MyBB Community Forums

Dear mybb community

I have an authorization php script which only relies on Cookies and DataBase queries.

It doesnt include any MyBB scripts, and it is not terminating only if you have a valid SessionID and a specific UserID

I wrote it because i didnt wanted it to take up much memory in the first place.


>> First i check if mybbuser is existing in the Cookie

if(array_key_exists("mybbuser", $_COOKIE))

>> Then i grab the UID from the Cookie

$USER_ID = substr($_COOKIE['mybbuser'], 0 , strpos($_COOKIE['mybbuser'], "_"));

>> Here its a simple UID comparsion with the whitelist

if(!in_array($USER_ID , $uid_list)) exit;

>> Here i am preparing to fetch the SID's  from  "mybb_sessions" for this UID

$query = $pdo_forum ->  prepare("SELECT sid FROM mybb_sessions WHERE uid = :uid");
$query -> execute(array("uid" => $USER_ID));

>> And then i am fetching those SID's , until ONE of them is equal to the SID from the Cookie
Script terminates if no matches found.

while($sid = $query -> fetchColumn())
{
      if($sid == $_COOKIE["sid"]){ $SID_OK = true; break;}
}

if(!$SID_OK) exit ;

My question is if this code is secure enough to ensure, that only a logged member with a specific UserID is able to pass through this.

Or is there something that i am horribly missing ?

Thank you

IIRC, MyBB also compares the loginkey stored in mybb_users table when loading a logged in user:

https://github.com/mybb/mybb/blob/mybb_1...on.php#L69
https://github.com/mybb/mybb/blob/mybb_1...n.php#L147

I'm not sure if it's what you might be looking for.

(2020-04-30, 05:08 AM)noyle Wrote: [ -> ]IIRC, MyBB also compares the loginkey stored in mybb_users table when loading a logged in user:

Thanks, i'll include as well

Sorry I missed admin in the thread title.

If you need to authorize admins, maybe additional checks should involve. For example check the user's user group as

`mybb_users`.`usergroup`