2020-10-01, 12:18 AM
If someone obtains the cookie of another user, they have access to their account for the lifetime of the forum.
in class_session.php, 20 lines down into the function load_user and after loginkey was verified...
there should be a check to see when the user was last active and if their session is expired...
and if their session is expired the function update_loginkey needs to be called in functions_user.php so that the cookie/key they have becomes invalid
I tried changing something myself but I ran into the problem of when class_session.php is called...
In load_user(), around line 200 I tried adding
update_loginkey($mybb->user['uid']);
return false;
inside the if statement if($time - $mybb->user['lastactive'] > 900)
but I ran into the problem that this code runs when the person is logging in... so maybe there is some check to make it
update_loginkey($mybb->user['uid']);
if (this is not a log-in request)
return false;
so that the authentication fails only if 15 minutes passed since last active AND this wasn't a login request.
But that last part is kinda fuzzy to me, I need to get something to eat lol
Maybe in line 326 in login.php, change
my_setcookie("mybbuser", $user['uid']."_".$user['loginkey'], $remember, true, "lax");
to use update_loginkey()... so that each login generates a new loginkey. And when they AFK and the session expires, that's the other time a new loginkey is generated - but that loginkey is just meant to erase the previous one and will get changed again when the user logs in again.
Maybe in global.php around line 45, skip "creating a session" if this is a log-in request?
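
The idea in the post above, modelled as a stand-alone PHP example (added here; it is not part of the original post and not MyBB code). The in-memory $users array and the functions rotate_loginkey, load_user_from_cookie and complete_login are assumptions standing in for the users table, update_loginkey(), load_user() and the login handler; the login path skips the idle test and issues a fresh key, so an idle cookie dies without locking the user out.

```php
<?php
// Added example: hypothetical model of the idle-timeout idea, not MyBB code.
const IDLE_LIMIT = 900; // 15 minutes, the value used in the post

// Stand-in for the users table (constructed sample data).
$users = [
    7 => ['loginkey' => bin2hex(random_bytes(16)), 'lastactive' => 1000],
];

// Replace the stored key so every cookie issued earlier stops validating.
function rotate_loginkey(array &$users, int $uid): string
{
    $users[$uid]['loginkey'] = bin2hex(random_bytes(16));
    return $users[$uid]['loginkey'];
}

// Validate a "uid_loginkey" cookie. Returns the uid, or null if rejected.
function load_user_from_cookie(array &$users, string $cookie, int $now): ?int
{
    $parts = explode('_', $cookie, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;
    }
    $uid = (int) $parts[0];
    if (!isset($users[$uid]) || !hash_equals($users[$uid]['loginkey'], $parts[1])) {
        return null;
    }
    if ($now - $users[$uid]['lastactive'] > IDLE_LIMIT) {
        rotate_loginkey($users, $uid); // idle too long: invalidate the cookie
        return null;
    }
    $users[$uid]['lastactive'] = $now;
    return $uid;
}

// Login path: the caller has already checked the password, so there is no
// idle test here. A fresh key is issued and the new cookie value returned.
function complete_login(array &$users, int $uid, int $now): string
{
    $users[$uid]['lastactive'] = $now;
    return $uid . '_' . rotate_loginkey($users, $uid);
}

// Constructed timeline; timestamps are arbitrary seconds.
$cookie = complete_login($users, 7, 1000);
var_dump(load_user_from_cookie($users, $cookie, 1500)); // 500 s after login
var_dump(load_user_from_cookie($users, $cookie, 2500)); // 1000 s of inactivity
$fresh = complete_login($users, 7, 2600);               // user logs in again
var_dump(load_user_from_cookie($users, $cookie, 2610)); // copy of the old cookie
var_dump(load_user_from_cookie($users, $fresh, 2610));  // cookie from new login
```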