MyBB Community Forums

Full Version: Solve cookie authentication security vulnerability
Currently, when you create an account on a MyBB forum, a cookie is created and attached to that account in the database.

That cookie never changes.

So whenever you're browsing the forum, making posts and threads, etc., the server is using the cookie in your browser to authenticate all the requests.

An attacker can use this by:
1. XSS (search "Samy Myspace XSS worm"): to send the cookie in your browser back to the attacker
2. CSRF: you can visit google.com and the browser will make a request to the forum and can start making threads and posts without you knowing
3. Browser vulnerability: if you don't update your web browser or something, an attacker can take the cookies
4. Server breach: the cookies on the server are stored in plain text (kind of like plain-text passwords), and they have no expiration, so with one server breach an attacker would have access to every user account (you would have to make everyone reset their passwords... that MIGHT fix it?)

The cookie has the format <uid>_<loginkey>

To fix this problem we need to:
1. Generate a new loginkey when a user signs out, and don't share it back to them
2. Generate a new loginkey when a user makes a request with an expired session, and don't share it back to them
3. When a user logs in, generate a new loginkey
4. When a user logs in, update their last-active time (to avoid having their first request upon logging in be seen as an expired session)

Code fixes for the above are:
1. Inside member.php, inside the ['action'] == "logout" if statement, add (somewhere before the last redirect() call):
update_loginkey($mybb->user['uid']);
2. Inside inc/class_session.php, in the load_user() function, inside the $time - $mybb->user['lastactive'] > 900 if statement, add (at the end of the if statement):
update_loginkey($mybb->user['uid']);
return false;
3. Inside inc/datahandlers/login.php, in the complete_login() function, add (before the my_setcookie("mybbuser", $user['uid']."_".$user['loginkey'], $remember, true, "lax"); line):
$user['loginkey'] = update_loginkey($user['uid']);
4. Right above that same line, also add:
$sql_array = array(
    "lastactive" => TIME_NOW,
    "lastvisit" => TIME_NOW
);
$db->update_query("users", $sql_array, "uid = '{$user['uid']}'");

To adjust how long it takes for a session to expire, go back to #2 and change the number 900 in the if statement ($time - $mybb->user['lastactive'] > 900). Try changing 900 to 10 (seconds) and see if the changes worked: you can juggle a session by refreshing the page within 10 seconds, or not refresh the page and see the session expire.

If I understand your steps correctly, this will log any user out of all their sessions on any device whenever they log out from a single device.
I don't know if the following plugin works, but I think giving the users access to manage their sessions could be a better approach.
https://community.mybb.com/mods.php?action=view&pid=306

(2020-10-01, 07:49 PM) Omar G. Wrote: If I understand your steps correctly, this will log any user out of all their sessions on any device whenever they log out from a single device.

Yes, same as the previous thread https://community.mybb.com/thread-229600...pid1356640

It's a feature.

(2020-10-01, 07:51 PM) Omar G. Wrote: I don't know if the following plugin works, but I think giving the users access to manage their sessions could be a better approach.
https://community.mybb.com/mods.php?action=view&pid=306

That plugin seems to be frontend only. It looks nice, and it works if the client cooperates (by setting an additional cookie and voluntarily deleting their own cookies on kickout), but from a security standpoint it has no effect at all, since all sessions still share the same login cookie and the client might decide to keep theirs around.

Yes, the loginkey has issues and limitations that have been known since long before 2019; it is not kept a secret, and it should eventually be improved on, as in the links Devilshakerz shared.

You are correct that the plugin I mentioned is in no way a real improvement to the current system regarding security. What I'm trying to do is to provide insight to the people reading this "tutorial", which will add new "features".

If you're reading this, try the above changes on a test installation and see if anything breaks or if you don't like it.

What the changes will do (to summarize what was said above):
1. If a user is inactive for 900 seconds, they are logged out automatically
2. If a user logs in on a device, they will be logged out on their previous device
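The four code changes in the first post and the two-point summary above describe one rotation policy for the <uid>_<loginkey> cookie. The following is an added, self-contained model of that policy; it is not MyBB's code and not the poster's patch. An in-memory $users array stands in for the users table, the 900-second timeout is the same number the if-statement uses, and the helper names (rotate_loginkey, authenticate, login, logout, expect) and the sample uid are assumptions made for this illustration. It walks through the scenarios the thread claims: a cookie copied before logout is dead afterwards, a login on a second device kills the first device's cookie, and a cookie that has sat idle past the timeout cannot be replayed.

```php
<?php
declare(strict_types=1);

// Added example: an in-memory model of the loginkey rotation proposed in this
// thread. Not MyBB's code; $users stands in for the users table and the helper
// names below are assumptions for illustration only.

const SESSION_TIMEOUT = 900; // seconds; the 900 in the thread's if-statement

// Constructed sample row (uid => user record); no real data.
$users = [
    7 => ['uid' => 7, 'loginkey' => 'initial-key', 'lastactive' => 0],
];

// Tiny check helper so the walkthrough fails loudly instead of silently.
function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("FAILED: $what");
    }
    echo "ok: $what\n";
}

// Stand-in for update_loginkey(): store a fresh random key and return it.
function rotate_loginkey(array &$users, int $uid): string
{
    $users[$uid]['loginkey'] = bin2hex(random_bytes(25)); // 50 hex chars
    return $users[$uid]['loginkey'];
}

// The <uid>_<loginkey> cookie format described in the thread.
function make_cookie(int $uid, string $loginkey): string
{
    return $uid . '_' . $loginkey;
}

// Stand-in for the load_user() check. Returns the uid when the cookie matches
// and the session is still live, otherwise null. On an expired session the key
// is rotated before refusing (step 2), so the stale cookie cannot be replayed.
function authenticate(array &$users, string $cookie, int $now): ?int
{
    if (!preg_match('/^(\d+)_([0-9a-z-]+)$/', $cookie, $m)) {
        return null;
    }
    $uid = (int) $m[1];
    if (!isset($users[$uid]) || !hash_equals($users[$uid]['loginkey'], $m[2])) {
        return null;
    }
    if ($now - $users[$uid]['lastactive'] > SESSION_TIMEOUT) {
        rotate_loginkey($users, $uid);
        return null;
    }
    $users[$uid]['lastactive'] = $now;
    return $uid;
}

// Steps 3 and 4: login rotates the key and touches lastactive, so the very
// first request after login is not itself treated as an expired session.
function login(array &$users, int $uid, int $now): string
{
    $key = rotate_loginkey($users, $uid);
    $users[$uid]['lastactive'] = $now;
    return make_cookie($uid, $key);
}

// Step 1: logout rotates the key and hands nothing back to the client.
function logout(array &$users, int $uid): void
{
    rotate_loginkey($users, $uid);
}

$t = 1000000; // constructed clock value, in seconds

$deviceA = login($users, 7, $t);
expect(authenticate($users, $deviceA, $t + 10) === 7, 'fresh login authenticates');

logout($users, 7);
expect(authenticate($users, $deviceA, $t + 20) === null, 'cookie copied before logout is dead after logout');

$deviceA = login($users, 7, $t + 30);
$deviceB = login($users, 7, $t + 40);
expect(authenticate($users, $deviceA, $t + 50) === null, 'login on device B logs device A out');
expect(authenticate($users, $deviceB, $t + 50) === 7, 'device B still works');

$late = $t + 50 + SESSION_TIMEOUT + 1;
expect(authenticate($users, $deviceB, $late) === null, 'idle beyond the timeout ends the session');
expect(authenticate($users, $deviceB, $late + 1) === null, 'an expired cookie cannot be revived by retrying');
```

Run it with `php rotation_model.php` (any filename works). The model deliberately mirrors the trade-off Omar G. raised: because there is exactly one loginkey per account, every rotation (logout, expiry, or a new login anywhere) invalidates every outstanding copy of the cookie, which is what makes a leaked cookie short-lived but also what logs the user's other devices out.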