MyBB Community Forums

Full Version: Security Question
i'm planning on using the forum's login system as the login system for my main website as well. i noticed one of the cookies set by the forum is mybbuser or something like that and it holds the userid and the password hash.

anyway, my question is, is it safe to use this information to authenticate users?

i guess this isn't really directly related to the forum, but to cookies in general.

also, will users always have this cookie set? (assuming they are logged in)

any problems associated with using this?

i'm a fairly good programmer, but i'm just a little wary about security concerns (people seem to like to hack my website)
The login cookie actually holds the user ID and the login key, not the password hash (unless you are still using MyBB RC4 or before). The login key has no relation at all to the password.
oh yea, i have this in my code so far
...
$temp = explode("_", $_COOKIE["mybbuser"]);
...
WHERE members.uid='" . $temp[0] . "' AND members.loginkey='" . $temp[1]
...

and if the query returns proper data, i assume the user info is valid.

is this a secure method?

thanks
you might want to "addslashes" or something like that to the cookie, to prevent a security exploit or XSS exploit
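
Added example, not code from the thread or from MyBB: one way to do the lookup discussed above, with the cookie strictly parsed and the value bound as a query parameter instead of being escaped and concatenated. The `members` table and its `uid`/`loginkey` columns follow the thread; the `username` column, the key-format pattern, and the sample rows are assumptions made for the demo.

```php
<?php
// Added example. Table/column names follow the thread (members.uid,
// members.loginkey); username, the key pattern and the rows are assumptions.

function parse_mybbuser_cookie(?string $raw): ?array
{
    // Expect exactly "<uid>_<loginkey>"; reject anything else before touching the DB.
    if ($raw === null || !preg_match('/\A([1-9][0-9]{0,9})_([A-Za-z0-9]{1,64})\z/', $raw, $m)) {
        return null;
    }
    return ['uid' => (int) $m[1], 'loginkey' => $m[2]];
}

function authenticate_from_cookie(PDO $db, ?string $raw): ?array
{
    $parsed = parse_mybbuser_cookie($raw);
    if ($parsed === null) {
        return null;
    }
    // Bound parameter: the cookie value is never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT uid, username, loginkey FROM members WHERE uid = :uid');
    $stmt->execute([':uid' => $parsed['uid']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Constant-time comparison of the stored key against the presented one.
    if ($row === false || !hash_equals((string) $row['loginkey'], $parsed['loginkey'])) {
        return null;
    }
    unset($row['loginkey']); // do not pass the secret further into the application
    return $row;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (uid INTEGER PRIMARY KEY, username TEXT, loginkey TEXT)');
$db->exec("INSERT INTO members VALUES (7, 'alice', 'Qk3vT9xLm2Zp8RaB')");

$samples = [
    '7_Qk3vT9xLm2Zp8RaB', // well-formed, matching key
    '7_wrongkey',         // well-formed, key does not match
    "7'_x",               // malformed: stray quote in the uid part
    null,                 // cookie absent
];
foreach ($samples as $cookie) {
    $user = authenticate_from_cookie($db, $cookie);
    echo var_export($cookie, true), ' => ',
        $user ? "uid {$user['uid']} ({$user['username']})" : 'rejected', PHP_EOL;
}
```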