Posts: 1,009
Threads: 47
Joined: Jun 2007
Reputation:
7
2007-07-25, 03:52 PM
(This post was last modified: 2007-07-25, 05:22 PM by aglioeolio.)
mrblackbird Wrote: Thanks guys, but I have come across one problem, which is what I think is causing the trouble. These are codes that should be used:
This worked for me on older themes to work in 1.2.8 and avoid the unable to logout error.
The logout code should be:
In header_welcomeblock_member:
Code:
<a href="{$mybb->settings['bburl']}/member.php?action=logout&uid={$mybb->user['uid']}&sid={$session->sid}">{$lang->welcome_logout}</a>)<br />
In index_logoutlink:
Code:
<a href="{$mybb->settings['bburl']}/member.php?action=logout&uid={$mybb->user['uid']}&sid={$session->sid}">{$lang->index_logout}</a> |
In changeuserbox:
Code:
<a href="{$mybb->settings['bburl']}/member.php?action=logout&uid={$mybb->user['uid']}&sid={$session->sid}">{$lang->change_user}</a>
However, on this one:
In header_welcomeblock_member:
Code:
<a href="{$mybb->settings['bburl']}/member.php?action=logout&uid={$mybb->user['uid']}&sid={$session->sid}">{$lang->welcome_logout}</a>)<br />
Thanks for the Tip
It works perfectly with previous 1.2.x templates in MyBB 1.2.9 here
Posts: 7
Threads: 2
Joined: Jul 2007
Reputation:
0
I still can't fix this issue for some reason... I reverted the stuff noted before, but it didn't solve anything. Plus, it messed up my template, so I was forced to re-import it. Can someone please help? Thanks.
Posts: 65
Threads: 14
Joined: Nov 2005
Reputation:
0
2007-08-30, 11:12 AM
(This post was last modified: 2007-08-30, 03:51 PM by sacharja.)
I don't think that changing the logout manner was a good idea after all. Actually nobody can log someone else out because of the session id (and/or cookie). If the attacker can get this information he can get everything (even the login password), because he compromised the system.
Nevertheless this feature is annoying for me, because I use Proxomitron that sometimes changes the "Client-ip" and then I'm not able to log out. I don't think that it adds much security (for the reasons above).
AFAIK MyBB is the only BB that uses such a behavior.
Posts: 16,264
Threads: 579
Joined: Oct 2005
Reputation:
39
2007-08-30, 10:39 PM
(This post was last modified: 2007-08-30, 10:41 PM by Ryan Gordon.)
sacharja Wrote: I don't think that changing the logout manner was a good idea after all. Actually nobody can log someone else out because of the session id (and/or cookie). If the attacker can get this information he can get everything (even the login password), because he compromised the system.
Nevertheless this feature is annoying for me, because I use Proxomitron that sometimes changes the "Client-ip" and then I'm not able to log out. I don't think that it adds much security (for the reasons above).
AFAIK MyBB is the only BB that uses such a behavior.
Incorrect, phpBB uses sessions in ALL their URLs. Also, the attacker can't get the session id or cookie. Sessions expire usually fast and you still need the cookie information to officially authenticate, which, unless a hacker actually gets into your computer through another exploit in one of MS's apps, it's impossible.
Either way, we've fixed it for MyBB 1.2.10 to work with proxies.
Posts: 65
Threads: 14
Joined: Nov 2005
Reputation:
0
Tikitiki Wrote: Incorrect, phpBB uses sessions in ALL their URLs.
As it should be, so what's incorrect?
Quote: Also, the attacker can't get the session id or cookie. Sessions expire usually fast and you still need the cookie information to officially authenticate, which, unless a hacker actually gets into your computer through another exploit in one of MS's apps, it's impossible.
That's exactly what I wrote:
sacharja Wrote: Actually nobody can log someone else out because of the session id (and/or cookie). If the attacker can get this information he can get everything (even the login password), because he compromised the system.
Did you actually read my post?
Tikitiki Wrote: Either way, we've fixed it for MyBB 1.2.10 to work with proxies.
So v1.2.10 uses only sessions and cookies to log out?
Posts: 5,042
Threads: 309
Joined: Jun 2004
Reputation:
88
2007-08-31, 01:10 PM
(This post was last modified: 2007-08-31, 01:11 PM by Chris Boulton.)
No - 1.2.10 passes a different identifier to the script which is not based on your IP address.
We need to pass an identifier to the script to prevent CSRF attacks (Cross Site Request Forgery).
As for the user having the session ID, in MyBB, there is nothing that a malicious user can not do to it. Due to the way sessions work, they cannot be hijacked in MyBB.
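As an added illustration of the point made in the post above (not MyBB's code; the function names, the secret and the addresses are hypothetical or constructed), this PHP sketch contrasts a logout check tied to an IP-dependent session id with one tied to a per-user token. It assumes, as the thread implies, that the session id changes when the reported client IP changes.

```php
<?php
// Added illustration, not MyBB source. All names below are hypothetical.

// Assumption: the session id depends on the client IP, so a proxy that
// changes the reported address yields a different sid on the next request.
function session_id_for(string $userSecret, string $clientIp): string
{
    return hash_hmac('sha256', 'sid|' . $clientIp, $userSecret);
}

// Logout token derived only from a per-user server-side secret: stable
// across IP changes, but not known to a page on another site.
function logout_token_for(string $userSecret): string
{
    return hash_hmac('sha256', 'logout', $userSecret);
}

// Accept the logout only when the link carries the expected value.
// A missing or non-string parameter is rejected; hash_equals() compares
// in constant time.
function logout_allowed(array $query, string $param, string $expected): bool
{
    return isset($query[$param])
        && is_string($query[$param])
        && hash_equals($expected, $query[$param]);
}

$secret = 'constructed-per-user-secret'; // constructed sample value

// The logout link was rendered while the proxy reported 203.0.113.10 ...
$link = [
    'action' => 'logout',
    'sid'    => session_id_for($secret, '203.0.113.10'),
    'token'  => logout_token_for($secret),
];
// ... but the click arrives with 203.0.113.77 as the reported address.
$sidNow = session_id_for($secret, '203.0.113.77');

// Case 1: IP-dependent sid check after the proxy changed the address.
var_dump(logout_allowed($link, 'sid', $sidNow));
// Case 2: per-user token check for the same click.
var_dump(logout_allowed($link, 'token', logout_token_for($secret)));
// Case 3: cross-site request that carries only action=logout.
var_dump(logout_allowed(['action' => 'logout'], 'token', logout_token_for($secret)));
```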
Posts: 16,264
Threads: 579
Joined: Oct 2005
Reputation:
39
sacharja Wrote:
Tikitiki Wrote: Incorrect, phpBB uses sessions in ALL their URLs.
As it should be, so what's incorrect?
sacharja Wrote: AFAIK MyBB is the only BB that uses such a behavior.
I'll let you answer your own question.
Posts: 65
Threads: 14
Joined: Nov 2005
Reputation:
0
Chris Boulton Wrote: No - 1.2.10 passes a different identifier to the script which is not based on your IP address.
We need to pass an identifier to the script to prevent CSRF attacks (Cross Site Request Forgery).
As for the user having the session ID, in MyBB, there is nothing that a malicious user can not do to it. Due to the way sessions work, they cannot be hijacked in MyBB.
Thanks, that'll be a good reason to upgrade then.
@Tikitiki
I feared that you didn't apply this statement to the sentence before it.
Posts: 1
Threads: 0
Joined: Sep 2007
Reputation:
0
I am having this problem too and have read through the posts but still can't figure out a solution for this. If anyone is able to help please let me know. My forums link is http://www.cland2.com/forums
Posts: 13,054
Threads: 304
Joined: Jun 2004
Reputation:
55
Have you read this post?
http://community.mybboard.net/showthread...#pid140142
Sorry this thread is a little confusing.