Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Recognize admin without using mybb functions
#1
Dear mybb community

I have an authorization php script which only relies on Cookies and DataBase queries.

It doesnt include any MyBB scripts, and it is not terminating only if you have a valid SessionID and a specific UserID

I wrote it because i didnt wanted it to take up much memory in the first place.


>> First i check if mybbuser is existing in the Cookie
if(array_key_exists("mybbuser", $_COOKIE))

>> Then i grab the UID from the Cookie
$USER_ID = substr($_COOKIE['mybbuser'], 0 , strpos($_COOKIE['mybbuser'], "_"));

>> Here its a simple UID comparsion with the whitelist
if(!in_array($USER_ID , $uid_list)) exit;

>> Here i am preparing to fetch the SID's  from  "mybb_sessions" for this UID
$query = $pdo_forum ->  prepare("SELECT sid FROM mybb_sessions WHERE uid = :uid");
$query -> execute(array("uid" => $USER_ID));

>> And then i am fetching those SID's , until ONE of them is equal to the SID from the Cookie
Script terminates if no matches found.
while($sid = $query -> fetchColumn())
{
      if($sid == $_COOKIE["sid"]){ $SID_OK = true; break;}
}

if(!$SID_OK) exit ;

My question is if this code is secure enough to ensure, that only a logged member with a specific UserID is able to pass through this.

Or is there something that i am horribly missing ?

Thank you
Reply
#2
IIRC, MyBB also compares the loginkey stored in mybb_users table when loading a logged in user:

https://github.com/mybb/mybb/blob/mybb_1...on.php#L69
https://github.com/mybb/mybb/blob/mybb_1...n.php#L147

I'm not sure if it's what you might be looking for.
Could be wrong but worth a try.
Reply
#3
(2020-04-30, 05:08 AM)noyle Wrote: IIRC, MyBB also compares the loginkey stored in mybb_users table when loading a logged in user:

Thanks, i'll include as well
Reply
#4
Sorry I missed admin in the thread title.

If you need to authorize admins, maybe additional checks should involve. For example check the user's user group as
`mybb_users`.`usergroup`
Could be wrong but worth a try.
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)