Cookies don't change
#1
If someone obtains the cookie of another user, they have access to their account for the lifetime of the forum

In class_session.php, 20 lines down into the function load_user and after loginkey was verified...

there should be a check to see when the user was last active and if their session is expired...

and if their session is expired the function update_loginkey needs to be called in functions_user.php so that the cookie/key they have becomes invalid

I tried changing something myself but I ran into the problem of when class_session.php is called...

In load_user(), around line 200 I tried adding
update_loginkey($mybb->user['uid']);
return false;
inside the if statement if($time - $mybb->user['lastactive'] > 900)

but I ran into the problem that this code runs when the person is logging in... so maybe there is some check to make it
update_loginkey($mybb->user['uid']);
if (this is not a log-in request)
    return false;
so that the authentication fails only if 15 minutes passed since last active AND this wasn't a login request

But that last part is kinda fuzzy to me I need to get something to eat lol

Maybe in line 326 in login.php, change
my_setcookie("mybbuser", $user['uid']."_".$user['loginkey'], $remember, true, "lax");
to use update_loginkey()... so that each login generates a new loginkey. And when they AFK and the session expires, that's the other time a new loginkey is generated - but that loginkey is just meant to erase the previous one and will get changed again when the user logs in again

Maybe in global.php around line 45, skip "creating a session" if this is a log-in request?
#2
Yes, the loginkey only changes when the user's password is changed. The session mechanism is only used for location information (Who's Online).

Note that the same account may be logged in on multiple devices, so interfering with loginkey would log someone out everywhere.

Eventually MyBB should track authentication per-device: https://github.com/mybb/mybb/issues/3662
devilshakerz.com/pgp (DF3A 34D9 A627 42E5 BC6A 6750 1F2F B8AA 28FF E1BC) ▪ keybase.io/devilshakerz
#3
(2020-10-01, 08:02 AM)Devilshakerz Wrote: Yes, the loginkey only changes when the user's password is changed. The session mechanism is only used for location information (Who's Online).

Note that the same account may be logged in on multiple devices, so interfering with loginkey would log someone out everywhere.

Eventually MyBB should track authentication per-device: https://github.com/mybb/mybb/issues/3662

Are you sure that's true? If someone has the cookie, they're effectively logged in (indefinitely, or until the password is changed).... In other words if I copy the cookie I have in my browser, and send it to my cell phone browser, now I'm instantly logged in as that user and can post as them, make threads as them etc.

And good point that modifying loginkey, how it is, would only let one browser at a time be able to be logged in... though if the timeout is 15 minutes is there really a reason for someone to be logged in to more than one device at a time? (especially since this is a forum and multi-accounting wouldn't make a lot of sense)

Apologies if that came across as rude... I just had coffee and I'm listening to Disturbed lol

Quote:store hashes/HMACs of session keys only

Oh man... this has been up since 2019?

If someone gets into the database, they have plaintext "keys"/passwords for every single user lol

If ur not gonna change this any chance you can help me determine if a request was a login-request in class_session.php at line 200?

So I can skip checking session-expiration if the user got here after logging in (since the session is probably expired if they're logging in again)

#4
(2020-10-01, 08:27 AM)noob1337 Wrote: Are you sure that's true? If someone has the cookie, they're effectively logged in (indefinitely, or until the password is changed).... In other words if I copy the cookie I have in my browser, and send it to my cell phone browser, now I'm instantly logged in as that user and can post as them, make threads as them etc.

Yes, authentication security currently depends on the secrecy of the loginkey, and that state is not stored in the database.

Quote:if the timeout is 15 minutes is there really a reason for someone to be logged in to more than one device at a time?
If you're referring to the Cut-off Time (mins) setting, it's also related to location status, not authentication itself.
With Remember me checked, the cookie is set for a year, otherwise for the browser session duration (https://github.com/mybb/mybb/blob/mybb_1...n.php#L326).

Your approach (resetting the key when attempting to use it after some time of inactivity) might miss some scenarios where the old key continues to be unnecessarily "extended" (by logging in without attempting to use the key first). Consider using a task instead, where users' keys will be reset automatically depending on the time of last activity to enforce authentication expiration.
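As an added example (not code from MyBB or from anyone in this thread) of the task-based approach suggested in #4, applied to the 15-minute cut-off from #1: a scheduled task that rotates the loginkey of users who have crossed the inactivity window since the task last ran, so a copied mybbuser cookie stops authenticating after that window. It assumes MyBB's task convention (a task_<name>($task) function, $task['lastrun'], add_task_log()), the global $db with simple_select()/fetch_array(), the TIME_NOW constant, and update_loginkey() from inc/functions_user.php.

```php
<?php
// Added example (not MyBB's own code): a scheduled task that rotates the
// loginkey of users who crossed the inactivity cut-off since the previous run.
// Assumptions: MyBB's task convention (task_<name>($task), $task['lastrun'],
// add_task_log()), the global $db with simple_select()/fetch_array(),
// the TIME_NOW constant, and update_loginkey() from inc/functions_user.php.

require_once MYBB_ROOT."inc/functions_user.php";

function task_expire_loginkeys($task)
{
    global $db;

    // Idle window in seconds; 900 matches the 15-minute figure in the thread.
    $max_idle = 900;
    $cutoff = TIME_NOW - $max_idle;

    // Only users whose idle threshold was crossed between the previous run and
    // now, i.e. lastactive + max_idle lies in (lastrun, TIME_NOW]. Users who went
    // idle long before the previous run were already rotated and are skipped.
    // On the very first run lastrun is 0, so every idle user is rotated once.
    $since = (int)$task['lastrun'] - $max_idle;
    $where = "lastactive <= {$cutoff} AND lastactive > {$since}";

    $query = $db->simple_select('users', 'uid', $where);
    $rotated = 0;
    while($user = $db->fetch_array($query))
    {
        // update_loginkey() writes a fresh random key to the users table, so any
        // cookie still carrying the old key (on every device) no longer matches.
        update_loginkey($user['uid']);
        ++$rotated;
    }

    add_task_log($task, "Rotated the loginkey of {$rotated} inactive user(s)");
}
```

Because the task runs on a schedule, an old key can survive up to one task interval past the cut-off, so the interval bounds the real expiry; and as #2 notes, rotating the single loginkey signs the account out on all devices at once.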
#5
(2020-10-01, 02:54 PM)Devilshakerz Wrote:
(2020-10-01, 08:27 AM)noob1337 Wrote: Are you sure that's true? If someone has the cookie, they're effectively logged in (indefinitely, or until the password is changed).... In other words if I copy the cookie I have in my browser, and send it to my cell phone browser, now I'm instantly logged in as that user and can post as them, make threads as them etc.

Yes, authentication security currently depends on the secrecy of the loginkey, and that state is not stored in the database.

Quote:if the timeout is 15 minutes is there really a reason for someone to be logged in to more than one device at a time?
If you're referring to the Cut-off Time (mins) setting, it's also related to location status, not authentication itself.
With Remember me checked, the cookie is set for a year, otherwise for the browser session duration (https://github.com/mybb/mybb/blob/mybb_1...n.php#L326).

Your approach (resetting the key when attempting to use it after some time of inactivity) might miss some scenarios where the old key continues to be unnecessarily "extended" (by logging in without attempting to use the key first). Consider using a task instead, where users' keys will be reset automatically depending on the time of last activity to enforce authentication expiration.

IDK everything about this is wrong

I have the solution I'm gonna post it in general forum if you don't consider this a security problem (u shouldn't have a problem with me posting it if it isn't a security problem)
#6
(2020-10-01, 04:12 PM)noob1337 Wrote: IDK everything about this is wrong

I have the solution I'm gonna post it in general forum if you don't consider this a security problem (u shouldn't have a problem with me posting it if it isn't a security problem)

Feel free; we can move this thread to public forums if that sounds OK.
#7
(2020-10-01, 04:39 PM)Devilshakerz Wrote:
(2020-10-01, 04:12 PM)noob1337 Wrote: IDK everything about this is wrong

I have the solution I'm gonna post it in general forum if you don't consider this a security problem (u shouldn't have a problem with me posting it if it isn't a security problem)

Feel free; we can move this thread to public forums if that sounds OK.

Ok here's the thread https://community.mybb.com/thread-229616.html

(in case you want to remove it)