Fork me on GitHub
Subscribe 2

Ticket #254 (fixed enhancement)

Improve cookie security

  • Created: 2011-01-24 15:30:54
  • Reported by: Franz
  • Assigned to: Reines
  • Milestone: 1.4.4
  • Component: security
  • Priority: high

Merely a reminder that we should take care of the issues mentioned in the e-mail that was sent to our security mailing list a while ago.

History

Reines 2011-01-25 16:12:26

  • Owner set to Reines.
  • Priority changed from highest to high.
  • Type changed from task to enhancement.

We should use a hash of the cookie_seed + expire so we can validate (by checking the expire time < time() and the hash = hash(cookie_seed + expire) that the expire time of the cookie hasn't been altered by a the user.

Instead of regular hash we should probably use a hash_hmac, assuming we can easily enough implement this for PHP4.

We should also consider adapting generate_random_key() to use /dev/random if it exists.

Reines 2011-01-29 12:47:47

  • Uploaded patch fluxbb-cookiehash.patch. (view)

I've created a patch for this - just waiting to hear back from Peter if he thinks it makes sense or not.

Reines 2011-01-30 14:19:40

  • Uploaded patch fluxbb-cookiehash.patch. (view)

Slightly updated patch. This should be ready to commit now once the rest of the 1.4.4 tickets are finished.

Reines 2011-02-02 15:20:20

  • Status changed from open to fixed.

I have now commit this.

Franz 2011-02-02 15:27:46

  • Visibility set to public.

That promptly logged me out tongue