Ticket #254 (fixed enhancement)
Improve cookie security
- Created: 2011-01-24 15:30:54
- Reported by: Franz
- Assigned to: Reines
- Milestone: 1.4.4
- Component: security
- Priority: high
Merely a reminder that we should take care of the issues mentioned in the e-mail that was sent to our security mailing list a while ago.
History
Reines 2011-01-25 16:12:26

- Owner set to Reines.
- Priority changed from highest to high.
- Type changed from task to enhancement.
We should use a hash of the cookie_seed + expire so we can validate (by checking the expire time < time() and the hash = hash(cookie_seed + expire) that the expire time of the cookie hasn't been altered by a the user.
Instead of regular hash we should probably use a hash_hmac, assuming we can easily enough implement this for PHP4.
We should also consider adapting generate_random_key() to use /dev/random if it exists.
Reines 2011-01-29 12:47:47

- Uploaded patch fluxbb-cookiehash.patch. (view)
I've created a patch for this - just waiting to hear back from Peter if he thinks it makes sense or not.
Reines 2011-01-30 14:19:40

- Uploaded patch fluxbb-cookiehash.patch. (view)
Slightly updated patch. This should be ready to commit now once the rest of the 1.4.4 tickets are finished.