
#1 2015-02-12 20:24:42

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 1,292

Design Advice

I'm asking here for a bit of design advice. I'm working on my site (eventually it will become a mod here) and adding the ability to password-protect forums.

At the moment, I've added in part of the admin panel, but I've hit an obstacle: what to do with the passwords. I've had several ideas:

  1. Hash them

  2. Encode them

  3. Store in plain text

Currently, they would be stored in plain text just like the SMTP password, displayed & updated in the exact same way. However, I'm unsure how to store this. My instinct says hash them, but then other problems would come into play - for example, how to display them in the admin panel? Not that this would be too hard to overcome, but I'm sure you'll get my point.

Because it's not a user password, I thought it may be better (still not great) to store them in plain text, but I also want to keep it similar to FluxBB, and of course, above everything - make sure it's secure and safe.

Next, there is another thing I'd like to ask, more preference really. When checking whether the user entered password is correct, should I store the details in a cookie, or database? I've actually looked around about this, and the most popular software such as phpbb use database storage, but this may unnecessarily slow the script down checking for the session. And of course, if it was a guest forum, you'd have to store IP addresses not user IDs.

What would anyone else recommend that would best suit FluxBB?


#2 2015-02-12 22:03:31

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,632

Re: Design Advice

Hash them - why do you want to display them in the admin panel?
If there's a password stored for a certain forum, just tell the user there is one and give them an option to change it.


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."


#3 2015-02-13 08:00:50

GWR
Member
From: Germany
Registered: 2010-08-06
Posts: 194

Re: Design Advice

If you really need to display a "hint" to the admins:
- store hash
- store first 3 letters of the password (you know: "123...")

@storage:
store it in the cookie as this is a custom option just adding "convenience" to the user (if he did not have it stored, he gets asked for the password)
Storing in the database adds much more complexity: guests should not be identified by password.

Keep in mind to store the password in a hash with a user-adjusted salt - so every "password" in the cookie is different to the others and cannot be decoded that easily. I am not sure if this is really needed (if they get your cookie, they might also have the potential to log in to the board and look for the password printed somewhere).

If you store "user acl" in the database, you of course do not have to expose the hash/password in a cookie which might land in 3rd party hands.


bye
Ron


#4 2015-02-13 13:27:59

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 1,292

Re: Design Advice

why do you want to display them in the admin panel?

I was going to display them (or rather this output below) in the password field, just like the SMTP password.

$password = ($cur_forum['password'] != '' && $cur_forum['redirect_url'] == '') ? random_key(pun_strlen($cur_forum['password']), true) : '';

This would not work very well with a hash, and I do like the way that this is displayed.

Keep in mind to store the password in an hash with user-adjusted-salt - so every "password" in the cookie is different to others and cannot get decoded that easily

This is actually how I'm going to (now) hash the passwords. I'm going to generate a random piece of text, store it in the database column, then hash the password with that text. Each time the password is updated, the salt changes.

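The storage approach the thread settles on above (hash the forum password with a fresh random salt each time it is changed, and show the admin only that a password exists), as an added example in PHP that is not part of this thread or of the released mod. It assumes PHP 5.5 or later for password_hash()/password_verify(), which generate and embed the random salt themselves; the forum row below is a constructed stand-in for whatever column the mod actually uses.

```php
<?php
// Added example, not FluxBB or mod code. Assumes PHP >= 5.5 for
// password_hash()/password_verify(). The 'password' key below stands in
// for the (hypothetical) forums.password column.

// Value to store when the admin sets a forum password. password_hash()
// draws a new random salt on every call, so the stored value changes each
// time the password is saved, even if the password itself did not.
function forum_password_store($plaintext)
{
    if ($plaintext === '')
        return '';                       // empty = no password on this forum
    return password_hash($plaintext, PASSWORD_DEFAULT);
}

// Check a password submitted to the forum login box against the stored
// hash. password_verify() reads the salt from the hash and compares in
// constant time, so nothing else needs to be stored.
function forum_password_check($stored, $submitted)
{
    if ($stored === '')
        return true;                     // no password configured: open forum
    return password_verify($submitted, $stored);
}

// What the admin panel shows for the field: never the password or its
// hash, only whether one exists and that typing a new one replaces it.
function forum_password_admin_label($stored)
{
    return ($stored !== '')
        ? 'A password is set (enter a new one to change it)'
        : 'No password set';
}

// Constructed sample row, standing in for a SELECT on the forums table.
$forum = array('id' => 3, 'password' => forum_password_store('hunter2'));

var_dump(forum_password_check($forum['password'], 'hunter2'));
var_dump(forum_password_check($forum['password'], 'hunter3'));
echo forum_password_admin_label($forum['password']), "\n";
```

Leaving the password field blank on save should be treated as "keep the current hash" rather than "store the empty string", otherwise an admin who reopens the page and saves it unchanged silently removes the password.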

#5 2015-02-13 17:35:56

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 1,292

Re: Design Advice

Ok, after quite a while, I think I've finally figured this out and am almost ready for testing this. However, how does this first look for setting/checking the cookies?

function set_forum_login_cookie($id, $forum_password)
{
	global $pun_config;

	$cookie_data = isset($_COOKIE[$pun_config['o_cookie_name'].'_forums']) ? $_COOKIE[$pun_config['o_cookie_name'].'_forums'] : '';
	if (!$cookie_data || strlen($cookie_data) > FORUM_MAX_COOKIE_SIZE)
		$cookie_data = '';

	$cookie_data = unserialize($cookie_data);
	//Maybe using a 64 character random string increases security? Who knows....
	$salt = random_key(64, true);
	$cookie_hash = hash('sha512', $forum_password.hash('sha512', $salt));
	$cookie_data[$id] = array('hash' => $cookie_hash, 'salt' => $salt);

	forum_setcookie($pun_config['o_cookie_name'].'_forums', serialize($cookie_data), time() + $pun_config['o_timeout_visit']);
	$_COOKIE[$pun_config['o_cookie_name'].'_forums'] = serialize($cookie_data);
}


function check_forum_login_cookie($id, $forum_password)
{
	global $pun_config;

	$cookie_data = isset($_COOKIE[$pun_config['o_cookie_name'].'_forums']) ? $_COOKIE[$pun_config['o_cookie_name'].'_forums'] : '';
	if (!$cookie_data || strlen($cookie_data) > FORUM_MAX_COOKIE_SIZE)
		$cookie_data = '';

	// If it's empty, define as a blank array to avoid 'must be a boolean' error
	$cookie_data = ($cookie_data !== '') ? unserialize($cookie_data) : array();
	if (!array_key_exists($id, $cookie_data))
		show_forum_login_box($id);
	else
	{
		if ($cookie_data[$id]['hash'] !== hash('sha512', $forum_password.hash('sha512', $cookie_data[$id]['salt'])))
			show_forum_login_box($id);
	}
}

Thanks once again for your support thus far :)

Last edited by chris98 (2015-02-13 17:42:17)


#6 2015-02-14 08:45:06

GWR
Member
From: Germany
Registered: 2010-08-06
Posts: 194

Re: Design Advice

Is it really necessary to use the hashed salt as the salt in the hash? I think the entropy of 64 random chars should be enough.
Calculating SHA-512 isn't done for free.

$cookie_data = unserialize($cookie_data);
-> validate $cookie_data afterwards (it must be an array in your case); it might be "false" and the follow-up lines might fail then.


All in all it looks okay to me. Did you think about adding to the fluxbb-user-cookie (tainting it) to avoid an additional server request?

bye
Ron

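A cookie design that addresses both the code in #5 and the review point in #6 (validating whatever unserialize() hands back), as an added example that is not the thread's or the mod's code. The cookie holds only a JSON list of forum ids and an expiry, authenticated with an HMAC under a server-side secret: it never carries a forum password hash, forging an entry for another forum requires the secret rather than the forum's stored hash, and nothing goes through unserialize(), which the PHP manual itself warns not to call on user-supplied data. Assumptions: $secret stands for a per-installation key (FluxBB's cookie seed would serve); FORUM_MAX_COOKIE_SIZE is defined here only so the block runs stand-alone; PHP 5.6 or later for hash_equals(); the actual forum_setcookie() call is left to the caller, as in the original post.

```php
<?php
// Added example, not the mod's code. Assumed: $secret is a per-installation
// key (hypothetical value below), FORUM_MAX_COOKIE_SIZE mirrors the original
// post's constant, PHP >= 5.6 for hash_equals().

if (!defined('FORUM_MAX_COOKIE_SIZE'))
    define('FORUM_MAX_COOKIE_SIZE', 2048);

// Cookie layout: base64(JSON {"f":[forum ids],"e":unix expiry}) . "." . hex HMAC-SHA256
function forum_cookie_encode(array $forum_ids, $expires, $secret)
{
    $payload = base64_encode(json_encode(array('f' => array_values($forum_ids), 'e' => (int) $expires)));
    return $payload.'.'.hash_hmac('sha256', $payload, $secret);
}

// Returns the forum ids the cookie grants, or array() when the cookie is
// missing, oversized, malformed, tampered with or expired. Every failure is
// a plain "no access", which is what the login box fallback needs.
function forum_cookie_decode($cookie, $secret, $now)
{
    if (!is_string($cookie) || $cookie === '' || strlen($cookie) > FORUM_MAX_COOKIE_SIZE)
        return array();

    $parts = explode('.', $cookie, 2);   // base64 and hex never contain '.'
    if (count($parts) !== 2)
        return array();
    list($payload, $mac) = $parts;

    // Authenticate before parsing anything, with a constant-time comparison.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac))
        return array();

    $raw = base64_decode($payload, true);
    if ($raw === false)
        return array();
    $data = json_decode($raw, true);
    // Shape check: json_decode() returns null on garbage, and a payload
    // that passed the MAC but has the wrong shape is still rejected.
    if (!is_array($data) || !isset($data['f'], $data['e']) || !is_array($data['f']) || !is_int($data['e']))
        return array();
    if ($data['e'] < $now)
        return array();

    return array_values(array_unique(array_map('intval', $data['f'])));
}

// Extend whatever the current cookie grants with one more forum and refresh
// the expiry; the caller passes the result to forum_setcookie().
function forum_cookie_grant($current, $forum_id, $secret, $now, $ttl)
{
    $ids = forum_cookie_decode($current, $secret, $now);
    $ids[] = (int) $forum_id;
    return forum_cookie_encode(array_unique($ids), $now + $ttl, $secret);
}

function forum_cookie_allows($cookie, $forum_id, $secret, $now)
{
    return in_array((int) $forum_id, forum_cookie_decode($cookie, $secret, $now), true);
}

// Constructed walk-through; the secret is a placeholder, not a real seed.
$secret = 'hypothetical-installation-cookie-seed';
$now = time();
$cookie = forum_cookie_grant('', 3, $secret, $now, 3600);
$cookie = forum_cookie_grant($cookie, 7, $secret, $now, 3600);

var_dump(forum_cookie_allows($cookie, 3, $secret, $now));         // a forum that was granted
var_dump(forum_cookie_allows($cookie, 9, $secret, $now));         // a forum that never was
var_dump(forum_cookie_allows($cookie, 3, $secret, $now + 7200));  // the same cookie past its expiry

// Forged payload with a made-up MAC: rejected by hash_equals() before json_decode() runs.
$forged = base64_encode(json_encode(array('f' => array(9), 'e' => $now + 3600))).'.'.str_repeat('0', 64);
var_dump(forum_cookie_allows($forged, 9, $secret, $now));
```

Because the grant list is authenticated rather than derived from the forum password, changing a forum's password does not by itself invalidate cookies issued earlier; if that matters, include a per-forum version number (bumped on password change) in the payload and compare it on decode.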

#7 2015-03-04 11:53:49

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 1,292

Re: Design Advice

Is it really necessary to use the hashed salt as the salt in the hash? I think the entropy of 64 random chars should be enough.
Calculating SHA-512 isn't done for free.

While I can understand what you're saying, it doesn't generally slow it down that much and it is slightly better being hashed. And after managing to get it working with the hash, I really don't want to have to spend another few hours trying to get it working again without being hashed.

All in all it looks okay to me. Did you think about adding to the fluxbb-user-cookie (tainting it) to avoid an additional server request?

I don't really want to merge it with the actual FluxBB cookie to keep them separate, and it's easier for the user installing to just copy/paste a few functions across.

Sorry for the long wait in this being released ... here it is for those interested: https://fluxbb.org/resources/mods/forum-passwords/

Last edited by chris98 (2015-03-04 11:54:12)


#8 2015-03-04 21:26:51

GWR
Member
From: Germany
Registered: 2010-08-06
Posts: 194

Re: Design Advice

Your mod heavily mods the source files (adds code and replaces queries). It also alters existing tables - but you want to keep cookies separate? :P

I think it won't create much trouble when piggybacking on the existing cookie, but nvm ... now it is released and there seems no real need to change the current behaviour.

Thanks for the mod, albeit I do not use it (yet).


bye
Ron
