WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
|
Posted: 07 February 2006 at 1:05pm |
|
Most of the bugs from the current beta version are fixed, but there are some known issues like skins, CSS, db table prefix, etc. that are still to be looked at
|
|
|
 |
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
|
Posted: 07 February 2006 at 1:17pm |
MadDog wrote:
I'm not sure about this, but if someone is browsing a website and their IP changes, doesn't their session ID also reset (even if the browser is left open)?
|
This is very true, but then I came across an article on PhpBB that explained how they got around this issue, so borrowed the idea from them:- http://www.phpbb.com/kb/article.php?article_id=54
By checking only the first 3 quads in the IP address this should prevent issues where the IP address of the user changes from proxy to proxy, but as 3 quads are used (24 bit) this should be enough to deter any hacker from using session ID's to gain access to a forum.
|
|
|
 |
site master
Newbie
Joined: 08 January 2006
Status: Offline
Points: 33
|
Posted: 07 February 2006 at 2:22pm |
|
how the hell did you do this?
|
 |
shovel
Groupie
Joined: 08 November 2001
Location: United States
Status: Offline
Points: 72
|
Posted: 08 February 2006 at 12:52am |
|
I am also using Firefox and have had no problem so far with cookies disabled. Very cool. :)
Jim
|
 |
shovel
Groupie
Joined: 08 November 2001
Location: United States
Status: Offline
Points: 72
|
Posted: 08 February 2006 at 1:03am |
|
No problem with cookie-less login on Opera 8 either. Not sure if it could be related, but the page generation was incredibly slow.
This page was generated in 46.625 seconds.
|
 |
MadDog
Mod Builder Group
Joined: 01 January 2002
Status: Offline
Points: 3008
|
Posted: 08 February 2006 at 4:30am |
-boRg- wrote:
This is very true, but then I came across an article on PhpBB that explained how they got around this issue, so borrowed the idea from them:- http://www.phpbb.com/kb/article.php?article_id=54
By checking only the first 3 quads in the IP address this should prevent issues where the IP address of the user changes from proxy to proxy, but as 3 quads are used (24 bit) this should be enough to deter any hacker from using session ID's to gain access to a forum. |
That still seems like it would leave a big open hole for hackers if they were using the same ISP and their IP was almost identical, but I will trust you and see how it works out.
Edited by MadDog - 08 February 2006 at 4:31am
|
|
|
 |
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
|
Posted: 08 February 2006 at 12:50pm |
|
As you say MadDog, it could be a security risk, but using the security measures mentioned it is only a slight risk, and PhpBB seem to have been using this for quite a while without any issues.
You also have to remember that for most users cookies are used, so it would be very difficult for the hacker to get the session ID and would be the same level of risk as for the present User ID stored in cookies.
For those that don't have cookies enabled, the hacker still has to get hold of the session ID, which would mean getting access to the user's own machine to see the 32 bit session ID appended to URL's in the querystring.
If a user accidentally posts a link in a post etc. with their session ID attached, then it could be a slight security risk, but also combining it with an IP address and the session only being valid for 20 minutes should be adequate protection in most cases.
I will also look for a way that the session ID is stripped from any links the user posts in the forum. This should also add a bit more protection.
|
|
|
 |
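The three measures discussed in the post above (session bound to the first three quads of the IP, 20-minute validity, and stripping session IDs from posted links), as an added Python sketch that is not Web Wiz Forums or phpBB code. The `SID` parameter name, the token format, the in-memory store and the choice to count the 20 minutes from the last request are assumptions made for illustration.

```python
import ipaddress
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SESSION_TTL = 20 * 60   # seconds; counted from the last request (assumption)
SID_PARAM = "SID"       # assumed query-string parameter name
SESSIONS = {}           # token -> {"prefix": IPv4Network, "last_seen": int}
URL_RE = re.compile(r"https?://[^\s\"'<>\]]+")


def ip_prefix(ip):
    """Return the /24 network (first three quads) of an IPv4 address."""
    return ipaddress.ip_network(f"{ipaddress.IPv4Address(ip)}/24", strict=False)


def create_session(client_ip, now):
    """Issue a random token and bind it to the client's /24."""
    token = secrets.token_hex(16)  # 32 hex characters (assumed format)
    SESSIONS[token] = {"prefix": ip_prefix(client_ip), "last_seen": now}
    return token


def validate_session(token, client_ip, now):
    """Accept only a known, unexpired token presented from the same /24."""
    rec = SESSIONS.get(token)
    if rec is None:
        return False
    if now - rec["last_seen"] > SESSION_TTL:
        del SESSIONS[token]        # expired: drop it so it cannot be revived
        return False
    try:
        same_net = ip_prefix(client_ip) == rec["prefix"]
    except ValueError:             # malformed or non-IPv4 address
        return False
    if same_net:
        rec["last_seen"] = now
    return same_net


def strip_session_ids(post_text):
    """Remove the session-ID parameter from every URL in submitted text."""
    def clean(match):
        parts = urlsplit(match.group(0))
        query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                 if k.lower() != SID_PARAM.lower()]
        return urlunsplit(parts._replace(query=urlencode(query)))
    return URL_RE.sub(clean, post_text)
```

Any address in the same /24 passes the IP check, which is the residual risk MadDog raises; the expiry and the link stripping are what limit how long a leaked ID stays usable.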
megetron
Groupie
Joined: 20 September 2004
Status: Offline
Points: 147
|
Posted: 08 February 2006 at 2:33pm |
Cookies system works just fine on IE beta2. I experienced some issues with the "Quick Reply" box.
|
 |