[Topic moved from Bug Reports and renamed by lexikos.]
Same issue as this post viewtopic.php?f=14&t=82158
I'm using 64-bit AHK on 64-bit Windows 10.
Link to discord thread, for extra context:
https://discord.com/channels/115993023636176902/1195022953516118106/1195022953516118106
EDIT: thanks to login token shenanigans, the above message was posted by alfinete, not me. See below.
Login token in URL allows anyone to impersonate a user
Last edited by Qriist on 11 Jan 2024, 13:16, edited 2 times in total.
Re: Keyboard Hook being removed in 64-bit AHK
Sooo REAL Qriist here. Apparently the forum url includes a sid token that just logs people in as you on other systems. Could we, like, nuke that feature so this doesn't happen again?
Re: Login token in URL allows anyone to impersonate a user
Given that the original post was about an issue that clearly already has a Bug Report topic, I have moved this topic to Forum Issues to deal with the login token issue.
I would assume that the SID appearing in a URL is explicitly not "cookie token bs", but a mechanism intended to permit logins without cookies.
In order for someone who is not Qriist to post as Qriist, Qriist must have shared a URL containing the SID. But what were the conditions that caused the SID to be present in the first place?
Re: Login token in URL allows anyone to impersonate a user
@lexikos Thanks for moving this. I will have a look immediately. And you're correct it's part of a security feature apparently. It looks like this is a default behaviour if cookies are disabled/disallowed, but could be mitigated with IP address validation.
@tank FYI. Here's what I'm looking at currently.
https://www.phpbb.com/community/viewtopic.php?t=2549911
https://www.phpbb.com/support/docs/en/3.2/kb/article/fixing-incorrect-cookie-settings
EDIT: I've turned on Session IP Validation, and changed cookies to expire after 30 days, but you'll notice an sid in the url when just logging in. Otherwise, you shouldn't see it while browsing the forums if the cookies are working correctly.
Windows 10 x64 Professional, Intel i5-8500, NVIDIA GTX 1060 6GB, 2x16GB Kingston FURY Beast - DDR4 3200 MHz | [About Me] | [About the AHK Foundation] | [Courses on AutoHotkey]
[ASPDM - StdLib Distribution] | [Qonsole - Quake-like console emulator] | [LibCon - Autohotkey Console Library]
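Added example (not code from the AutoHotkey forum, phpBB, or any poster in this thread): a minimal model of a URL-carried session id, showing why a shared link that still contains `sid=` logs the recipient in as the original user, how binding the session to the client address (the idea behind phpBB's Session IP Validation option mentioned above) stops that, and a helper that strips `sid` from a link before it is pasted somewhere. Class and function names are hypothetical; the addresses and session ids are constructed sample values.

```python
"""Hypothetical session model illustrating the sid-in-URL problem and two mitigations."""
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


class SessionStore:
    """In-memory session table: sid -> (username, client_ip at login)."""

    def __init__(self, validate_ip=False):
        # validate_ip mirrors the "Session IP Validation" switch: when on,
        # a session only resolves from the address it was created from.
        self.validate_ip = validate_ip
        self._sessions = {}

    def login(self, username, client_ip):
        sid = secrets.token_hex(16)  # unguessable, but still a bearer token
        self._sessions[sid] = (username, client_ip)
        return sid

    def resolve(self, sid, client_ip):
        """Return the user owning `sid`, or None if unknown or bound to another address."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        username, bound_ip = entry
        if self.validate_ip and bound_ip != client_ip:
            return None  # same sid, different client: treat as not logged in
        return username


def strip_sid(url):
    """Remove the `sid` query parameter so a pasted forum link carries no session."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() != "sid"]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def share_link_outcome(validate_ip):
    """Simulate: user logs in, copies a URL containing sid, someone else opens it."""
    store = SessionStore(validate_ip=validate_ip)
    sid = store.login("alice", "198.51.100.10")  # constructed RFC 5737 address
    shared = f"https://forum.example/viewtopic.php?f=14&t=82158&sid={sid}"
    # The recipient is on a different machine, so a different source address.
    recipient_sid = dict(parse_qsl(urlsplit(shared).query))["sid"]
    return store.resolve(recipient_sid, "203.0.113.7")


if __name__ == "__main__":
    print("without IP validation, recipient resolves as:", share_link_outcome(False))
    print("with IP validation, recipient resolves as:", share_link_outcome(True))
    print(strip_sid("https://forum.example/viewtopic.php?f=14&t=82158&sid=deadbeef"))
```

Note that address binding only narrows the window (a recipient behind the same NAT or proxy still shares the address); the stronger fix is keeping the session in a cookie so the sid never lands in a URL that can be copied, which is what the cookie-setting checks linked above are about.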