• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

RandomNess of cookie

 
Ranch Hand
Posts: 17424
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hello.

I had a probleme that made me use an old backup of my forum.

Yet one user (Call him A) which has registered after the backup (but before the restore) came back.

Of course his account didn't exist anymore. but this user was identified as another user (Call him B) (which registered after the restore).

I hope I made myself clear, it isn't easy.

My guess is the following:

When B registered he got the same user Id as A did.

When A came back he got autologed by the cookie which happen to be the same.

My question is: how is the cookie generated, I feel there's some security issue behind. Either the randomness is to low, or the server generate the same cookie for a given Id, which would enable someone to guess the cookie and login with any account.

I think there was some ramdon hash we have to change when installing, maybe it is used for generating the cookies. In this case, the problem would mainly be in case of restore.

Any comment about that?
[originally posted on jforum.net by pala]
 
Migrated From Jforum.net
Ranch Hand
Posts: 17424
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Yes, there is a hash. It works like that:

In SystemGlobals.properties, you have a property named user.hash.sequence, that is used to scramble user's cookie when he choose to automatically log in.

JForum has 3 cookies for this situation:

jforumUserId - stores the user id
jforumAutoLogin - auto login or not
jforumUserHash - the trick: a md5 hash, calculated upon "user.hash.sequence" and the user's id.

When the user comes back, JForum gets your private hash (user.hash.sequence), the user id from the cookie, calculates the hash and matches it against the value of "jforumUserHash" cookie. If it get a match, the user is "logged in"

So, in order to happen this issue you related, you should be using a relatively old JForum release, or having the same user.sequence.hash in both installations.

Rafael
[originally posted on jforum.net by Rafael Steil]
 
Migrated From Jforum.net
Ranch Hand
Posts: 17424
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
In fact I had to restore an old database of the forum.

I didn't thought of changing the user.hash.sequence.

What would happen if I change the hash on an existing database? will user loose the automatic log-in?

[originally posted on jforum.net by pala]
 
Migrated From Jforum.net
Ranch Hand
Posts: 17424
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Yes, if you change the hash, automatic login will fail for existing hashes, so the user will have to log in again.

Anyway, it's not your fault this happening, as JForum lacks good documentation, situation I'm trying to fix up, with http://www.jforum.net/confluence


Rafael
[originally posted on jforum.net by Rafael Steil]
 
reply
    Bookmark Topic Watch Topic
  • New Topic