phpBB currently supports authentication, and therefore sessions, both with and without cookies. As a result, the session ID is appended to URLs for guest sessions and whenever cookies do not work, and every generated link has to pass through append_sid() to avoid accidentally logging users out.
To improve the security of sessions in phpBB, we should follow the recommendations set out by OWASP and rely purely on cookies:
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
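As an added illustration (not phpBB's own code, and not a proposed patch), the following contrasts the URL-carried session ID that append_sid() propagates today with a cookie-only session configured along the lines of the OWASP cheat sheet. It uses PHP's native session_* functions and illustrative helper names (append_sid_insecure, start_cookie_only_session, build_url, and the cookie name phpbb_sid) rather than phpBB's own session class, so the configuration keys shown are PHP's, not phpBB's:

```php
<?php
// Added example, not phpBB code. Illustrative helper names; PHP native sessions
// stand in for phpBB's session class to show the two behaviours side by side.
declare(strict_types=1);

/**
 * Weak pattern: when the client has no working cookie, carry the session ID
 * in the query string. The SID then leaks through Referer headers, browser
 * history, bookmarks and proxy/server logs, and session fixation becomes
 * trivial: an attacker hands the victim a link with an attacker-chosen sid.
 */
function append_sid_insecure(string $url, string $sid, bool $cookie_works): string
{
    if ($cookie_works) {
        return $url;
    }
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . 'sid=' . rawurlencode($sid);
}

/**
 * Cookie-only pattern: the session ID never appears in a URL. It is carried
 * solely in a cookie with Secure, HttpOnly and SameSite set, the server
 * refuses to adopt an ID supplied in the query string, and the ID is rotated
 * when the session is first established to defeat fixation.
 */
function start_cookie_only_session(string $cookie_name = 'phpbb_sid'): void
{
    // Never adopt a session ID that arrives in the URL.
    unset($_GET['sid']);

    session_name($cookie_name);
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript (limits XSS impact)
        'samesite' => 'Lax',    // not sent on cross-site POST requests
    ]);
    ini_set('session.use_only_cookies', '1'); // reject session IDs passed in URLs
    ini_set('session.use_trans_sid', '0');    // never rewrite links to include the SID
    ini_set('session.use_strict_mode', '1');  // reject uninitialised (attacker-chosen) IDs

    session_start();

    // Rotate the identifier the first time this session is used, and again
    // on any privilege change such as login.
    if (empty($_SESSION['initialised'])) {
        session_regenerate_id(true);
        $_SESSION['initialised'] = true;
    }
}

/**
 * With cookie-only sessions a link needs no SID at all, so the append_sid()
 * step disappears; a client without cookies simply has no authenticated session.
 */
function build_url(string $url): string
{
    return $url;
}

// Usage sketch (constructed values):
// append_sid_insecure('/viewtopic.php?t=1', 'abc123', false)
//   yields '/viewtopic.php?t=1&sid=abc123', the SID now exposed in the URL.
// start_cookie_only_session(); echo build_url('/viewtopic.php?t=1');
//   yields '/viewtopic.php?t=1', the SID travelling only in the phpbb_sid cookie.
```

The practical consequence for the change proposed above is that links generated without append_sid() stop being a logout hazard, because the server no longer depends on the URL to identify the session; the remaining work is making sure no code path accepts a sid query parameter at all.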
Issue links:
- caused: PHPBB-17022 Link to SQL Report page is generated incorrectly (Closed)
- is related to: PHPBB-16825 Adjust handling of session ID when requiring cookies (Unverified Fix)