phpBB3 / PHPBB3-16207

Require cookies for sessions

    Details

    • Type: Improvement
    • Status: Unverified Fix
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.3.0-b1, 3.2.8
    • Fix Version/s: 4.0.0-a1
    • Component/s: Sessions
    • Labels: None

      Description

      phpBB currently supports authentication, and therefore the use of sessions, with and without cookies. This results in the session ID being added to URLs on guest sessions and when cookies do not work, as well as the requirement to use append_sid() to prevent users from being accidentally logged out.

      In order to improve the security of sessions in phpBB, we should follow the recommendations set forth by OWASP and purely rely on cookies:

      https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
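
An added illustration, not phpBB's own code: a PHP 8 sketch contrasting a session-ID lookup that falls back to the URL with a cookie-only lookup, plus a helper that removes a `sid` parameter from legacy links. The function names, the cookie name `phpbb3_example_sid`, the 32-hex-character ID format and the sample request are assumptions constructed for this example.

```php
<?php
// Added example; not phpBB code. Names and sample values are constructed.
const SID_COOKIE = 'phpbb3_example_sid';   // assumed cookie name

// Accept only a well-formed ID: 32 lowercase hex characters (assumed format).
function valid_sid(mixed $sid): bool
{
    return is_string($sid) && preg_match('/\A[a-f0-9]{32}\z/', $sid) === 1;
}

// Behaviour the ticket describes today: cookie first, then ?sid= from the URL.
function sid_with_url_fallback(array $cookies, array $query): ?string
{
    $sid = $cookies[SID_COOKIE] ?? $query['sid'] ?? null;
    return valid_sid($sid) ? $sid : null;
}

// Cookie-only behaviour: a sid carried in the URL is never honoured.
function sid_cookie_only(array $cookies): ?string
{
    $sid = $cookies[SID_COOKIE] ?? null;
    return valid_sid($sid) ? $sid : null;
}

// Remove a sid parameter from a link so old URLs stop carrying the ID
// into bookmarks, server logs and Referer headers.
function strip_sid(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['query'])) {
        return $url;                       // nothing to strip
    }
    parse_str($parts['query'], $params);
    unset($params['sid']);
    $base     = strstr($url, '?', true);   // everything before the query
    $query    = http_build_query($params);
    $fragment = isset($parts['fragment']) ? '#' . $parts['fragment'] : '';
    return $base . ($query !== '' ? '?' . $query : '') . $fragment;
}

// Constructed request: no session cookie, but a sid embedded in the link.
$link = 'https://forum.example/viewtopic.php?t=42&sid=' . str_repeat('ab', 16) . '#p7';
parse_str(parse_url($link, PHP_URL_QUERY), $query);

var_dump(sid_with_url_fallback([], $query)); // URL fallback path
var_dump(sid_cookie_only([]));               // cookie-only path
var_dump(strip_sid($link));                  // link with the sid removed
```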

              People

              Assignee:
              Marc Marc
              Reporter:
              Marc Marc