Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.3.0-b1, 3.2.8
    • Fix Version/s: 4.0.0-a1
    • Component/s: Sessions
    • Labels:
      None

      Description

      phpBB currently supports authentication, and therefore the use of sessions, with and without cookies. This results in the session ID being added to URLs on guest sessions and when cookies do not work, as well as the requirement to use append_sid() to prevent users from being accidentally logged out.

      In order to improve the security of sessions in phpBB, we should follow the recommendations set forth by OWASP and purely rely on cookies:

      https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
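
An added example, not part of the ticket or of phpBB's code: a small audit that measures how often session IDs reach web server logs through URLs, which is the exposure the cookie-only proposal removes. It assumes the combined access log format and that the session ID is a 32-character hex value in a `sid` query parameter; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: session IDs are 32 hex characters carried in a "sid" parameter.
SID_RE = re.compile(r"[0-9a-f]{32}")
# Combined log format: "METHOD target PROTO" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)

# Constructed sample input (documentation addresses and host names).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /viewtopic.php?t=42'
    '&sid=0123456789abcdef0123456789abcdef HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048 '
    '"https://forum.example/viewforum.php?f=2&sid=fedcba9876543210fedcba9876543210" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /styles/main.css HTTP/1.1" 200 900 '
    '"https://forum.example/index.php" "Mozilla/5.0"',
]


def sids_in_url(url):
    """Return session IDs found in the query string of a URL or request target."""
    query = urlsplit(url).query
    return [value for key, value in parse_qsl(query, keep_blank_values=True)
            if key == "sid" and SID_RE.fullmatch(value)]


def audit(lines):
    """Map each exposed session ID to where it was logged: 'request' and/or 'referer'."""
    exposed = {}
    for line in lines:
        match = LINE_RE.search(line)
        if not match:
            continue  # not a combined-format line
        for group, label in (("target", "request"), ("referer", "referer")):
            for sid in sids_in_url(match.group(group)):
                exposed.setdefault(sid, set()).add(label)
    return exposed


if __name__ == "__main__":
    for sid, places in sorted(audit(SAMPLE_LOG).items()):
        # Print only a prefix so the report does not itself re-expose the ID.
        print(f"{sid[:6]}... seen in: {', '.join(sorted(places))}")
```

With cookie-only sessions the result of `audit()` on new traffic should be empty, which makes this usable as a regression check after migration.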

            People

            • Assignee:
              Unassigned
              Reporter:
              Marc Marc
            • Votes:
              0
              Watchers:
              2