  1. phpBB3
  2. PHPBB3-16825

Adjust handling of session ID when requiring cookies

    Details

    • Type: Improvement
    • Status: Unverified Fix
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.0.0-a1
    • Component/s: Sessions
    • Labels:
      None

      Description

      This is a follow-up ticket to the previous change of requiring cookies for sessions. Changes that should be included in this are mainly for better UX and also to ensure previously expected CSRF with forced session IDs is still valid with the new approach that does not use session IDs in URLs anymore.

      These include, among others:

      • Ensure login / logout is properly checked
      • Ensure simple actions like marking of forums, subscribing, etc. are properly secured
      • Default to having "Remember me" enabled
      • Do not retrieve "sid" in URL unless force_sid is being used


              People

              Assignee:
              Marc Marc
              Reporter:
              Marc Marc