
Replaying logins


Details

    Description

      I noticed on the phpBB.com forum that I could log out, and if I hit the back button in Safari a few times, I could replay my original login by POSTing the form again.

      I think that some sort of one-time use token, like a nonce, should be used to guard against this sort of thing. It would require the login form to be reloaded every time, meaning that someone using a browser button to go back and POST again would get an error, even if the username and password submitted were correct.

      Or, the form token system, with a short expiry time, such as 3-5 minutes, would also work OK. Just something that prevents a token from being used twice after a period of time.
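An added example, not phpBB's own code, of the one-time, short-expiry form token suggested above: each rendered login form gets a fresh token, and a POST is accepted only if its token is unexpired and has not already been consumed, so a replayed POST fails even with correct credentials. A dict stands in for the visitor's session, the clock is injectable, and the names `LoginFormTokens` and `handle_login_post` are hypothetical.

```python
import hmac
import secrets
import time


class LoginFormTokens:
    """Single-use, time-limited tokens for a login form (hypothetical helper)."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds      # 5 minutes, within the 3-5 minute range proposed
        self.clock = clock          # injectable so expiry can be tested deterministically
        self._issued = {}           # token -> issue time; stands in for session storage

    def issue(self):
        """Call when rendering the form; embed the result as a hidden field."""
        token = secrets.token_urlsafe(32)
        self._issued[token] = self.clock()
        self._purge()
        return token

    def consume(self, submitted):
        """Return True exactly once per valid, unexpired token; False otherwise."""
        self._purge()
        if not isinstance(submitted, str) or not submitted.isascii():
            return False
        match = None
        for token in self._issued:
            if hmac.compare_digest(token, submitted):   # timing-safe comparison
                match = token
        if match is None:
            return False
        del self._issued[match]   # one-time use: a replayed POST with this token fails
        return True

    def _purge(self):
        now = self.clock()
        for token in [t for t, at in self._issued.items() if now - at > self.ttl]:
            del self._issued[token]


def handle_login_post(tokens, form, credentials_ok):
    """Check the token before the credentials, so a stale form is rejected outright."""
    if not tokens.consume(form.get("form_token")):
        return "error: login form expired, please reload it"
    if not credentials_ok(form.get("username"), form.get("password")):
        return "error: bad username or password"
    return "logged in"
```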


          People

            CHItA
            Dog Cow
