Started by uglybunz, October 02, 2013, 09:50:41 AM
Guest
September 30, 2013, 22:54:09
47f704b6f3a98b57d8eb439ef526c15a
Type of error: Undefined
hxxp://smf.obfuscated.org/index.php?action=login
8: Undefined index: permissions
File: /usr/home/ewebb/smf-experimental/Sources/Security.php
Line: 831

Guest
September 30, 2013, 22:54:09
47f704b6f3a98b57d8eb439ef526c15a
Type of error: General
hxxp://smf.obfuscated.org/index.php?action=login
2: in_array() expects parameter 2 to be array, null given
File: /usr/home/ewebb/smf-experimental/Sources/Security.php
Line: 831
Quote
So, is it a bug? In my opinion it is, as SMF could easily recover from the above situation by clearing the problematic cookie and logging something more meaningful in the log, in case someone is trying to hack authentication in some way. It seems to me that the above scenario was not anticipated by SMF's programmers.

Current behaviour: Login attempts or password reset attempts by users with 'bogus' cookies cause inexplicable authentication errors or failures. Undefined or meaningless errors are logged. The users experiencing the problem have no idea why they can't log in, especially if they are unaware that maintenance work has been carried out.

Suggested behaviour: SMF should recognise when an invalid cookie with the 'correct' Cookie Name is presented, and log an obvious security message and the IP of the user. Then it should clear the problematic cookie and allow the user to proceed to authentication.
Quote from: Kindred on February 17, 2016, 06:40:12 AM
but your issue is a ONE TIME occurrence. The situation described by the OP ONLY happens after a backup and restore... If you only did it once, then while it may happen, it is not an ongoing thing.
Quote from: Kindred on February 18, 2016, 07:50:59 AM
it is a one time occurrence. It ONLY happens if you take a backup and then restore it with active sessions in the table and don't change the cookie name (most of the time, a large upgrade from major to major version DOES change the cookie name, and upgrades from minor to minor version can and should be done using the patch files in the package manager, not the large upgrade)
// !!! Maybe change the cookie name if going to 1.1, too?

// Update Settings.php with the new settings.
changeSettings($changes);
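
The behaviour suggested in the quoted post above (recognise the invalid cookie, log a security message with the IP, clear the cookie, let the user proceed to login), as an added example that is not part of the thread and is not SMF's code. The function name, the callables passed to it, and the sample cookie name and values are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not SMF code): resolve the login cookie to a user record,
// or fall back to guest when the cookie does not map to a usable session, so a
// missing 'permissions' key never reaches in_array().
function resolve_login_cookie(
    array $cookies,          // e.g. $_COOKIE
    string $cookieName,      // the forum's configured cookie name
    callable $findSession,   // fn(string $value): ?array, assumed session lookup
    callable $logSecurity,   // fn(string $message): void
    callable $expireCookie,  // fn(string $name): void, e.g. wraps setcookie()
    string $remoteIp
): array {
    $guest = ['is_guest' => true, 'permissions' => []];
    if (!isset($cookies[$cookieName]) || !is_string($cookies[$cookieName])) {
        return $guest; // no cookie presented: ordinary guest
    }
    $user = $findSession($cookies[$cookieName]);
    // After a backup and restore, a cookie with the right name may point at a
    // session that no longer loads cleanly; require a well-formed record.
    if (!is_array($user) || !is_array($user['permissions'] ?? null)) {
        $logSecurity(sprintf(
            'Invalid login cookie "%s" presented from %s; cookie cleared',
            $cookieName,
            $remoteIp
        ));
        $expireCookie($cookieName);
        return $guest; // user proceeds to the normal login form
    }
    return ['is_guest' => false] + $user;
}

// Constructed sample run: a stale cookie whose session record has no permissions.
$log = [];
$cleared = [];
$user = resolve_login_cookie(
    ['SMFCookie_demo' => 'stale-value'],
    'SMFCookie_demo',
    fn(string $v): ?array => ['id' => 7],
    function (string $m) use (&$log): void { $log[] = $m; },
    function (string $n) use (&$cleared): void { $cleared[] = $n; },
    '192.0.2.10'
);
var_dump($user['is_guest'], $log, $cleared);
```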