Simple Machines Blogs > Developers' Blog

SMF 2.0.16+ cookie changes


Sesquipedalian:
Hello all!

With SMF 2.0.16 we have introduced an important security change for our cookies. This change will also be in the next release of SMF 2.1.

We now generate an HMAC for parts of the cookie using an authentication secret only known by the server. This prevents forgeries of the cookie by any would-be attacker.

This change breaks backwards compatibility with cookies for 2.0.15 and below. Therefore, integrations and modifications that need to tap into SMF's cookie will need to be updated.

To support both the new and the old cookie hashes, you may use this code:


require_once($sourcedir . '/Load.php');

// Use strong cookie hash (2.0.16+): the old hash wrapped in an HMAC keyed with the server-only authentication secret
if (function_exists('get_auth_secret'))
    $hashed_password = hash_hmac('sha1', sha1($user_info['passwd'] . $user_info['password_salt']), get_auth_secret());
// Fallback for older versions (2.0.15 and below): plain sha1 of the stored password hash and salt
else
    $hashed_password = sha1($user_info['passwd'] . $user_info['password_salt']);


The get_auth_secret() function, which is part of Load.php, was introduced in 2.0.16 to ease the generation and retrieval of the authentication secret. If that function exists, your code will know that it should use the new password hash in the cookie. If it does not, your code should use the old hash.

Because we know that not all mods can be updated immediately, we've included a setting in the 2.0.16 admin control panel to allow the admin to disable the new cookie security for the sake of backwards compatibility with outdated mods. This setting is only available when a mod that uses the 'integrate_verify_user' hook is installed. This setting will be removed in future versions of SMF; it is only intended as a stop-gap measure until mod authors have time to update their code.

Thanks for reading!
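
To make the difference between the two schemes concrete, here is an added stand-alone example (not SMF's own code and not part of the original post). It builds both cookie hashes from constructed sample values, uses a locally generated $auth_secret to stand in for get_auth_secret(), and verifies a presented value in constant time with hash_equals(); the helper names (legacy_cookie_hash, strong_cookie_hash, expected_cookie_hash, cookie_hash_matches) are hypothetical.

```php
<?php
// Added example, not SMF code. All sample values are constructed.

// Old (2.0.15 and below) scheme: derived only from values stored in the members table.
function legacy_cookie_hash(string $passwd, string $salt): string
{
    return sha1($passwd . $salt);
}

// New (2.0.16+) scheme: the legacy hash wrapped in an HMAC keyed with the
// server-side authentication secret (what get_auth_secret() returns in SMF).
function strong_cookie_hash(string $passwd, string $salt, string $auth_secret): string
{
    return hash_hmac('sha1', legacy_cookie_hash($passwd, $salt), $auth_secret);
}

// Mirrors the fallback logic from the post: use the HMAC when a secret is
// available, otherwise the legacy hash.
function expected_cookie_hash(array $user_info, ?string $auth_secret): string
{
    if ($auth_secret !== null)
        return strong_cookie_hash($user_info['passwd'], $user_info['password_salt'], $auth_secret);
    return legacy_cookie_hash($user_info['passwd'], $user_info['password_salt']);
}

// Compare in constant time so the comparison's timing does not leak the expected value.
function cookie_hash_matches(string $presented, string $expected): bool
{
    return hash_equals($expected, $presented);
}

// Constructed sample data standing in for $user_info as loaded by SMF.
$user_info = [
    'passwd'        => sha1('examplepassword'), // stored password hash (constructed)
    'password_salt' => 'abc123',                // stored salt (constructed)
];
$auth_secret = bin2hex(random_bytes(32));      // stands in for get_auth_secret()

$expected = expected_cookie_hash($user_info, $auth_secret);

// A value computed from the stored hash and salt alone (no server secret) no longer verifies,
// which is the forgery the new scheme is meant to prevent.
$without_secret = legacy_cookie_hash($user_info['passwd'], $user_info['password_salt']);

echo 'genuine cookie value: ', cookie_hash_matches($expected, $expected) ? 'verified' : 'rejected', PHP_EOL;
echo 'value built without the secret: ', cookie_hash_matches($without_secret, $expected) ? 'verified' : 'rejected', PHP_EOL;
```

hash_equals() requires PHP 5.6 or later; a mod that must run on older PHP needs its own constant-time comparison.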

Skhilled:
Thanks for your hard work. :)

Rock Lee:
Thanks for all the work, I think so far I don't use any mod that uses those lines (I have to see if any will give problems).

Regards!

Rob Lightbody:
Thanks for this post. It explains why my Coppermine Gallery has stopped working.

I want to temporarily use your function to disable the new cookie security, to allow me to get Coppermine updated. I can see the checkbox "Use basic cookie authentication", but it's disabled?

Keep up the good work team, and thanks for the support so far.

Shambles:

--- Quote ---... I can see the checkbox "Use basic cookie authentication", but it's disabled? ...

--- End quote ---

Indeed, the new cookie stuff seems to have disabled TapaTalk access. How is this new authentication checkbox controlled?
