Author Topic: SMF 2.0.16+ cookie changes  (Read 5628 times)

Offline Sesquipedalian

  • The Mad Doctor
  • Lead Developer
  • Sophist Member
  • *
  • Posts: 1,126
  • Gender: Male
  • It works! ... in theory.
    • Sesquipedalian on GitHub
SMF 2.0.16+ cookie changes
« on: December 28, 2019, 03:31:53 AM »
Hello all!

With SMF 2.0.16 we have introduced an important security change for our cookies. This change will also be in the next release of SMF 2.1.

We now generate an HMAC for parts of the cookie using an authentication secret only known by the server. This prevents forgeries of the cookie by any would-be attacker.

This change breaks backwards compatibility with cookies for 2.0.15 and below. Therefore, integrations and modifications that need to tap into SMF's cookie will need to be updated.

To support both the new and the old cookie hashes, you may use this code:


require_once($sourcedir . '/Load.php');

// Use strong cookie (2.0.16+): HMAC of the legacy hash, keyed with the server-side auth secret
if (function_exists('get_auth_secret'))
	$hashed_password = hash_hmac('sha1', sha1($user_info['passwd'] . $user_info['password_salt']), get_auth_secret());
// Fallback for older versions (2.0.15 and below): plain SHA-1, no secret involved
else
	$hashed_password = sha1($user_info['passwd'] . $user_info['password_salt']);


The get_auth_secret() function, which is part of Load.php, was introduced in 2.0.16 to ease the generation and retrieval of the authentication secret. If that function exists, your code will know that it should use the new password hash in the cookie. If it does not, your code should use the old hash.

Because we know that not all mods can be updated immediately, we've included a setting in the 2.0.16 admin control panel to allow the admin to disable the new cookie security for the sake of backwards compatibility with outdated mods. This setting is only available when a mod that uses the 'integrate_verify_user' hook is installed. This setting will be removed in future versions of SMF; it is only intended as a stop-gap measure until mod authors have time to update their code.

Thanks for reading!
I promise you nothing.

Sesqu... Sesqui... what?
Sesquipedalian, the best word in the English language.
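Added worked example (my own code, not SMF's) that models the two cookie hash schemes the post above describes and verifies a presented cookie hash against the expected one in constant time. It assumes a stand-in `$user` array in place of SMF's `$user_info`, passes the secret in explicitly instead of calling the real `get_auth_secret()`, and the function names `legacy_cookie_hash`, `hmac_cookie_hash`, `cookie_hash` and `cookie_hash_matches` are mine:

```php
<?php
// Added example, not SMF's own code. Models the cookie password hash used by
// SMF 2.0.15 and below versus 2.0.16+, and checks a presented cookie hash
// against the expected one with a constant-time comparison.
//
// Assumed/constructed: the $user array (stand-in for SMF's $user_info), the
// secret values, and all function names below. SMF's real get_auth_secret()
// is only described in the post; here the secret is simply passed in.

declare(strict_types=1);

/** Pre-2.0.16 scheme: no server-side secret involved. */
function legacy_cookie_hash(string $passwd, string $salt): string
{
    return sha1($passwd . $salt);
}

/** 2.0.16+ scheme: HMAC of the legacy hash, keyed with the auth secret. */
function hmac_cookie_hash(string $passwd, string $salt, string $auth_secret): string
{
    return hash_hmac('sha1', sha1($passwd . $salt), $auth_secret);
}

/**
 * Picks the scheme the way the post's snippet does: use the HMAC when an
 * auth secret is available, otherwise fall back to the legacy hash.
 */
function cookie_hash(array $user, ?string $auth_secret): string
{
    return $auth_secret !== null
        ? hmac_cookie_hash($user['passwd'], $user['password_salt'], $auth_secret)
        : legacy_cookie_hash($user['passwd'], $user['password_salt']);
}

/** Compare the hash presented in a cookie with the expected one in constant time. */
function cookie_hash_matches(string $expected, string $presented): bool
{
    return hash_equals($expected, $presented);
}

// Constructed sample data. 'passwd' stands in for the stored password hash
// SMF keeps in $user_info['passwd']; it is not a plaintext password.
$user = [
    'passwd'        => sha1('constructed-stored-hash'),
    'password_salt' => 'abcd',
];
$auth_secret = bin2hex(random_bytes(32)); // stand-in for get_auth_secret()

// What the server expects to see in a valid 2.0.16+ cookie.
$expected = cookie_hash($user, $auth_secret);

// A cookie built with the legacy formula, i.e. without the secret, as an
// outdated mod (or anyone without server access) would produce it.
$legacy_only = cookie_hash($user, null);
echo 'legacy-formula cookie accepted: ',
    var_export(cookie_hash_matches($expected, $legacy_only), true), PHP_EOL;

// A cookie built with the correct secret.
echo 'HMAC cookie accepted:           ',
    var_export(cookie_hash_matches($expected, cookie_hash($user, $auth_secret)), true), PHP_EOL;

// The same user data under a different installation's secret.
$other_secret = bin2hex(random_bytes(32));
echo 'other-secret cookie accepted:   ',
    var_export(cookie_hash_matches($expected, cookie_hash($user, $other_secret)), true), PHP_EOL;
```

Run it with `php example.php`. The point it makes is the one in the post: because the 2.0.16+ hash is keyed with a secret that never leaves the server, knowing a user's stored password hash and salt is no longer enough to produce a cookie the server accepts, which is also why an integration still computing the legacy `sha1()` value stops validating after the upgrade. `hash_equals()` is used rather than `==` so that a comparison against a wrong value does not leak timing information.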

Offline Skhilled

  • Full Member
  • ***
  • Posts: 513
  • Gender: Male
  • When you stop learning, you stop living!
    • Crip Zone Themes
Re: SMF 2.0.16+ cookie changes
« Reply #1 on: December 28, 2019, 09:05:03 AM »
Thanks for your hard work. :)

Offline Rock Lee

  • Native Language Support Specialist
  • SMF Hero
  • *
  • Posts: 3,652
  • Gender: Male
  • Learning more every day!
    • BomberCode.Oficial on Facebook
    • RockLee-BC on GitHub
    • @Bomber_Code on Twitter
    • Bomber Code ~ La nueva era del conocimiento
Re: SMF 2.0.16+ cookie changes
« Reply #2 on: December 28, 2019, 09:01:19 PM »
Thanks for all the work, I think so far I don't use any mod that uses those lines (I have to see if any will give problems).


Regards!
Returning like a Phoenix! ~ Bomber Code © 2020
Help - Contributions - Tutorials - And much more!!!

Offline Rob Lightbody

  • Charter Member
  • Jr. Member
  • *
  • Posts: 172
  • Gender: Male
  • Rob Lightbody, QE2 Story Forum administrator
    • The QE2 Story
Re: SMF 2.0.16+ cookie changes
« Reply #3 on: December 29, 2019, 11:58:22 AM »
Thanks for this post.  It explains why my Coppermine Gallery has stopped working.

I want to temporarily use your function to disable the new cookie security, to allow me to get Coppermine updated - I can see the checkbox "Use basic cookie authentication" but it's disabled?

Keep up the good work team, and thanks for the support so far.

Offline Shambles

  • SMF Hero
  • ******
  • Posts: 5,495
  • Gender: Male
    • i30 Owners Club
Re: SMF 2.0.16+ cookie changes
« Reply #4 on: December 29, 2019, 04:19:41 PM »
Quote
... I can see the checkbox "Use basic cookie authentication" but its disabled ? ...

Indeed - the new cookie stuff seems to have disabled TapaTalk access.  How is this new authentication checkbox controlled?

Offline SleePy

  • Let there be light!
  • Site Team Lead
  • SMF Master
  • *
  • Posts: 30,596
  • Gender: Male
  • That's his happy face.
    • jdarwood007 on GitHub
    • @jdarwood on Twitter
    • SleePy Code - My personal site
Re: SMF 2.0.16+ cookie changes
« Reply #5 on: December 29, 2019, 04:58:10 PM »
The setting is only supposed to be enabled if another integration has triggered 'integrate_verify_user'.
You can directly add it to your Settings.php though to bypass this:
Code: [Select]
$cookie_no_auth_secret = true;

You will be logged out again after changing this.
Jeremy D — Site Team / SMF Developer
Support the SMF Support team!
Profiles:
GitHub

Offline rbradbury

  • Newbie
  • *
  • Posts: 3
Re: SMF 2.0.16+ cookie changes
« Reply #6 on: December 29, 2019, 05:25:02 PM »
Thanks for the quick reply.

I added the code to Settings.php but the 'Use basic cookie authentication' checkbox remained greyed out.

Offline GL700Wing

  • Full Member
  • ***
  • Posts: 492
  • Gender: Female
Re: SMF 2.0.16+ cookie changes
« Reply #7 on: December 29, 2019, 06:45:54 PM »
Quote
The setting is only supposed to be enabled if another integration has triggered 'integrate_verify_user'.
You can directly add it to your Settings.php though to bypass this:
Code: [Select]
$cookie_no_auth_secret = true;

You will be logged out again after changing this.

I made this change via Administration Center » Server Settings » Cookies and Sessions in the hope of also getting my Coppermine bridge to work again, but now whenever I try to log in to SMF I get the error message "You were unable to login. Please check your cookie settings."

The only way I could get back into my forum was to manually edit Settings.php and remove/comment out the line $cookie_no_auth_secret = 1;.


Edit: On another forum enabling this setting did not cause any issues as far as logging into SMF was concerned but it didn't resolve the Coppermine bridging issue ...
« Last Edit: December 29, 2019, 07:11:41 PM by GL700Wing »
Life doesn't have to be perfect to be wonderful ...

Offline lurkalot

  • Support Specialist
  • SMF Hero
  • *
  • Posts: 1,644
  • Gender: Male
  • Tinyportal Support
    • guitaristguild on Facebook
    • Tinyportal on GitHub
    • @GuitaristGuild on Twitter
    • Guitarist Guild
Re: SMF 2.0.16+ cookie changes
« Reply #8 on: December 29, 2019, 07:18:56 PM »
Quote
The setting is only supposed to be enabled if another integration has triggered 'integrate_verify_user'.
You can directly add it to your Settings.php though to bypass this:
Code: [Select]
$cookie_no_auth_secret = true;

You will be logged out again after changing this.
I made this change via Administration Center » Server Settings » Cookies and Sessions in the hope of also getting my Coppermine bridge to work again, but now whenever I try to log in to SMF I get the error message "You were unable to login. Please check your cookie settings."

The only way I could get back into my forum was to manually edit Settings.php and remove/comment out the line $cookie_no_auth_secret = 1;.


Edit: On another forum enabling this setting did not cause any issues as far as logging into SMF was concerned but it didn't resolve the Coppermine bridging issue ...

Regarding the Coppermine bridge.  There are two new bridge files you can download to resolve this, uploaded tonight.  One for Coppermine 1.5.x https://forum.coppermine-gallery.net/index.php/topic,80028.msg387612.html#msg387612

and one for Coppermine 1.6.x https://forum.coppermine-gallery.net/index.php/topic,77951.msg387613.html#msg387613

Offline KittyGalore

  • Charter Member
  • Semi-Newbie
  • *
  • Posts: 58
    • Big Brother TV Backup
Re: SMF 2.0.16+ cookie changes
« Reply #9 on: December 29, 2019, 07:27:09 PM »
Quote
Thanks for the quick reply.

I added the code to Settings.php but the 'Use basic cookie authentication' checkbox remained greyed out

If you change it from disabled to enabled in ManageServer.php it won't be greyed out.
SMF Curve 2.0x

Offline GL700Wing

  • Full Member
  • ***
  • Posts: 492
  • Gender: Female
Re: SMF 2.0.16+ cookie changes
« Reply #10 on: December 29, 2019, 07:36:08 PM »
Quote
Regarding the Coppermine bridge.  There are two new bridge files you can download to resolve this, uploaded tonight.  One for Coppermine 1.5.x https://forum.coppermine-gallery.net/index.php/topic,80028.msg387612.html#msg387612

and one for Coppermine 1.6.x https://forum.coppermine-gallery.net/index.php/topic,77951.msg387613.html#msg387613

Perfect - worked like a charm!  Thanks!!
Life doesn't have to be perfect to be wonderful ...

Offline Rock Lee

  • Native Language Support Specialist
  • SMF Hero
  • *
  • Posts: 3,652
  • Gender: Male
  • Learning more every day!
    • BomberCode.Oficial on Facebook
    • RockLee-BC on GitHub
    • @Bomber_Code on Twitter
    • Bomber Code ~ La nueva era del conocimiento
Re: SMF 2.0.16+ cookie changes
« Reply #11 on: December 30, 2019, 08:35:45 PM »
Quote
The setting is only supposed to be enabled if another integration has triggered 'integrate_verify_user'.
You can directly add it to your Settings.php though to bypass this:
Code: [Select]
$cookie_no_auth_secret = true;

You will be logged out again after changing this.

No effect; I could not log in (at least with a secondary account). I had to comment out the entire line to let me get in ... I would have to run tests with a new user to see if the same happens or if it only applies to old users.


Regards!
Returning like a Phoenix! ~ Bomber Code © 2020
Help - Contributions - Tutorials - And much more!!!

Offline Sesquipedalian

  • The Mad Doctor
  • Lead Developer
  • Sophist Member
  • *
  • Posts: 1,126
  • Gender: Male
  • It works! ... in theory.
    • Sesquipedalian on GitHub
Re: SMF 2.0.16+ cookie changes
« Reply #12 on: December 31, 2019, 01:26:51 AM »
We'll be simplifying the logic that controls this in 2.0.18.

In the meantime, if manually adding $cookie_no_auth_secret = 1; to your Settings.php isn't enough to make this work as you want, try also adding an entry for 'integrate_verify_user' to the settings table in your database, and give it a dummy value, as shown in the attached image.
I promise you nothing.

Sesqu... Sesqui... what?
Sesquipedalian, the best word in the English language.

Offline Rock Lee

  • Native Language Support Specialist
  • SMF Hero
  • *
  • Posts: 3,652
  • Gender: Male
  • Learning more every day!
    • BomberCode.Oficial on Facebook
    • RockLee-BC on GitHub
    • @Bomber_Code on Twitter
    • Bomber Code ~ La nueva era del conocimiento
Re: SMF 2.0.16+ cookie changes
« Reply #13 on: December 31, 2019, 07:58:33 AM »
In a new forum it doesn't give me problems, but it does if I update my site. Doing tests, if I put in the value 0 there is no problem. When I can be at my computer I will make the change you suggested! Thank you @Sesquipedalian
Returning like a Phoenix! ~ Bomber Code © 2020
Help - Contributions - Tutorials - And much more!!!

Offline aegersz

  • SMF Hero
  • ******
  • Posts: 1,631
  • Gender: Male
  • the "mods and tweaks" junkie
    • aegersz on GitHub
    • dopetalk (drugs and users)
Re: SMF 2.0.16+ cookie changes
« Reply #14 on: February 11, 2020, 11:48:54 AM »
I followed your instructions and disabled the checkbox as required, but the SA Chat mod still fails to run.

Any thoughts ?

All I could think about were the cookie changes and I have posted in the mod.
The configuration of my Linux VPS (SMF 2.0 with 150 mods & some assorted manual tweaks) can be found here and notes on my mods can be found here (warning: those links will take you to a drug related forum). My (House) music DJ dedication page is here

Offline Ulibka

  • Semi-Newbie
  • *
  • Posts: 44
  • Gender: Male
Re: SMF 2.0.16+ cookie changes
« Reply #15 on: June 05, 2020, 09:17:48 AM »
I have SMF 2.017, default theme.
I registered a user with Russian letters: Иван

When I attempt to log in (quick login, login and password all correct), password is 1234,
the login redirects to index.php?action=login2 and I see: incorrect password.


I input the login + password again and then I can see the forum.

Maybe you know a solution?

Offline Deaks

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 22,482
  • Gender: Male
    • SMFReview on Facebook
    • pouvik on GitHub
    • @@smfreview on Twitter
    • SMFReview
Re: SMF 2.0.16+ cookie changes
« Reply #16 on: June 05, 2020, 11:17:46 AM »

Offline Ulibka

  • Semi-Newbie
  • *
  • Posts: 44
  • Gender: Male
Re: SMF 2.0.16+ cookie changes
« Reply #17 on: June 05, 2020, 03:07:38 PM »
I tried asking at https://www.simplemachines.ru/ but nobody knows the answer.

The problem is that if you have a login with 2-byte UTF-8 characters, you need to log in twice.

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 59,302
  • Gender: Male
    • Kindred-999 on GitHub
Re: SMF 2.0.16+ cookie changes
« Reply #18 on: June 05, 2020, 03:13:50 PM »
We know.

The fix has been published several times.

And that site, despite the name, is not an official SMF support site.
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.