
Accept cookie authorization only from last user's session host (or IP range)
Mod Version: 1.00, by JohnWoo

This modification is in the archives.
vB Version: 3.0.0 Rating: (0 vote - 0 average) Installs: 2
Released: 25 Jul 2004 Last Update: Never Downloads: 6
Not Supported  

Hello!

As we all know, native vB authorization has two main weak sides:
- the cookie is tied only to the username (userid)
[if somebody steals your cookies (all browsers, including the latest, allow this very easily), he will be able to log in]
- the password string (even the md5 hash of the password from JS) in the POST data is always the same
[if somebody in your network can trace your HTTP headers, he will be able to send the same POST data and log in]
We can try to fight the first problem by tying the cookie stored in the browser to the user's host or, if PHP on your server has no gethostbyaddr function, to the first 3 numbers of the IP (IP range).
After installation, the authorization scenario will be the following:
1. The user enters a username and password in the login form and submits it.
2. If the password matches, vB sets two cookies:
- userid (number)
- password hash
[md5 hash of the result of the concatenation "already hashed password stored in db" + "current user's host or IP range" + "some long string just to be more sure".
But if the user's host looks like "dialaup-1276.something.isphost.com", only the "isphost.com" part will be included in the concatenation.]
3. If the user uses cookie authorization, vB will compare the cookie sent by the browser with the same md5 hash of the same concatenation result. So if the cookie comes from a different host, the user will be forced to enter the password again.

Hope that this small hack will make your vB a little more secure.

PS: It is possible to fight the second weak side easily too, but it needs too many file and template changes and explanations, and I don't think that I'll be able to explain it with my English. Sorry.
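
The cookie scheme from steps 2 and 3 above, as an added PHP sketch that is not the mod's own code (the archive is not available). `BINDING_SECRET`, the function names and the sample hosts and addresses are all hypothetical or constructed, and the client's host name is passed in rather than looked up so the script runs offline.

```php
<?php
// Added illustration of the host-bound cookie described above; not the mod's code.
// BINDING_SECRET and all function names are hypothetical. Requires PHP 7.1+.
const BINDING_SECRET = 'constructed-long-random-string';

// Value bound into the cookie: the last two labels of the reverse-DNS name,
// or the first three octets of the IPv4 address when no name is available.
function client_scope(string $ip, ?string $host): string
{
    // gethostbyaddr() returns the IP itself when the lookup fails.
    if ($host !== null && $host !== '' && filter_var($host, FILTER_VALIDATE_IP) === false) {
        $labels = explode('.', strtolower(rtrim($host, '.')));
        if (count($labels) >= 2) {
            // Caveat: for names such as host.isp.co.uk this keeps only "co.uk".
            return implode('.', array_slice($labels, -2));
        }
    }
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return $ip; // non-IPv4 is outside what the post covers: bind the full address
    }
    return implode('.', array_slice(explode('.', $ip), 0, 3));
}

// md5 over "stored hash" + "host or IP range" + "long string", as in step 2.
function cookie_hash(string $dbPasswordHash, string $scope): string
{
    return md5($dbPasswordHash . $scope . BINDING_SECRET);
}

// Step 3: recompute for the current client and compare in constant time.
function cookie_is_valid(string $cookie, string $dbPasswordHash, string $ip, ?string $host): bool
{
    return hash_equals(cookie_hash($dbPasswordHash, client_scope($ip, $host)), $cookie);
}

// Constructed sample data (documentation address ranges and .example names).
$dbHash = md5('constructed-password');
$cookie = cookie_hash($dbHash, client_scope('198.51.100.23', 'dialup-1276.pool.isphost.example'));

$checks = [
    'same ISP, new dial-up lease' => ['198.51.100.77', 'dialup-0042.pool.isphost.example'],
    'different provider'          => ['203.0.113.9', 'node7.othernet.example'],
    'same address, no PTR record' => ['198.51.100.23', null],
];
foreach ($checks as $label => [$ip, $host]) {
    printf("%-28s %s\n", $label, cookie_is_valid($cookie, $dbHash, $ip, $host) ? 'accepted' : 'login required');
}
```

The first check is accepted because both leases reduce to the same two labels, which shows how coarse the binding is: any client under the same provider domain satisfies it. The third is rejected because a missing reverse-DNS record changes the bound value from a name to an IP range, so the owner of the cookie has to log in again.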
