phpBB3 / PHPBB3-16207

Require cookies for sessions

Details

    • Improvement
    • Status: Unverified Fix
    • Major
    • Resolution: Fixed
    • 3.3.0-b1, 3.2.8
    • 4.0.0-a1
    • Sessions
    • None

    Description

      phpBB currently supports authentication, and therefore the use of sessions, both with and without cookies. This results in the session ID being added to URLs on guest sessions and when cookies do not work, as well as the requirement to use append_sid() to prevent users from being accidentally logged out.

      In order to improve the security of sessions in phpBB, we should follow the recommendations set forth by OWASP and purely rely on cookies:

      https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
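
A log audit that shows where URL-carried session IDs surface (request targets and Referer headers) and whether one ID arrives from more than one client. This is an added example, not part of the original ticket or phpBB's code. It assumes the URL parameter is named `sid` with a 32-hex-character value and that the web server writes combined-format access logs; the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Assumption: the URL session parameter is named "sid" and holds 32 hex characters.
SID_VALUE = re.compile(r"[0-9a-f]{32}", re.I)
# Combined log format: client address, request line, status, size, Referer.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)

# Constructed sample log lines (documentation addresses, made-up session IDs).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2020:10:00:00 +0000] "GET /viewtopic.php?t=5&sid=0123456789abcdef0123456789abcdef HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2020:10:02:00 +0000] "GET /viewtopic.php?t=5&sid=0123456789abcdef0123456789abcdef HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2020:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "https://forum.example/viewforum.php?f=2&sid=fedcba9876543210fedcba9876543210" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Jan/2020:10:04:00 +0000] "GET /viewforum.php?f=2 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

def sids_in_url(url):
    """Return the session IDs carried in the query string of url."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [v.lower() for k, v in pairs if k == "sid" and SID_VALUE.fullmatch(v)]

def audit(lines):
    """Return (redacted sid, log fields it appeared in, distinct client count)."""
    seen = defaultdict(lambda: (set(), set()))
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line
        for field in ("target", "referer"):
            for sid in sids_in_url(m.group(field)):
                fields, clients = seen[sid]
                fields.add(field)
                clients.add(m.group("client"))
    # Redact IDs in the report so the audit output does not leak them again.
    return [(sid[:6] + "...", sorted(f), len(c)) for sid, (f, c) in sorted(seen.items())]

if __name__ == "__main__":
    for sid, fields, clients in audit(SAMPLE):
        note = " (sent by more than one client)" if clients > 1 else ""
        print(f"{sid} in {', '.join(fields)}, {clients} client(s){note}")
```

With cookie-only sessions, as the ticket proposes, this audit should return an empty list for traffic generated after the change.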

            People

              Marc Marc