  1. phpBB3
  2. PHPBB3-16825

Adjust handling of session ID when requiring cookies

Details

    • Improvement
    • Status: Unverified Fix
    • Major
    • Resolution: Fixed
    • None
    • 4.0.0-a1
    • Sessions
    • None

    Description

      This is a follow-up ticket to the previous change of requiring cookies for sessions. Changes that should be included in this are mainly for better UX and also to ensure previously expected CSRF with forced session IDs is still valid with the new approach that does not use session IDs in URLs anymore.

      These include, among others:

      • Ensure login / logout is properly checked
      • Ensure simple actions like marking of forums, subscribing, etc. are properly secured
      • Default to having "Remember me" enabled
      • Do not retrieve "sid" in URL unless force_sid is being used

            People

              Marc Marc