09 Secure Yer Cookies

Started by Mindless, July 20, 2012, 09:04:24 PM



Daniel

Seems to work fine on my end :-)

Mindless

#1
Credits to ColdFusion for the code; I only put it together. Secure check for IP to cookie to hamper cookie theft. Note this checks the first 2 octets. If you want the full IP checking, use the other one I post.

@File takelogin.php :

Find this :

Code (php):
$lang = array_merge( load_language('global'), load_language('takelogin') );

Under it add :

Code (php):
$ip_octets = explode( ".", getenv('REMOTE_ADDR') );

Find this :

Code (php):
logincookie($row["id"], $row["passhash"]);

Change to :

Code (php):
$passh = md5($row["passhash"]."-".$ip_octets[0]."-".$ip_octets[1]);
logincookie($row["id"], $passh);



@File bittorrent.php inside userlogin() :

Find this:

Code (php):
unset($GLOBALS["CURUSER"]);

Under it add :

Code (php):
$ip_octets = explode( ".", getenv('REMOTE_ADDR') );

Find this:

Code (php):
if (get_mycookie('pass') !== $row["passhash"])
return;


Change to :

Code (php):
if(get_mycookie('pass') !== md5($row["passhash"]."-".$ip_octets[0]."-".$ip_octets[1]))
return;


@File takeprofedit.php :

Find this :

Code (php):
if (!mkglobal("email:chpassword:passagain:chmailpass"))
      bark("missing form data");


Under it add this :

Code (php):
$ip_octets = explode( ".", getenv('REMOTE_ADDR') );

Find this :

Code (php):
logincookie($CURUSER["id"], $passhash);

Change to :

Code (php):
logincookie($CURUSER["id"], md5($passhash."-".$ip_octets[0]."-".$ip_octets[1]));

You will be kicked out of your site the minute the code is placed into the user_login function and uploaded to FTP; when you log back in, the passhash will be updated :)

I think this is correct. If I'm wrong, please correct me so I can update the post. Cheers.
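An added example, not code from the thread or from the tracker, showing the same first-two-octets cookie binding as a standalone PHP check; the function names ip_binding_prefix, bound_passhash and cookie_matches and the sample addresses are assumptions. It also covers the case the one-liners above leave open: a REMOTE_ADDR that is not a dotted-quad IPv4 address (IPv6 or absent), where explode('.') yields no second octet, and it compares the cookie with hash_equals rather than !==.

```php
<?php
// Added example (not the tracker's code and not ColdFusion's or Mindless's):
// derive and verify a login cookie bound to the first two octets of the
// client address, as the mod above does, while refusing non-IPv4 addresses.

// Return the IPv4 /16 prefix ("a.b") the cookie is bound to, or null when
// REMOTE_ADDR is absent or not a dotted-quad IPv4 address (e.g. IPv6).
function ip_binding_prefix(?string $remote_addr): ?string
{
    if ($remote_addr === null
        || filter_var($remote_addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;   // explode('.') would leave $ip_octets[1] undefined here
    }
    $octets = explode('.', $remote_addr);
    return $octets[0] . '.' . $octets[1];
}

// The bound value stored in the 'pass' cookie, exactly as the mod builds it:
// md5(passhash-octet0-octet1).
function bound_passhash(string $passhash, string $prefix): string
{
    [$o0, $o1] = explode('.', $prefix);
    return md5($passhash . '-' . $o0 . '-' . $o1);
}

// Verify a presented cookie against the stored passhash and current address.
// A cookie issued in one /16 only verifies from an address in that same /16.
function cookie_matches(string $cookie, string $stored_passhash, ?string $remote_addr): bool
{
    $prefix = ip_binding_prefix($remote_addr);
    if ($prefix === null) {
        return false;   // refuse rather than compare against an undefined octet
    }
    // Constant-time comparison of the expected value with the user-supplied cookie.
    return hash_equals(bound_passhash($stored_passhash, $prefix), $cookie);
}

// Constructed sample values (not real credentials or addresses).
$stored = md5('example-password-hash');
$cookie = bound_passhash($stored, ip_binding_prefix('203.0.113.10'));

var_dump(cookie_matches($cookie, $stored, '203.0.113.77'));   // same /16 as issuing address
var_dump(cookie_matches($cookie, $stored, '198.51.100.10'));  // different /16
var_dump(cookie_matches($cookie, $stored, '2001:db8::1'));    // IPv6 client
var_dump(cookie_matches($cookie, $stored, null));             // REMOTE_ADDR absent
```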