Security

Subject:Security
Summary:Password unencrypted
Messages:1
Author:Eduardo Waghabi
Date:2011-10-26 11:30:43
 

Eduardo Waghabi
2011-10-26 11:30:43
Hi there,

I was thinking about using this piece of code in my site, but after looking into it a little, it seems to me that the script assumes a non-encrypted password in a session variable.

$password = base64_decode($_SESSION['ps_string']);

So, even if I use password hashing in my user table (let's say with the crypt() PHP function), the user's password would still be vulnerable the moment I put it in a session variable and call the SessionManage() method. (Right?)

Then I thought about making the integration optional to the user, with a disclaimer of a possible security issue, but then the IDs (in my table and in PHPBB's) would get messy. Not to mention that no one would EVER click on that checkbox.

Do you have any ideas? Or am I just paranoid?

Abraços from Rio de Janeiro,
Eduardo
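
The concern raised in the post above, as an added example that is not part of the original post or of the class it discusses: an audit check that tells whether a stored session carries, under `ps_string`, a base64 value that decodes to the password behind the user's hash. The sample password, the `uid` key, and both function names are constructed for illustration, `password_hash()`/`password_verify()` stand in for the `crypt()` hashing the post mentions, and the session layout assumed is PHP's default `php` serialize handler.

```php
<?php
// Added example with constructed values; not code from the class under discussion.

// Serialize session data the way PHP's default "php" handler stores it:
// each top-level key is written as name|serialize(value).
function encode_session(array $data): string
{
    $out = '';
    foreach ($data as $name => $value) {
        $out .= $name . '|' . serialize($value);
    }
    return $out;
}

// Audit check: does the stored session blob carry, under $key, a base64 string
// that decodes to the password matching the user's stored hash?
function session_holds_recoverable_password(string $blob, string $key, string $dbHash): bool
{
    // A key starts the blob or follows the ';' or '}' that ends the previous value.
    $pattern = '/(?:^|[;}])' . preg_quote($key, '/') . '\|s:(\d+):"/';
    if (!preg_match($pattern, $blob, $m, PREG_OFFSET_CAPTURE)) {
        return false; // key absent, or not stored as a string
    }
    // Read exactly the declared number of bytes instead of scanning for a quote.
    $start   = $m[0][1] + strlen($m[0][0]);
    $encoded = substr($blob, $start, (int) $m[1][0]);
    $decoded = base64_decode($encoded, true); // strict mode: false on non-base64 input
    return $decoded !== false && password_verify($decoded, $dbHash);
}

$password = 'correct horse battery staple';              // constructed sample password
$dbHash   = password_hash($password, PASSWORD_DEFAULT);  // what the user table keeps

// Session as the integration expects it, per the base64_decode() line quoted above.
$withPassword = encode_session(['uid' => 42, 'ps_string' => base64_encode($password)]);
// Session that keeps only an identifier (constructed for comparison).
$withoutPassword = encode_session(['uid' => 42]);

// First call reports the password as recoverable from session storage alone;
// the second finds nothing to recover.
var_dump(session_holds_recoverable_password($withPassword, 'ps_string', $dbHash));
var_dump(session_holds_recoverable_password($withoutPassword, 'ps_string', $dbHash));
```

The hash in the user table is never consulted to recover the password here; it only confirms that what sits in the session is the real one, which is why hashing the table does not protect a password that is also kept base64-encoded in session storage.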