CLU Posted March 30, 2012

Hi Guys, I think I have come across a potential security issue with the build a CMS. It seems there is a worrying issue, that being if you had two different sites, then the users that log in for one would be able to log into the other. I think this must have something to do with the session start. Although there would have to be some form of serendipity as the users will have to be using the same browser, but still this seems to be rather worrying. Would/does anyone have a solution to this? Maybe this could be solved by changing the salt? If anyone could help that would be great. CLU

falkencreative Posted March 30, 2012

Even if the usernames and passwords are different?

CLU Posted March 31, 2012

It still seems to allow the user access irrespective of whether their PW and usernames are the same... So it just allows access... I really cannot find out how to prevent this....

falkencreative Posted March 31, 2012

I'll take a look later this week and see if I can reproduce. This shouldn't happen -- each site should have its own unique session. If you have these two sites online, any chance you could PM me the URLs and username/passwords to each so I can check? It would be much easier than having to set up two sites of my own to test.

CLU Posted March 31, 2012

At the moment the two sites that I have tested are on local servers. I was running tests to check everything and this is when I came across this issue. They are both reading from different databases. Could the issue be with regards to the salt being the same?

falkencreative Posted March 31, 2012

No, the salt should have nothing to do with it.

falkencreative Posted March 31, 2012

I've looked into this issue a little more. As far as I understand it, the issue is that you are running the websites on the same domain (localhost). Because they are on the same domain, they are sharing the session, and thus sharing session variables that track whether the user is logged into the website.

This is a situation that most people shouldn't run into, since the average user shouldn't be running multiple installations of the system on the same live domain. If you actually put these two sites up on their own domains, you shouldn't run into this issue. However, since I can't discount that fact entirely, I'll add this issue to the list of things I need to talk about when I do an update to the course.

The easiest solution to this issue is to add this line just before "session_start();" within /app/core/core.php:

    session_name('[unique identifier here]');

Replace [unique identifier here] with an alphanumeric string that is unique to the website. Do that for both the sites running on your local server, using different unique identifiers for each, and you shouldn't have this issue any longer. This will set different session names for each site, keeping them unique and separate from each other even though they are running on the same domain.

A slightly more elegant solution might be to set the unique identifier in a constant within /app/init.php, and then use that constant when you call session_name(). It would just be easier to find and change that variable within the init file rather than trying to remember which file session_start() is called in.

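Added example (not part of the thread or of the course's own code): the constant-based variant from the post above, written for PHP 7.3+. It goes a little beyond the post by also scoping the cookie path and tagging the session with its site; `SITE_SESSION_NAME`, `SITE_COOKIE_PATH`, the `/site-a/` folder and `start_site_session()` are assumed names.

```php
<?php
// Added example. SITE_SESSION_NAME, SITE_COOKIE_PATH and start_site_session()
// are hypothetical names, not identifiers from the course code.

// --- /app/init.php: one pair of values per installation -------------------
define('SITE_SESSION_NAME', 'cmsSiteA');  // a second install would use e.g. 'cmsSiteB'
define('SITE_COOKIE_PATH', '/site-a/');   // assumed sub-folder of this install on localhost

// --- /app/core/core.php: used instead of the bare session_start() call ----
function start_site_session(string $name, string $path): void
{
    // session_name() accepts alphanumeric names only, with at least one letter.
    if (!ctype_alnum($name) || ctype_digit($name)) {
        throw new InvalidArgumentException(
            'Session name must be alphanumeric and contain at least one letter'
        );
    }

    session_name($name);                  // must be called before session_start()
    session_set_cookie_params([
        'path'     => $path,              // browser sends the cookie only under this folder
        'httponly' => true,               // cookie is not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();

    // Installations on one server usually share the same session store, so the
    // session is also tagged with its site. Data created under another site's
    // name is discarded instead of being trusted as a login.
    if (($_SESSION['site'] ?? $name) !== $name) {
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['site'] = $name;
}

start_site_session(SITE_SESSION_NAME, SITE_COOKIE_PATH);
```
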
CLU Posted April 1, 2012

It seems that you are right, I wasn't thinking about them being essentially on the same domain. Cheers for helping out...

Also a heads up on another potential issue with the colorbox and the long. Because everything within the init file is absolute so the site path being stated as www.domain.com... if a user types domain.com ... then when they click on the login link it throws an error, as it's not including the www. The simple solution I found was to create a htaccess file and just make sure the URL is changed to match that within the init file. Just a heads up. Thanks again.