
What's the VerificationKey for?

edited May 2007 in Vanilla 1.0 Help
Hi! First of all: Thanks for Vanilla. It's an amazing piece of software you wrote there and maybe the best forum I've seen yet :o)

I'm about to use Vanilla's session and user-table for my entire website. It's pretty much the first time I seriously deal with sessions and cookies, so I'm not sure I got all the security issues covered.

Correct me if I'm wrong, but the SessionPostBackKey is just a random number to communicate with ajax. Then all I've left is a UserID and my cookie with the PHPSESSID allowing me to be an Administrator on my site. Is there really no more verification needed to prove my session as valid? What's the VerificationKey in the user-table for? I thought maybe this was something like my latest SessionID encrypted, but it never changes its value.

Let's assume there is much more going on with the session: Is it possible to use Vanilla-scripts one level below the forum-path (like in "/" instead of "/forum")? How?

I would be pleased if you take a second to answer me ;o)

Gizzmo

Comments

  • I think you'll find this discussion: http://lussumo.com/community/discussion/2371/security-bug-cookie-authentication/ very useful in considering Vanilla's security. As far as I'm aware (and you can feel free to check the code yourself) the practices discussed there are still in place now.
    You can set the cookie folder manually in Vanilla so setting it to take effect on / not /forum is easy enough - then you just need to select the relevant People libraries to check stuff..
  • edited May 2007
    Yes. Thanks. Interesting Article! But don't get me wrong, I'm sure Vanilla is pretty secure... at least secure enough for me. I just want my own site to be as secure as well :o)

    So the VerificationKey validates persistent cookies. I see. Never tried that before. And it seems even stolen cookies wouldn't work outside my computer anymore

    >> Mark said: Right now Vanilla invalidates cookies if you sign in from another browser or location.

    That's yet 2 things my own premature login-script doesn't care about.

    Since Vanilla and the rest of my site are using the same cookie the cookiepath is already set to /

    But:

    >> then you just need to select the relevant People libraries to check stuff..

    I don't get that. It seems like each Vanilla-file is connected to one or more others. And in the end it all comes back to the installation-path which is my.domain.com/forum

    Maybe it would be helpful if somebody can tell me where exactly the cookie gets validated. To tell the truth I've not even found the function for that.
  • If you look in the library/People folder of the Vanilla download, there's a full library there (called the People library) which deals with ALL user-base interaction. There are functions in there which take care of creating, validating, removing, changing roles, changing preferences (I believe) etc etc...
This discussion has been closed.
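
Added example, not part of the original thread and not Vanilla's own code: one way a self-written PHP login script can validate a persistent cookie against a per-user verification key and invalidate older cookies when the user signs in from another browser, as discussed above. The in-memory `$users` array, the `<UserID>-<key>` cookie format and the function names are assumptions made for illustration.

```php
<?php
// Constructed stand-in for a user table; a real site would use its database.
$users = [
    7 => ['Name' => 'Gizzmo', 'VerificationKey' => null],
];

// Called on every successful sign-in. Generates a fresh random key, so any
// persistent cookie issued earlier (another browser, a stolen copy) stops
// matching. Only a hash is stored: a leaked table does not yield valid cookies.
function issueVerificationKey(array &$users, int $userId): string
{
    $key = bin2hex(random_bytes(32));               // 64 hex chars from a CSPRNG
    $users[$userId]['VerificationKey'] = hash('sha256', $key);
    // Value for the persistent cookie; send it with path "/", Secure and
    // HttpOnly so it covers the whole site and is not readable from script.
    return $userId . '-' . $key;
}

// Returns the user id when the cookie matches the stored key, null otherwise.
function validatePersistentCookie(array $users, string $cookie): ?int
{
    // Reject anything that is not exactly "<digits>-<64 hex chars>".
    if (!preg_match('/^(\d+)-([0-9a-f]{64})$/', $cookie, $m)) {
        return null;
    }
    $userId = (int) $m[1];
    $stored = $users[$userId]['VerificationKey'] ?? null;
    if ($stored === null) {
        return null;                                // unknown user or no key issued
    }
    // hash_equals() compares in constant time, avoiding a timing side channel.
    return hash_equals($stored, hash('sha256', $m[2])) ? $userId : null;
}

// Sign-in from browser A, then from browser B, which rotates the key.
$cookieA = issueVerificationKey($users, 7);
$cookieB = issueVerificationKey($users, 7);

var_dump(validatePersistentCookie($users, $cookieA));  // cookie issued before the rotation
var_dump(validatePersistentCookie($users, $cookieB));  // cookie from the latest sign-in
var_dump(validatePersistentCookie($users, '7-guess')); // malformed value
```

After a successful validation the script should still start a normal session and call `session_regenerate_id(true)` before granting any privileges.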