PHP Classes


Recommend this page to a friend!

      PHPBB 3 integration  >  All threads  >  Security  >  (Un) Subscribe thread alerts  
Summary:Password unencrypted
Author:Eduardo Waghabi
Date:2011-10-26 11:30:43

  1. Security   Reply   Report abuse  
Picture of Eduardo Waghabi Eduardo Waghabi - 2011-10-26 11:30:43
Hi there,

I was thinking about using this piece of code in my site, but after looking into it a little, it seems to me that the script assumes a non encrypted password in a session variable.

$password = base64_decode($_SESSION['ps_string']);

So, even if I use password hashing in my user table (let's say with the crypt() php function), the user's password would still be vulnerable the moment I put it in a session variable and call the SessionManage() method. (Right?)

Then I thought about making the integration optional to the user, with a disclaimer of a possible security issue, but then the ID's (in my table and in PHPBB's) would get messy. Not to mention that no one would EVER click on that checkbox.

Do you have any ideias? Or am I just paranoid?

Abrašos from Rio de Janeiro,