Skip to content

v2.2.0

Choose a tag to compare

View all tags
@craigrodway craigrodway released this 25 Apr 21:30
· 7 commits to master since this release
v2.2.0
8473e61

This version fixes cookie function usage in PHP 8 and now relies on ProcessWire's built-in cookie functionality - thanks to Julian Pollak for the contribution.

This version also includes a security fix for the cookie theft detection code, where it might erroneously allow a single login.

The following code in the attemptLogin() method, upon detecting a mismatch between the cookie's key and the token stored in the database, correctly destroys the user's cookie sessions in the database. However, due to a missing return false; statement, the rest of the logging-in code following it is also executed when it shouldn't be.

The severity is lessened when using Fingerprinting, which works correctly to deny logins when the fingerprint does not match the expected value.

if ( ! $this->validateKeys($cookie->key, $row->token)) {
	$this->destroyLogins($cookie->user);
	return false; // <-- this line was missing
}
/* (rest of code to log the user in based on the User ID in the cookie) */

The risk of this issue, for most scenarios, is rated Low for likelihood but High for impact.

Changed

  • Use ProcessWire's 'Input' built-in cookie methods instead of native PHP cookie methods.

Fixed

  • Fixed issue that might raise PHP errors if the cookie isn't in the right format.

Security

  • Fixed issue where theft detection might still allow a successful login.
Assets 2
Loading