The plugin code checks for a phpBB session, if it exists, based on the passed cookie value. Since it could be possible for an attacker to pass random values and try to guess the session value of a user so as to log in to WordPress (and then in phpBB if the session matches), the solution has been this:
check the (bad) explanation here:
How w3all sessions keys Brute Force countermeasure works
https://www.axew3.com/w3/forums/viewtopic.php?p=320#p320
The plugin code refuses to check the phpBB cookie session value for a NOT already logged-in WP user, who wants to log in presenting a phpBB session cookie value, if the UID turns out to be in the brute-forced list.
I am just thinking about how to resolve this.
If logins were allowed only in WP, this part could be removed: we could only set a phpBB session cookie and update it each time, without getting values from a presented session cookie.
But if the logic is based on the fact that a user logs in to phpBB and then presents a cookie in WP, then it requires to be controlled, or a brute force can happen.
Not clear how, but it should be possible to minimize this aspect and resolve it for the normal user who has not really been attacked, but who, due to a mismatching session (cookie presented vs. DB stored), appears to have been (it happens, for example, when you log in in one tab as another user, while in the other tab you were logged in as a different user. At the time you visit WP as logged into phpBB, this will happen).
Let's check what will be possible to do; I will return to this very soon.
This reply was modified 2 years, 5 months ago by axew3.
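The countermeasure described in the post above (per-UID mismatch counting, and refusing to even consult the phpBB session for a UID on the brute-forced list), as an added illustration that is not the w3all plugin's own code. The phpBB session table is a plain dict standing in for the real storage, all session ids are constructed sample values, and the class and method names are assumptions. The time-limited window that lets a legitimate user with a stale cookie recover automatically is one possible answer to the false-positive problem the post raises, not something the plugin is stated to do.

```python
"""Per-UID brute-force guard for a phpBB -> WordPress session bridge (added example)."""
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5          # mismatches tolerated per UID inside the window (assumed value)
WINDOW_SECONDS = 900      # how long a UID stays on the brute-forced list (assumed value)


class SessionBridge:
    def __init__(self, phpbb_sessions, clock=time.time):
        self.sessions = phpbb_sessions          # uid -> phpBB session id (stand-in for the DB)
        self.clock = clock                      # injectable so the window can be tested
        self.failures = defaultdict(list)       # uid -> timestamps of cookie mismatches

    def recent_failures(self, uid):
        """Drop mismatches older than the window and count the rest."""
        cutoff = self.clock() - WINDOW_SECONDS
        self.failures[uid] = [t for t in self.failures[uid] if t > cutoff]
        return len(self.failures[uid])

    def is_bruteforced(self, uid):
        return self.recent_failures(uid) >= MAX_FAILURES

    def login_from_cookie(self, uid, presented_sid, wp_logged_in=False):
        """Decide what to do with a phpBB session cookie presented to WP."""
        if wp_logged_in:
            return "already-logged-in"          # nothing to verify for an active WP session
        if self.is_bruteforced(uid):
            return "refused"                    # do not consult phpBB at all for this UID
        stored = self.sessions.get(uid)
        # Constant-time comparison so a guesser learns nothing from timing.
        if stored is not None and hmac.compare_digest(stored, presented_sid):
            self.failures[uid].clear()          # a good cookie forgives earlier mismatches
            return "ok"
        self.failures[uid].append(self.clock())
        return "mismatch"

    def phpbb_login(self, uid, new_sid):
        """A fresh phpBB login rotates the stored session id."""
        self.sessions[uid] = new_sid


def demo():
    clock = [1_700_000_000.0]
    bridge = SessionBridge({42: "a3f1c9e2b7d04856"}, clock=lambda: clock[0])
    results = {}
    # Stale cookie left over from another tab: one mismatch, but no lockout.
    results["stale"] = bridge.login_from_cookie(42, "0000000000000000")
    results["after_stale_locked"] = bridge.is_bruteforced(42)
    # The user logs into phpBB again; the new cookie matches and the count resets.
    bridge.phpbb_login(42, "5e9d1b3c7a2f4d60")
    results["fresh"] = bridge.login_from_cookie(42, "5e9d1b3c7a2f4d60")
    results["failures_after_ok"] = bridge.recent_failures(42)
    # Repeated wrong values push the UID onto the brute-forced list.
    for i in range(MAX_FAILURES):
        bridge.login_from_cookie(42, f"{i:016x}")
    results["locked"] = bridge.is_bruteforced(42)
    # While listed, even the correct cookie is not checked against phpBB.
    results["even_correct_refused"] = bridge.login_from_cookie(42, "5e9d1b3c7a2f4d60")
    # Once the window passes the lockout lifts on its own.
    clock[0] += WINDOW_SECONDS + 1
    results["after_window"] = bridge.login_from_cookie(42, "5e9d1b3c7a2f4d60")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two design points worth noting are that the refusal happens before any database lookup (so a listed UID cannot be used to probe the phpBB session store at all), and that the list is time-bounded rather than permanent, which is what turns the "another tab" case from a permanent lockout into a short delay.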