Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#2672] - Fixing remember me function

? Success

User tests: Successful: Unsuccessful:

avatar Bakual
Bakual
12 Dec 2013

Problem

Because the change to JCrypt::hasStrongPasswordSupport() to fix its bugs we currently have a non-working remember-me function

Solution

In the remember system plugin:

  • I removed the reference to this function and always use JCrypt::timingSafeCompare() to compare the $privateKey from the cookie to the database stored $token.

In the joomla user plugin:

  • Fixed a typo from 'Coookie' to 'Cookie' (thanks to Leo Lammerink who pointed that out in the JBS google group)
  • Storing the encrypted $cryptedKey instead of $privateKey into the cookie. Here I am a bit unsure how that was supposed to work prior. It probably was broken before?

Question for security experts

The privateKey (which is just a random string) is encrypted using JUserHelper::getCryptedPassword() resulting in the cryptedKey which is now stored both in database and cookie. As far as I understand the system (which is based on http://jaspan.com/improved_persistent_login_cookie_best_practice), the whole encryption isn't needed here and serves no purpose. It's a non-guessable one-time token.
But I may be wrong.

avatar Bakual Bakual - open - 12 Dec 2013
avatar Bakual
Bakual - comment - 12 Dec 2013

This is a doc explaining how to test the feature back when it was introduced. I think it should still be valid more or less: https://docs.google.com/document/d/1cV3g-11xt3EB2Pi1m1Mej1mcPte2ERDBzacL3UaHJyg

avatar Bakual Bakual - change - 13 Dec 2013
Labels Added: ? ?
avatar Bakual
Bakual - comment - 13 Dec 2013

Since @infograf768 found another bug, updated the PR again.

  • It will now remove all entries in #__user_keys for a given user and uastring (=browser) when the user logs out.
  • When logged in using the cookie, the old entry is overwritten with the new one instead of creating a new entry. The check for that was there, but both conditionals had a bug...
avatar infograf768 infograf768 - reference | 3dfb13d - 15 Dec 13
avatar infograf768 infograf768 - merge - 15 Dec 2013
avatar infograf768 infograf768 - close - 15 Dec 2013
avatar infograf768 infograf768 - change - 15 Dec 2013
Status New Closed
Closed_Date 0000-00-00 00:00:00 2013-12-15 05:09:21
avatar infograf768 infograf768 - close - 15 Dec 2013
avatar Bakual Bakual - head_ref_deleted - 15 Dec 2013

Add a Comment

Login with GitHub to post a comment