OK, I'm normally at my best when lured into something I can't stand not working
Full Session Protection SP1.3.x V1.1
This upgrade comprises the changing of the following 6 scripts:
Load.pl
LogInOut.pl
Subs.pl
Profile.pl
AdminEdit.pl
YaBBC.pl
english.lng (as I needed to add an error line)
What has been changed?
- header routine is now compatible with the latest RFCs (equal to SP2)
- Redirect subs now also pass the cookie (which the old code did not)
- Cookie handling is now done by a subroutine (borrowed from SP2)
- User validity is now checked on password and an IP-based static session id per login session
- All forms now have a hex-encrypted dynamic session id which is also based on IP, but where the seed can be any random number between 0 and 99, so the form session changes on each pass.
- User password in the cookie is now dynamic and changes every logged-in session, based on 10000 possible random seeds.
- changed the template subroutine not to load news.txt for every line in the template (which was stupid)
- image tag bug fix for bmp files
- image tag can no longer hold an action command to YaBB.
When does it react?
1. if a user changes IP address, he gets logged out
2. if a form holds a session value not related to the IP address of the user
3. if the form has no session value (as all should have one now, using some smart regexing in the template subroutine)
4. if the cookie has been tampered with (so hijacking is useless)
Please test (as far as you can tinker with IP addresses and spoofed forms) and report any irregularities.
Version History
1.0
Original Release
1.1
Restricted img tag not to allow any action commands
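The four "When does it react?" rules above, as an added worked example that is not part of the mod's own code or of this post. It is Perl like YaBB itself, but instead of the mod's hex encoding and small seed ranges it binds the cookie and each form token to the client IP with a keyed hash (Digest::SHA's hmac_sha256_hex) over a fresh per-login secret; the server secret, the %sessions store, the function names and the 203.0.113.x addresses are all assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example: IP-bound session cookie and per-form token checks in the
# spirit of the four "When does it react?" rules. Not the mod's own code.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);   # core module since Perl 5.10

# Assumption: a long random server-side secret, generated once and kept
# outside the web root. Replace before use.
my $SERVER_SECRET = 'replace-with-a-long-random-value';

# Per-login records: user => { ip => ..., secret => ... }.
# In YaBB this would be persisted per member; here it is an in-memory hash.
my %sessions;

# Constant-time string comparison so a tampered value cannot be distinguished by timing.
sub constant_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Login: remember the client IP and a fresh 128-bit per-login secret, and hand
# back a static session id that is a keyed hash of user, IP and that secret.
sub login {
    my ($user, $ip) = @_;
    my $secret = join '', map { sprintf '%02x', int rand 256 } 1 .. 16;
    $sessions{$user} = { ip => $ip, secret => $secret };
    return hmac_sha256_hex("sid|$user|$ip|$secret", $SERVER_SECRET);
}

# Cookie check on every request.
#   rule 1: IP changed since login     -> reject (user is logged out)
#   rule 4: cookie altered in any way  -> reject (hash no longer matches)
sub check_cookie {
    my ($user, $ip, $sid) = @_;
    my $rec = $sessions{$user} or return 0;
    return 0 unless $rec->{ip} eq $ip;
    my $expected = hmac_sha256_hex("sid|$user|$ip|$rec->{secret}", $SERVER_SECRET);
    return constant_eq($expected, $sid // '');
}

# Per-form token: random nonce plus keyed hash over user, IP, nonce and the
# login secret, so it changes on every pass and is useless from another IP or session.
sub form_token {
    my ($user, $ip) = @_;
    my $rec = $sessions{$user} or return;
    my $nonce = sprintf '%08x', int rand 0xFFFFFFFF;
    my $mac = hmac_sha256_hex("form|$user|$ip|$nonce|$rec->{secret}", $SERVER_SECRET);
    return "$nonce:$mac";
}

# Form check on submit.
#   rule 3: no token at all               -> reject
#   rule 2: token not for this IP/session -> reject
sub check_form_token {
    my ($user, $ip, $token) = @_;
    return 0 unless defined $token && length $token;
    my $rec = $sessions{$user} or return 0;
    my ($nonce, $mac) = split /:/, $token, 2;
    return 0 unless defined $mac;
    my $expected = hmac_sha256_hex("form|$user|$ip|$nonce|$rec->{secret}", $SERVER_SECRET);
    return constant_eq($expected, $mac);
}

# Demo with constructed values (203.0.113.0/24 is a documentation range).
my $sid = login('alice', '203.0.113.10');
printf "cookie, same IP:               %s\n", check_cookie('alice', '203.0.113.10', $sid) ? 'accepted' : 'rejected';
printf "cookie, IP changed:            %s\n", check_cookie('alice', '203.0.113.11', $sid) ? 'accepted' : 'rejected';
printf "cookie, one hex digit flipped: %s\n",
    check_cookie('alice', '203.0.113.10', substr($sid, 0, -1) . ($sid =~ /0$/ ? '1' : '0')) ? 'accepted' : 'rejected';

my $token = form_token('alice', '203.0.113.10');
printf "form, same IP:                 %s\n", check_form_token('alice', '203.0.113.10', $token) ? 'accepted' : 'rejected';
printf "form, other IP:                %s\n", check_form_token('alice', '203.0.113.11', $token) ? 'accepted' : 'rejected';
printf "form, token missing:           %s\n", check_form_token('alice', '203.0.113.10', '')     ? 'accepted' : 'rejected';
```

Run it as a plain script; only the first "same IP" cookie and form checks print "accepted", the other four are rejected. The design choice here is that nothing in the cookie or form field can be recomputed by a client who does not hold the server secret and the per-login secret, so the nonce space (32 bits here rather than 0 to 99) only has to make tokens differ per pass, not carry the security. The IP binding has the same cost the post notes under rule 1: anyone whose address changes mid-session, for example behind a pool of proxies, is logged out.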