Login token in URL allows anyone to impersonate a user

Qriist
Posts: 82
Joined: 11 Sep 2016, 04:02

Login token in URL allows anyone to impersonate a user

11 Jan 2024, 12:53

[Topic moved from Bug Reports and renamed by lexikos.]

Same issue as this post: viewtopic.php?f=14&t=82158
I'm using 64-bit AHK on 64-bit Windows 10.

Link to discord thread, for extra context:
https://discord.com/channels/115993023636176902/1195022953516118106/1195022953516118106

EDIT: thanks to login token shenanigans, the above message was posted by alfinete, not me. See below.
Last edited by Qriist on 11 Jan 2024, 13:16, edited 2 times in total.
Qriist
Posts: 82
Joined: 11 Sep 2016, 04:02

Re: Keyboard Hook being removed in 64-bit AHK

11 Jan 2024, 13:07

Sooo REAL Qriist here. Apparently the forum url includes a sid token that just logs people in as you on other systems. Could we, like, nuke that feature so this doesn't happen again?

[Attachments: two screenshots, image.png and image.png]
lexikos
Posts: 9592
Joined: 30 Sep 2013, 04:07

Re: Login token in URL allows anyone to impersonate a user

19 Jan 2024, 06:25

Given that the original post was about an issue that clearly already has a Bug Report topic, I have moved this topic to Forum Issues to deal with the login token issue.

I would assume that the SID appearing in a URL is explicitly not "cookie token bs", but a mechanism intended to permit logins without cookies.

In order for someone who is not Qriist to post as Qriist, Qriist must have shared a URL containing the SID. But what were the conditions that caused the SID to be present in the first place?
joedf
Posts: 8965
Joined: 29 Sep 2013, 17:08
Location: Canada

Re: Login token in URL allows anyone to impersonate a user

19 Jan 2024, 10:37

@lexikos Thanks for moving this. I will have a look immediately. And you're correct, it's part of a security feature apparently. It looks like this is a default behaviour if cookies are disabled/disallowed, but could be mitigated with IP address validation.
@tank FYI. Here's what I'm looking at currently.
https://www.phpbb.com/community/viewtopic.php?t=2549911
https://www.phpbb.com/support/docs/en/3.2/kb/article/fixing-incorrect-cookie-settings

EDIT: I've turned on Session IP Validation, and changed cookies to expire after 30 days, but you'll notice an sid in the url when just logging in. Otherwise, you shouldn't see it while browsing the forums if the cookies are working correctly.
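To make the two points in this thread concrete (a copied URL carrying `sid` acts as a login token, and session IP validation limits how far such a token can be replayed), here is an added, self-contained Python model. It is not phpBB's code: the session store, `login`, `resolve_session` and the `ip_check` octet-count convention (4 = full IPv4 address, 3 = first three octets, 2 = first two, 0 = no check) are assumptions modelled on the setting joedf describes, and the URL is constructed for the example.

```python
import secrets
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Hypothetical in-memory session store: sid -> (username, client IP at login).
SESSIONS = {}


def strip_sid(url):
    """Remove any 'sid' query parameter before a link is shared, so the copied
    URL no longer doubles as a login token (the scenario in this thread)."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() != "sid"]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), parts.fragment))


def ip_prefix_matches(stored_ip, request_ip, ip_check):
    """Session IP validation, assumed to work like phpBB's setting: compare the
    first ip_check octets of the IPv4 address (0 disables the check)."""
    if ip_check == 0:
        return True
    return stored_ip.split(".")[:ip_check] == request_ip.split(".")[:ip_check]


def login(user, client_ip):
    """Create a fresh, unguessable session id bound to the client's IP."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = (user, client_ip)
    return sid


def resolve_session(sid, request_ip, ip_check=4):
    """Return the user owning sid, or None if sid is unknown or the request
    comes from an IP outside the validated prefix (replayed token)."""
    entry = SESSIONS.get(sid)
    if entry is None:
        return None
    user, stored_ip = entry
    if not ip_prefix_matches(stored_ip, request_ip, ip_check):
        return None
    return user


if __name__ == "__main__":
    sid = login("alice", "203.0.113.10")            # constructed sample IPs
    leaked = f"https://forum.example/viewtopic.php?f=14&t=82158&sid={sid}"
    print(resolve_session(sid, "198.51.100.7"))     # None: replay from elsewhere
    print(strip_sid(leaked))                        # link safe to paste
```

With `ip_check=0` (validation off) the replayed token resolves to the user from any address, which is the behaviour the first two posts ran into.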
