Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#25 2011-06-15 22:12:46

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: The Sacred Lawn...

Bloke wrote:

Bit drastic given the risks. Isn’t the easiest solution to comment out the code in ign_password_protect that regenerates the nonce? Shouldn’t be necessary any longer. From my cursory exam it looks like ign_update_access() is a good starting point.

How isn’t it necessary? We need some method of knowing who is logged in if anything. We can’t just turn off the regeneration of nonce from the public side login. That would give anyone that gets the cookie (mind me, the cookie that would always stay same) access to everything. By effectively knowing how is logged in (yes, something that works with multi-site installs), we could generate the nonce only when it doesn’t effect the admin-side login.

Offline

#26 2011-06-15 22:35:00

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,446
Website GitHub

Re: The Sacred Lawn...

Gocom wrote:

we could generate the nonce only when it doesn’t effect the admin-side login.

That would make sense. At the moment it appears to be generating a new nonce every time someone visits a public page which trashes the admin side security. Perhaps if ign_pw_protect was session-based…

Mind you, I don’t really know how igner’s voodoo works. Need cola.

Last edited by Bloke (2011-06-15 22:37:54)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#27 2011-06-16 04:27:00

wet
Developer Emeritus
From: Schoerfling, Austria
Registered: 2005-06-06
Posts: 3,330
Website Mastodon

Re: The Sacred Lawn...

Gocom wrote:

…we could generate the nonce only when it doesn’t effect the admin-side login.

Thou shalt not fiddle with our nonce.

Offline

#28 2011-06-16 16:47:46

igner
Plugin Author
Registered: 2004-06-03
Posts: 337

Re: The Sacred Lawn...

Once upon a time, said nonce-fiddling was the only option.

That being said, rather than resetting the nonce, I can probably grab the hash from the existing nonce in the case is_logged_in() returns a valid user; to be honest I’m not sure why I didn’t do that in the first place, except perhaps laziness.

On a side note – what’s the value in stripping the nonce from the user object that is_logged_in() returns? It’s not as though anyone who has access to call is_logged_in() couldn’t then do a lookup to get the nonce?


And then my dog ate my badger, and the love was lost.

Offline

#29 2011-06-16 17:03:46

igner
Plugin Author
Registered: 2004-06-03
Posts: 337

Re: The Sacred Lawn...

oh, wait. that’s why I didn’t – because the nonce is a one-way hash, so I can’t get the hash. So it’d be feasible to rework a number of the validation routines to leverage is_logged_in() to avoid resetting the nonce in the case that there’s a valid admin session for that user.

Sigh.


And then my dog ate my badger, and the love was lost.

Offline

#30 2011-06-17 04:14:02

Manfre
Plugin Author
From: North Carolina
Registered: 2004-05-22
Posts: 588
Website

Re: The Sacred Lawn...

Bloke wrote:

Maybe v0.6 — the version running on mrdale’s server — is radically different from 0.5b9 then.

0.5b11c was the most recent version I found before updating it so that it once again allowed public side logins for txp 4.4. The always updating nonce was added in commit 20e0b2cc0040fc271e90

Offline

#31 2011-06-17 16:25:25

igner
Plugin Author
Registered: 2004-06-03
Posts: 337

Re: The Sacred Lawn...

I just pushed up a change to github that should prevent clobbering the nonce when there’s an existing admin session.

Sadly, I don’t have an up to date install to test on, so in my ongoing tradition of half-assed development on this project, I’m throwing it out there untested. (And to be exceptionally annoying, I cleaned up some of the messy indentation while I had the file open…so the commit is bigger than the actual change).

https://github.com/igneramos/ign_password_protect


And then my dog ate my badger, and the love was lost.

Offline

#32 2011-06-18 05:53:10

wet
Developer Emeritus
From: Schoerfling, Austria
Registered: 2005-06-06
Posts: 3,330
Website Mastodon

Re: The Sacred Lawn...

btw: The grumpy old man is now played by HAL.

Offline

#33 2011-06-18 15:46:45

Dragondz
Moderator
From: Algérie
Registered: 2005-06-12
Posts: 1,538
Website GitHub Twitter

Re: The Sacred Lawn...

authentification not working on new release : txp 4.4.1

I use ign version 6.1 (from igner github) and also tried manfre version but both failed!

The connexion work but when i click a link i got message “There was a problem logging in.”

(Apologise if this is not the right place for that)

Offline

#34 2011-06-18 15:50:44

wet
Developer Emeritus
From: Schoerfling, Austria
Registered: 2005-06-06
Posts: 3,330
Website Mastodon

Re: The Sacred Lawn...

I’d suggest to use ign_password_protect’s own thread for such issues.

Offline

#35 2011-06-18 21:07:19

Dragondz
Moderator
From: Algérie
Registered: 2005-06-12
Posts: 1,538
Website GitHub Twitter

Offline

Board footer

Powered by FluxBB