
Textpattern CMS support forum


#25 2011-06-15 22:12:46

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533

Re: The Sacred Lawn...

Bloke wrote:

Bit drastic given the risks. Isn’t the easiest solution to comment out the code in ign_password_protect that regenerates the nonce? Shouldn’t be necessary any longer. From my cursory exam it looks like ign_update_access() is a good starting point.

How isn’t it necessary? We need some method of knowing who is logged in if anything. We can’t just turn off the regeneration of nonce from the public side login. That would give anyone that gets the cookie (mind me, the cookie that would always stay same) access to everything. By effectively knowing who is logged in (yes, something that works with multi-site installs), we could generate the nonce only when it doesn’t affect the admin-side login.


#26 2011-06-15 22:35:00

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,392

Re: The Sacred Lawn...

Gocom wrote:

we could generate the nonce only when it doesn’t affect the admin-side login.

That would make sense. At the moment it appears to be generating a new nonce every time someone visits a public page which trashes the admin side security. Perhaps if ign_pw_protect was session-based…

Mind you, I don’t really know how igner’s voodoo works. Need cola.

Last edited by Bloke (2011-06-15 22:37:54)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp


#27 2011-06-16 04:27:00

wet
Developer Emeritus
From: Schoerfling, Austria
Registered: 2005-06-06
Posts: 3,328

Re: The Sacred Lawn...

Gocom wrote:

…we could generate the nonce only when it doesn’t affect the admin-side login.

Thou shalt not fiddle with our nonce.


#28 2011-06-16 16:47:46

igner
Plugin Author
Registered: 2004-06-03
Posts: 337

Re: The Sacred Lawn...

Once upon a time, said nonce-fiddling was the only option.

That being said, rather than resetting the nonce, I can probably grab the hash from the existing nonce in the case is_logged_in() returns a valid user; to be honest I’m not sure why I didn’t do that in the first place, except perhaps laziness.

On a side note – what’s the value in stripping the nonce from the user object that is_logged_in() returns? It’s not as though anyone who has access to call is_logged_in() couldn’t then do a lookup to get the nonce?


And then my dog ate my badger, and the love was lost.


#29 2011-06-16 17:03:46

igner
Plugin Author
Registered: 2004-06-03
Posts: 337

Re: The Sacred Lawn...

Oh, wait. That’s why I didn’t – because the nonce is a one-way hash, so I can’t get the hash. So it’d be feasible to rework a number of the validation routines to leverage is_logged_in() to avoid resetting the nonce in the case that there’s a valid admin session for that user.

Sigh.


And then my dog ate my badger, and the love was lost.
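The two posts above describe the failure mode (every public-side login regenerates the user’s nonce, so a concurrent admin-side session whose cookie is derived from that nonce is invalidated) and the intended fix (reuse the existing nonce when is_logged_in() reports a valid admin session, otherwise rotate as before). The following is an added, simplified model of that interaction, written for this page; it is not Textpattern’s or ign_password_protect’s code. The store layout, the cookie derivation (a one-way hash of user and nonce) and the function names other than is_logged_in() are assumptions made for the illustration.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Constructed model (hypothetical, not Textpattern's actual implementation):
# each user has one server-side nonce; an admin-side login cookie is a
# one-way hash derived from that nonce, so replacing the nonce invalidates
# every cookie derived from it.


def new_nonce() -> str:
    """Random per-user nonce; the original plugin regenerated this on every login."""
    return secrets.token_hex(16)


def cookie_for(user: str, nonce: str) -> str:
    """One-way hash handed to the browser; the nonce itself never leaves the server."""
    return hashlib.sha256(f"{user}:{nonce}".encode()).hexdigest()


def admin_login(users: Dict[str, str], user: str) -> str:
    """Admin-side login: rotate the nonce and issue a cookie bound to it."""
    users[user] = new_nonce()
    return cookie_for(user, users[user])


def is_logged_in(users: Dict[str, str], user: str, cookie: Optional[str]) -> bool:
    """Model of a valid-admin-session check (stands in for the is_logged_in()
    named in the thread): recompute the cookie from the stored nonce and compare."""
    if cookie is None or user not in users:
        return False
    return secrets.compare_digest(cookie, cookie_for(user, users[user]))


def public_login_clobbering(users: Dict[str, str], user: str) -> None:
    """Behaviour the thread complains about: every public-side login
    regenerates the nonce and so also trashes a concurrent admin session."""
    users[user] = new_nonce()


def public_login_preserving(users: Dict[str, str], user: str,
                            admin_cookie: Optional[str]) -> None:
    """The fix described above: keep the existing nonce when a valid admin
    session exists, otherwise rotate as before.  Rotation still happens for
    users without an admin session, so a captured cookie does not stay valid
    indefinitely (Gocom's objection to simply disabling regeneration)."""
    if is_logged_in(users, user, admin_cookie):
        return
    users[user] = new_nonce()


def scenario() -> Tuple[bool, bool, bool]:
    """Walk through both behaviours for one constructed user."""
    users: Dict[str, str] = {}
    cookie = admin_login(users, "alice")
    before = is_logged_in(users, "alice", cookie)           # True: fresh admin session
    public_login_clobbering(users, "alice")
    after_clobber = is_logged_in(users, "alice", cookie)    # False: nonce replaced
    cookie = admin_login(users, "alice")                    # log back in on the admin side
    public_login_preserving(users, "alice", cookie)
    after_fix = is_logged_in(users, "alice", cookie)        # True: nonce left alone
    return before, after_clobber, after_fix


def rotation_still_happens() -> bool:
    """With no admin session, the preserving variant still rotates the nonce."""
    users = {"bob": new_nonce()}
    old = users["bob"]
    public_login_preserving(users, "bob", None)
    return users["bob"] != old


if __name__ == "__main__":
    print("before / after clobber / after fix:", scenario())
    print("rotation without admin session:", rotation_still_happens())
```

The model deliberately keeps the nonce server-side and compares cookies with a constant-time check; the point it makes is only the ordering one from the thread: decide whether an admin session exists before deciding whether to rotate.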


#30 2011-06-17 04:14:02

Manfre
Plugin Author
From: North Carolina
Registered: 2004-05-22
Posts: 588

Re: The Sacred Lawn...

Bloke wrote:

Maybe v0.6 — the version running on mrdale’s server — is radically different from 0.5b9 then.

0.5b11c was the most recent version I found before updating it so that it once again allowed public side logins for txp 4.4. The always-updating nonce was added in commit 20e0b2cc0040fc271e90


#31 2011-06-17 16:25:25

igner
Plugin Author
Registered: 2004-06-03
Posts: 337

Re: The Sacred Lawn...

I just pushed up a change to github that should prevent clobbering the nonce when there’s an existing admin session.

Sadly, I don’t have an up-to-date install to test on, so in my ongoing tradition of half-assed development on this project, I’m throwing it out there untested. (And to be exceptionally annoying, I cleaned up some of the messy indentation while I had the file open… so the commit is bigger than the actual change).

https://github.com/igneramos/ign_password_protect


And then my dog ate my badger, and the love was lost.


#32 2011-06-18 05:53:10

wet
Developer Emeritus
From: Schoerfling, Austria
Registered: 2005-06-06
Posts: 3,328

Re: The Sacred Lawn...

btw: The grumpy old man is now played by HAL.


#33 2011-06-18 15:46:45

Dragondz
Moderator
From: Algérie
Registered: 2005-06-12
Posts: 1,536

Re: The Sacred Lawn...

Authentication not working on new release: txp 4.4.1

I use ign version 6.1 (from igner’s github) and also tried manfre’s version but both failed!

The connection works but when I click a link I get the message “There was a problem logging in.”

(Apologies if this is not the right place for that)


#34 2011-06-18 15:50:44

wet
Developer Emeritus
From: Schoerfling, Austria
Registered: 2005-06-06
Posts: 3,328

Re: The Sacred Lawn...

I’d suggest using ign_password_protect’s own thread for such issues.


#35 2011-06-18 21:07:19

Dragondz
Moderator
From: Algérie
Registered: 2005-06-12
Posts: 1,536
