Cookies And Logins

[digip]

If anyone notices the forums are not saving your logins and cookies properly (it shouldnt since there is a typo) you can manually enter them once you login by copying the cookie and entering them at the url prompt using:

java script:document.cookie="hak5_coppa=your_values";
java script:document.cookie="hak5_ipb_stronghold=your_values";
java script:document.cookie="hak5_member_id=your_values";
java script:document.cookie="hak5_pass_hash=your_values";
java script:document.cookie="hak5_session_id=your_values";

Once added, use whatever cookie editor you like and change the expiration date so it saves it for later use, or edit the javascript command to add an expiration date on your own. See here for more help: http://www.w3schools.com/js/js_cookies.asp

It seems the site is setting the cookies for "forum.hak5.org" instead of "forums.hak5.org". Im not sure how other browsers are handling this or if it is causing you a problem, but Opera is smart enough to not let the forums grab cookies for for a different url (which is a good thing) so if I close the browser or leave the site, I have to log in again. Once I entered them with the commands above, it works fine. I tweeted to Darren about this, but I know hes busy on vacation.

In the meantime, if you see this issue not saving your logins each time you come back, this is the problem.

[Charles]

For whatever reason that just seems to go right over my head. *headdesk*

[digip]

Vako said it was his typo, he will fix tomorrow, so won't have to worry about it.

..but if you wanted to know, you type the command (without the space in the word "javascript") into the address bar of your browser and it sets the cookie value you supply to it. What that value is, depends on what you are able to capture from the login process to the forums. How you captrue that is also up to you, but I can copy them from my browsers settings to set them correctly in Opera.

You could also use a network sniffer, such as Wireshark to find the cookie values for your login, which is initially how I figured out what the problem was with the wrong domain values.

If you wanted to play with this more, go to something like google.com (with cookies enabled of course) and then type into the addressbar:

java script:document.write(document.cookie);

It should then tell you what cookies are set for that specific page. Go to news.google.com and do it again, and you should see some additional info. Each specific domain name or web address can have its own cookie. This is why the logins are not saved on the forums at the moment, because when you close your browser and come back, they try to talk to your browser, looking for cookies at forums.hak5.org (forums with an "s"), but they wont be there since they were actually set for forum.hak5.org (no "s" in forums).

If by chance your browser didnt save the logins properly and lets you stay logged on, well, then your browser is insecure and you might want to look into that. If another site was able to access cookies for a different domain you logged onto, then they could steal your login credentials, and spoof your login without the need for a username and password - Cookie authentication alone.

[Charles]

Ahhh. Gotcha. Fortunately my browser doesn't keep me logged it.

I seem to recall reading something like that could be used with XSS to grab cookie data (from Yahoo I think), but I cannot remember where I read it.

[VaKo]

I buggered up a setting, so now its been fixed. Please report any issues here.

[Charles]

Great job getting the site and forums up and running.

[VaKo]

Jason Applebaulm did all the work.

[Charles]

Credit goes where credit is deserved. :D