Session Variables in URL

**Steve Machol** · Tue 28 Oct '08, 12:27pm

That only appears if you are logging in without cookies. Clicking on the 'Remember me' box when you log in will eliminate that, assuming you are not blocking cookies.

**mbaratta** · Tue 28 Oct '08, 12:31pm

Steve,

We are not blocking cookies and I have clicked the "Remember Me" box.

I used the web developer toolbar in firefox to confirm that cookies are being set.

The session information also appears while navigating the site when you are not logged in.

Is this a security issue? We tried to exploit it to ensure a user couldn't but we didn't go that far.
Thanks,

**Zachery** · Tue 28 Oct '08, 12:32pm

I can't see why the session hash would be a security issue or I'm pretty sure something would have come up by now. We've been using a session hash since 1.0. It shouldn't allow a session to be transfered between pc's nor does it create an admin session anywhere.

Here is the code that creates the session

PHP Code:


 $vbulletin->session =& new vB_Session($vbulletin, $sessionhash, $vbulletin->GPC[COOKIE_PREFIX . 'userid'], $vbulletin->GPC[COOKIE_PREFIX . 'password'], $styleid, $languageid);

**mbaratta** · Tue 28 Oct '08, 12:34pm

Thanks Steve and Zachery,

I'm only concerned because this only began happening a couple of days ago.

How can the session hash not allow me to login to the admincp or modcp in FF? I get stuck in a loop.

Thanks,

**Steve Machol** · Tue 28 Oct '08, 2:51pm

If you are clicking on 'Remember me' and not blocking cookies, then the only other possible cause of this is an add-on or your server is blocking cookies.

**Zachery** · Wed 29 Oct '08, 1:17am

Originally posted by mbaratta

Thanks Steve and Zachery,

I'm only concerned because this only began happening a couple of days ago.

How can the session hash not allow me to login to the admincp or modcp in FF? I get stuck in a loop.

Thanks,

We use a different session to validate administrators and moderators. its the cpsession table.

Session Variables in URL

Session Variables in URL

Comment

Comment

Comment

Comment

Comment

Comment