
Eduardo Waghabi - 2011-10-26 11:30:43
Hi there,
I was thinking about using this piece of code in my site, but after looking into it a little, it seems to me that the script assumes a non-encrypted password in a session variable.
$password = base64_decode($_SESSION['ps_string']);
So, even if I use password hashing in my user table (let's say with the crypt() php function), the user's password would still be vulnerable the moment I put it in a session variable and call the SessionManage() method. (Right?)
Then I thought about making the integration optional to the user, with a disclaimer of a possible security issue, but then the IDs (in my table and in PHPBB's) would get messy. Not to mention that no one would EVER click on that checkbox.
Do you have any ideas? Or am I just paranoid?
Hugs from Rio de Janeiro,
Eduardo
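An added PHP example (not the integration script's code and not the poster's) contrasting what the `$_SESSION['ps_string']` convention retains with what a crypt()-based user table retains; the plaintext value and the function names `make_hash` and `check_password` are constructed for the demonstration.

```php
<?php
// Constructed sample value for the demonstration.
$plaintext = 'correct horse battery staple';

// What the integration script expects in the session: base64 is an encoding,
// not encryption, so anyone who can read the session data (session files,
// a shared session store, a session-fixation or hijack) gets the password back.
$_SESSION = [];
$_SESSION['ps_string'] = base64_encode($plaintext);
$recovered = base64_decode($_SESSION['ps_string']);
var_dump($recovered === $plaintext);

// What a crypt()-based user table stores instead: a one-way bcrypt hash.
// A "$2y$10$" prefix plus 22 salt characters selects bcrypt at cost 10;
// bcrypt's salt alphabet is ./A-Za-z0-9, so base64's '+' is mapped to '.'.
function make_hash(string $password): string
{
    $salt = '$2y$10$' . substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return crypt($password, $salt);
}

// Verification re-hashes the candidate with the stored hash as the salt and
// compares in constant time; the plaintext never has to be kept anywhere,
// which is exactly what the session-variable scheme gives up.
function check_password(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

$stored = make_hash($plaintext);
var_dump(check_password($plaintext, $stored));
var_dump(check_password('wrong password', $stored));
```

`random_bytes()` and the `$2y$` bcrypt prefix need PHP 7 and 5.3.7 respectively; on a current PHP, `password_hash()`/`password_verify()` wrap the same bcrypt scheme with less room for salt mistakes.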