Discuz! Analysis of Cookie mechanism for login verification

Every Discuz! The forum has a specific authkey, that is, Discuz! In the program, $ _ DCACHE ['Settings'] ['authkey'] and together with the user's browser feature value HTTP_USER_AGENT, constitute the discuz_auth_key variable. the following code is used to build my vita system, conflicts between administrator management convenience and system security risks discovered
The whole site uses cookie verification. for example, wordpress verification is based on cookies because cookies are transmitted in plaintext.
The cookie is easily intercepted in the LAN, or the vita has an XSS vulnerability when I am not cool,
In this case, the website is xxx


Another scenario is to use the session to authenticate the administrator identity. However, due to the inherent session processing mechanism of php, it cannot be saved for a long time. the session system built using the database has a high overhead, in this case, I had to first study how everyone did it.


So I analyzed Discuz! Login authentication mechanism


Every Discuz! The forum has a specific authkey, that is, Discuz! In the program, $ _ DCACHE ['Settings'] ['authkey'] and the discuz_auth_key variable is combined with the user's browser feature value HTTP_USER_AGENT. the following code is used:
The commone. inc. php file contains about 130 lines.


$ Discuz_auth_key = md5 ($ _ DCACHE ['Settings'] ['authkey']. $ _ SERVER ['http _ USER_AGENT ']);




In Discuz! After a forum user logs in, there will be a cookie named cdb_auth (cdb _ is the name of your site, which can be set not in the config. inc. php file), Discuz! The forum relies on this to determine whether a user is logged in. before analyzing the content of this value, let's see how it is generated.
List ($ discuz_pw, $ discuz_secques, $ discuz_uid) = empty ($ _ DCOOKIE ['auth '])? Array ('','', 0): daddslashes (explode ("\ t", authcode ($ _ DCOOKIE ['auth'], 'decode'), 1 );


To explain, the obtained client cookie goes through Discuz! After the authcode function is decrypted, the username and password entered by the user will be obtained. in the authcode function, the value of $ discuz_auth_key is used. if you do not know $ discuz_auth_key, basically, the probability of decompressing the user name and password based on the value in the cookie is 0. Similarly, in the process of generating cdb_auth, the user name and password entered by the user are obtained first, after the verification is correct, use authcode to encrypt and write the cookie.
The above is Discuz! The login verification process of common users is not detailed and can be viewed clearly.