Clear authentication cache?


  • Clear authentication cache?

    Evil users have stolen the session ids, via XSS, of members. They can now log into these accounts any time they choose. Is there any way to invalidate all session ids and force universal relogin?

  • #2
    I've tried changing the cookie prefix, even adding something to the md5 salt, but it seems as if vb is not reauthenticating the cookies on each page. Shouldn't there be a password/session/cookie check on critical pages, such as moderation/posting?



    • #3
      Did you try emptying the session table?



      • #4
        Yes, but I don't think that eliminates some of the cookies they've stolen



        • #5
          Originally posted by mxtabs
          Yes, but I don't think that eliminates some of the cookies they've stolen
          Edit: Never mind, all solved now. I modified the algorithm slightly.

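The situation discussed in this thread, as an added example that is not from the original posts and is not vBulletin's code: a generic Python model in which emptying the session table leaves a stolen persistent login cookie valid, while bumping a server-side epoch that is mixed into the cookie forces every account to log in again. The `AuthStore` class, the cookie names (`sid`, `uid`, `remember`) and the epoch scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class AuthStore:
    """Toy model: server-side sessions plus a derived persistent login cookie."""

    def __init__(self):
        self.key = secrets.token_bytes(32)  # server-side secret, never sent to clients
        self.epoch = 1                      # bumped to force universal relogin
        self.users = {}                     # user_id -> stored password hash
        self.sessions = {}                  # session_id -> user_id

    def _remember_token(self, user_id):
        # The token binds the user, the current password hash and the global epoch.
        msg = f"{user_id}|{self.users[user_id]}|{self.epoch}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def login(self, user_id):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user_id
        return {"sid": sid, "uid": user_id, "remember": self._remember_token(user_id)}

    def authenticate(self, cookies):
        sid, uid = cookies.get("sid"), cookies.get("uid")
        if sid in self.sessions and self.sessions[sid] == uid:
            return True                     # live server-side session
        if uid not in self.users:
            return False
        # Fallback: persistent cookie, recomputed and compared on every request.
        expected = self._remember_token(uid).encode()
        return hmac.compare_digest(cookies.get("remember", "").encode(), expected)

    def purge_sessions(self):
        self.sessions.clear()               # same effect as emptying the session table

    def force_relogin(self):
        self.purge_sessions()
        self.epoch += 1                     # previously issued tokens stop verifying


def demo():
    store = AuthStore()
    store.users["alice"] = "constructed-password-hash"  # constructed sample value
    stolen = dict(store.login("alice"))     # copy of the cookies that were captured
    store.purge_sessions()
    after_purge = store.authenticate(stolen)
    store.force_relogin()
    after_epoch = store.authenticate(stolen)
    fresh = store.authenticate(store.login("alice"))
    return after_purge, after_epoch, fresh
```

Invalidation only holds if the XSS hole that leaked the cookies is closed first; otherwise the newly issued cookies can be captured the same way.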