FuelPHP Forums
Remember cookie user mismatch - security issue
  • Hi Harro,

    I have a very weird issue that is driving me crazy.
    I have simple auth configured, and I used to have the remember me functionality. For at least a year now.
    This week a user showed me the screen and he had been logged in as another user.
    No login prompt, directly into the system, using the remember me, but as a different user.
    He was, obviously, concerned about the application security.
    I disabled remember me cookie creation, but I had not found the parameter in simpleauth.php.

    Today it happened again. We could see the existing cookies, so there was in fact a remember me cookie, probably from last week.
    This time, logged in as yet another different user.

    I have now disabled the remember me functionality in the fuel/app/config/simpleauth.php file, but I am panicking about the system suddenly being unreliable.

    What could have caused this? There is in fact something that has changed since last week, and that is that I have moved the VPS where the application runs to another server, with a different IP. I can't think of anything else that could be so different that could cause this.

    I run Fuel 1.8, with PHP 7.0.17.
    Session management is using file.

    Any help debugging this would be really appreciated.

    Thank you very much. Best regards.
  • Harro Verton
    Accepted Answer
    Remember me is implemented using a separate session instance, using an encrypted cookie. 

    The cookie is stored locally by the browser, so it is linked to the PC and the browser installed on it, and not the user. Did someone else use that PC before that user did?

    The cookie contains the user-id of the user to be remembered, so if you use a browser which has been used by someone else earlier, and that person logged in with remember_me enabled, the next user will not be prompted to login. 

    This is the way the remember-me function works, you will have that with any site or application that has this functionality. 
  • Hi Harro,
    yes, I understand that. The weird, worrying thing is that nobody else used that same computer. And those two users are geographically separated by more than 600 km.

    I am thinking that it may be related with a networking/routing change we have done to the VPS and that the IP addresses somehow may have been affected. Still trying to debug that.

    But if you say the cookie has the user_id, that is what confuses me. In my logs I just have the visit of the usurped user, no login.

    Honestly, I cannot find an explanation. I assume some sort of collision has occurred, but given how the hashes are generated it is impossible.
    I have disabled the remember me functionality for now completely.

    Many thanks anyway.


  • If you check the code of the Auth_Login_Simpleauth class, you'll see in perform_check() that it will check for the existence of a remember-me cookie, and if it exists, it will retrieve the "user_id" variable from it, and use that to call the force_login() method.

    force_login() will use that user_id to query the user database, and log the user in. Looking at that code, I don't really see how it is possible to be logged-in as another user.

    Your users table has a PK called 'id', which is int auto-increment? No overload of an Auth method that could interfere?

    Was this a single occurrence, or can it be reproduced? If it happens regularly (enough), it might not be a bad idea to log IP address and username in perform_check(), and log IP address and user_id in force_login(). And perhaps in logout() too. Given the fact you know the IP of this user, you should be able to have a picture of the login/logout activity of this particular PC, and be able to see at least what happens when the user encounters this.

    Based on the outcome we can debug further, as long as the cause is not known, it is not only an issue for you, but also potentially for every other Fuel user, and that worries me.
  • Hi Harro,

    Thank you for your time.
    There are no overloads of the auth methods. And the user table has a PK 'id', int auto-increment. As explained in the documentation.

    It has occurred twice, each time as a different user (the user reporting the issue sent me snapshots of him being logged in as two other different users, with one week difference).
    But I haven't tried to reproduce it on production yet (doing it myself, etc), I just reacted closing the feature.

    I will add those checks as suggested, but honestly I don't dare to enable rememberme in production again.

    I will enable it on the staging servers, though, and try to run some tests against it; let's see if I can reproduce it.

    As said, we have made a networking change on the VPS that consists of that server having a public IP for the web requests, but its own gateway goes through the internal network, which has a different outgoing IP address. At some point, I saw in the logs that incoming HTTP requests appeared to come from 127.0.0.1.
    It can be that the rememberme cookie got that IP address, due to network misconfiguration, which would be the same IP for every user. But if you say that the userid is also included in the cookie, that shouldn't be it.
    I have checked now and I can't reproduce the 127.0.0.1 issue but I have put a log on that.

    Thank you very much for your help, I'll try to get to the root of this.
    Best

  • Harro Verton
    Accepted Answer
    It can't be related to the IP address change, the remember-me cookie is browser specific, and can only be created in that browser (unless you have disabled all cookie security). 

    Just thought of this:

    Do you have multiple Fuel applications in the same domain by any chance? Or test, staging and production in the same domain? If so, check how your cookies are created: if they are created for the whole domain instead of only the host, and your apps don't have different encryption keys, cookies from one app can be picked up by another app.
    We have a single Fuel application under several subdomains. That is a wildcard subdomain; each user has their own subdomain: user1.domain.tld, user2.domain.tld, etc. All of them access the same codebase in the same vhost.
    The cookie is valid for *.domain.tld
    Staging and develop have their own domains and they are in different servers each.
    In the config for simple_auth I had both IP address and browser agent to true.
    Can that be related?

    What does this mean?
    >(unless you have disabled all cookie security).

    Thank you, best

  • In that setup, the remember-me cookie will be valid for all your sites (subdomains), so if all use the same user table, the user will be able to access ALL sites (user1, user2, etc), but with his own credentials, not with that of another user.

    So if you haven't made sure user1 can't have access to user2.domain.tld, all hostnames are accessible to all users.
  • Hi Harro,

    good news, I found the cause.
    In fact, it is what you mention above. This is a mistake of our design. I thought of develop, staging, etc but I forgot this:
    We have several nodes in production (USA, Europe, etc). Each one has a separate database of users, as they are unrelated.
    As the *.domain.tld is common to all the nodes, the cookies are valid throughout the system.
    Last week, not only was that user moved (the VPS), he also created two new accounts in a different node (for various reasons, just a coincidence).
    It happens that the rememberme cookie saved the ID of the users in the US node (us.domain.tld).
    Then he opened a new session going to eu.domain.tld. The system accepted the cookie, as it was valid, and read the userid. The userid from the US node is obviously mapped to a different user (with the same userid) in the European node. And he did that twice, with both accounts -> two different other users. (facepalm)

    I am very sorry for the concerns, but really appreciate your help, thanks to you I could find the mistake.
    Fuel works perfectly, our design does not.

    That means that in order to allow rememberme functionality we would have to restrict the cookies to each domain eu.domain.tld, us.domain.tld, etc.

    Thank you very much.
    Best regards


  • No problem, good to know you found the problem, and great to know it's not something in our Auth framework. ;-)

    Currently, the remember-me cookie shares most of its config with the generic session cookie definition in your session.php config file. So the cookie domain and path changes will also affect your standard sessions; take that into account.
  • Thank you!
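The id collision described in the root-cause post above, and the host-only cookie fix it leads to, as an added example that is not part of the thread and not FuelPHP's own code. It models two production nodes with separate users tables behind one wildcard cookie domain, a simplified RFC 6265 cookie domain match, and the perform_check()/force_login() flow Harro describes (read user_id from the cookie, look it up in the local table). The node names, user records and the `node` field added to the cookie payload are constructed for the demonstration; the `cookie_domain` key mentioned in the closing comment is assumed to be the relevant session.php setting, not quoted from the thread.

```php
<?php
// Constructed data: two nodes, each with its own users table. Integer
// primary keys collide across nodes because the databases are unrelated.
$nodes = [
    'us.domain.tld' => [1 => 'alice@us', 2 => 'bob@us',  3 => 'carol@us'],
    'eu.domain.tld' => [1 => 'dave@eu',  2 => 'erin@eu', 3 => 'frank@eu'],
];

// Build a remember-me cookie as the issuing node would. $domain === null
// models a host-only cookie (no Domain attribute); '.domain.tld' models the
// wildcard scope the thread's setup used. 'node' is an added binding field.
function issueCookie(string $host, int $userId, $domain = null): array
{
    return ['user_id' => $userId, 'node' => $host, 'set_by' => $host, 'domain' => $domain];
}

// Simplified RFC 6265 matching: would the browser send this cookie to $host?
function cookieIsSentTo(array $cookie, string $host): bool
{
    $host = strtolower($host);
    if ($cookie['domain'] === null) {
        // Host-only cookie: exact host match only.
        return $host === strtolower($cookie['set_by']);
    }
    $domain = ltrim(strtolower($cookie['domain']), '.');
    $suffix = '.' . $domain;
    return $host === $domain
        || (strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix);
}

// Mirrors the flow from the thread: perform_check() takes user_id from the
// cookie, force_login() looks that id up in the node's own users table.
// Returns the user that would be logged in, or null for a normal login prompt.
function restoreFromCookie(array $nodes, array $cookie, string $host, bool $checkNode)
{
    if (!cookieIsSentTo($cookie, $host)) {
        return null; // browser never presents the cookie to this host
    }
    if ($checkNode && $cookie['node'] !== $host) {
        return null; // defence in depth: cookie was issued by another node
    }
    return isset($nodes[$host][$cookie['user_id']]) ? $nodes[$host][$cookie['user_id']] : null;
}

// 1. The broken setup: wildcard domain, no node binding. The same cookie
//    resolves to a different person on the EU node.
$wild = issueCookie('us.domain.tld', 3, '.domain.tld');
printf("wildcard cookie on us: %s\n", var_export(restoreFromCookie($nodes, $wild, 'us.domain.tld', false), true));
printf("wildcard cookie on eu: %s\n", var_export(restoreFromCookie($nodes, $wild, 'eu.domain.tld', false), true));

// 2. The fix from the thread: scope the cookie to the issuing host, so the
//    browser never sends it to the other node.
$scoped = issueCookie('us.domain.tld', 3, null);
printf("host-only cookie on eu: %s\n", var_export(restoreFromCookie($nodes, $scoped, 'eu.domain.tld', false), true));

// 3. Defence in depth: even a wildcard cookie is refused by a foreign node
//    when the payload records which node issued it.
printf("wildcard cookie on eu, node-checked: %s\n", var_export(restoreFromCookie($nodes, $wild, 'eu.domain.tld', true), true));

// In FuelPHP the remember-me cookie inherits the session cookie settings (see
// Harro's last reply), so the real change belongs in fuel/app/config/session.php.
// The key name below is assumed, not taken from the thread:
//   'cookie_domain' => '',   // empty = host-only cookie, one per node
```

Run with `php example.php`. Case 1 shows the thread's symptom: a cookie carrying id 3 from the US node logs the browser in as the EU user who happens to have id 3. Case 2 returns no user because a host-only cookie is never sent to eu.domain.tld, which is the fix the thread settles on; case 3 adds a second, independent check inside the application so that a misconfigured cookie domain alone cannot reproduce the problem. Because the session cookie shares the same domain and path settings, scoping the cookie per host also ends any single-sign-on across subdomains that the wildcard scope was providing, which is the trade-off Harro's last reply points out.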
