
User names can be changed even though set to NOT TO

Moderators: OldWolf, re*s.t.a.r.s.*2


Postby waiheke » Sun Oct 24, 2010 11:18 am

A user can open a new browser window, and put a new user name, and then it changes their name in the first window

Postby OldWolf » Sun Oct 24, 2010 9:01 pm

Do you mean when frozen_nick is true?

Postby waiheke » Mon Oct 25, 2010 7:45 am

Yes it looks that way

Postby OldWolf » Mon Oct 25, 2010 8:31 am

I'm not sure how we'd patch this one. Frozen Nick is generally for the purpose of integration, so that a user cannot change their nick off of what's set by a system (such as a forum). I'm not sure it was designed to prevent nick changes in a more standalone setup, because the user could always just leave and come back in with a new nick (which would make sense, and that portion would not be a bug). The only way to prevent this would be to prevent users from being able to quit and come back or something, which just wouldn't make sense.

Postby re*s.t.a.r.s.*2 » Mon Oct 25, 2010 7:22 pm

That's not possible,

If you enter the chat in standalone and you put a nickname, and then open another window or tab and go to the chat, you get your same nickname because both open windows hold the same session cookie and the chat picks up that session automatically (not possible). Now if you open IE and go to the chat you can get a new nickname because Firefox and IE have a different session cookie. I am using version pfc 1.2, and if you attempt to use the nick command this tells you that you can't change nickname because I have frozen nick to "TRUE"... regards
Last edited by re*s.t.a.r.s.*2 on Mon Oct 25, 2010 7:23 pm, edited 1 time in total.

Postby waiheke » Wed Oct 27, 2010 5:27 am

re*s.t.a.r.s.*2 wrote: That's not possible,

......

Oh okay then

:)

Bees defy the laws of physics and aerodynamics when they fly - but they don't know that. They fly.

Possible or not, I have seen several users discover it could be done, and having a great time flicking between names. Later, when all was quiet, I tested it myself, using Firefox. It's what happened.

pfcglobalconfig.class.php entry is thus:

var $frozen_nick = true;


However ?
I have already identified the user, but a couple of pages of entry questions, and the user name is now in their session.

Should I do something with this variable:

var $nick = "";


??

Cheers!

Postby zagor256 » Mon Nov 01, 2010 10:02 pm

As far as I know, a frozen_nick username can only be changed when you change session data. It happens with phpbb integration and I think all other integrations. When a user logs out from phpbb and then logs in with a different username, his username on chat changes and displays 'xxx changes his username to yyy'. I've never had the problem like you. Maybe your user manually changes session data (it could be done with the web developer plugin for Firefox,... it also depends on what type of integration you are using and how session data is stored).

Postby re*s.t.a.r.s.*2 » Tue Nov 02, 2010 12:04 am

waiheke wrote: Bees defy the laws of physics and aerodynamics when they fly - but they don't know that. They fly.

Possible or not, I have seen several users discover it could be done, and having a great time flicking between names. Later, when all was quiet, I tested it myself, using Firefox. It's what happened.

pfcglobalconfig.class.php entry is thus:

var $frozen_nick = true;


However ?
I have already identified the user, but a couple of pages of entry questions, and the user name is now in their session.

Should I do something with this variable:

var $nick = "";


??

Cheers!

Dude, if you destroy the damn phpfreechat session cookie and then re-enter the chat without going to the user form you have, and just reload the chat after destroying the cookie, you can get a new nick even if you have the damn frozen nick set to true...
Just think about have not much of thinking...
but that's a normal thing the chat does, is supposed to be like that...

Postby waiheke » Tue Nov 02, 2010 3:39 am

qué ?

I am not 100% sure what you said

sorry ?

Postby waiheke » Tue Nov 02, 2010 8:54 am

I will keep you informed, but have added this to the top of the chat page:
It's a redirect, to see if I can force the user back to the login

Code:
// Send visitors without a session name back to the login page, then stop the script.
if ($_SESSION['name'] == "") { header("Location: index.php"); exit; }

Postby re*s.t.a.r.s.*2 » Tue Nov 02, 2010 7:11 pm

However you authenticate the user, it would be better doing this:
Code:
$userIsLogged=$_SESSION['name'];
if(!$userIsLogged){
    header("Location: index.php");
    exit; // stop here so the rest of the chat page is not sent
}

just shutting out this, don't know how you authenticate your user...
that would be a cleaner way to do it... regards

Postby re*s.t.a.r.s.*2 » Tue Nov 02, 2010 8:19 pm

To replicate your mistake...

1. Log in with a registered nick.
2. Go to the chat as logged in.
3. Open up the page where you log in, in a different browser tab, and enter the chat as a guest user.
4. Go in the chat as the guest; you would see that your registered nick gets changed by the guest nick in the step 1 in the chat...

So it is not phpfreechat's fault, it's the lack of security you have. You would fix this if you test at the login form whether the user has a session initialized, and if the session is true, deny the login form or redirect to the chat...
Meanwhile I have found security flaws at your site twice..
regards..

Postby OldWolf » Tue Nov 02, 2010 10:29 pm

re*s.t.a.r.s.*2 wrote: However you authenticate the user, it would be better doing this:
Code:
$userIsLogged=$_SESSION['name'];
if(!$userIsLogged){
    header("Location: index.php");
    exit; // stop here so the rest of the chat page is not sent
}

just shutting out this, don't know how you authenticate your user...
that would be a cleaner way to do it... regards

Wouldn't that throw a notice? If so:
Code:
if(!isset($_SESSION['name']) || empty($_SESSION['name'])) {
    header("Location: index.php");
    exit; // stop the script after sending the redirect
}

Postby re*s.t.a.r.s.*2 » Tue Nov 02, 2010 11:01 pm

OldWolf,
if $userIsLogged is empty or not set, it will redirect you anyway in the code I put, doesn't it?
Although your code is good too..
I had put that code before finding the security issue at waiheke's site.
Remember I am still a noob at all this coding stuff

Postby OldWolf » Wed Nov 03, 2010 12:52 am

Yes, it certainly will work. My point was (as I mentioned) I think it might throw a notice. Some people try not to have any notice/warnings.
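An added example, not part of any post above and not phpFreeChat code: one guard covering both checks discussed in the thread, the chat-page check for a session name and the login-form check for a user who is already identified. `$_SESSION['name']` and `index.php` come from the posts; `chat.php`, the page labels and the function names are assumptions.

```php
<?php
// Added example. From the thread: $_SESSION['name'], index.php.
// Assumptions: chat.php, the page labels 'chat'/'login', all function names.

/** True only when the session holds a non-empty string name. */
function is_identified(array $session): bool
{
    // isset() first avoids the undefined-index notice discussed in the thread.
    return isset($session['name']) && is_string($session['name'])
        && trim($session['name']) !== '';
}

/** Redirect target for a page, or null when the page may be served. */
function redirect_target(string $page, array $session): ?string
{
    if ($page === 'chat' && !is_identified($session)) {
        return 'index.php';  // no identity yet: back to the login form
    }
    if ($page === 'login' && is_identified($session)) {
        return 'chat.php';   // identity already set: do not offer the form again
    }
    return null;
}

/** Call first on index.php ('login') and on the chat page ('chat'). */
function enforce(string $page): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $target = redirect_target($page, $_SESSION);
    if ($target !== null) {
        header('Location: ' . $target);
        exit; // header() only sets the response header; exit stops the page body
    }
}

// Constructed sessions, checked from the command line.
if (PHP_SAPI === 'cli') {
    $cases = [
        ['chat',  []],                   // cookie destroyed, chat reloaded
        ['chat',  ['name' => 'alice']],
        ['login', ['name' => 'alice']],  // second tab opens the login form
        ['login', []],
    ];
    foreach ($cases as [$page, $session]) {
        printf("%-5s %-16s => %s\n", $page, json_encode($session), redirect_target($page, $session) ?? 'serve page');
    }
}
```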
