
Managed to integrate Phorum, but has it been done appropriately/securely?

Posted by tobefound 
Managed to integrate Phorum, but has it been done appropriately/securely?
May 04, 2010 04:49PM
I have a site designed for bus drivers (appr. 400+) having to log in to see their driving schedules and such. Recently they wanted a forum to be able to better communicate on things related to their work. And so I integrated Phorum.

Not all too sure I did things the best way, and was hoping you guys could comment on my integration?

Here's what I did:

  1. Changed /templates/my_site/header.tpl and other relevant tpls to accommodate the look and feel of my site.
  2. As soon as my site has successfully authenticated a login, I set a cookie called "bridge_logged_in". The cookie contains encrypted values for the username and his/her email address.
  3. Created a bridge for the user_session_restore() hook in /mods/my_site/login_bridge.php in which I decrypt the contents of the cookie "bridge_logged_in" (if it does not exist, I redirect to the start page in the hook common_pre()). The retrieved username and email address are then checked for Phorum user existence using phorum_api_user_search("username", $username). If no user id gets returned I create a new user using phorum_api_user_save($user_array). Thereafter I set the user id for both the short and long term session.

This setup seems to work and the system is live as of yesterday with great activity in the new phorum.

BUT, have I done something wrong here? The cookie solution, is it stupid or is there another better way to go? The contents of the cookie are encrypted and should thus pose few security issues. However, with this setup the phorum user is always logged in behind the scenes as I do not log off the phorum user when the user logs out of the main system. The setup now solely relies on the common_pre() to detect for the presence of the "bridge_logged_in" cookie.

Clever comments much appreciated!
Re: Managed to integrate Phorum, but has it been done appropriately/securely?
May 04, 2010 07:13PM
A lot depends upon how your main site cookie is handled and how well trained your users are (to always log off). If the cookie survives you have problems (especially if your users use shared computers or public computers to access your site). This could be caused either by the users not logging off, you not destroying the cookie when they log off or if the computer went down and the cookie survived. Outsiders not knowing the links would not be particularly strong security.
Re: Managed to integrate Phorum, but has it been done appropriately/securely?
May 05, 2010 06:09AM
Thx for responding!

You're right! I do however take special care to make sure the cookie gets deleted once my users log off. If they close the browser the cookie also gets deleted. But in the case of a computer crash, of course the cookie lives on.

The main site cookie is set to expire at the end of the session. Maybe I should change this to a fixed short time frame like 10 minutes or so (which gets extended by 10 minutes as soon as there is activity). What do you think?

The problem of having (or not) well-trained users is hard to get around. If they don't log off, sure their integrity might be compromised and their account might be messed with. There's no getting around this I guess.

I can't see any other approach than the cookie way, do you?

Edited 1 time(s). Last edit at 05/05/2010 06:43AM by tobefound.
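The following is an added example, not code from tobefound's site or from Phorum, showing how the "bridge_logged_in" cookie from the first post can carry an integrity tag and the 10-minute sliding idle window proposed above. Encrypting the username and email hides them, but on its own it does not let the receiving side detect an altered or stale value; an HMAC tag plus an expiry timestamp does, and re-issuing the cookie on each verified request gives the "extended by 10 minutes on activity" behaviour. Assumed, and not on the page: PHP 5.6 or newer (for hash_equals), a secret read from a hypothetical BRIDGE_SECRET environment variable, and the function names below. The Phorum-side lookup and creation calls (phorum_api_user_search, phorum_api_user_save) are deliberately left out; this code only decides whether a cookie is acceptable.

```php
<?php
// Added example (not the poster's or Phorum's code): a tamper-evident,
// expiring "bridge_logged_in" cookie for a login bridge.
// Assumptions: PHP >= 5.6 (hash_equals), a secret in the hypothetical
// BRIDGE_SECRET environment variable, and the cookie name from the thread.

const BRIDGE_COOKIE    = 'bridge_logged_in';
const BRIDGE_IDLE_SECS = 600;   // 10-minute idle window, as discussed in the thread

// The HMAC key is loaded from configuration, never hard-coded in the mod.
function bridge_secret() {
    $secret = getenv('BRIDGE_SECRET');
    if ($secret === false || strlen($secret) < 32) {
        throw new RuntimeException('BRIDGE_SECRET missing or too short');
    }
    return $secret;
}

// Cookie value layout: base64(payload) . '.' . hex(HMAC-SHA256(payload)).
// The payload carries the username, the e-mail address and an absolute expiry.
function bridge_token_create($username, $email, $now = null) {
    $now = $now === null ? time() : $now;
    $payload = json_encode(array(
        'u'   => $username,
        'e'   => $email,
        'exp' => $now + BRIDGE_IDLE_SECS,
    ));
    $tag = hash_hmac('sha256', $payload, bridge_secret());
    return base64_encode($payload) . '.' . $tag;
}

// Verify and decode. Returns array('u' => ..., 'e' => ...) on success, or
// null when the tag does not match, the structure is wrong, or the token
// has expired. The tag is checked before anything in the payload is trusted.
function bridge_token_verify($token, $now = null) {
    $now = $now === null ? time() : $now;
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    list($b64, $tag) = $parts;
    $payload = base64_decode($b64, true);   // strict: reject stray characters
    if ($payload === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $payload, bridge_secret());
    if (!hash_equals($expected, $tag)) {     // constant-time comparison
        return null;
    }
    $data = json_decode($payload, true);
    if (!is_array($data) || !isset($data['u'], $data['e'], $data['exp'])) {
        return null;
    }
    if (!is_int($data['exp']) || $data['exp'] < $now) {
        return null;   // idle window elapsed: treat the visitor as logged out
    }
    return array('u' => $data['u'], 'e' => $data['e']);
}

// Issue the cookie once the main site has authenticated the user.
// httponly keeps it away from page scripts; secure keeps it off plain HTTP.
// Lifetime 0 = session cookie, matching the main site's own cookie.
function bridge_cookie_set($username, $email) {
    $secure = !empty($_SERVER['HTTPS']);
    setcookie(BRIDGE_COOKIE, bridge_token_create($username, $email), 0, '/', '', $secure, true);
}

// Called from the main site's logout so the forum login does not outlive it.
function bridge_cookie_clear() {
    setcookie(BRIDGE_COOKIE, '', time() - 3600, '/', '', !empty($_SERVER['HTTPS']), true);
}

// What a session-restore hook would do with the cookie: accept it only if it
// verifies, then re-issue it so the 10-minute window slides with activity.
function bridge_current_user() {
    if (empty($_COOKIE[BRIDGE_COOKIE])) {
        return null;
    }
    $user = bridge_token_verify($_COOKIE[BRIDGE_COOKIE]);
    if ($user !== null) {
        bridge_cookie_set($user['u'], $user['e']);
    }
    return $user;
}
```

With this layout a cookie that survives a crash stops being accepted ten minutes after the last verified request, and a cookie whose username field has been edited fails the tag check before any Phorum user lookup happens. The main-site logout handler calls bridge_cookie_clear() so the two logins end together.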
Re: Managed to integrate Phorum, but has it been done appropriately/securely?
May 05, 2010 06:43AM
Phorum also has the ability to authenticate without using cookies (URI), but the problem that this brings up is that you can't really post a link into a page well. The short timeout would normally work, but it does tend to really irk users (my webmaster uses that strategy on our website so I have had to use a browser plugin that refreshes a page on the site every 15 minutes to stay logged in). I tend to believe that living with the problem of crashes is the lesser of the evils.
Re: Managed to integrate Phorum, but has it been done appropriately/securely?
May 05, 2010 06:55AM
If a user hasn't been active in say 10 or 20 minutes, then it probably warrants cookie deletion. It's just a matter of getting used to how things work on this site but I get your point. Luckily the characteristics of the site in question are not those of long idle activity ones.

But would you or anyone else say there are other security issues with this setup? There must be a preferred way to integrate with Phorum based on my needs. Maybe this is it?