IPB security features

Guest Dincer

Hi, I already have the IPB forum system and it is running all good. But a couple of days ago I had one problem with the admin panel.

The problem was this: someone, whoever it was, stole my cookies, because I saved my password in Internet Explorer. As you know, when you save your password, it goes into the cookies.

So someone, whoever it was, I don't know, somehow stole my cookies and used them to log in to the admin control panel, changed some options and messed up the forum. I am working at a network company, and no offense please, but I am asking the IPB developers for some security features.
For example, when I log in to the CP, the system should look at my cookies; my cookies already have my IP information in them, and I can log in to the CP. But if someone else is using my cookies, the system should look at the IP number, and if it is a different IP number than mine, it shouldn't let them into the CP.
Normally we use security features like this for banks and all other systems. Do you think the IPB developers would make a security feature like this and save a lot of people's lives?
Because normally, if the IP number changes, the control panel should drop you out and you would have to log in again.

But somehow, or somewhere in between those processes, the PHP code should start, and when I log in to the CP it should save my IP from my A cookie to my B cookie. But if someone else tries to log in with my cookies, the system should warn itself and lock that account.
It sounds a little bit confusing, but you may think about it and create more security features like this, and we can sleep tight at night.
Please forward this request to the IPB developers; I need their opinions on this one.
Thanks.
http://www.mjturkiye.net
Admin
Dincer


The ACP doesn't use cookies; you have to enter the user and password info to log in. The cookie does not store the plain-text password. It's conceivable he could log in to the board with your cookie, but the ACP would be off-limits to him. I would suggest resetting your password and enabling the stronghold cookie if you have not done so already. There are numerous features built into IPB to help protect you from attacks like this; you can post over at IPSBeyond or open a ticket in your Client Center if you need help understanding how to use them.


1) The ACP does not use cookies

2) Unless you specifically modified the PHP files (or submitted a ticket and one of the techs did to resolve your issue), the ACP does lock to an IP address. Meaning if you log in to the ACP and navigate, then use the URL with the session id in it from a different IP, the session will be destroyed and you will need to log in again. Likewise, two sessions for one user are not allowed in the ACP.

3) The .txt file was addressed with our last patch, but as previously stated no harm can really come from that.

4) The IP address is not stored with the cookies; if it were, any hacker could fake it. It's pulled from the IP address your computer delivers to the server when communicating with it.


Thanks for your fast reply, bfarber.
I am talking about the board; I was not talking about the ACP.
You know, when you type your information to log in to the IPB forum, you can store your password and it goes into your cookies. If someone stole that cookie from you, is it possible they can log in to your board as admin?
I already turned on the stronghold cookies option. But I also just tested it: I behaved as if I were another person and gave my cookie to my friend, and he tried to log in to the board with my cookie, and he did, as an admin with my account.
Thanks for all your answers.
(edited)
4) The IP address is not stored with the cookies; if it were, any hacker could fake it. It's pulled from the IP address your computer delivers to the server when communicating with it.
I guess that ended my question.


The public side does use cookies, as do 99.9% of web applications these days. If a hacker got your cookie, then yes, they could compromise your session (though they'd still not be able to get ACP access).

If you have the stronghold cookie enabled, however, a separate cookie is set which is based on the first 2 octets of your IP. Is your friend by chance on the same, or a similar, IP address?

The challenge is to NOT let them get the cookie to begin with. IP.Board uses HttpOnly cookies to prevent this via XSS, so the only other way they can get it is via packet sniffing, in which case they could likely just sniff your password right out and not bother with stealing a couple of cookies.
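The two defences discussed in this thread, a session-bound cookie derived from the first two octets of the client IP and HttpOnly/Secure cookie attributes, are sketched below as an added, stand-alone example. It is not IP.Board's code: the cookie names, the HMAC construction and the server key are assumptions made for illustration, and the sample IPs are constructed.

```python
import hashlib
import hmac
import ipaddress

# Hypothetical server-side secret (constructed for the demo; load from config in practice).
SERVER_KEY = b"constructed-demo-key"

def ip_prefix(ip: str, octets: int = 2) -> str:
    """First `octets` octets of an IPv4 address: '203.0.113.5' -> '203.0'."""
    return ".".join(str(ipaddress.IPv4Address(ip)).split(".")[:octets])

def issue_stronghold(session_id: str, client_ip: str) -> str:
    """Stronghold-style value: HMAC over the session id and the client's /16 prefix.
    The IP itself is never placed in the cookie, so a thief cannot edit it."""
    msg = f"{session_id}|{ip_prefix(client_ip)}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def session_cookie_header(name: str, value: str) -> str:
    """Set-Cookie value with the flags that keep scripts and plain HTTP away from it."""
    return f"{name}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"

def check_request(cookies: dict, client_ip: str) -> str:
    """Validate a request's cookies against the IP the server actually sees.
    Returns 'ok', 'missing' or 'ip_mismatch' (hypothetical cookie names)."""
    sid = cookies.get("session_id")
    presented = cookies.get("stronghold")
    if not sid or not presented:
        return "missing"
    expected = issue_stronghold(sid, client_ip)
    # Constant-time compare: a replay from another /16 yields a different HMAC.
    if not hmac.compare_digest(expected, presented):
        return "ip_mismatch"
    return "ok"

if __name__ == "__main__":
    sid = "constructed-session-id"
    jar = {"session_id": sid, "stronghold": issue_stronghold(sid, "203.0.113.5")}
    print(session_cookie_header("stronghold", jar["stronghold"]))
    print(check_request(jar, "203.0.77.9"))      # same first two octets -> ok
    print(check_request(jar, "198.51.100.1"))    # stolen and replayed elsewhere -> ip_mismatch
```

The same-prefix case shows why a friend on a nearby address range can still reuse the cookie: binding to two octets stops replay from a distant network but not from the same /16.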
