here is phpbb's cookie
How does phpbb understand the following:-
who is the user assigned to the cookie
preventing or making faking cookies hard
What does all this fancy code mean such as %?
Could some one translate all this URL code into normal code which we understand?
waiting to hear from you..
This is a serialized array from php. Specifically it contains two keys, "autologinid" and "userid". Both are of string type, the autologin hash key has a value of "670b14728ad9902aecba32e22fa4f6bd", whereas the value of "userid" is 2.
As for how that works, well it depends on if you are on versions <2.0.18, or if you are on 2.0.18.
For versions <2.0.18 (as it appears you are on):
The userid variable is the user id of the account to use. The autologinid is an md5 of the users password. This is compared to the stored MD5 value in the users table, if they match, the user is logged in.
For version 2.0.18:
The userid variable is the user id of the account to use. The autologinid is the md5 of a psuedorandom value, generated when the user wants to auto login. This is compared to the MD5 of the MD5 of the PRN. This means whatever autologinid the user has is sent through MD5 then compared to the stored value in the database. Every time the user logs on, a new autologin id is generated.
The new system has two advantages. The first is that a variation of the users password is no longer stored on the machine. The second is that a read only database compromise won't allow an attacker to take over an account (without brute forcing the md5 hash).
A couple other notes, as far as I know, this does not fix any exploits in phpBB, it simply is a more secure way of doing it and helping to hamper any exploit attempts. A second is that he already gave out that password to a test account in another thread.
Hope this helps.