Session duration vs security

Get help with installation and running phpBB 3.2.x here. Please do not post bug reports, feature requests, or extension related questions here.
scottlambert40
Registered User
Posts: 8
Joined: Thu Aug 04, 2016 2:15 pm

Post by scottlambert40 » Sun Jun 09, 2019 7:36 pm

Hi,
I run a forum that is by subject nature quite secretive.
Only the minimum of personal information is gathered during registration and about 10% of members contribute to running costs via PayPal.

I am being pressured to increase session duration by a number of members to 2 days. Does this present any significant security implications? I am not sure what a hacker could steal if they managed to get in.

I would appreciate your views.

Scott

stevemaury
Support Team Member
Posts: 50413
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve
Contact:

Re: Session duration vs security

Post by stevemaury » Sun Jun 09, 2019 7:51 pm

Do you allow "remember me" logins?
For REALLY good and VERY inexpensive hosting CLICK HERE

I can stop all your spam. I can upgrade or update your Board. PM or email me. (Paid support)

scottlambert40
Registered User
Posts: 8
Joined: Thu Aug 04, 2016 2:15 pm

Re: Session duration vs security

Post by scottlambert40 » Sun Jun 09, 2019 8:30 pm

I think so

stevemaury
Support Team Member
Posts: 50413
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve
Contact:

Re: Session duration vs security

Post by stevemaury » Sun Jun 09, 2019 10:50 pm

Then all the users have to do is check "Remember me" and it will be as though their session never ends.

John connor
Registered User
Posts: 2054
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron
Contact:

Re: Session duration vs security

Post by John connor » Sun Jun 09, 2019 11:55 pm

I doubt your board is as secure as you think it is. Run the IP through Shodan and then read my signature on how to protect your forum from would-be hackers.

JimA
Community Team Leader
Posts: 7604
Joined: Thu Jul 31, 2008 5:54 am
Location: The Netherlands
Name: Jim Mossing Holsteyn
Contact:

Re: Session duration vs security

Post by JimA » Mon Jun 10, 2019 4:42 pm

The answer is no, this doesn't make your board significantly more insecure. Stealing a session could under some circumstances lead to an account being taken over. However, there are many protections against that happening within phpBB; increasing the session length does not suddenly get rid of all these protections, so the risk might theoretically grow, but only by a tiny and insignificant bit.

Also, while everybody is free to have their own opinions, I feel the need to say phpBB is secure software (feel free to check independent benchmarking websites for this) and the suggestions that John Connor gives seem unnecessarily paranoid and bloaty to me.
Jim Mossing Holsteyn - Community Team Leader
Knowledge Base | Documentation | Board rules

If you're having any questions about the rules/customs of this website, feel free to drop me a PM.
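
The interaction stevemaury and JimA describe above, as an added example that is not part of the thread and is not phpBB code: a simplified model of an idle-timeout session plus a "remember me" key, showing for how long a set of cookies keeps logging in before and after session length is raised from 1 hour to 2 days. The setting names, the 30-day key lifetime and the idle-timeout behaviour are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

HOUR, DAY = 3600, 86400


@dataclass
class Board:                          # hypothetical settings, not phpBB's config names
    session_length: int               # idle timeout of a session, in seconds
    remember_lifetime: Optional[int]  # lifetime of a "remember me" key; None = disabled


def accepted(board: Board, idle: int, ticked: bool) -> bool:
    """Is a request arriving `idle` seconds after the last one still logged in?"""
    if idle <= board.session_length:
        return True                   # the session itself has not timed out
    # Session expired: a valid "remember me" key silently creates a new one.
    # Assumption: the key's lifetime is counted from that same last request.
    return (ticked and board.remember_lifetime is not None
            and idle <= board.remember_lifetime)


def exposure_hours(board: Board, ticked: bool, horizon: int = 60 * DAY) -> int:
    """Longest idle gap (whole hours, up to `horizon`) after which the cookies still log in."""
    longest = 0
    for idle in range(0, horizon + 1, HOUR):
        if accepted(board, idle, ticked):
            longest = idle
    return longest // HOUR


def compare(old_len: int, new_len: int, remember_lifetime: Optional[int]) -> dict:
    """Exposure in hours (before, after) a session-length change, per kind of user."""
    out = {}
    for ticked in (False, True):
        before = exposure_hours(Board(old_len, remember_lifetime), ticked)
        after = exposure_hours(Board(new_len, remember_lifetime), ticked)
        out["remember me" if ticked else "session only"] = (before, after)
    return out


if __name__ == "__main__":
    # Constructed scenario: 1-hour sessions raised to 2 days, 30-day remember-me keys.
    for kind, (before, after) in compare(HOUR, 2 * DAY, 30 * DAY).items():
        print(f"{kind:13s} {before:4d} h -> {after:4d} h")
```

For users who tick "Remember me" the window is set by the key lifetime and does not move; only users who leave the box unticked see it grow from 1 hour to 48 hours.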

scottlambert40
Registered User
Posts: 8
Joined: Thu Aug 04, 2016 2:15 pm

Re: Session duration vs security

Post by scottlambert40 » Mon Jun 10, 2019 7:28 pm

Thanks guys

My gut was that it wasn’t really an issue.

Scott

John connor
Registered User
Posts: 2054
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron
Contact:

Re: Session duration vs security

Post by John connor » Tue Jun 11, 2019 6:36 pm

JimA wrote:
Mon Jun 10, 2019 4:42 pm
I feel the need to say phpBB is secure software (feel free to check independent benchmarking websites for this) and the suggestions that John Connor gives seem unnecessarily paranoid and bloaty to me.
With my use of CIDRAM and Ninjafirewall I have seen many attacks. Whether those attacks can be deployed on phpBB I don't know, but I'm not going to say, yeah, let's drop the firewall because phpBB is "the most secure board out there." If something does come along that is able to attack phpBB I'm not going to be there with my pants down and get owned and tea bagged. I refuse to be a victim.

Again, Ninjafirewall has caught directory traversal, XSS attacks and other things and CIDRAM has kept things like spam and connections from Azure, Google cloud, Digital Ocean you name it from connecting to my server. There's no reason why a server needs to connect to a server unless it's Google bot, etc. And in CIDRAM is search engine validation so if you try to look at my robots for example that prevent the viewing of certain folders you can't see it unless you are Google, Yahoo, Bing.

Anyway, it's just how I roll.

canonknipser
Registered User
Posts: 1963
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs
Contact:

Re: Session duration vs security

Post by canonknipser » Tue Jun 11, 2019 8:46 pm

If you are a "big player" in your business, for sure you need good protection against attackers. But for most people having non-profit web pages, a potential attacker has no interest in hacking you. Maybe you attract those kinds of people because you have a high wall of defence - just to test out their possibilities to break those walls and use their findings to attack the real target sites.

But quoting Nirvana
just because you're paranoid doesn't mean they're not after you
- even if those who are after you are like bitchecker :mrgreen:


But you also know the urban legends about security agencies developing security tools for everybody? Maybe just to implement backdoors on the systems where those tools are installed - remember: just an urban legend ...
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB

John connor
Registered User
Posts: 2054
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron
Contact:

Re: Session duration vs security

Post by John connor » Wed Jun 12, 2019 4:15 am

canonknipser wrote:
Tue Jun 11, 2019 8:46 pm
even if those who are after you are like bitchecker :mrgreen:
That reminds me of a YouTube video of a kid talking about how to DDoS someone with the ping x.x.x.x -t command. :lol:

But you also know the urban legends about security agencies developing security tools for everybody? Maybe just to implement backdoors on the systems where those tools are installed - remember: just an urban legend ...
You honestly think that thought never crossed my mind? :lol: I have and do read books on the NSA and other things related to escape and evasion, how to stay hidden, SAS fighting techniques, Navy SEAL techniques, etc. "I have a particular set of skills..." My latest book I bought is Surprise, Kill, Vanish. I highly recommend the book Violence Of Mind by Varg Freeborn.

Anyway, you'd have to get my origin IP first I guess to infect the underlying server. But then again, I wouldn't put it past a three letter agency not to be in bed with CloudFlare. :ugeek: I guess rolling your own server from home sounds good. But you'd have to pay for the Internet upload speed. :lol:

canonknipser
Registered User
Posts: 1963
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs
Contact:

Re: Session duration vs security

Post by canonknipser » Wed Jun 12, 2019 9:16 am

John connor wrote:
Wed Jun 12, 2019 4:15 am
But you'd have to pay for the Internet upload speed. :lol:
And for the extra security to keep the men with the black hat from entering your home and copying the hard drive of your server ...

To be absolutely secure, you need to keep away from internet, mobile and landline connections, streets, hospitals and every other source of potential danger.

Mick
Support Team Member
Posts: 21055
Joined: Fri Aug 29, 2008 9:49 am
Location: Watching cricket - definitely

Re: Session duration vs security

Post by Mick » Wed Jun 12, 2019 10:18 am

Paranoia can be fixed in most cases.
"The more connected we get the more alone we become" - Kyle Broflovski

John connor
Registered User
Posts: 2054
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron
Contact:

Re: Session duration vs security

Post by John connor » Wed Jun 12, 2019 10:37 am

canonknipser wrote:
Wed Jun 12, 2019 9:16 am
John connor wrote:
Wed Jun 12, 2019 4:15 am
But you'd have to pay for the Internet upload speed. :lol:
And for the extra security to keep the men with the black hat from entering your home and copying the hard drive of your server ...

To be absolutely secure, you need to keep away from internet, mobile and landline connections, streets, hospitals and every other source of potential danger.
:lol: I do have cameras. You'd have to cut the power or cable line.

I'm not really paranoid, I just do things because I can and why not? Why not take proactive measures in safeguarding all of your hard work? I worked a very long time over four years ago to make my board and it's one reason why I encrypt and back it up all over the place periodically including on DVD/RW and Blu-ray BDRE stored in a fireproof safe. I'm also one of those prepper SHTF guys too. I'll have the last laugh when mankind is slowly dying out.

Mick
Support Team Member
Posts: 21055
Joined: Fri Aug 29, 2008 9:49 am
Location: Watching cricket - definitely

Re: Session duration vs security

Post by Mick » Wed Jun 12, 2019 3:23 pm

I bought a Glock.

Lumpy Burgertushie
Registered User
Posts: 66241
Joined: Mon May 02, 2005 3:11 am
Contact:

Re: Session duration vs security

Post by Lumpy Burgertushie » Wed Jun 12, 2019 3:31 pm

Mick wrote:
Wed Jun 12, 2019 3:23 pm
I bought a Glock.
That is a good way to solve paranoia.

If it is really paranoia, then the Glock would make you feel better and safer.

If the threat is real and the black hats do show up at your door, the Glock will help with that as well.

If the paranoid person just can't stand it and the foil hats are not working then there is always the final cure and the Glock can handle that as well.

A good all purpose tool the Glock is.


robert
I am available for custom work on a donation basis. Please send me a PM with your needs.

Premium phpBB 3.2 Styles by PlanetStyles.net

OK, so what's the speed of dark?
