Cookie Logging Protection

2art

I have a question. I was wondering if any of the devs. could probably code in a cookie logging protection system. If someone gets the cookies on a flarum form, they could easily log in, and change the email, password, and everything else. I was just wondering if there was already a plug-in or patch regarding cookie logging.

clarkwinkelmann

2art do other software have such a feature ? How would that work ?

If you have a keyboard of cookie logger on your computer you are pretty much done already.

If that's a likely threat for your audience, I think notifications are the important part. In Flarum you need access to the email address to change password and receive an email. Email change doesn't send a notification to the old address, but requires knowing the password. So just stealing the cookie won't be sufficient in either case.

Flarum stores the last IP used for a given session. A notification could be implemented if the IP changes during the session. But this could become very annoying for some users, particularly those using mobile connections, where the IP can legitimately change.

Also of relevance, my Sudo mode extension. It means even stealing the cookie of an admin session won't be enough to access the admin panel.