XF 1.5 Is it possible to identify staff by cookie?

Alpha1

Alpha1

Well-known member
We have added a Web Application Firewall (Anti-DDoS) by Stackpath.
These WAF rules can ban / block members. To avoid this happening to staff we would like to whitelist staff members somehow. And then automatically whitelist them.

Is it possible to identify staff by cookie?
 
Alfa1 said:
We have added a Web Application Firewall (Anti-DDoS) by Stackpath.
These WAF rules can ban / block members. To avoid this happening to staff we would like to whitelist staff members somehow. And then automatically whitelist them.

Is it possible to identify staff by cookie?
Click to expand...
Apologies, I removed my last post because I realised I misunderstood your post.

If your WAF can look up XF's datastore then you should be able to look up user info with the `xf_session` cookie, which contains the session ID. How much of a performance penalty I don't know - depends on where you store your session.

(It's been a long time since I worked with XF1 so my memory's a bit rusty)
 
You could just save an additional cookie with a secret value just for staff with a small addon. If that cookie is present the user should be a staff member. But the secret value should be kept secret. Not absolutely secure solution but for this purpose sufficient I think.
 
nocte said:
You could just save an additional cookie with a secret value just for staff with a small addon. If that cookie is present the user should be a staff member. But the secret value should be kept secret. Not absolutely secure solution but for this purpose sufficient I think.
Click to expand...

Cookies are stored on client machines and should be considered compromised. (this was my original comment by the way, before I realised I misunderstood things)
 
tyteen4a03 said:
Cookies are stored on client machines and should be considered compromised.
Click to expand...
In this case (exclude users from DDOS protection) the additional cookie does not give the user any rights, so I think the cookie solution would be o.k. - if a hacker knows the secret cookie value of a staff member he might also have his session and can log in as a staff member (at least if there's no activated 2FA) and this would be the main problem then, not the DDOS protection. Regarding performance and coding the cookie solution would be the easiest one.
 
Is it possible to differentiate between logged in and logged out users from the xf_session cookie?
 
Not without checking the database, you can check the xf_user cookie, however. This is stored in the format user_id,token
 
You must log in or register to reply here.

Similar threads

E
  • Question Question
XF 2.2 Trying to identify custom user field variables
Replies
2
Views
273
EchoRomeo
E
Mouth
  • Question Question
XF 2.2 How to identify Question Threads without Solutions (or votes)?
Replies
2
Views
449
Mouth
Mouth
asprin
  • Solved
XF 2.1 XF:Delete plugin code not able to identify local variables
Replies
1
Views
416
asprin
asprin
MylaChu
  • Solved
XF 2.2 Is it possible to protect the founders admin account from being messed with by other super admins
Replies
4
Views
187
MylaChu
MylaChu
VBX Co
  • Question Question
XF 2.2 Is it possible to add to postbit -> if message contains text/link ?
Replies
13
Views
1K
VBX Co
VBX Co
Back
Top Bottom