RakLib icon indicating copy to clipboard operation
RakLib copied to clipboard

Published 20 hours ago verified publisher icon pmmp

Cookie data

Open ismaileke opened this issue 1 year ago • 13 comments

Im not completely sure of the code i wrote. Please add/subtract and report my mistakes. We need to update this

ismaileke avatar Jul 28 '24 10:07 ismaileke

I think an Exception should be added to Cookie.php line 46 and i want to add the serverHasSecurity variable to pocketmine.yml or server.properties

ismaileke avatar Jul 30 '24 22:07 ismaileke

What to do in Cookie.php line 51

ismaileke avatar Aug 03 '24 10:08 ismaileke

also this seems to be a memory leak if you never clean up the data. but this should be handled by the server instead; RakLib implements the protocol, not the server to handle the protocol.

SOF3 avatar Aug 07 '24 16:08 SOF3

Suggestion for OpenConnReq2 class How can I access Cookie in OpenConnReq2.php

ismaileke avatar Aug 09 '24 12:08 ismaileke

image

They say ServerAddress is 7 bytes but look at this

MessageIdentifiers.php image

remoteBindingAddress(6 bytes)

ismaileke avatar Aug 10 '24 08:08 ismaileke

To avoid having to store all the cookies, I was wondering if it wasn't possible to use a predictable string based on the address and a server secret generated at start-up?

Smth like a hash but for int ?

ShockedPlot7560 avatar Aug 10 '24 08:08 ShockedPlot7560

To avoid having to store all the cookies, I was wondering if it wasn't possible to use a predictable string based on the address and a server secret generated at start-up?

Smth like a hash but for int ?

I previously considered this. I don't think a static secret for the whole server runtime is wise (attackers could collect cookies and reuse them), but we could have the secret periodically rotated (similar to how GS4 Query operates in PM).

A mechanism like that might be problematic for proxies, though, since they don't see the real IP of the client.

dktapps avatar Aug 10 '24 19:08 dktapps

@dktapps why would proxies be a problem? unless some packets are not sent through the proxy

SOF3 avatar Aug 14 '24 02:08 SOF3

because proxy sees only 1 IP address for all clients

@dktapps why would proxies be a problem? unless some packets are not sent through the proxy

dktapps avatar Aug 14 '24 09:08 dktapps

Why is this PR closed?

dktapps avatar Aug 14 '24 09:08 dktapps

because proxy sees only 1 IP address for all clients

@dktapps why would proxies be a problem? unless some packets are not sent through the proxy

I'd say it's the responsibility of the proxy to override the cookie field.

SOF3 avatar Aug 14 '24 10:08 SOF3

Why is this PR closed?

I couldn't find any solution.

ismaileke avatar Aug 14 '24 10:08 ismaileke

it is better for security that the cookie feature is always on

ismaileke avatar Sep 20 '24 11:09 ismaileke

Closed due to lack of activity.

dktapps avatar Jan 03 '25 16:01 dktapps