Is there any way to use the php session id rather than the password hash to determine if a user is online?
Right now I can sniff cookies and spoof the memberID and memberPassword (which is hashed) and gain access any time.
This is a terrible method for authentication, you might as well be storing the password in plain text in the cookie.
|
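For the question above (using the PHP session id rather than the password hash to decide who is logged in), here is an added example of what that looks like in plain PHP. It is not Dolphin's code and is not from anyone in this thread; the member lookup, the $members array and the function names are assumptions constructed for the illustration. The browser ends up holding only an opaque session id cookie, so sniffing or copying the cookie never yields the stored hash, and the id itself can be invalidated server-side at logout.

```php
<?php
// Added example (not Dolphin code): session-based login that keeps the
// password hash out of the browser entirely. findMemberByName() and the
// $members array are assumed/constructed stand-ins for a real member table.

// Constructed stand-in for the member table; real code would query the DB.
$members = [
    'alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];

function findMemberByName(array $members, string $name): ?array
{
    return $members[$name] ?? null;
}

function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie is only sent over HTTPS, is invisible to JavaScript, and is not
    // sent on cross-site requests. It carries an opaque id, never credentials.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // Reject session ids the server did not issue itself (must precede session_start).
    ini_set('session.use_strict_mode', '1');
    session_start();
}

function login(array $members, string $name, string $password): bool
{
    startSecureSession();
    $member = findMemberByName($members, $name);
    // password_verify compares against the stored hash; the hash never leaves the server.
    if ($member === null || !password_verify($password, $member['hash'])) {
        return false;
    }
    // Issue a fresh id on login so a pre-login id cannot be reused (session fixation).
    session_regenerate_id(true);
    $_SESSION['member_id'] = $member['id'];
    $_SESSION['login_at']  = time();
    return true;
}

// Returns the member id bound to this session, or null when not logged in.
function currentMemberId(): ?int
{
    startSecureSession();
    return $_SESSION['member_id'] ?? null;
}

function logout(): void
{
    startSecureSession();
    $_SESSION = [];
    // Expire the browser's cookie and drop the server-side session data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage inside a request handler:
// if (login($members, $_POST['user'] ?? '', $_POST['pass'] ?? '')) { header('Location: /'); }
// $id = currentMemberId(); // null when not logged in
```

The "is this user online" check then becomes a lookup of the member id in the server-side session store rather than a comparison of a cookie value against the password hash. A copied session cookie is still usable until it expires or is destroyed, which is why the example sets secure and httponly and regenerates the id at login; the difference from the hash-in-cookie scheme is that the stolen value is short-lived and revocable, and it reveals nothing about the password.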
No, that is not the password you are seeing. Do a bit of reading on how Dolphin handles passwords. Geeks, making the world a better place |
Sorry GG. You may have missed the part where he stated (which is hashed).
Dolphin does indeed store the hashed password in the password cookie, and the member id in the memberID cookie.
Thus, if you know the hashed password, you can create a cookie that matches, and you're in.
This method is how my Deanos Tools switches to a different user account from admin and back again; all it does is update the cookies to match the info for the user you're switching to. Quite simple.
I however don't really like the fact that this was brought up in a public forum. Not that it will be all that dangerous to know. You have to know how to sniff/hijack cookies to make use of this information which most average people cannot do. But bringing this up in a public forum was still a bad idea. https://www.deanbassett.com |
Thus, if you know the hashed password, you can create a cookie that matches, and you're in.
What are the odds of someone getting the password hash and associating it with a specific user account on a Dolphin site? Rather slim I would think.
My opinions expressed on this site, in no way represent those of Boonex or Boonex employees. |
Pretty high if I'm in a coffee shop. (and don't have SSL)
Also, sorry about bringing this up here. I still would really like an answer about how I can go about fixing this without rewriting dolphin.
|
Security by obscurity does not work. For one, anyone can download Dolphin and install it and see how it works so it is perfectly OK to bring up any security related questions in this forum; if there are security holes they need to be addressed by the community. Boonex has recently opened up development of Dolphin to developers; so any security concerns and issues need to be brought to the forefront, not hidden, because the hackers have full access to Dolphin code. The community can work together to make Dolphin a secure platform. Geeks, making the world a better place |
But if you're sniffing traffic in a coffee shop and the person isn't using SSL, you can get their username and password in plain text without needing to steal a cookie. In that scenario it wouldn't matter what Dolphin used for login.
But to answer your original question, you would have to rewrite the Dolphin core code to change the way it handles credentials.
Pretty high if I'm in a coffee shop. (and don't have SSL)
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
You are right, but cookies are submitted with every request, not just once at login. Also, it's in the cookies where you can easily see it if you have access to the computer.
It's still really bad.
|
I remember the good old days when people went to a coffee shop to have coffee. My opinions expressed on this site, in no way represent those of Boonex or Boonex employees. |
I remember the good old days when people went to a coffee shop to have coffee.
And doughnuts, don't forget the doughnuts.
Geeks, making the world a better place |