OP Regular Newbie Apr 17, 2026 6:24pm

Severity: LOW

Location: src/Controllers/AuthController.php:393-424

Bug: Session limit bypassed by clearing cookies.

Fix: Drop the session limit; rely on DB-backed IP RateLimitMiddleware.

Status: open. Will reply with remediation details when resolved.

Regular Newbie Apr 17, 2026 6:59pm

Resolved.

Removed the session-based rate limit from AuthController::checkUsername (src/Controllers/AuthController.php). It was bypassable by clearing cookies between requests; the DB-backed RateLimitMiddleware (keyed by IP + method + path) is the sole source of truth for throttling this endpoint, and was already in effect via the route registration.

Locking this thread.
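The bypass and the fix described in the thread, as an added illustration that is not the project's own code: a session-keyed counter is reset every time the client discards its cookie, whereas a server-side counter keyed by client IP, HTTP method and path survives that. The class names, table name, endpoint path and IP address below are assumptions for the demo; it needs PHP 8 with the pdo_sqlite extension and uses an in-memory SQLite database so it runs offline.

```php
<?php
// Added illustration (not the project's code): a session-keyed rate limit beside a
// DB-backed limit keyed by IP + method + path. Class, table and endpoint names are
// assumptions for this demo.
declare(strict_types=1);

// Vulnerable pattern: the counter lives in the session, so a client that discards
// its cookie between requests gets a fresh counter on every request.
final class SessionRateLimit
{
    public function __construct(private int $max) {}

    /** @param array<string,int> $session the per-cookie session store, by reference */
    public function allow(array &$session): bool
    {
        $session['checks'] = ($session['checks'] ?? 0) + 1;
        return $session['checks'] <= $this->max;
    }
}

// Hardened pattern: the counter lives server-side, keyed by client IP, method and
// path, within a fixed time window. Dropping cookies does not touch it.
final class DbRateLimit
{
    private PDO $db;

    public function __construct(private int $max, private int $windowSeconds)
    {
        $this->db = new PDO('sqlite::memory:');
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $this->db->exec('CREATE TABLE rate_limits (
            rl_key TEXT PRIMARY KEY, hits INTEGER NOT NULL, window_start INTEGER NOT NULL)');
    }

    public function allow(string $ip, string $method, string $path, int $now): bool
    {
        $key = $ip . '|' . strtoupper($method) . '|' . $path;
        $this->db->beginTransaction();
        $stmt = $this->db->prepare('SELECT hits, window_start FROM rate_limits WHERE rl_key = ?');
        $stmt->execute([$key]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        if ($row === false || $now - (int) $row['window_start'] >= $this->windowSeconds) {
            // Unknown key or expired window: open a fresh window with this hit.
            $this->db
                ->prepare('INSERT OR REPLACE INTO rate_limits (rl_key, hits, window_start) VALUES (?, 1, ?)')
                ->execute([$key, $now]);
            $this->db->commit();
            return true;
        }

        $hits = (int) $row['hits'] + 1;
        $this->db->prepare('UPDATE rate_limits SET hits = ? WHERE rl_key = ?')->execute([$hits, $key]);
        $this->db->commit();
        return $hits <= $this->max;
    }
}

// Constructed scenario: one client at one IP sends 20 username checks inside a single
// window, clearing its cookie (so starting an empty session) before each request.
$sessionLimiter = new SessionRateLimit(max: 5);
$dbLimiter = new DbRateLimit(max: 5, windowSeconds: 60);

$allowedBySession = 0;
$allowedByDb = 0;
for ($i = 0; $i < 20; $i++) {
    $freshSession = []; // cookie cleared: the server sees a brand-new session
    if ($sessionLimiter->allow($freshSession)) {
        $allowedBySession++;
    }
    if ($dbLimiter->allow('203.0.113.7', 'POST', '/auth/check-username', 1_000_000 + $i)) {
        $allowedByDb++;
    }
}

printf("session-keyed limit allowed %d of 20 requests\n", $allowedBySession);
printf("DB-backed IP+method+path limit allowed %d of 20 requests\n", $allowedByDb);
```

Two caveats when carrying this into a real deployment. The read-then-update inside a transaction is only atomic on a real RDBMS if the select locks the row (or the increment is done as a single atomic upsert); SQLite serialises writers, which hides the race here. And an IP-keyed limit is only as trustworthy as the way the application derives the client IP: behind a reverse proxy it must take the address from a header set by that proxy and never from a header the client can supply directly, otherwise the key is as attacker-controlled as the cookie was.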

