Facebook plugin, Security and LimitRequestFieldSize

Discussion in 'General Chat' started by projectashenfire, Apr 1, 2016.

  1. Using the facebook plugin caused my entire site to be unusable on my browser that initiated a request to use
    the login feature. It does not always do that. You can undo the damage by deleting that particular cookie
    or deleting cookies generated in the last hour (in case you don't feel like auditing your cookie history).

    I did minor research and came to the conclusion I could fix this problem by changing the field size on
    the apache server my provider is running.

    I wrote them a ticket and the key phrase I used was:
    Would you please increase LimitRequestFieldSize to something like 16380?

    I was told that since I am on a shared host, they would not do as I asked because
    it would affect server security.

    How true is it, that increasing the field size, affects security?
  2. Dayir_A. (Staff Member)

    Hello @projectashenfire,

    As you know, we removed Facebook login from Facebook plugin 4.x versions. It did exist in older versions which were compatible with Subrion 3.x.
    This plugin's login feature worked like this:
    • By clicking on "Login with Facebook" button, it tries to retrieve the information from your Facebook account (User ID, User Name, email)
    • Then it checks whether we already have such a user in the members table
    • If no, then it inserts a new member record
    • If yes, then it just logs you in
    That's it.

    It just sends a simple HTTP request to the Facebook API and gets a small array with user details in JSON format. I don't think that it requires increasing LimitRequestFieldSize.

    > How true is it, that increasing the field size, affects security?

    I don't know about it, maybe Mr. @Vasily_B. will assist?
  3. Thank you for clearing the confusion with the login. It's not working, but at least I know what to look for. I am using 3.x.

    I find that more people are getting interested with my site as long as I allow them the facebook login.
  4. Dayir_A. (Staff Member)

    You are welcome.
  5. Vasily_B. (Project Manager)

    I don't think this would bring any security problems. At least there is no logic for this; I'm sure all the data should be validated correctly no matter how much data you process.
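The symptom in the first post (one oversized cookie making the whole site unusable until that cookie is deleted) is what Apache's LimitRequestFieldSize produces: each request header line, "Name: value", is measured in bytes against the limit, and the request is rejected when any single line exceeds it. The following is an added diagnostic example, not code from the thread or from the Subrion plugin. It assumes Apache's documented default of 8190 bytes per header line; the request headers and the "session_blob" cookie are constructed so that the Cookie line is just over the default and under the 16380 the poster asked for.

```python
"""Check raw HTTP request header lines against Apache's LimitRequestFieldSize.

Added example for the forum thread above; not part of the Subrion plugin.
Assumption: Apache's default LimitRequestFieldSize is 8190 bytes and applies
to each header line ("Name: value") individually.
"""

DEFAULT_LIMIT_REQUEST_FIELD_SIZE = 8190  # Apache httpd default, in bytes


def parse_header_lines(raw_headers: str) -> list[tuple[str, str]]:
    """Split a raw header block into (name, value) pairs.

    Expects header lines only (no request line, no body). Blank lines are
    skipped; obsolete folded continuation lines are not handled.
    """
    fields = []
    for line in raw_headers.splitlines():
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        fields.append((name.strip(), value.strip()))
    return fields


def oversized_fields(fields, limit=DEFAULT_LIMIT_REQUEST_FIELD_SIZE):
    """Return (name, line_length_in_bytes) for every header line over the limit.

    Apache measures the whole "Name: value" line, so the line is rebuilt in
    that shape and encoded before measuring.
    """
    result = []
    for name, value in fields:
        line_len = len(f"{name}: {value}".encode("utf-8"))
        if line_len > limit:
            result.append((name, line_len))
    return result


def largest_cookies(cookie_value: str, top: int = 3):
    """Rank the name=value pairs of a Cookie header by size.

    This points at the cookie that pushed the header over the limit, which
    is the one the first poster had to delete to make the site usable again.
    """
    parts = [p.strip() for p in cookie_value.split(";") if p.strip()]
    sized = [(p.split("=", 1)[0], len(p.encode("utf-8"))) for p in parts]
    sized.sort(key=lambda t: t[1], reverse=True)
    return sized[:top]


# Constructed sample request headers (not a real capture). The "session_blob"
# cookie is padded to 9000 bytes of payload so the Cookie line lands at 9048
# bytes: over the 8190 default, under the 16380 requested in the thread.
BLOATED_COOKIE = "session_blob=" + "A" * 9000
SAMPLE_HEADERS = (
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: text/html\r\n"
    f"Cookie: PHPSESSID=abc123; lang=en; {BLOATED_COOKIE}\r\n"
)


def diagnose(raw_headers: str, limit: int = DEFAULT_LIMIT_REQUEST_FIELD_SIZE):
    """Report oversized header lines and, for a Cookie header, the biggest cookies."""
    fields = parse_header_lines(raw_headers)
    report = {"limit": limit, "oversized": oversized_fields(fields, limit)}
    cookie = dict(fields).get("Cookie")
    if cookie is not None:
        report["largest_cookies"] = largest_cookies(cookie)
    return report


if __name__ == "__main__":
    for limit in (DEFAULT_LIMIT_REQUEST_FIELD_SIZE, 16380):
        print(diagnose(SAMPLE_HEADERS, limit))
```

Run against a browser's exported headers, the report names the header line Apache would refuse and the cookie that made it that long; raising the directive (it is a server or virtual-host setting, not a .htaccess one) only moves the threshold, while trimming what the application stores in the cookie removes the problem.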

