[_ck_]

HttpOnly cookies are a security advancement that is finally supported now by all major browsers (Firefox eventually got it right in 3.1, while IE 7 still has a bug but it generally works).

HttpOnly means a cookie cannot be read by javascript in the browser, only by the server (via PHP, etc.) This practically stops XSS exploits and makes it much harder if not impossible in most cases.

HttpOnly may “save your bacon” when a plugin has a security hole (like Private Messaging and bb-Reputation 0.0.5) and prevent a malicious script from forwarding your keymaster cookie to someone else via a XSS script.

I manged to get them to include HttpOnly in WordPress 2.7 and bbPress 1.0 but it’s still not in older WordPress or bbPress 0.9 because they worried about backward compatibility with some WordPress plugins that try to directly read the cookie (bad technique) instead of using server-side helpers.

However there are NO bbPress plugins that direct read the auth cookie and very few WordPress plugins still do this. I am not 100% positive how it will affect ajax but it shouldn’t because it’s still authorized on the server-side via PHP.

So if you’d like to try out HttpOnly on your bbPress 0.9, here’s how, it’s as simple as a mini-plugin. Note that if you are already using a cookie replacement plugin like my “Freshly Baked Cookies” or “Year Long Cookies” you will need to edit them instead of using the following (you can only use one cookie replacement plugin at a time).

I’d appreciate any feedback or experiences with this, especially if it causes problems:

Save this as _HttpOnly.php and upload into your my-plugins/ directory:

<?php

/*

Plugin Name: HttpOnly Auth Cookie

*/



function wp_set_auth_cookie($user_id, $remember = false) {

global $bb;



if ( $remember ) {

$expiration = $expire = time() + 1209600;

} else {

$expiration = time() + 172800;

$expire = 0;

}



$cookie = wp_generate_auth_cookie($user_id, $expiration);

do_action('set_auth_cookie', $cookie, $expire);



setcookie($bb->authcookie, $cookie, $expire, $bb->cookiepath, $bb->cookiedomain. '; HttpOnly' );

if ( $bb->cookiepath != $bb->sitecookiepath )

setcookie($bb->authcookie, $cookie, $expire, $bb->sitecookiepath, $bb->cookiedomain. '; HttpOnly' );

}

?>

To prove it’s working, you CANNOT use the Firefox webdeveloper plugin because that looks at the cookie in Firefox’s chrome, not at the user level. What you have to do is

1. prove you can see your bbpress/wordpress cookie by typing or copying this to your browser address bar javascript:alert(document.cookie);

2. install the plugin

3. log out and then log in

4. again type or copy this to your browser address bar javascript:alert(document.cookie);

5. if it’s working, you should NOT see your wordpress/bbpress cookie in the alert

Currently the only plugin I am aware of that tries to read the cookie directly in WordPress is the WP-UserOnline plugin from GamerZ, and he may have even fixed that by now in the newest versions. However there may be others, so test your setup.

[andrew-stacey]

I’ve had a go at adapting one of the WordPress plugins (easy LaTeX) for bbPress. It works for me, but there are probably a few things a little too specific to my set-up for it to be released “in the wild” – for example, I’m using both WordPress and bbPress so there’s a little cross-over information which wouldn’t be available on a bbPress-only site (putting in some options for that would probably be a good idea).

However, it might be suitable for beta-testing. I’ve put a copy here if anyone’s interested in taking a look and tweaking it.

A few details:

It uses a public server so no need for LaTeX to be installed locally.
It uses a cache (needs to be writable by the server) to save on server load.
It has a two-step parsing (not in the original) since forum posts are saved in their original format. This makes it more robust since the plugin allows for changing the tags that surround the mathematics. The saved format uses <math> tags which has the added advantage of avoiding markdown processing.
Due to being a rather limited programmer, I ended up copying stuff from other plugins to get it to work without really understanding what I was doing (particularly with add_filter and the like) so if some kind soul wishes to take pity on me and clean up my code I’d be very grateful.

[chrishajer]

What *do* you get instead of a 404? Something is probably overriding the 404 and displaying a page (WordPress does that sometimes depending on the way the theme is configured.) Are you integrated with WordPress?

And, can you post a link to your forum so someone can check the server response and see if it’s sending a 404 header but still displaying content? I recall that being a problem in the past but I can’t recall the details right now (maybe it was an IIS thing?)

[kris_115]

Basically I am very new to website design. I have begun learning photoshop and fireworks and am building my site at the moment using dreamweaver. I may have the complete wrong lingo when describing what it is that I am asking, but I am looking into incorporating a forum into my site using bbpress. At the moment i have a domain but no server and I was just wondering if I need a server in order to start working on configuring my forum or if I can do this before setting up an account. (I have downloaded bbpress but have no idea how to install it or if it runs through dreamweaver… but i suppose that is another story all together). At the moment I am just wondering if my website needs to be established on a server in order to configure wordpress?

[John James Jacoby]

How I do deep integration using WordPress 2.7 and bbPress 1.0 Alpha 6.

Add to beginning of bb-config.php:

if ( !defined('ABSPATH') & !defined('XMLRPC_REQUEST')) {

define('WP_USE_THEMES', false);

include_once( '/absolute/path/to/yourdomain.com/wp-blog-header.php' );

header("HTTP/1.1 200 OK");

header("Status: 200 All rosy");

}

[chrishajer]

In another thread you posted this:

> I’m using bbpress 0.9.0.4 and wordpress 2.7.1.

Those two versions will not integrate user logins (cookies) unless you use one of these two solutions:

https://bbpress.org/plugins/topic/freshly-baked-cookies/

https://bbpress.org/forums/topic/bayanimecom-wp26-and-bbpress-09-complete-cookie-integration

[maharzan]

and yes using with wordpress 2.7.1. any ideas?

[Txanny]

Hello,

Next days (or weeks) I sill start a new project. It will take long to develop and probably it will be finished later this year. I think it will 6 months or a bit more. It must be integrated with the latest version of WordPress.

So, I’m thinking about starting the project with the 1.0 alpha versions. I know it’s not as stable or secure as 0.9.x but hope it will be later this year. I’ve seen there are lots of changes from 0.9 to 1.0 and perhaps will be easiest to merge the new 1.0 versions than 0.9 to 1.0…

What’s your opinion? It’s the best idea to start the project with the alpha version ? Or you would start it with 0.9x and in the future you will make all arrangements to upgrade it? Consider that it will be finished this year fall.

Thanks for your comments,

Txanny.

[ganzua]

Ok, thanks for your help I’m going to try more of these queries. I find them very useful to integrate small details.

[_ck_]

To be clear, both bbPress and WordPress for that matter still work fine under PHP 4.4.x and technically 4.4.x is still supported officially.

It’s just the specific i18n problem they are encountering, where the fix in 1.0 hasn’t been backported to 0.9

Sam is unlikely to make any further changes to 0.9 unless it’s a security fix or serious performance problem.

I haven’t looked at the fix for 1.0 but I suspect someone could make a patch to make 0.9 do the same thing if they really wanted.

[_ck_]

Because for some reason the bbdb object must not be created when deeply integrated under 1.0

Must have something to do with backpress which re-uses wp functions.

[ganzua]

That is with bbPress 1.0 right? the object_type is for 1.0

Yes, it is bb 1.06a with wp 2.7

I tried with get_var and I get the same error for get_var;

Fatal error: Call to a member function get_var() on a non-object in….

but then I changed $bbdb for $wpdb and it works. Why? I don’t understand this.

[dphs]

Hi,

There is an answer to this question posted a year ago, but when I open the header.php file from my bb-templates/kakumei folder all that is there is “>”. I tried adding the code there, but it deleted the header. Is it located in another place?

I’m using bbpress 0.9.0.4 and wordpress 2.7.1.

Thanks!

[_ck_]

That is with bbPress 1.0 right? the object_type is for 1.0

You get nothing using get_results because it returns an array – use get_var instead

<?php

global $bbdb;

$result=$bbdb->get_var("SELECT SUM(meta_value) FROM bb_meta WHERE object_type='bb_topic' AND meta_key='views'");

echo $result;

?>

[dphs]

Hi,

I ended up deleting everything and then starting over. It seems to be ok now. I don’t understand however, why when asked to use my wordpress login to login to the forum, I am told the login failed. Can you explain?

Thanks!

[ganzua]

I need more info than “didn’t work”

Fatal error: Call to a member function get_results() on a non-object in wordpress/wp-content/themes/mytheme/header.php on line 149 (line where I placed the code)

Try replacing $bbdb with $wpdb

no error but what I want is to query bbpress data base. Whenever I echo $results there is no answer.

[Bloggsbe]

Norwegian translation of 0.9.0.4 -> here

Norsk oversettelse av 0.9.0.4 -> her

—

Rune

Norsk WordPress og bbPress forum

[_ck_]

I need more info than “didn’t work”

Try replacing $bbdb with $wpdb

[ganzua]

and remember to use $wpdb on WordPress pages, vs $bbdb on bbPress pages

I want to query $bbdb from a wp page. In particular, I want to fetch the total amount of views from your bb Topic Views plugin. This code didn’t work;

<?php

global $bbdb;

$results=$bbdb->get_results("SELECT SUM(meta_value) FROM bb_meta WHERE object_type='bb_topic' AND meta_key='views'");

$results=$bbdb->get_results($query);

?>

WordPress is installed in /wordpress/ and bbpress in /wordpress/bbpress/ both deep integrated. What’s missing?

[trouwen]

I’m going to try this today! I hope it works, because I love WordPress and BBpress..

[andyimages]

Thanks Ann, so far so good…..no problems on that end.

[chrishajer]

If you undo the integration (don’t include WordPress inside the bb-config.php) does it still happen?

Also, are you using a language other than English?

[chrishajer]

What version bbPress are you using? Is it integrated with WordPress, and if so, what version? Are you using a language file other than English?

[Thad Allender]

When I post code samples in my bbPress install, all quote marks show up like this:

"

This includes when I use backticks and/or buttons. Neither work.

For instance, when I post this code:

<div class="box">This is a box</div>

It becomes:

<div class=&quot;box&quot;>This is a box</div>

I am using the beta version of bbPress with WordPress integration. I have deactivate all plugins and switched themes, so I know it is a problem with my bbPress code.

Thoughts?

[code] buttons. Neither work.

For instance, when I post this code:

<div class="box">This is a box</div>

It becomes:

<div class=&quot;box&quot;>This is a box</div>

I am using the beta version of bbPress with WordPress integration. I have deactivate all plugins and switched themes, so I know it is a problem with my bbPress code.

Thoughts?

[chrishajer]

What versions did you integrate? What bbPress or WordPress plugins have you installed?