Radified Community Forums
http://radified.com/cgi-bin/yabb2/YaBB.pl
http://radified.com/cgi-bin/yabb2/YaBB.pl?num=1321257848

Message started by Christer on Nov 14th, 2011 at 2:04am

Title: Logging in "for keeps" expires
Post by Christer on Nov 14th, 2011 at 2:04am
After a period of time (days I think), does everyone have to log out and relog in to be able to do the "moderating stuff" and to modify their own posts?

Title: Re: Logging in "for keeps" expires
Post by NightOwl on Nov 14th, 2011 at 8:13am
@ Christer


Quote:
does everyone have to log out and re login to be able to do the "moderating stuff" and to modify their own posts?

The only time I have had to re-log-in is if I was on one computer (logged in) and then log-in from another computer as well.  This causes your first computer log-in to become *invalid*--but, when you return to that first computer--it still says you are logged-in, but, you do not have any *user privileges* on that computer until you re-validate your log in on that first computer.

Are you using more than one computer?

Title: Re: Logging in "for keeps" expires
Post by Christer on Nov 14th, 2011 at 9:56am

Quote:
Are you using more than one computer?

Usually, all my deeds from my home computer but it happens on rare occasions that I use another computer.

Edited:

Now, I had to log out and relog in to modify this post. It is "hours" not "days". (I could make a new post but not modify it.)

Title: Re: Logging in "for keeps" expires
Post by MrMagoo on Nov 14th, 2011 at 9:56pm
My experience is similar to NightOwl's.  If I login "for keeps" I can read posts, start new topics, and reply pretty much forever.  I can also modify, delete, split, etc until I log in through a different computer.  The second login seems to make me lose my moderator privileges on the first.  If I log out and log back in on the first computer, my privileges come back but they are then gone on the second computer.

Title: Re: Logging in "for keeps" expires
Post by Christer on Nov 15th, 2011 at 2:30am
MrMagoo,
what you describe is what I would find logical but not so on my system. This morning my "privileges" had not been reduced (can post, modify and moderate) like they had been yesterday morning (could post but neither modify nor moderate). Let's see what happens tomorrow morning.

By the way, I almost always boot XP so it can not be booting W7 "every second time" (I guess that would have been seen as a different computer).

Title: Re: Logging in "for keeps" expires
Post by NightOwl on Nov 15th, 2011 at 9:49am
@ Christer


Quote:
I almost always boot XP so it can not be booting W7 "every second time" (I guess that would have been seen as a different computer).

Yes, booting to another OS (even on the same machine) would represent a *different computer*.  There might be a way to set up your browser to use the same shared directory from either OS for cookies and stored browser files--but, I'm not sure if that's doable or not--and if the validation process will accept the forum cookie check from two different OS's as still being from the same source or not.

The forum software uses *cookies* to store what system you have logged in from--if the cookie's *credentials* do not match what the forum's validation expects, then you are *downgraded* as far as your privileges are concerned until you re-validate your password.  So, unless you can share the same cookies, as mentioned above, by the browser on each OS, then the cookies are stored separately and not seen as being from the *same system*!


Quote:
This morning my "privileges" had not been reduced (can post, modify and moderate) like they had been yesterday morning (could post but neither modify nor moderate)

Do you have any security or cleaning program running in the background that is deleting or modifying your cookies in some way?  Usually you can manually over-ride such programs to leave certain cookies alone so you don't lose their functionality.


Title: Re: Logging in "for keeps" expires
Post by Christer on Nov 15th, 2011 at 10:06am
NightOwl,
since I hardly ever use W7, the associated "problems" are a rare occurrence.

I use no cleaners, neither do I clear the browser cache when closing.

Title: Re: Logging in "for keeps" expires
Post by NightOwl on Nov 16th, 2011 at 10:07am
@ Christer


Quote:
I use no cleaners, neither do I clear the browser cache when closing.

You probably don't--but, by any chance are you using more than one browser on the same system?  And are you switching browsers?

Maybe you have a setting on your browser that is somehow affecting the handling of your cookies.

Another possibility--do you close your browser--go do other things--and then open your browser again.  In this process, does your IP address change--i.e. does your internet service provider assign a new IP each time you re-open your browser?  (Your IP address that is logged by the forum software is shown after your name in the list of *Online Users* down at the bottom of the main page.)  I've not paid any attention to that, but I'm grasping at straws now!

Do any other sites that require a password and a cookie that's necessary to *stay logged-in* without re-entering the password show a similar issue of being *logged out* without you having logged out?

If you use Win7 on this system--does this same behavior happen?

You seem to have a unique issue--I've never had that problem--and no one else has reported a similar issue--unless they have logged in from a different computer and then gone back to the first computer.

Title: Re: Logging in "for keeps" expires
Post by Christer on Nov 17th, 2011 at 2:34am
NightOwl,


Quote:
You probably don't--but, by any chance are you using more than one browser on the same system?  And are you switching browsers?

IE8 only - no switching.


Quote:
Maybe you have a setting on your browser that is somehow affecting the handling of your cookies.

As far as I remember, default settings.


Quote:
Another possibility--do you close your browser--go do other things--and then open your browser again.  In this process, does your IP address change--i.e. does your internet service provider assign a new IP each time you re-open your browser?

I can't tell for sure but I think the IP-address is static. Maybe it changes but not between sessions.


Quote:
Do any other sites that require a password and a cookie that's necessary to *stay logged-in* without re-entering the password show a similar issue of being *logged out* without you having logged out?

It has happened on other sites but not on a regular basis like on RADIFIED.

I'm a moderator on Windows BBS and it requests that I verify myself from time to time by reentering the password (to let me moderate) but that's different.


Quote:
If you use Win7 on this system--does this same behavior happen?

I don't know and it would be difficult to test since I must boot to XP every day. (I use older applications which don't work with W7.)


Quote:
You seem to have a unique issue--I've never had that problem--and no one else has reported a similar issue--unless they have logged in from a different computer and then gone back to the first computer.

Don't put too much time into this issue. I can live with it.

(This morning, I still had all privileges - post, modify, moderate.)

Title: Re: Logging in "for keeps" expires
Post by NightOwl on Nov 19th, 2011 at 11:53am
@ Christer


Quote:
I can't tell for sure but I think the IP-address is static. Maybe it changes but not between sessions.

Was looking at the *Admin* section of the forum, brought up the Help files and here's what it says:


Quote:
Sessions are a YaBB feature designed to protect administrative functions. If sessions are enabled in the Admin Center, staff will be required to revalidate their session whenever their network connection changes IP address.

To revalidate your session, simply click "Update Session" on the YaBB main menu at the top of the forum. If this link isn't present, then your session doesn't need to be updated.

By default, it asks you for your Password to revalidate.

So, as I guessed earlier, it's based on the IP address that the forum logs when you log in.

So, check your IP address that should be listed after your name on the main page when you are logged in.  Write it down, and the next time you have to re-validate your log in, again check that IP address.  Is it changing?

Title: Re: Logging in "for keeps" expires
Post by Christer on Nov 20th, 2011 at 12:59pm

Quote:
So, check your IP address that should be listed after your name on the main page when you are logged in.  Write it down, and the next time you have to re-validate your log in, again check that IP address.  Is it changing?

I will check. (I have been away a few days but I am still logged in with full privileges.)

Title: Re: Logging in "for keeps" expires
Post by Christer on Nov 21st, 2011 at 2:49am
This morning I had been downgraded. No IP-addresses were displayed until I had logged out and relogged in. My IP-address had changed! Nothing I can do about it but now I know why I get downgraded.

So, NightOwl, your middle name should be "Hercule" after Agatha Christie's character "Poirot".

Title: Re: Logging in "for keeps" expires
Post by NightOwl on Nov 27th, 2011 at 10:28pm
@ Christer


Quote:
your middle name should be "Hercule" after Agatha Christie's character "Poirot".

That's a great TV mystery program--we get it on our PBS (Public Broadcast System) here in the USA.


Quote:
Nothing I can do about it....

Ah, but the *mystery* has not been solved!  Why is your IP address changing? 

Did that behavior just begin recently--or has it always been doing that?

Have you contacted your ISP (Internet Service Provider) to see if it's something they have just started?

I think your system can be programmed to *renew* your IP address' *lease*--and it may be during that renewal that your IP changes.  Again, maybe your ISP has (re)programmed your modem to behave differently than before.

Title: Re: Logging in "for keeps" expires
Post by Christer on Nov 28th, 2011 at 2:33am
NightOwl,


Quote:
Why is your IP address changing?

I have no idea, didn't think it was changing and it seems to be changing at random.


Quote:
Did that behavior just begin recently--or has it always been doing that?

It has been doing it since I started using my new build in January 2011 but I think it was before that. The old build had the same programs installed, "only" the hardware and drivers changed.


Quote:
Have you contacted your ISP (Internet Service Provider) to see if it's something they have just started?

No, I haven't but I will.


Quote:
I think your system can be programmed to *renew* your IP address' *lease*--and it may be during that renewal that your IP changes.  Again, maybe your ISP has (re)programmed your modem to behave differently than before.

I don't have a "modem", only a "splitter" to get 4 connectors for internet and 2 connectors for a phone line.

(This morning, the IP-address had changed.)

Title: Re: Logging in "for keeps" expires
Post by Christer on Nov 28th, 2011 at 2:48am
One additional thought:

The behaviour is specific to RADIFIED. On other fora, my privileges don't get reduced by/because of an IP-address change. On RADIFIED it is like I'm being logged off but not really ... :-? ... if you understand what I mean.

Title: Re: Logging in "for keeps" expires
Post by Rad on Nov 29th, 2011 at 2:42pm
from a friend familiar with these kinds of things:


Quote:
Looking at the source code, this behaviour is built into Yabb2 for some reason. I've just taken a quick look at the 2.5 source and although it might not be the whole answer, it seems this is as-designed for YaBB2.

Look at AdminIndex.pl which controls most of the admin functions, and this early fragment:

    require "$sourcedir/Subs.pl";
    require "$sourcedir/System.pl";
    require "$sourcedir/DateTime.pl";
    require "$sourcedir/Load.pl";
    &LoadCookie;       # Load the user's cookie (or set to guest)
    &LoadUserSettings; # Load user settings

This suggests which modules have the cookie processing, which relates to what user sessions are. Inside Sources/Load.pl we have this:

    sub LoadUserSettings {
        &LoadBoardControl;
        $iamguest = $username eq 'Guest' ? 1 : 0;
        if ($username ne 'Guest') {
            &LoadUser($username);
            if (!$maintenance || ${$uid.$username}{'position'} eq 'Administrator') {
                $iammod = &is_moderator($username);
                if (${$uid.$username}{'position'} eq 'Administrator' || ${$uid.$username}{'position'} eq 'Global Moderator' || $iammod) { $staff = 1; }
                else { $staff = 0; }
                $sessionvalid = 1;
                if ($sessions == 1 && $staff == 1) {
                    $cursession = &encode_password($user_ip);
                    chomp $cursession;
                    if (${$uid.$username}{'session'} ne $cursession || ${$uid.$username}{'session'} ne $cookiesession) { $sessionvalid = 0; }
                }

This bit shows a value $cursession which contains an encrypted copy of the $user_ip (which comes from the CGI REMOTE_ADDR which is the user's external IP visible from the webserver end) and this has to match the stored session in the user cookie as an extra check only applied to administrative users (presumably to prevent some kinds of attacks associated with cookie forgery or impersonation). For "staff", extra checks on the 'session' cookie to ensure that the IP hasn't changed are made, whereas normal user sessions don't get this check.

Using this kind of thing - encrypting with the user's IP as part of a cookie - is common in most web applications, but it's not normally done this particular way and in particular admins normally aren't treated specially. Instead, more robust techniques are employed (to say nothing of using https everywhere and/or using OpenID). Given that YaBB dates from a more innocent age in web-security terms, that's not surprising though.
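
Added example, not part of the thread and not YaBB's own code: a stand-alone Perl model of the staff session test in the fragment quoted above, run against the situations reported in this thread (a changed IP address, "Update Session", and a login from a second computer). `encode_ip` (SHA-256) is a stand-in for YaBB's `encode_password`, whose body is not shown; `start_session`, the `%user` record and the assumption that each login overwrites the stored session value are hypothetical; the addresses are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Stand-in for YaBB's encode_password(); the real routine is not shown in the thread.
sub encode_ip { my ($ip) = @_; return sha256_hex($ip); }

# Server-side user record (hypothetical layout, constructed for this example).
my %user     = (session => '');
my $sessions = 1;    # "sessions are enabled in the Admin Center"

# Assumed behaviour: a login or "Update Session" stores the token in the
# user record and hands the same value to the browser as its session cookie.
sub start_session {
    my ($ip) = @_;
    $user{session} = encode_ip($ip);
    return $user{session};
}

# Same comparison as the quoted fragment: applied to staff only, and the
# stored value must match both the current address and the cookie.
sub session_valid {
    my ($staff, $user_ip, $cookiesession) = @_;
    return 1 unless $sessions == 1 && $staff;
    my $cursession = encode_ip($user_ip);
    return ($user{session} ne $cursession
         || $user{session} ne $cookiesession) ? 0 : 1;
}

sub report {
    my ($label, $valid) = @_;
    printf "%-42s sessionvalid=%d\n", $label, $valid;
}

# Constructed addresses from the RFC 5737 documentation ranges.
my ($ip1, $ip2, $ip3) = ('192.0.2.10', '198.51.100.77', '203.0.113.5');

my $cookie_a = start_session($ip1);               # staff logs in on PC A
report('PC A, staff, address unchanged',  session_valid(1, $ip1, $cookie_a));
report('PC A, staff, ISP changed address', session_valid(1, $ip2, $cookie_a));
report('PC A, member only, address changed', session_valid(0, $ip2, $cookie_a));

$cookie_a = start_session($ip2);                  # "Update Session" on PC A
report('PC A, staff, after Update Session', session_valid(1, $ip2, $cookie_a));

my $cookie_b = start_session($ip3);               # same account logs in on PC B
report('PC B, staff, just logged in',      session_valid(1, $ip3, $cookie_b));
report('PC A, staff, after login on PC B', session_valid(1, $ip2, $cookie_a));
```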

Title: Re: Logging in "for keeps" expires
Post by Christer on Nov 30th, 2011 at 5:10am
Rad and all,

I thought that it had to do with my status as moderator but then, why reduce my "normal privileges" as a member (modifying my own posts) and not my "moderating privileges" (modifying other members' posts) only?

This morning, I had a new IP-address and had to log out and re-log in. I checked which cookie changed and to my surprise, it was not named "radified-something.txt" but "U10TY0GS.txt"

From Rad's post:


Quote:
it seems this is as-designed for YaBB2


Maybe it is a recent forum software upgrade that brought this behaviour and the reason why I never noticed the IP-address changes before.


Quote:
This bit shows a value $cursession which contains an encrypted copy of the $user_ip (which comes from the CGI REMOTE_ADDR which is the user's external IP visible from the webserver end) and this has to match the stored session in the user cookie as an extra check only applied to administrative users (presumably to prevent some kinds of attacks associated with cookie forgery or impersonation). For "staff", extra checks on the 'session' cookie to ensure that the IP hasn't changed are made, whereas normal user sessions don't get this check.


That's why I can't find my current IP = 213.113.122.213

That confirms that the behaviour is by design.

(I have not yet asked my provider why the IP-address changes "at random".)

Title: Re: Logging in "for keeps" expires
Post by Christer on Nov 30th, 2011 at 5:27am

Quote:
it was not named "radified-something.txt" but "U10TY0GS.txt"

Maybe I should add that all cookies on my system (XP-pro) are named like that but before, they were named "sitename-something.txt". Probably a change to IE8 cookie management but when it was introduced, I don't know. It has obviously been a while since I checked the cookie folder.

I also checked the contents of "index.dat" which holds a reference "cookie file name" > "sitename-something".

Radified Community Forums » Powered by YaBB 2.4!
YaBB © 2000-2009. All Rights Reserved.