Logging in "for keeps" expires (Read 26340 times)
Rad
Re: Logging in "for keeps" expires
Reply #15 - Nov 29th, 2011 at 2:42pm
 
From a friend familiar with these kinds of things:

Quote:
Looking at the source code, this behaviour is built into Yabb2 for some reason. I've just taken a quick look at the 2.5 source and although it might not be the whole answer, it seems this is as-designed for YaBB2.

Look at AdminIndex.pl which controls most of the admin functions, and this early fragment:

require "$sourcedir/Subs.pl";
require "$sourcedir/System.pl";
require "$sourcedir/DateTime.pl";
require "$sourcedir/Load.pl";
&LoadCookie;       # Load the user's cookie (or set to guest)
&LoadUserSettings; # Load user settings

This suggests which modules have the cookie processing, which relates to what user sessions are. Inside Sources/Load.pl we have this:

sub LoadUserSettings {
    &LoadBoardControl;
    $iamguest = $username eq 'Guest' ? 1 : 0;
    if ($username ne 'Guest') {
        &LoadUser($username);
        if (!$maintenance || ${$uid.$username}{'position'} eq 'Administrator') {
            $iammod = &is_moderator($username);
            # "Staff" means administrators, global moderators and board moderators
            if (${$uid.$username}{'position'} eq 'Administrator' || ${$uid.$username}{'position'} eq 'Global Moderator' || $iammod) { $staff = 1; }
            else { $staff = 0; }
            $sessionvalid = 1;
            # Extra IP-bound session check, applied only when sessions are on and the user is staff
            if ($sessions == 1 && $staff == 1) {
                $cursession = &encode_password($user_ip);   # encoded copy of the client's REMOTE_ADDR
                chomp $cursession;
                # The stored session must match both the freshly computed value and the cookie
                if (${$uid.$username}{'session'} ne $cursession || ${$uid.$username}{'session'} ne $cookiesession) { $sessionvalid = 0; }
            }
            # ... remainder of the sub is not part of the quoted fragment

This bit shows a value $cursession which contains an encrypted copy of the $user_ip (which comes from the CGI REMOTE_ADDR which is the user's external IP visible from the webserver end) and this has to match the stored session in the user cookie as an extra check only applied to administrative users (presumably to prevent some kinds of attacks associated with cookie forgery or impersonation). For "staff", extra checks on the 'session' cookie to ensure that the IP hasn't changed are made, whereas normal user sessions don't get this check.

Using this kind of thing - encrypting with the user's IP as part of a cookie - is common in most web applications, but it's not normally done this particular way and in particular admins normally aren't treated specially. Instead, more robust techniques are employed (to say nothing of using https everywhere and/or using OpenID). Given that YaBB dates from a more innocent age in web-security terms, that's not surprising though.
 
WWW  
IP Logged
 

Christer
Übermensch
*****
Offline



Posts: 1360
Sweden


Back to top
Re: Logging in "for keeps" expires
Reply #16 - Nov 30th, 2011 at 5:10am
 
Rad and all,

I thought that it had to do with my status as moderator but then, why reduce my "normal privileges" as a member (modifying my own posts) and not my "moderating privileges" (modifying other members' posts) only?

This morning, I had a new IP address and had to log out and re-log in. I checked which cookie changed and to my surprise, it was not named "radified-something.txt" but "U10TY0GS.txt".

From Rad's post:

Quote:
it seems this is as-designed for YaBB2


Maybe it is a recent forum software upgrade that brought this behaviour and the reason why I never noticed the IP-address changes before.

Quote:
This bit shows a value $cursession which contains an encrypted copy of the $user_ip (which comes from the CGI REMOTE_ADDR which is the user's external IP visible from the webserver end) and this has to match the stored session in the user cookie as an extra check only applied to administrative users (presumably to prevent some kinds of attacks associated with cookie forgery or impersonation). For "staff", extra checks on the 'session' cookie to ensure that the IP hasn't changed are made, whereas normal user sessions don't get this check.


That's why I can't find my current IP = 213.113.122.213


That confirms that the behaviour is by design.


(I have not yet asked my provider why the IP address changes "at random".)
 

Old Chinese proverb:
If I hear - I forget, If I see - I remember, If I do - I understand
 
IP Logged
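The IP-bound staff check quoted in Rad's reply and re-quoted above, re-implemented as an added Python example (this is not YaBB's code): `encode_session` stands in for YaBB's encode_password (assumed here to be a keyed hash of the IP), and the constructed addresses show why a moderator is logged out when the provider hands out a new IP while an ordinary member is not.

```python
import hashlib
import hmac

# Constructed server-side secret standing in for whatever key YaBB's
# encode_password uses (assumption; YaBB's real encoding is not reproduced).
SERVER_SECRET = b"constructed-demo-secret"


def encode_session(user_ip: str) -> str:
    """Stand-in for &encode_password($user_ip): a keyed hash of the client IP."""
    return hmac.new(SERVER_SECRET, user_ip.encode(), hashlib.sha256).hexdigest()


def session_valid(position: str, is_moderator: bool, sessions_enabled: bool,
                  stored_session: str, cookie_session: str, user_ip: str) -> bool:
    """Mirror of the LoadUserSettings fragment: the extra check runs only
    when the 'sessions' option is on AND the user counts as staff."""
    staff = position in ("Administrator", "Global Moderator") or is_moderator
    if not (sessions_enabled and staff):
        return True  # ordinary members are never IP-checked
    cursession = encode_session(user_ip)
    # YaBB invalidates when the stored session differs from the freshly
    # computed value OR from the cookie value (the || in the Perl fragment).
    if stored_session != cursession or stored_session != cookie_session:
        return False
    return True


def demo() -> dict:
    """Constructed scenario: login from one address, then the provider assigns
    a new one (the situation described in this thread)."""
    login_ip, new_ip = "198.51.100.7", "198.51.100.42"  # RFC 5737 test ranges
    sess = encode_session(login_ip)  # value recorded at login and set in the cookie
    return {
        "member_after_ip_change": session_valid("Member", False, True, sess, sess, new_ip),
        "mod_same_ip": session_valid("Member", True, True, sess, sess, login_ip),
        "mod_after_ip_change": session_valid("Member", True, True, sess, sess, new_ip),
        "admin_sessions_off": session_valid("Administrator", False, False, sess, sess, new_ip),
        "admin_cookie_tampered": session_valid("Administrator", False, True, sess, "x", login_ip),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'must re-login'}")
```

The "mod_after_ip_change" case is the false logout Christer sees: binding a staff session to REMOTE_ADDR also breaks it whenever a dynamic address changes, which is why most frameworks rely on a random, server-stored session identifier over HTTPS instead.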
 
Christer
Re: Logging in "for keeps" expires
Reply #17 - Nov 30th, 2011 at 5:27am
 
Quote:
it was not named "radified-something.txt" but "U10TY0GS.txt"

Maybe I should add that all cookies on my system (XP-pro) are named like that but before, they were named "sitename-something.txt". Probably a change to IE8 cookie management but when it was introduced, I don't know. It has obviously been a while since I checked the cookie folder.

I also checked the contents of "index.dat" which holds a reference "cookie file name" > "sitename-something".