Radified Community Forums
Logging in "for keeps" expires (Read 26340 times)
Rad (Radministrator, Posts: 4090, Newport Beach, California)
Re: Logging in "for keeps" expires - Reply #15 - Nov 29th, 2011 at 2:42pm
From a friend familiar with these kinds of things:
Quote:
Looking at the source code, this behaviour is built into Yabb2 for some reason. I've just taken a quick look at the 2.5 source and although it might not be the whole answer, it seems this is as-designed for YaBB2.
Look at AdminIndex.pl which controls most of the admin functions, and this early fragment:
require "$sourcedir/Subs.pl";
require "$sourcedir/System.pl";
require "$sourcedir/DateTime.pl";
require "$sourcedir/Load.pl";
&LoadCookie; # Load the user's cookie (or set to guest)
&LoadUserSettings; # Load user settings
This suggests which modules have the cookie processing, which relates to what user sessions are. Inside Sources/Load.pl we have this:
sub LoadUserSettings {
    &LoadBoardControl;
    $iamguest = $username eq 'Guest' ? 1 : 0;
    if ($username ne 'Guest') {
        &LoadUser($username);
        if (!$maintenance || ${$uid.$username}{'position'} eq 'Administrator') {
            $iammod = &is_moderator($username);
            if (${$uid.$username}{'position'} eq 'Administrator' || ${$uid.$username}{'position'} eq 'Global Moderator' || $iammod) { $staff = 1; }
            else { $staff = 0; }
            $sessionvalid = 1;
            if ($sessions == 1 && $staff == 1) {
                $cursession = &encode_password($user_ip);
                chomp $cursession;
                if (${$uid.$username}{'session'} ne $cursession || ${$uid.$username}{'session'} ne $cookiesession) { $sessionvalid = 0; }
            }
This bit shows a value $cursession which contains an encrypted copy of the $user_ip (which comes from the CGI REMOTE_ADDR which is the user's external IP visible from the webserver end) and this has to match the stored session in the user cookie as an extra check only applied to administrative users (presumably to prevent some kinds of attacks associated with cookie forgery or impersonation). For "staff", extra checks on the 'session' cookie to ensure that the IP hasn't changed are made, whereas normal user sessions don't get this check.
Using this kind of thing - encrypting with the user's IP as part of a cookie - is common in most web applications, but it's not normally done this particular way and in particular admins normally aren't treated specially. Instead, more robust techniques are employed (to say nothing of using https everywhere and/or using OpenID). Given that YaBB dates from a more innocent age in web-security terms, that's not surprising though.
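To make the quoted Load.pl check concrete, here is an added Python model of it (not YaBB code, and not from the friend's post): a staff user's stored "session" is a one-way digest of the IP seen at login, and it must equal both the user record and the cookie, so any change of external IP invalidates the login. The second half contrasts it with an assumed alternative the page only alludes to as "more robust techniques": a random, server-side session token with an expiry that is not tied to the client IP. The function names, the sha256 stand-in for encode_password, and the sample addresses are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# --- Model of the YaBB2 staff check (constructed; mirrors the quoted Load.pl logic) ---

def encode_ip(ip: str) -> str:
    """Stand-in for YaBB's encode_password($user_ip): a one-way digest of the IP."""
    return hashlib.sha256(ip.encode()).hexdigest()


def yabb_style_session_valid(user: dict, cookie_session: str, current_ip: str,
                             sessions_enabled: bool = True) -> bool:
    """Return True if the login is still accepted.

    user is a constructed stand-in for ${$uid.$username}:
      {'position': 'Administrator' | 'Global Moderator' | 'Member',
       'is_moderator': bool, 'session': digest stored at login}
    """
    staff = (user['position'] in ('Administrator', 'Global Moderator')
             or user.get('is_moderator', False))
    if not (sessions_enabled and staff):
        return True  # ordinary members are never IP-checked
    cursession = encode_ip(current_ip)
    stored = user['session']
    # Same two comparisons as the Perl: stored vs. current IP, stored vs. cookie.
    return (hmac.compare_digest(stored, cursession)
            and hmac.compare_digest(stored, cookie_session))


# --- Assumed alternative (not on the page): random server-side token with expiry ---

SESSION_TTL = 30 * 24 * 3600  # constructed "for keeps" lifetime: 30 days


class SessionStore:
    """Server-side session table keyed by an unguessable random token."""

    def __init__(self) -> None:
        self._sessions: dict[str, tuple[str, float]] = {}  # token -> (username, expiry)

    def create(self, username: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, never derived from the IP
        self._sessions[token] = (username, now + SESSION_TTL)
        return token

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the username for a live token, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if now > expiry:
            del self._sessions[token]
            return None
        return username

    def revoke(self, token: str) -> None:
        """Explicit logout: the token stops working immediately."""
        self._sessions.pop(token, None)


if __name__ == "__main__":
    admin = {'position': 'Administrator', 'session': encode_ip('203.0.113.10')}
    print(yabb_style_session_valid(admin, encode_ip('203.0.113.10'), '203.0.113.10'))  # True
    print(yabb_style_session_valid(admin, encode_ip('203.0.113.10'), '198.51.100.7'))  # False: IP changed
    store = SessionStore()
    tok = store.create('someuser', now=1000.0)
    print(store.validate(tok, now=1000.0 + 60))  # 'someuser', regardless of client IP
```

In the model, a moderator whose provider hands out a new address is logged out on the next request, which is exactly the behaviour described in the thread, while a plain member with the same address change stays logged in. The token-based store instead accepts the session until it expires or is revoked, so an IP change by itself never ends a login; it does not replicate the IP-binding intent, and which trade-off is right depends on the deployment.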
Christer (Übermensch, Posts: 1360, Sweden)
Re: Logging in "for keeps" expires - Reply #16 - Nov 30th, 2011 at 5:10am
Rad and all,
I thought that it had to do with my status as moderator but then, why reduce my "normal privileges" as a member (modifying my own posts) and not my "moderating privileges" (modifying other members' posts) only?
This morning, I had a new IP-address and had to log out and re-log in. I checked which cookie changed and to my surprise, it was not named "radified-something.txt" but "U10TY0GS.txt".
From Rad's post:
Quote:
it seems this is as-designed for YaBB2
Maybe it is a recent forum software upgrade that brought this behaviour and the reason why I never noticed the IP-address changes before.
Quote:
This bit shows a value $cursession which contains an encrypted copy of the $user_ip (which comes from the CGI REMOTE_ADDR which is the user's external IP visible from the webserver end) and this has to match the stored session in the user cookie as an extra check only applied to administrative users (presumably to prevent some kinds of attacks associated with cookie forgery or impersonation). For "staff", extra checks on the 'session' cookie to ensure that the IP hasn't changed are made, whereas normal user sessions don't get this check.
That's why I can't find my current IP = 213.113.122.213
That confirms that the behaviour is by design.
(I have not yet asked my provider why the IP-address changes "at random".)
Old Chinese proverb:
If I hear - I forget, If I see - I remember, If I do - I understand
Christer (Übermensch, Posts: 1360, Sweden)
Re: Logging in "for keeps" expires - Reply #17 - Nov 30th, 2011 at 5:27am
Quote:
it was not named "radified-something.txt" but "U10TY0GS.txt"
Maybe I should add that all cookies on my system (XP-pro) are named like that but before, they were named "sitename-something.txt". Probably a change to IE8 cookie management but when it was introduced, I don't know. It has obviously been a while since I checked the cookie folder.
I also checked the contents of "index.dat" which holds a reference "cookie file name" > "sitename-something".
Old Chinese proverb:
If I hear - I forget, If I see - I remember, If I do - I understand
Powered by YaBB 2.4. YaBB © 2000-2009. All Rights Reserved.