[Home] [Downloads] [Search] [Help/forum]

Gammon Forum

See www.mushclient.com/spam for dealing with forum spam. Please read the MUSHclient FAQ!

[Folder]  Entire forum
-> [Folder]  Forum
. -> [Folder]  Problems
. . -> [Subject]  Login sessions
Home  |  Users  |  Search  |  FAQ
Username:
Register forum user name
Password:
Forgotten password?

Login sessions

It is now over 60 days since the last post. This thread is closed.     [Refresh] Refresh page


Posted by Twisol   USA  (2,257 posts)  [Biography] bio
Date Fri 25 Sep 2009 12:04 AM (UTC)

Amended on Fri 25 Sep 2009 12:06 AM (UTC) by Twisol

Message
A small bug I've found on these forums is that if I log in, my session cookie expires, and I log in again, it thinks I'm logged in twice (with the same credentials). My assumption is that the forum isn't invalidating its own session data after the timer period that the cookie should be invalidated after as well.


EDIT: Slightly relatedly, it would be nice if the login form at the upper-right had the tab-order set so I could tab from the username field to the password field, without having to pass over the link in-between. Almost every time I log in, I tab once, and hence hit the wrong link.

'Soludra' on Achaea

Blog: http://jonathan.com/
GitHub: http://github.com/Twisol
[Go to top] top

Posted by Nick Gammon   Australia  (21,607 posts)  [Biography] bio   Forum Administrator
Date Reply #1 on Sat 26 Sep 2009 01:19 AM (UTC)
Message
The cookie expires at the browser end, the forum doesn't know about the expiry. Now that it allows multiple logins it is likely you would have a few expired sessions around eventually.

Clicking the "Log Off" button would clear all old sessions. They won't do too much harm, unless someone happened to guess the cookie random token, which is pretty low probability, seeing how long it is.

As for the tabbing, some browsers skip over the link, but I'll see if I can re-order it in a way that does what you suggest. Remind me in a week if I forget as I am currently on holidays, and not at my usual PC.

- Nick Gammon

www.gammon.com.au, www.mushclient.com
[Go to top] top

Posted by Twisol   USA  (2,257 posts)  [Biography] bio
Date Reply #2 on Sat 26 Sep 2009 06:38 AM (UTC)

Amended on Sat 26 Sep 2009 06:52 AM (UTC) by Twisol

Message
Hmm, it seems like you could just add a section to the login code to clear outdated sessions. The user would never see the extra sessions listed because they're cleared out beforehand.

If an administrator of a copy of the forum software is worried about even older sessions clogging their database, likely ones that were never cleaned out because the user never re-logged-in, they could set a monthly cronjob to run clean all outdated sessions.

Another point I just thought of concerning the outdated session storage: if someone managed to hold on to a cookie's session value longer than intended, they would never be timed out, and hence remain logged in by some manner indefinitely (until they explicitly log out somewhere else). This worries me because it allows the possibility of cookie stealing, and thus getting a potentially indefinite free ticket into someone's user account on a copy of these forums. (Given, you log the IP and use that as well, but it's still a bit of a security breach; it's not hard to imitate another IP from what I know)


The tabbing should only require the use of the 'tabindex' attribute in the two fields. tabindex='1' for the username and tabindex='2' for the password.

'Soludra' on Achaea

Blog: http://jonathan.com/
GitHub: http://github.com/Twisol
[Go to top] top

Posted by Hanaisse   Canada  (114 posts)  [Biography] bio
Date Reply #3 on Sat 26 Sep 2009 03:30 PM (UTC)

Amended on Sat 26 Sep 2009 03:48 PM (UTC) by Hanaisse

Message
How exactly does the expiry work? I appear to have a somewhat different issue with logins.

Typically I only login when I find a post I would like to reply to. That means I could go for days or a week or more just lurking. The last time I logged in I remember the forum said I had 2 logins, which I found odd but didn't think anything of it. After reading this post the first time I checked my cookies, and there was no cookie from gammon.com.au. I logged in now just to see if it would show the 2 logins or be cleared and now it shows this;

You are logged on as: Hanaisse (3 logins)

It doesn't bother me, it's just a curiosity, or maybe a bug?

Edit: I just checked my profile where it views the sessions and it shows this;

Quote:
You are logged in at these locations:
Logged on date IP Address Domain
Fri 04 Sep 2009 05:14 AM xx.xxx.xxx.xxx www.gammon.com.au
Sat 26 Sep 2009 06:12 AM xx.xxx.xxx.xxx www.gammon.com.au
Wed 23 Sep 2009 04:38 AM xx.xxx.xxx.xxx www.gammon.com.au

You are currently at IP address: xx.xxx.xxx.xxx, using domain: www.gammon.com.au


(note: I have x'd out my IP for security reasons, but rest assured they are all the exact same IP and I only use one PC)

Shouldn't the Sept 04th session expired already?

Edit 2:
Quote:
Because of the way cookies are stored, the cookie on your web browser is linked to the "domain" that the cookie comes from, and thus changing from "www.gammon.com.au" to "gammon.com.au", or "mushclient.com" to "www.mushclient.com" all appeared to the web browser to be different sites.


I log in at http://www.gammon.com.au/forum - my current cookie says gammom.com.au

(sorry for the long post, just trying to give as much info as I can)

Edit 3: Welcome back Nick, hope you had a good trip :)

aka: Hana
Owner in Training of: Fury of the Gods
alm-dev.org:4000
[Go to top] top

Posted by Twisol   USA  (2,257 posts)  [Biography] bio
Date Reply #4 on Sat 26 Sep 2009 07:02 PM (UTC)

Amended on Sat 26 Sep 2009 07:05 PM (UTC) by Twisol

Message
Hehehe, he's still gone: "Remind me in a week".

EDIT: And that looks to be the same bug. Your cookies expire because they're given an expiry date by the forums when they're added, but the forums themselves store the data for the session. The cookie is just a key to the lock for that data. So your cookie expires, but the actual session still lives on in his database. Hence, if you log in but never log out, and just let your cookie expire, next time you log in it thinks you're logged in multiple times.

'Soludra' on Achaea

Blog: http://jonathan.com/
GitHub: http://github.com/Twisol
[Go to top] top

Posted by Nick Gammon   Australia  (21,607 posts)  [Biography] bio   Forum Administrator
Date Reply #5 on Wed 30 Sep 2009 04:48 AM (UTC)
Message
OK, the forum now keeps a record of the token expiry date, to the nearest day, on its database. It then expires old tokens when you attempt to log in, or view your tokens (in the View Profile page). It also doesn't accept out-of-date tokens to log in with. This keeps the forum software in sync, approximately, with the date stored in the cookie.

Also, the tabindex suggestion is implemented.

As an interim measure (for people who have already logged in), all tokens currently in force will expire in 7 days. After that, it will expire after the interval you set in your profile.

- Nick Gammon

www.gammon.com.au, www.mushclient.com
[Go to top] top

Posted by Twisol   USA  (2,257 posts)  [Biography] bio
Date Reply #6 on Thu 01 Oct 2009 01:53 AM (UTC)
Message
Awesome! Thanks Nick!

'Soludra' on Achaea

Blog: http://jonathan.com/
GitHub: http://github.com/Twisol
[Go to top] top

The dates and times for posts above are shown in Universal Co-ordinated Time (UTC).

To show them in your local time you can join the forum, and then set the 'time correction' field in your profile to the number of hours difference between your location and UTC time.


6,797 views.

It is now over 60 days since the last post. This thread is closed.     [Refresh] Refresh page

Go to topic:           Search the forum


[Go to top] top

Quick links: MUSHclient. MUSHclient help. Forum shortcuts. Posting templates. Lua modules. Lua documentation.

Information and images on this site are licensed under the Creative Commons Attribution 3.0 Australia License unless stated otherwise.

[Home]


Written by Nick Gammon - 5K   profile for Nick Gammon on Stack Exchange, a network of free, community-driven Q&A sites   Marriage equality

Comments to: Gammon Software support
[RH click to get RSS URL] Forum RSS feed ( https://gammon.com.au/rss/forum.xml )

[Best viewed with any browser - 2K]    [Hosted at FutureQuest]