
Stronghold cookie rework


Guest BarnRacoon


Posted

Hi,

Any users that go through proxies to get to an IPB 2.2 site with stronghold cookies enabled will have continued problems since their IP might change on a per-request basis. I know for one that South Africa has a whole array of transparent proxies that cache international traffic, and because of this setting in 2.2, I for one can't remain logged into any IPB 2.2 site that uses stronghold cookies. Now I don't think it's fair that I contact every single administrator and ask them to disable it, because it's fundamentally a flaw in the way the stronghold cookie was written.

After looking at the code, I see that the cookie is made "strong" by using the first two octets of the IP address. This is fine as long as you are going through either 1 proxy server or no proxy server at all. What you should be doing is using the $_SERVER['HTTP_X_FORWARDED_FOR'] option. Or at least checking if it's set, then using that IP instead of the other $_SERVER['REMOTE_ADDR'] since that might change, but the X_FORWARDED_FOR will not change in most cases (provided the proxy/transparent cache is set up correctly).

Regards,
Ian
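As an added example that is not IPB's own code: one way to apply the suggestion above without letting a client choose the address the cookie is bound to. X-Forwarded-For is honoured only when the request arrived from a proxy the administrator has listed (the trusted-proxy array is an assumption), because any client can send that header itself; the stored value is the first two octets the post describes.

```php
<?php
// Added example, not IPB's own code. Returns the address the stronghold
// cookie should be bound to. $trusted_proxies is a hypothetical admin setting
// listing the proxies the forum sits behind.
function stronghold_client_ip(array $server, array $trusted_proxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trusted_proxies, true)) {
        // Direct client or an unlisted proxy: the header is not trustworthy here.
        return $remote;
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    // Walk the chain from the right, skipping hops we added ourselves, and
    // stop at the first address that is not one of our own proxies.
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if ($hop === '' || in_array($hop, $trusted_proxies, true)) {
            continue;
        }
        // Only accept a well-formed IPv4 address; otherwise fall back to REMOTE_ADDR.
        return filter_var($hop, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) ? $hop : $remote;
    }
    return $remote;
}

// The part of the address IPB keeps in the stronghold cookie: the first two octets.
function stronghold_prefix(string $ip): string
{
    $octets = explode('.', $ip);
    if (count($octets) !== 4) {
        return $ip; // not dotted-quad IPv4; keep the whole value
    }
    return $octets[0] . '.' . $octets[1];
}

// Constructed requests. The forum's own reverse proxy is 10.0.0.5 (assumed).
$trusted  = ['10.0.0.5'];
$direct   = ['REMOTE_ADDR' => '196.25.1.9', 'HTTP_X_FORWARDED_FOR' => '1.2.3.4'];
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5',   'HTTP_X_FORWARDED_FOR' => '196.25.1.9, 10.0.0.5'];

// Direct request: the spoofable header is ignored, the socket address is used.
echo stronghold_prefix(stronghold_client_ip($direct, $trusted)), "\n";
// Request through the listed proxy: the forwarded client address is used.
echo stronghold_prefix(stronghold_client_ip($viaProxy, $trusted)), "\n";
```

Transparent carrier proxies the administrator has not listed are still treated as the client, so the poster's case would need those proxies listed or the per-user opt-out raised later in the thread.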

Posted

True, but it will at least help even a little with all users that are suffering the same fate as me :/



As an admin I would rather you be troubled than have people find a way around the stronghold cookie. I am sure there is a way for you to use proxies but keep the same IP the entire time you're visiting a website.

But don't expect very many administrators to disable the feature for you unless they get a lot of requests; I know personally I wouldn't do it.
Posted

Hence the reason that they require some more thought, since it makes a lot of boards useless...

There is unfortunately no way around this for us, since we can't control the transparent proxy servers or bypass them.

Posted

We, on the other hand, cannot sacrifice security completely for ease of use. There is a method for administrators to disable the feature. At this point, it is up to the admin whether they want to do it or not.

Posted

Seems like a usability versus security issue. It is up to you the admin to weigh your options. If you want to modify the cookie checking, that is an option as well, although it would be, as stated, somewhat less secure than the current method and be unsupported outside the mod community.

Posted

Cookies aren't working properly, regardless of whether it is stronghold or not and whether IP match is turned on or off. So something is just wrong, apparently. Unless maybe I didn't delete cookies when I turned IP match back off. Maybe that would have affected it.

Posted

Then, if you could, get out from behind those proxies.. Problem solved.


Transparent proxies - the only way for us to get out from them is to move out of the country...


We could add a per-user option to disable it, I guess.


That would be awesome, at least allow us to use some of the boards...


Cookies aren't working properly, regardless of whether it is stronghold or not and whether IP match is turned on or off. So something is just wrong, apparently. Unless maybe I didn't delete cookies when I turned IP match back off. Maybe that would have affected it.


I also think they need some reworking
Posted

Transparent proxies - the only way for us to get out from them is to move out of the country...


That would be awesome, at least allow us to use some of the boards...


I also think they need some reworking



There are other methods to not use transparent proxies, like changing your government :devil:
Posted

Do they go over-board with the censorship too? I know some countries do, just forgot which ones. (Like, they block sites and stuff without your consent etc.)

Posted

I don't think this is related to the stronghold cookie or IP address, but I'm constantly getting logged out either every day or every other day when I have "Remember Me" on. I'm not sure what is going on... In the client center the "Remember Me" thing doesn't work at all.

Posted

An interesting solution might be to maintain a log of all users who have accessed the site while presenting valid cookie information along the lines of member_id, pass_hash (or whatever it is, haven't dealt with all of that stuff in ages) yet have failed the auth process, i.e. been logged out. If you have a huge log full of a variety of members who have failed to authenticate despite having the required cookie values, then it's probably a bad idea to enable stronghold cookies on your IPB. If you have a huge log full of only one or two members, you can attempt to address it with them privately.

Or, someone's trying desperately to hack you ;)

One thing I've come to terms with gradually is that users suck at reporting stuff. It's normally best to trap and record errors yourself, so you can deal with them effectively.
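The triage the post above proposes, as an added example that is not IPB's own code: it groups a hypothetical log of requests that carried a member_id/pass_hash cookie pair but still failed the stronghold check, and tells "many members behind changing proxies" from "a few accounts failing repeatedly". The log format and the threshold are assumptions.

```php
<?php
// Added example, not IPB's own code. Each constructed log line is:
// time<TAB>member_id<TAB>prefix_in_cookie<TAB>prefix_of_request
function triage_stronghold_failures(array $lines, int $min_members = 5): array
{
    $perMember = [];
    foreach ($lines as $line) {
        $line = trim($line);
        if ($line === '') {
            continue;
        }
        [$when, $member, $cookiePrefix, $reqPrefix] = explode("\t", $line);
        $perMember[$member][] = $reqPrefix;
    }

    $report = [];
    foreach ($perMember as $id => $prefixes) {
        // Many distinct request prefixes on one account means the same cookie
        // kept arriving from unrelated networks, which deserves a closer look.
        $report[$id] = [
            'failures'         => count($prefixes),
            'distinct_prefixes' => count(array_unique($prefixes)),
        ];
    }

    $members = count($report);
    if ($members >= $min_members) {
        $summary = 'widespread: many members fail despite valid cookies; consider disabling stronghold or a per-user opt-out';
    } elseif ($members > 0) {
        $summary = 'concentrated: contact the affected member(s) directly and review accounts with many distinct prefixes';
    } else {
        $summary = 'no failures logged';
    }
    return ['members' => $members, 'per_member' => $report, 'summary' => $summary];
}

// Constructed sample: two members behind a transparent proxy pool, one oddity.
$log = [
    "2006-10-01 08:00\t42\t196.25\t196.30",
    "2006-10-01 08:05\t42\t196.25\t196.31",
    "2006-10-01 09:00\t77\t196.25\t196.30",
    "2006-10-01 09:30\t500\t81.10\t203.5",
    "2006-10-01 09:31\t500\t81.10\t62.40",
    "2006-10-01 09:32\t500\t81.10\t190.2",
];
print_r(triage_stronghold_failures($log, 5));
```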

  • 6 months later...
Posted

Can anyone explain to me what exactly the Stronghold method does? All I know is that when I turn it on my mailbox gets flooded with mail from members who can't stay logged in..

Posted

Can anyone explain to me what exactly the Stronghold method does? All I know is that when I turn it on my mailbox gets flooded with mail from members who can't stay logged in..


If you have Stronghold cookies on, anytime a member's IP address changes, then he has to log in again. So if you don't have a static IP, you're going to be logging all the time.

In general members (w/o static IPs) really hate that, especially those that are on and off the forums all day long. And on top of that, we have the never-ending stream of: "I forgot my log in info" emails. So those will increase from the forgetful ones, with dynamic IPs.

The above is why I'm hoping this happens.
Brian
Posted

It also prevents a user from using multiple browsers with the same account - he or she cannot stay logged into the same account across browsers.

Posted

We could add a per-user option to disable it, I guess.



Why not a per-usergroup option?

The Stronghold cookie is only important for the Admin/Moderator group or other groups with sensitive permissions, from my point of view...
