December 13, 2006 in Feedback
Hi,

Any users that go through proxies to get to an IPB 2.2 site with stronghold cookies enabled will have continued problems since their IP might change on a per-request basis. I know for one that South Africa has a whole array of transparent proxies that cache international traffic, and because of this setting in 2.2, I for one can't remain logged into any IPB 2.2 site that uses stronghold cookies. Now I don't think it's fair that I contact every single administrator and ask them to disable it, because it's fundamentally a flaw in the way the stronghold cookie was written.

After looking at the code, I see that the cookie is made "strong" by using the first two octets of the IP address. This is fine as long as you are going through either 1 proxy server or no proxy server at all. What you should be doing is using the $_SERVER['HTTP_X_FORWARDED_FOR'] option. Or at least checking if it's set, then using that IP instead of the other $_SERVER['REMOTE_ADDR'] since that might change, but the X_FORWARDED_FOR will not change in most cases (provided the proxy/transparent cache is set up correctly).

Regards,
Ian
The problem is that X_FORWARDED_FOR can be faked with ease.
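The two posts above describe the trade-off exactly: binding the cookie to the first two octets of REMOTE_ADDR breaks behind proxy pools whose address changes per request, while honouring X-Forwarded-For from anyone lets a client choose its own "IP". The following is an added example (not IPB's code) showing the usual middle ground: the header is honoured only when the TCP peer is a proxy the site itself operates. The TRUSTED_PROXIES set, the HMAC token format and all addresses are constructed assumptions, and IPv4 is assumed throughout.

```python
import hashlib
import hmac
import ipaddress

# Constructed assumption: proxies the site operates. Only X-Forwarded-For
# values that arrive via one of these peers are believed. An ISP's transparent
# cache, as in the thread, would NOT be in this list, so its header is ignored.
TRUSTED_PROXIES = {"10.0.0.5", "10.0.0.6"}


def effective_client_ip(remote_addr, xff=""):
    """Return the address the cookie should be bound to.

    X-Forwarded-For is a comma-separated chain appended by each proxy. It is
    only used when the direct peer (REMOTE_ADDR) is one of our own proxies;
    otherwise any client could forge it and defeat the IP binding entirely.
    """
    if remote_addr in TRUSTED_PROXIES and xff:
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        # Walk from the right: skip our own proxies, the first other hop is
        # the client as seen by our edge. Earlier entries are untrusted.
        for hop in reversed(hops):
            if hop in TRUSTED_PROXIES:
                continue
            try:
                ipaddress.ip_address(hop)
            except ValueError:
                break  # malformed header: fall back to the peer address
            return hop
    return remote_addr


def ip_prefix(ip):
    """First two octets, the granularity the thread says stronghold uses."""
    return ".".join(ip.split(".")[:2])


def stronghold_token(member_id, pass_hash, ip, secret):
    """Cookie value bound to member, password hash and the /16 of the IP."""
    msg = "{}:{}:{}".format(member_id, pass_hash, ip_prefix(ip)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def cookie_valid(token, member_id, pass_hash, remote_addr, xff, secret):
    """Recompute the token for this request and compare in constant time."""
    ip = effective_client_ip(remote_addr, xff)
    expected = stronghold_token(member_id, pass_hash, ip, secret)
    return hmac.compare_digest(token, expected)
```

The last case in the test below is the spoofing concern raised in the reply: a forged header from an untrusted peer changes nothing, while a client behind a proxy the site does not control still fails once its /16 changes.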
True, but it will at least help even a little with all users that are suffering the same fate as me :/
Hence the reason that they require some more thought since it makes a lot of boards useless... There is unfortunately no way around this for us, since we can't control the transparent proxy servers or bypass them.
We, on the other hand, cannot sacrifice security completely for ease of use. There is a method for administrators to disable the feature. At this point, it is up to the admin whether they want to do it or not.
Seems like a usability versus security issue. It is up to you the admin to weigh your options. If you want to modify the cookie checking that is an option as well, although it would be, as stated, somewhat less secure than the current method and be unsupported outside the mod community.
We could add a per-user option to disable it, I guess.
Cookies aren't working properly, regardless of whether it is stronghold or not and whether IP match is turned on or off. So something is just wrong, apparently. Unless maybe I didn't delete cookies when I turned IP match back off. Maybe that would have affected it.
Then, if you could, get out from behind those proxies.. Problem solved.
Transparent proxies - the only way for us to get out from them is to move out of the country...
That would be awesome, at least allow us to use some of the boards...
I also think they need some reworking
Thanks for that suggestion :huh: . It's not our government that does it, it's the ISP that controls the main international internet links...
Do they go over-board with the censorship too? I know some countries do, just forgot which ones. (Like, they block sites and stuff without your consent etc.)
No, there is no censorship or blocking of sites - it's plainly there to reduce the traffic that has to flow across the link...
Oh okay, I was just curious.
I had to disable stronghold, 50% of board users were not able to stay logged in, me too... after disabling, everybody is happy...
I don't think this is related to the stronghold cookie or IP address, but I'm constantly getting logged out either every day or every other day when I have "Remember Me" on. I'm not sure what is going on... In the client center the "Remember Me" thing doesn't work at all.
An interesting solution might be to maintain a log of all users who have accessed the site while presenting valid cookie information along the lines of member_id, pass_hash (or whatever it is, haven't dealt with all of that stuff in ages) yet have failed the auth process, i.e. been logged out. If you have a huge log full of a variety of members who have failed to authenticate despite having the required cookie values, then it's probably a bad idea to enable stronghold cookies on your IPB. If you have a huge log full of only one or two members, you can attempt to address it with them privately.

Or, someone's trying desperately to hack you ;)

One thing I've come to terms with gradually is that users suck at reporting stuff. It's normally best to trap and record errors yourself, so you can deal with them effectively.
Can anyone explain to me what exactly the Stronghold method does? All I know is that when I turn it on my mailbox gets flooded with mail from members who can't stay logged in.
It also prevents a user from using multiple browsers with the same account - he or she cannot stay logged into the same account across browsers.
Disable it and have a nice time! That's all, I think...