
Stronghold cookie rework


Guest BarnRacoon


Hi,

Any users that go through proxies to get to an IPB 2.2 site with stronghold cookies enabled will have continued problems since their IP might change on a per-request basis. I know for one that South Africa has a whole array of transparent proxies that cache international traffic and because of this setting in 2.2, I for one can't remain logged into any IPB 2.2 site that uses stronghold cookies. Now I don't think it's fair that I contact every single administrator and ask them to disable it, because it's fundamentally a flaw in the way the stronghold cookie was written.

After looking at the code, I see that the cookie is made "strong" by using the first two octets of the IP address. This is fine as long as you are going through either 1 proxy server or no proxy server at all. What you should be doing is using the $_SERVER['HTTP_X_FORWARDED_FOR'] option. Or at least checking if it's set, then using that IP instead of the other $_SERVER['REMOTE_ADDR'] since that might change, but the X_FORWARDED_FOR will not change in most cases (provided the proxy/transparent cache is set up correctly).

Regards,
Ian
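
The two address sources discussed in this post, as an added example that is not part of the original post and not IPB's code: the cookie is bound to the first two octets, and `X-Forwarded-For` is honoured only when the request arrives from a proxy the operator has listed. `TRUSTED_PROXIES`, `COOKIE_SECRET`, the function names, the HMAC construction and all addresses are assumptions made for the illustration.

```php
<?php
// Added illustration, not IPB source. Names, secret and addresses are hypothetical.
const TRUSTED_PROXIES = ['192.0.2.10', '192.0.2.11']; // proxies the operator runs
const COOKIE_SECRET   = 'placeholder-site-secret';

// Choose the address to bind to. X-Forwarded-For is a request header, so it
// counts only when the direct peer (REMOTE_ADDR) is one of the listed proxies.
function client_ip(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer;
    }
    // Read right to left: the rightmost hops were appended by the listed proxies.
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            return $peer; // malformed entry: fall back to the peer address
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop;  // first hop that is not one of the listed proxies
        }
    }
    return $peer;
}

// Bind the cookie to the member id and the first two octets, as the post describes.
// HMAC-SHA256 is a stand-in here; it is not claimed to be what IPB computes.
function stronghold_value(int $memberId, string $ip): string
{
    $prefix = implode('.', array_slice(explode('.', $ip), 0, 2));
    return hash_hmac('sha256', $memberId . '|' . $prefix, COOKIE_SECRET);
}

function stronghold_ok(string $cookie, int $memberId, array $server): bool
{
    return hash_equals(stronghold_value($memberId, client_ip($server)), $cookie);
}

// Constructed requests for member 42, whose cookie was issued for 198.51.100.7.
$cookie = stronghold_value(42, '198.51.100.7');
$cases = [
    'same first two octets'          => ['REMOTE_ADDR' => '198.51.100.200'],
    'different upstream proxy range' => ['REMOTE_ADDR' => '203.0.113.5'],
    'listed proxy, header present'   => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'],
    'unlisted peer, header present'  => ['REMOTE_ADDR' => '203.0.113.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'],
];
foreach ($cases as $label => $server) {
    printf("%-32s %s\n", $label, stronghold_ok($cookie, 42, $server) ? 'accepted' : 'logged out');
}
```

Transparent ISP caches that the site operator cannot enumerate fall into the unlisted case, so this approach only helps where the proxy chain is known to the operator.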


True, but it will at least help even a little with all users that are suffering the same fate as me :/



As an admin I would rather you be troubled than have people find a way around the stronghold cookie. I am sure there is a way for you to use proxies but keep the same IP the entire time you're visiting a website.

But don't expect very many administrators to disable the feature for you, unless they get a lot of requests. I know personally I wouldn't do it.

Seems like a usability versus security issue. It is up to you, the admin, to weigh your options. If you want to modify the cookie checking, that is an option as well, although it would be, as stated, somewhat less secure than the current method and be unsupported outside the mod community.


Then, if you could, get out from behind those proxies.. Problem solved.


Transparent proxies - the only way for us to get out from them is to move out of the country...


We could add a per-user option to disable it, I guess.


That would be awesome, at least allow us to use some of the boards...


Cookies aren't working properly, regardless of whether it is stronghold or not and whether IP match is turned on or off. So something is just wrong, apparently. Unless maybe I didn't delete cookies when I turned IP match back off. Maybe that would have affected it.


I also think they need some reworking

Transparent proxies - the only way for us to get out from them is to move out of the country...


That would be awesome, at least allow us to use some of the boards...


I also think they need some reworking



There are other methods to not use transparent proxies, like changing your government :devil:

I don't think this is related to the stronghold cookie or IP address, but I'm constantly getting logged out either every day or every other day when I have "Remember Me" on. I'm not sure what is going on... In the client center the "Remember Me" thing doesn't work at all.


An interesting solution might be to maintain a log of all users who have accessed the site while presenting valid cookie information along the lines of member_id, pass_hash (or whatever it is, haven't dealt with all of that stuff in ages) yet have failed the auth process, i.e. been logged out. If you have a huge log full of a variety of members who have failed to authenticate despite having the required cookie values, then it's probably a bad idea to enable stronghold cookies on your IPB. If you have a huge log full of only one or two members, you can attempt to address it with them privately.

Or, someone's trying desperately to hack you ;)

One thing I've come to terms with gradually is that users suck at reporting stuff. It's normally best to trap and record errors yourself, so you can deal with them effectively.
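
An added example of the logging idea in the post above, not taken from IPB and not written by the poster: it groups requests that carried valid member cookies but failed the stronghold check, so an admin can see whether the failures are spread across many members or confined to a few. The log format, the function names and the `$widespreadAt` threshold are assumptions, and the log lines are constructed.

```php
<?php
// Added illustration; the log format, field order and threshold are hypothetical.
// Constructed sample: one line per request whose member_id/pass_hash cookies
// were valid but whose stronghold check failed: timestamp, member_id, client IP.
$sampleLog = <<<LOG
2007-03-01T08:00:01Z 17 198.51.100.7
2007-03-01T08:00:09Z 17 203.0.113.40
2007-03-01T08:02:30Z 23 192.0.2.14
2007-03-01T08:05:12Z 17 198.51.100.9
not a log line
2007-03-01T08:07:45Z 23 203.0.113.41
LOG;

// Group failures by member and record which two-octet prefixes each one came from.
function summarise_failures(string $log): array
{
    $byMember = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^\S+ (\d+) (\d+\.\d+)\.\d+\.\d+$/', $line, $m)) {
            continue; // skip malformed lines rather than guessing at them
        }
        [, $member, $prefix] = $m;
        $byMember[$member]['failures'] = ($byMember[$member]['failures'] ?? 0) + 1;
        $byMember[$member]['prefixes'][$prefix] = true;
    }
    return $byMember;
}

// Many distinct members failing points at the setting; a handful can be handled
// one by one, either as a support case or as a cookie worth investigating.
function assess(array $byMember, int $widespreadAt = 10): string
{
    return count($byMember) >= $widespreadAt
        ? 'widespread: stronghold cookies are logging out a broad set of members'
        : 'isolated: follow up with the listed members individually';
}

$summary = summarise_failures($sampleLog);
foreach ($summary as $member => $info) {
    printf("member %d: %d failures from prefixes %s\n",
        $member, $info['failures'], implode(', ', array_keys($info['prefixes'])));
}
echo assess($summary), "\n";
```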


  • 6 months later...

Can anyone explain to me what exactly the Stronghold method does? All I know is that when I turn it on my mailbox gets flooded with mail from members who can't stay logged in..


If you have Stronghold cookies on, anytime a member's IP address changes, he has to log in again. So if you don't have a static IP, you're going to be logging in all the time.

In general members (w/o static IPs) really hate that, especially those that are on and off the forums all day long. And on top of that, we have the never-ending stream of: "I forgot my log in info" emails. So those will increase from the forgetful ones, with dynamic IPs.

The above is why I'm hoping this happens.
Brian

We could add a per-user option to disable it, I guess.



Why not a per-usergroup option?

The Stronghold cookie is only important for the Admin/Moderator groups or other groups with sensitive permissions, from my point of view...

Archived

This topic is now archived and is closed to further replies.
