BarnRacoon Posted December 13, 2006

Hi,

Any users that go through proxies to get to an IPB 2.2 site with stronghold cookies enabled will have continued problems since their IP might change on a per-request basis. I know for one that South Africa has a whole array of transparent proxies that cache international traffic, and because of this setting in 2.2, I for one can't remain logged into any IPB 2.2 site that uses stronghold cookies. Now I don't think it's fair that I contact every single administrator and ask them to disable it, because it's fundamentally a flaw in the way the stronghold cookie was written.

After looking at the code, I see that the cookie is made "strong" by using the first two octets of the IP address. This is fine as long as you are going through either 1 proxy server or no proxy server at all. What you should be doing is using the $_SERVER['HTTP_X_FORWARDED_FOR'] option. Or at least checking if it's set, then using that IP instead of the other $_SERVER['REMOTE_ADDR'] since that might change, but the X_FORWARDED_FOR will not change in most cases (provided the proxy/transparent cache is set up correctly).

Regards,
Ian

Management Matt Posted December 13, 2006

The problem is that X_FORWARDED_FOR can be faked with ease.

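The two posts above, put side by side as an added example (not IPB's code and not written by anyone in this thread): a cookie token bound to the first two octets of the client address, where X-Forwarded-For is used only when the direct peer is a proxy the board operator has listed. The HMAC token format, the secret, and the `TRUSTED_PROXIES` list are assumptions, and the operator would need to know the addresses of the caches in front of their users for the list to help.

```php
<?php
// Added illustration, not IPB code. Token format, secret and proxy list are assumptions.
const TRUSTED_PROXIES = ['192.0.2.10', '192.0.2.11']; // constructed addresses

// Address to bind the cookie to: the header counts only if a trusted proxy sent it.
function client_ip(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer; // no header, or header supplied by an unlisted peer
    }
    // Read the chain right to left; the first hop that is not ours is the client.
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed entry: fall back to the TCP peer
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop;
        }
    }
    return $peer;
}

// First two octets of an IPv4 address, the binding described in the thread.
function ip_prefix(string $ip): string
{
    $parts = explode('.', $ip);
    return count($parts) === 4 ? $parts[0] . '.' . $parts[1] : $ip;
}

function stronghold_token(int $memberId, string $ip, string $secret): string
{
    return hash_hmac('sha256', $memberId . '|' . ip_prefix($ip), $secret);
}

function stronghold_valid(string $cookie, int $memberId, array $server, string $secret): bool
{
    $expected = stronghold_token($memberId, client_ip($server), $secret);
    return hash_equals($expected, $cookie); // constant-time comparison
}

$secret = 'constructed-demo-secret';
$cookie = stronghold_token(42, '198.51.100.7', $secret);
// Request relayed by a listed proxy that reports the original client address.
var_dump(stronghold_valid($cookie, 42,
    ['REMOTE_ADDR' => '192.0.2.11', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'], $secret));
// Request from an unlisted peer that supplies the same header value itself.
var_dump(stronghold_valid($cookie, 42,
    ['REMOTE_ADDR' => '203.0.113.50', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'], $secret));
```
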
BarnRacoon Posted December 13, 2006

True, but it will at least help even a little with all users that are suffering the same fate as me :/

Dark Phantom Posted December 13, 2006

> True, but it will at least help even a little with all users that are suffering the same fate as me :/

As an admin I would rather you be troubled than have people find a way around the stronghold cookie. I am sure there is a way for you to use proxies but keep the same IP the entire time you're visiting a website.

But don't expect very many administrators to disable the feature for you, unless they get a lot of requests. I know personally I wouldn't do it.

BarnRacoon Posted December 13, 2006

Hence the reason that they require some more thought since it makes a lot of boards useless...

There is unfortunately no way around this for us, since we can't control the transparent proxy servers or bypass them.

bfarber Posted December 13, 2006

We, on the other hand, cannot sacrifice security completely for ease of use. There is a method for administrators to disable the feature. At this point, it is up to the admin whether they want to do it or not.

.Sephiroth. Posted December 13, 2006

> True, but it will at least help even a little with all users that are suffering the same fate as me :/

Then, if you could, get out from behind those proxies.. Problem solved.

Fast Lane Posted December 13, 2006

Seems like a usability versus security issue. It is up to you the admin to weigh your options. If you want to modify the cookie checking, that is an option as well, although it would be, as stated, somewhat less secure than the current method and be unsupported outside the mod community.

Management Matt Posted December 13, 2006

We could add a per-user option to disable it, I guess.

TestingSomething Posted December 14, 2006

Cookies aren't working properly, regardless of whether it is stronghold or not and whether IP match is turned on or off. So something is just wrong, apparently. Unless maybe I didn't delete cookies when I turned IP match back off. Maybe that would have affected it.

BarnRacoon Posted December 14, 2006

> Then, if you could, get out from behind those proxies.. Problem solved.

Transparent proxies - the only way for us to get out from them is to move out of the country...

> We could add a per-user option to disable it, I guess.

That would be awesome, at least allow us to use some of the boards...

> Cookies aren't working properly, regardless of whether it is stronghold or not and whether IP match is turned on or off. So something is just wrong, apparently. Unless maybe I didn't delete cookies when I turned IP match back off. Maybe that would have affected it.

I also think they need some reworking

Dark Phantom Posted December 14, 2006

> Transparent proxies - the only way for us to get out from them is to move out of the country...
>
> That would be awesome, at least allow us to use some of the boards...
>
> I also think they need some reworking

There are other methods to not use transparent proxies, like change your government :devil:

BarnRacoon Posted December 15, 2006

Thanks for that suggestion :huh: . It's not our government that does it, it's the ISP that controls the main international internet links...

.KX Posted December 15, 2006

Do they go overboard with the censorship too? I know some countries do, just forgot which ones. (Like, they block sites and stuff without your consent etc.)

BarnRacoon Posted December 15, 2006

No, there is no censorship or blocking of sites - it's plainly there to reduce the traffic that has to flow across the link...

MaK'77 Posted December 19, 2006

I had to disable stronghold, 50% of board users were not able to stay logged in, me too... after disabling it everybody is happy...

Luke Posted December 19, 2006

I don't think this is related to the stronghold cookie or IP address, but I'm constantly getting logged out either every day or every other day when I have "Remember Me" on. I'm not sure what is going on... In the client center the "Remember Me" thing doesn't work at all.

ellawella Posted December 19, 2006

An interesting solution might be to maintain a log of all users who have accessed the site while presenting valid cookie information along the lines of member_id, pass_hash (or whatever it is, haven't dealt with all of that stuff in ages) yet have failed the auth process, i.e. been logged out. If you have a huge log full of a variety of members who have failed to authenticate despite having the required cookie values, then it's probably a bad idea to enable stronghold cookies on your IPB. If you have a huge log full of only one or two members, you can attempt to address it with them privately.

Or, someone's trying desperately to hack you ;)

One thing I've come to terms with gradually is that users suck at reporting stuff. It's normally best to trap and record errors yourself, so you can deal with them effectively.

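The log review suggested in the post above, sketched as an added example (not IPB code and not the poster's): it reads failure entries, groups them by member, and reports whether the failures are spread across many members or concentrated in one or two. The log line format, the `stronghold_mismatch` reason tag, and the "two members" cut-off are assumptions, and the log lines are constructed.

```php
<?php
// Added illustration, not IPB code. Log format, reason tag and threshold are assumptions.

// Collect "valid cookie credentials but failed the stronghold check" events per member.
function summarize_failures(array $lines): array
{
    $pattern = '/member_id=(\d+) ip=(\d+\.\d+)\.\d+\.\d+ reason=stronghold_mismatch/';
    $byMember = [];
    foreach ($lines as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue; // some other kind of log entry
        }
        $byMember[$m[1]]['count'] = ($byMember[$m[1]]['count'] ?? 0) + 1;
        $byMember[$m[1]]['prefixes'][$m[2]] = true; // distinct first-two-octet prefixes
    }
    return $byMember;
}

// A broad set of members points at the setting; one or two can be handled privately.
function triage(array $byMember, int $fewMembers = 2): string
{
    $n = count($byMember);
    if ($n === 0) {
        return 'no stronghold failures logged';
    }
    return $n <= $fewMembers
        ? "$n member(s) affected: follow up with them individually"
        : "$n members affected: stronghold is logging out a broad set of users";
}

$log = [ // constructed sample lines
    '2006-12-19T08:01:10 member_id=17 ip=198.51.100.7 reason=stronghold_mismatch',
    '2006-12-19T08:03:42 member_id=17 ip=203.0.113.9 reason=stronghold_mismatch',
    '2006-12-19T08:05:00 member_id=23 ip=192.0.2.44 reason=bad_password',
    '2006-12-19T09:12:31 member_id=31 ip=203.0.113.80 reason=stronghold_mismatch',
    '2006-12-19T09:40:05 member_id=58 ip=198.51.100.200 reason=stronghold_mismatch',
];
$summary = summarize_failures($log);
echo triage($summary), PHP_EOL;
foreach ($summary as $id => $s) {
    printf("member %d: %d failures, %d prefixes\n", $id, $s['count'], count($s['prefixes']));
}
```
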
enosb Posted June 22, 2007

> We could add a per-user option to disable it, I guess.

Is there a possibility this might happen?

Thank you,
Brian

Mesmer Posted June 22, 2007

Can anyone explain to me what exactly the Stronghold method does? All I know is that when I turn it on my mailbox gets flooded with mail from members who can't stay logged in..

enosb Posted June 23, 2007

> Can anyone explain to me what exactly the Stronghold method does? All I know is that when I turn it on my mailbox gets flooded with mail from members who can't stay logged in..

If you have Stronghold cookies on, anytime a member's IP address changes, then he has to log in again. So if you don't have a static IP, you're going to be logging in all the time. In general members (w/o static IPs) really hate that, especially those that are on and off the forums all day long. And on top of that, we have the never-ending stream of: "I forgot my log in info" emails. So those will increase from the forgetful ones, with dynamic IPs.

The above is why I'm hoping this happens.

Brian

.Timmy Posted June 23, 2007

It also prevents a user from using multiple browsers with the same account - he or she cannot stay logged into the same account across browsers.

lOgOl Posted June 23, 2007

> We could add a per-user option to disable it, I guess.

Why not a per-usergroup option? The Stronghold cookie is only important for the Admin/Moderator group or other groups with sensitive permissions from my point of view...

MaK'77 Posted June 23, 2007

Disable it and have a nice time! That's all, I think...

This topic is now archived and is closed to further replies.