[FEEDBACK] Logging on

[zigs]

I had one member who could not stay logged in , but once cookies were disabled in admincp he was fine, BUT I had one member who was using MSN explorer, and he would log in and it say thanks for logging in, then when he was taken to main forum page he would be logged out, even though the online list showed him online, and he hasnt been able to post since BUT he wont change browsers :huh:

[stobbo]

I've seen it happen here, Invisionize, my own board and others. I only ever access these sites from the same PC in the same location. It

seems

to be random - sometimes I have to login, sometimes I don't (I've never actually tried timing this).

I use Firefox 2.0.0.1 and have no desire to switch browser just to see if it fixes the problem.

You shouldn't need to, as it works perfectly with Firefox 2.0.0.1 here.

[tenaki]

Has happened a couple of times this week, upgraded my own forum today and was logged out after about 1hr.

Worse though is the client area which never remembers me and I always have to delete my cookies then enter my password

[robirming]

Same computer, same location.

Same here.

I would say that if I visit this site 4 days in a row, I will have to login again 1 of those times.

[Genestoy]

What browser are you guys using? I found that if you have more than one browser on your machine and you have only deleted all the cookies on just one browser they seem to be picking them up from other browsers. So go to each browser and delete all the history and cookies. Worked for me and I never have to login here again or my own boards.

[compindustries]

[sonny26]

Ok everyday i get more complaints from my members they are both aol users i know it from their ip's here are they ; stronghold off ...

u wernt on msn so this is the only way i can contact u!!

i have a problem wif forums its letting me log in but wen i write a comment on a topic it doesnt let me and says

Sorry, an error occurred. If you are unsure on how to use a feature, or don't know why you got this error message, try looking through the help files for more information.

another member

sonny. i cant used forums. i cant post anything or send pm`s. if you could

email me edited@yahoo.co.uk

and let me know whats goin on that would be fab. cheers hun xxxx

and these are really one of my active members their both post count is more than 1000 so you there is totally something wrong >_<

[Sire]

I just had to login again. I'm using Opera 9.x

Seems like it's about once a week, that I need to do it. This is the only computer I use to login, and the only location I login from. My IP# is still the same as it has been for months. It's not a big deal, just providing feedback in case it helps troubleshoot anything.

[stobbo]

Ok everyday i get more complaints from my members they are both aol users i know it from their ip's here are they ; stronghold off ...

another member

and these are really one of my active members their both post count is more than 1000 so you there is totally something wrong >_<

In Security Settings have you got IP Matching off?

[Mat Barrie]

Hmm, this forum occasionally does this to me too (every, say, four days or so) which is somewhat annoying. Before it comes up, let me cover all the bases:

Statically assigned IP address. I can't change IP, and noone else can use mine.
Internet Explorer 7. NO, I am not switching to Firefox.
Do not visit from work. I'm bad enough with spending too much time browsing the web on government time/resources, don't need help.
Not a cache problem.

[sonny26]

In Security Settings have you got IP Matching off?

Yeah I am so angry everything set to no >_< I just got another email saying they cant stayed logged in >_<
I dont know ips but you should find a solution for that >_<

[tenaki]

Done it again to me on here tonight for no reason that I can tell

Also had two members email me on my board saying they can't stay logged in, as soon as they browse off it logs them off.

[Brandon C]

This is an occasional problem for me as well, but I don't experience it often.

Useragent: Mac OS X using Safari 2.0.4.

[bfarber]

I can't reproduce at all. *sigh*

I've been testing this in IE and Firefox, on multiple sites (from tickets where users have been saying they're having this issue) and just cannot reproduce no matter what.

On the most recent ticket, I've added some advanced logging to the class_session file to try narrow it down - but the user I'm working with says he does visit from home and work both, so that could explain it for him in particular. We'll see what we come up with - but when you can't *reproduce* a bug, it's next to impossible to fix it.

[robirming]

Actually, I haven't had it since I wrote my last comment here.
Seems to work fine for me now. :)

[Will L.]

I can't reproduce at all. *sigh*

I've been testing this in IE and Firefox, on multiple sites (from tickets where users have been saying they're having this issue) and just cannot reproduce no matter what.

On the most recent ticket, I've added some advanced logging to the class_session file to try narrow it down - but the user I'm working with says he does visit from home and work both, so that could explain it for him in particular. We'll see what we come up with - but when you can't *reproduce* a bug, it's next to impossible to fix it.

this is same thing I am still getting on my site all members have it on my forums and on here and every single 2.2 they and I visit

you or someone closed my ticket and it was never solved

99% of my members login from 1 location and 1 browser

only 1 has dialup and he has to login same amount as everyone else

[RawkBob]

I've only been logging on from 1 place and having the problem... i just disabled the stronghold cookie to see if that has any effect... If you would like to monitor my forums, not very active though, to aid the bug hunt just drop me a line...

[tenaki]

I have also disabled Create a stronghold auto-log in cookie? and a couple of members have said it seems better. Not sure if it is related but it happened twice after logging into my seperate CMS.

[Chris.Papaioannou]

When I contacted support for logging out issues, I was eventually told that :

"The stronghold cookie is designed based on geographic location.. Certain ISPs do things in such a way as it just will not work."

We had terrible issues with it, and since disabling stronghold, it seems to be completely fixed.

[Strange_Will]

[MikeChristopher]

I had this problem on my site for ages but only came around when we were using converge - whilst using it people kept getting logged out at random times even sometimes just after a while of loggin in previously. It kept getting irritating as had to keep logging in each time tried to do anything. Removed the board out of the converge system and has been ok again since. Very strange.

How many others have the board linked to a converge system?

[robirming]

It just happened to me now again.

Same computer and internet access as always, last vist here 2 days ago (I think), using Firefox 2.0 on Mac OS X, no strange firewall software installed or things like that.

[matthiaspaul]

Many users in our board have problems to stay logged in as well. They usually log-in with "Remember me?" set on, but still they are often not remembered after relatively short periods of time (some hours), sometimes even minutes.

For the records:

- Stronghold Cookie: enabled
- Enable X_FORWARDED_FOR IP matching? No
- Member's log in key: Expiration after 3 days
- Reset member's log in key upon each log in? Yes
- Session Expiration (in seconds): 1800s
- Match user's IP Address during session validation: Yes
- Match user's browser during session validation: Yes
- We don't use Converge

So far there is no clear picture in regard to the circumstances or trigger conditions when this happens. But let me brainstorm a bit:

Many people receive an error (not-logged-in), when they write a reply to a previous post and stay in the editor window for too long. If you press "Send", you will then receive an error, prompting you to log-in again (inconvenience and risk to loose the reply). But if you use the browser's "Refresh" button to first refresh the page and only afterwards press "Send", everything is okay, the user is magically logged in again (most of the time, that is) and his post accepted. How is this possible, if, apparently, the session has already timed out? Given that this works (at least as long as the browser does not clear the form when refreshing the page - some browsers do, unfortunately), it should be possibe to solve this particular problem by letting the form editor itself periodically send "keep-alives" to the server or such, ideally by intercepting local keyboard and mouse activity and retrigger an internal timeout (so that a timeout still occurs if the user leaves the machine unattended for a while)... (Isn't something like this utilitized to not timeout a session while you run Post Rebuild in the ACP, at least, I recall that I always received timeouts until I switched scripts on?) Or if this isn't possible (as no client-sided scripting languages could be used), couldn't the server associate different session timeouts with normal use of the board (short timeouts such as 900s) and form editor usage (long timeouts 3600s), of course, configurable in the ACP?

This would not solve the problem of seemlingly randomly being logged out out of a sudden, but it would at least help the problem of being logged out while editing.

Given that there are various criteria which could be combined and used for user session identification purposes, wouldn't it be possible to fine-tune the behaviour by adding some configurable (or even dynamically adapting on a user-by-user basis) threshold times, so if one of the criteria changes (for example the IP address) within some grace time, but all the others are still the same, still assume a valid session and retrigger the corresponding timeouts, update matching keys? Or, the server could keep records for each user; for users who's IP addresses change frequently while they have no log of unsuccessful login-attempts due to false passwords, the server could relax the IP address matching to some degree, whilst for users, who's IP addresses almost never change or who had to try various passwords before they were accepted, it could use stronger methods. In practice this would by far not result in the same security level as in the present implementation, but it would still be stronger than disabling all the security features at all. Or if not the server itself, but the admin could explicitly set some members to a "relaxed mode", if they report problems and have earned some reputation in the community already.

I hope these still unboiled ideas could help to think out and bring forward a practical solution without forcing admins to disable some of these nice new security settings... Too many boards have been cracked in the past year already...

Greetings,

Matthias

[matthiaspaul]

Or if this isn't possible (as no client-sided scripting languages could be used), couldn't the server associate different session timeouts with normal use of the board (short timeouts such as 900s) and form editor usage (long timeouts 3600s), of course, configurable in the ACP?

Additional idea:

Individual session timeouts etc. configurable on group or even member basis. For example, admins may have shorter timeouts than normal members, as they are living with a somewhat higher risk of being targetted by a cracker. Or, another example, a short session timeout could be set for all members but those few, who complain and cannot be helped other than by longer timeouts. Still better than having to allow longer timeouts for all...

Greetings,

Matthias

[Mat Barrie]

It's just randomly done it to me again, so once a week (or more) for no apparent reason it logs me out. VERY irritating.