[FEEDBACK] Logging on


Guest theclub

Yeah, I'm afraid it doesn't quite work that way. There's an excessive number of changes between the versions...too many to make it "easy" to just know which code changed that is causing people problems.



We tightened up security proactively, but there has to be some sort of common denominator for those users now experiencing problems. It could be browser plugins, specific browser security settings, firewalls on users' PCs, or any number of things (given that the problem obviously doesn't affect everyone). That is why we need to find what is causing the problem.



Aight. Here's a chunk of information I don't consider relevant, that you might.

Firewall Software: None.
Browser Version: Internet Explorer 7.0 (minor version 5730.11.xpsp2_gdr2.050301-1519)
Windows Version: XP Service Pack 2 Professional (minor version 2600.xpsp2_gdr2.050301-1519)
Router Hardware: 3Com OfficeConnect 3CRWE754G72-A
Firewall Hardware: SonicWall SOHO3 (Firmware Version 6.5.0.4 - no active support to obtain latest update)

Browser Security Settings: Default
Plugins Installed: Adobe PDF Reader, IGN/FilePlanet Download Manager, MS Fiddler, FoxyTunes (IE Version), Sun Java, QuickTime, RealPlayer (how'd that get installed?), Reget Deluxe, Shockwave Flash Object, Windows Messenger, and a bajillion Microsoft XML objects.
Link to comment
Share on other sites

Still having issues after trying the above. However, for me in general it seems to be every few hours, or if I even just close my browser (tested in both IE and Opera, so doubt that's a browser issue).

I have a static broadband IP connection, and it's AOL (thank god).

I'm no expert at all, but it's almost as if it's not even using cookie information, it's just using a browser session. At least it has some characteristics of that type of auth/user tracking being used ... while I doubt it is, I'm just saying that's what it seems like to the end user.

Hopefully you guys will be able to find out what's causing this for what seems a fair few people. However, if you are looking to install logging scripts into forums and whatnot to help you figure it out (I'm sure you mentioned you would be doing this), you can shout if you want to use the one I'm having issues with, active, though not as large as some others around there.

Another thing I've just realised is I can stay logged into the ACP fine, through closing my browser, and reopening it (with it opening the same pages as were open when it closed), and I'm still logged in. Not sure if they use much different in their systems, but odd that I can stay logged in there, but not on the main forum. Ah well.

Best of luck.

Link to comment
Share on other sites

You're having a separate issue from the others reported if you can't even close your browser, reopen it and be logged in. Indeed it sounds like the cookies are not setting properly - I recommend double-checking your cookie info in the ACP.
Link to comment
Share on other sites

I just had to login again. I'm using Opera 9.x



Seems like it's about once a week, that I need to do it. This is the only computer I use to login, and the only location I login from. My IP# is still the same as it has been for months. It's not a big deal, just providing feedback in case it helps troubleshoot anything.



For the purpose of following up, I don't believe that I've needed to login again until just now.

Same browser, same IP #, etc..

Normal cookie expiration?
Link to comment
Share on other sites

Yes, I meant HERE. Just providing feedback that I do need to continue to login. I just needed to login again. If that's normal, then so be it. If not, I'm just trying to give you some feedback in case you are actively trying to troubleshoot it.

Link to comment
Share on other sites

  • 2 weeks later...

Those having login problems try this

Change

Member's log in key: Expiration

to

"Do not expire (not recommended)"

and see if you continue to have persistent login problems on your own site.

I switched to a Macbook and using Firefox I can't stay logged in at all like I used to. I'm trying this setting out. Will report my findings. Most of the cookie settings after a fresh login aren't set to expire for a year, and some were at end of session like session_id.
Link to comment
Share on other sites

I've received reports that in 2.2.2 if you have it set to Never Expire you can't stay logged in. If you updated to 2.2.2, try reverting it back to 7 days (then clear your cookies and log back in).

I haven't investigated the bug report yet.
Link to comment
Share on other sites

Come on guys this is getting really frustrating now. Myself and my members can't stay logged in at all. Even if I just browse off and come back it logs me out.

I have submitted a support ticket but this is far far worse than it was with 2.2.1 or whatever it was and as far as deleting cookies goes if I have to tell my members to do that again they will go nuts frankly.

PS I have to login here as well but not as often

Link to comment
Share on other sites

I've received reports that in 2.2.2 if you have it set to Never Expire you can't stay logged in. If you updated to 2.2.2, try reverting it back to 7 days (then clear your cookies and log back in).



bfarber, that does seem to be working so far, although I only changed the setting earlier tonight. It has worked so far.
Link to comment
Share on other sites

Hello, I understand the frustration - the problem on my end comes down to tracking the underlying issue (as I can't really reproduce it).

It has been reported that the login key expire "never" will cause you not to be able to stay logged in with 2.2.2. I will update the bug tracker report with a fix once I check into it. However, the other bug that prompted the original suggestion to set that to never has been fixed, so I do recommend everyone revert, as it will add an extra layer of security to your board now (that it is working as one would expect).

Link to comment
Share on other sites

If you ask me, the stronghold cookie needs rewriting to at least take account of the potential range of the first 2 octets of the IP address. I use PHP Whois to display the whois record of the member on another section of my site, but I also use this to grab the potential IP range of the user from the array for something else. Something like this could be done with the stronghold cookie. I've tested this and it seems to be working ok:

  1. Create a whois directory in your forum root and upload the contents of the phpwhois-4.1.2 folder into it
  2. Open sources/ipsclass.php and find this:

    	/*-------------------------------------------------------------------------*/
    	// Stronghold: Check cookie
    	/*-------------------------------------------------------------------------*/
    
    	/**
    	* Checks auto-log in strong hold cookie
    	*
    	* @param	int     Member's ID
    	* @param	string	Member's log in key
    	* @return	boolean
    	*/
    
    	function stronghold_check_cookie( $member_id, $member_log_in_key )
    	{
    		//-----------------------------------------
    		// Check...
    		//-----------------------------------------
    
    		if ( ! isset($this->vars['cookie_stronghold']) OR ! $this->vars['cookie_stronghold'] )
    		{
    			return TRUE;
    		}
    
    		//-----------------------------------------
    		// INIT
    		//-----------------------------------------
    
    		$ip_octets  = explode( ".", $this->my_getenv('REMOTE_ADDR') );
    		$crypt_salt = md5( $this->vars['sql_pass'].$this->vars['sql_user'] );
    		$cookie     = $this->my_getcookie( 'ipb_stronghold' );
    
    		//-----------------------------------------
    		// Check
    		//-----------------------------------------
    
    		if ( ! $cookie )
    		{
    			return FALSE;
    		}
    
    		//-----------------------------------------
    		// Put it together....
    		//-----------------------------------------
    
    		$stronghold = md5( md5( $member_id . "-" . $ip_octets[0] . '-' . $ip_octets[1] . '-' . $member_log_in_key ) . $crypt_salt );
    
    		//-----------------------------------------
    		// Check against cookie
    		//-----------------------------------------
    
    		return $cookie == $stronghold ? TRUE : FALSE;
    	}
    
    	/*-------------------------------------------------------------------------*/
    	// Stronghold: Create and set cookie
    	/*-------------------------------------------------------------------------*/
    
    	/**
    	* Creates an auto-log in strong hold cookie
    	*
    	* @param	int     Member's ID
    	* @param	string	Member's log in key
    	* @return	boolean
    	*/
    
    	function stronghold_set_cookie( $member_id, $member_log_in_key )
    	{
    		//-----------------------------------------
    		// Check...
    		//-----------------------------------------
    
    		if ( ! isset($this->vars['cookie_stronghold']) OR ! $this->vars['cookie_stronghold'] )
    		{
    			return FALSE;
    		}
    
    		//-----------------------------------------
    		// INIT
    		//-----------------------------------------
    
    		$ip_octets  = explode( ".", $this->my_getenv('REMOTE_ADDR') );
    		$crypt_salt = md5( $this->vars['sql_pass'].$this->vars['sql_user'] );
    
    		//-----------------------------------------
    		// Put it together....
    		//-----------------------------------------
    
    		$stronghold = md5( md5( $member_id . "-" . $ip_octets[0] . '-' . $ip_octets[1] . '-' . $member_log_in_key ) . $crypt_salt );
    
    		//-----------------------------------------
    		// Set cookie
    		//-----------------------------------------
    
    		$this->my_setcookie( 'ipb_stronghold', $stronghold, 1 );
    
    		return TRUE;
    	}

  3. Change it to:

    	/*-------------------------------------------------------------------------*/
    	// Stronghold: Check cookie
    	/*-------------------------------------------------------------------------*/
    
    	/**
    	* Checks auto-log in strong hold cookie
    	*
    	* @param	int     Member's ID
    	* @param	string	Member's log in key
    	* @return	boolean
    	*/
    
    	function stronghold_check_cookie( $member_id, $member_log_in_key )
    	{
    		//-----------------------------------------
    		// Check...
    		//-----------------------------------------
    
    		if ( ! isset($this->vars['cookie_stronghold']) OR ! $this->vars['cookie_stronghold'] )
    		{
    			return TRUE;
    		}
    
    		//-----------------------------------------
    		// INIT
    		//-----------------------------------------
    
    		require_once(ROOT_PATH."whois/whois.main.php");
    		$whois = new Whois();
    		$result = $whois->Lookup($this->my_getenv('REMOTE_ADDR'));
    		$iplist=explode(" - ", ($result["regrinfo"]["network"]["inetnum"]));
    		$ip_octets = explode(".", $iplist[0].".".$iplist[1]);
    		$crypt_salt = md5( $this->vars['sql_pass'].$this->vars['sql_user'] );
    		$cookie     = $this->my_getcookie( 'ipb_stronghold' );
    
    		//-----------------------------------------
    		// Check
    		//-----------------------------------------
    
    		if ( ! $cookie )
    		{
    			return FALSE;
    		}
    
    		//-----------------------------------------
    		// Put it together....
    		//-----------------------------------------
    
    		$stronghold = md5( md5( $member_id . "-" . $ip_octets[0] . '-' . $ip_octets[1] . '-' . $ip_octets[4] . '-' . $ip_octets[5] . '-' . $member_log_in_key ) . $crypt_salt );
    
    		//-----------------------------------------
    		// Check against cookie
    		//-----------------------------------------
    
    		return $cookie == $stronghold ? TRUE : FALSE;
    	}
    
    	/*-------------------------------------------------------------------------*/
    	// Stronghold: Create and set cookie
    	/*-------------------------------------------------------------------------*/
    
    	/**
    	* Creates an auto-log in strong hold cookie
    	*
    	* @param	int     Member's ID
    	* @param	string	Member's log in key
    	* @return	boolean
    	*/
    
    	function stronghold_set_cookie( $member_id, $member_log_in_key )
    	{
    		//-----------------------------------------
    		// Check...
    		//-----------------------------------------
    
    		if ( ! isset($this->vars['cookie_stronghold']) OR ! $this->vars['cookie_stronghold'] )
    		{
    			return FALSE;
    		}
    
    		//-----------------------------------------
    		// INIT
    		//-----------------------------------------
    
    		require_once(ROOT_PATH."whois/whois.main.php");
    		$whois = new Whois();
    		$result = $whois->Lookup($this->my_getenv('REMOTE_ADDR'));
    		$iplist=explode(" - ", ($result["regrinfo"]["network"]["inetnum"]));
    		$ip_octets = explode(".", $iplist[0].".".$iplist[1]);
    		$crypt_salt = md5( $this->vars['sql_pass'].$this->vars['sql_user'] );
    
    		//-----------------------------------------
    		// Put it together....
    		//-----------------------------------------
    
    		$stronghold = md5( md5( $member_id . "-" . $ip_octets[0] . '-' . $ip_octets[1] . '-' . $ip_octets[4] . '-' . $ip_octets[5] . '-' . $member_log_in_key ) . $crypt_salt );
    
    		//-----------------------------------------
    		// Set cookie
    		//-----------------------------------------
    
    		$this->my_setcookie( 'ipb_stronghold', $stronghold, 1 );
    
    		return TRUE;
    	}

That should be everything, here is an example:

Database Username = dbuser
Database Password = dbpass
Users Member ID: 1234
Users IP Range: 123.45.67.89 - 123.47.255.255
Users member_login_key: 1234567890abcdef1234567890abcdef

result of md5("dbpassdbuser") = 51efbee1c15070103816ae7f43fe81f1

Makeup of the stronghold md5 hash
md5( md5( "1234-123-45-123-47-1234567890abcdef1234567890abcdef" ) . "51efbee1c15070103816ae7f43fe81f1" )

Resulting md5 hash for the cookie = 8ee0cae2b78cb394f9bca1c3b7ab9e45

This stronghold cookie is technically not as secure as the standard cookie, but it could only be used by someone that is within the same IP range as you, i.e. someone on the same ISP / living in the same area. I'm not sure if phpwhois' licence is compatible with IPB, being that it is a commercial product, but even so it at least gives you guys an idea on which direction you could potentially head in and it doesn't stop any of us implementing it. :D
Link to comment
Share on other sites
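
The two IP bindings discussed in the post above, side by side, as an added example (not IPB's code and not the poster's). The names `stock_parts`, `range_parts` and `check` are made up here, the address `123.46.10.20` is constructed, and the other sample values are the ones from the post. It also handles two cases the posted snippet leaves open: a whois result without a usable `inetnum`, where the posted code would silently build a token that is not bound to any address, and the loose `==` comparison, which PHP evaluates numerically when both strings look like numbers (for example two hashes of the form `0e` followed by digits).

```php
<?php
// Added example: standalone functions, no IPB or phpwhois dependency.

// Same construction as the post: md5( md5( id-parts-key ) . salt ).
function stronghold_token(string $member_id, array $ip_parts, string $login_key, string $salt): string
{
    return md5(md5($member_id . '-' . implode('-', $ip_parts) . '-' . $login_key) . $salt);
}

// Stock binding: first two octets of the client address.
function stock_parts(string $ip): array
{
    return array_slice(explode('.', $ip), 0, 2);
}

// Post's binding: first two octets of the start and end of the allocated range.
// $inetnum is the "a.b.c.d - e.f.g.h" string the post reads from the whois result.
function range_parts(string $inetnum): array
{
    $ends = explode(' - ', $inetnum);
    if (count($ends) !== 2 || ip2long($ends[0]) === false || ip2long($ends[1]) === false) {
        // Failed or oddly formatted lookup: do not fall back to empty octets.
        throw new InvalidArgumentException('unexpected inetnum format');
    }
    return array_merge(stock_parts($ends[0]), stock_parts($ends[1]));
}

// Constant-time, strict string comparison instead of ==.
function check(string $cookie, string $expected): bool
{
    return hash_equals($expected, $cookie);
}

$salt  = md5('dbpass' . 'dbuser');                 // sql_pass . sql_user, as in the post
$key   = '1234567890abcdef1234567890abcdef';
$range = '123.45.67.89 - 123.47.255.255';

// Cookies issued while the member is at 123.45.67.89.
$stock_cookie = stronghold_token('1234', stock_parts('123.45.67.89'), $key, $salt);
$range_cookie = stronghold_token('1234', range_parts($range), $key, $salt);

// The member's address later moves to another /16 inside the same allocation.
// Assumption: whois for the new address returns the same $range.
$new_ip = '123.46.10.20';
echo 'stock binding accepts: ';
var_dump(check($stock_cookie, stronghold_token('1234', stock_parts($new_ip), $key, $salt)));
echo 'range binding accepts: ';
var_dump(check($range_cookie, stronghold_token('1234', range_parts($range), $key, $salt)));

// A lookup that returns no inetnum must not yield a token.
try {
    range_parts('');
} catch (InvalidArgumentException $e) {
    echo "lookup failed, cookie refused\n";
}
```

Run with `php` on the command line; the stock binding rejects the cookie after the move across the /16 boundary, while the range binding keeps accepting it anywhere inside the allocation.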

  • 4 weeks later...

Hi, I encountered the same problems described below and I think the problem could be Google's little spyware called "Web Accelerator." I couldn't get rid of all the trouble no matter which browser I tried. The forum software wouldn't let me log in, kicked me out, listed me online when I was not, etc. I thought Firefox would fix it but to no avail, seemed even worse to me. I switched it off, deleted my cookies and it worked right away, all trouble is completely gone.
This is an excerpt from Wikipedia:

Privacy issues

A controversy arose with the original implementation of the accelerator as some users found that their personal website cookies were being shared with other users accessing the same page. For example, some users were able to view pages such as forum control panels containing personal information from other users, and it was therefore possible to spoof a post as another user. Secure websites were unaffected as the Google Accelerator did not scan sites protected by https.



When the Web Accelerator was taken offline only six days after its original introduction, it was suspected to be in reaction to the security concerns; however, Google cited on the Google Accelerator website that it was taken down because their servers had reached their maximum capacity.[1] Google restored the accelerator service on March 12, 2006.

Link to comment
Share on other sites

I haven't had any problems whatsoever :rolleyes:

Well, then it must be fine! :rolleyes:

When users could spoof posts or access the controls of other users due to shared cookies something must be in the bush, also this log-in trouble came out of the blue, which is more than suspicious. I don't know when and why things happen but at least it worked for me, and it used to be so bad that I couldn't post at all. :pirate:
Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
