sparc Posted April 19, 2007
A while back I remember reading that people having cookie issues were asked to disable the stronghold cookie setting. Is this no longer the case in the new release of 2.3?

bfarber Posted April 19, 2007
I never have trouble on any site with the stronghold cookie enabled - it's only a problem if your IP changes regularly (beyond the first 2 octets). There were OTHER cookie issues identified and fixed for 2.3 however.

Luke Posted April 19, 2007
Brandon, was the IP thing done in 2.1 at all? If so I think I may disable it... I think some of my community is having a hard time staying on...

bfarber Posted April 19, 2007
No, the IP address matching in the stronghold cookie was done with the initial launch of 2.2.0.

MrWante Posted April 19, 2007
I probably just have another issue that I'm confusing this one with! :)

Luke Posted April 19, 2007
> No, the IP address matching in the stronghold cookie was done with the initial launch of 2.2.0.
So if I disabled this stronghold cookie it would behave almost like 2.1 did and if I take my laptop from work to home I wouldn't be logged out constantly?

bfarber Posted April 19, 2007
That depends on some other settings (i.e. reset member's login key) but generally, yes.

Luke Posted April 20, 2007
Let me tell you something... After upgrading I swear we lost like 50-75% of our active member average... After I disabled that stronghold cookie it jumped up to near our normal peak in just a few hours! Now it's only about 10-15% less.

TCWT Posted April 20, 2007
stronghold cookie is evil, it should be disabled by default.

TestingSomething Posted April 20, 2007
> Let me tell you something... After upgrading I swear we lost like 50-75% of our active member average... After I disabled that stronghold cookie it jumped up to near our normal peak in just a few hours! Now it's only about 10-15% less.
I turned stronghold off a while back because I figured people would stay logged out. Of course now my sites are dead totally, and I am not sure if it is simply them dying on their own or because I switched to email address login because converge requires that. That is the bad thing about converge. I may switch it back and not worry about using converge.

Dr. Awesome Posted April 20, 2007
Would this cause automatic logging out when a person was to just close their browser window? And depending on the Brand of Browser they were using at the moment in time?

TestingSomething Posted April 20, 2007
> Would this cause automatic logging out when a person was to just close their browser window? And depending on the Brand of Browser they were using at the moment in time?
The stronghold cookie should not really cause them to be logged out just by closing the browser, assuming they have it set to remember them. But I had that problem a while back when my site was a 2.1 site. I finally figured out the problem on my own for my case. I had a lot of modifications and somehow I apparently did one incorrectly in the class_sessions file (I think it was that file) and somehow it was causing logouts regardless of the remember me setting.
The only way the stronghold one would log people out I think is if their IP changes or possibly if they change browser like you said. Not sure about that one.

Luke Posted April 20, 2007
And with a member whose DSL company changes their IP every 24 hours... They can get VERY irritated!

Dr. Awesome Posted April 20, 2007
> The stronghold cookie should not really cause them to be logged out just by closing the browser, assuming they have it set to remember them. But I had that problem a while back when my site was a 2.1 site. I finally figured out the problem on my own for my case. I had a lot of modifications and somehow I apparently did one incorrectly in the class_sessions file (I think it was that file) and somehow it was causing logouts regardless of the remember me setting.
> The only way the stronghold one would log people out I think is if their IP changes or possibly if they change browser like you said. Not sure about that one.
Even with Remember me they would get logged out. The largest problem of them all is they complained both IE and FX were giving the same problem. If I'm logged into there with FX and go with IE and come here I'm not logged in. Regardless of FX and IE both using the same cookies directory, I think.
> And with a member whose DSL company changes their IP every 24 hours... They can get VERY irritated!
:lol: Sorry, but that's just too ridiculous.

bfarber Posted April 23, 2007
The stronghold cookie is based on just the first 2 octets of the IP - even on EXTREMELY odd DSL connections where your IP changes frequently, it's usually only the last (or sometimes the last 2) octets, so it's still not usually an issue. It would be an issue if you visited work, and then home, especially with a laptop. The idea is if XSS got through *somehow*, and someone stole your cookie, they wouldn't be able to use your cookies because the IP would be much different, and then the cookies would immediately get overwritten. I have stronghold enabled on ALL my test sites and never have problems. YMMV

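The check described in the post above (a cookie tied to the first 2 octets of the client IP), sketched as an added example; it is not part of the thread and not Invision Power Board's code. The HMAC construction, the function names, the secret and the addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed demo key; a real deployment would load a random per-site secret.
SERVER_SECRET = b"constructed-demo-secret"


def ip_prefix(ip: str, octets: int = 2) -> str:
    """Return the leading octets of an IPv4 address, e.g. '10.20'."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(str(addr).split(".")[:octets])


def make_stronghold(member_id: int, login_key: str, ip: str) -> str:
    """Hypothetical token: HMAC over member id, login key and IP prefix."""
    msg = f"{member_id}|{login_key}|{ip_prefix(ip)}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def check_stronghold(cookie: str, member_id: int, login_key: str, ip: str) -> bool:
    """Accept the cookie only if it was issued for this request's IP prefix."""
    try:
        expected = make_stronghold(member_id, login_key, ip)
    except ValueError:
        return False  # unparseable address: treat as a mismatch
    return hmac.compare_digest(cookie.encode(), expected.encode())


def replay_results() -> dict:
    """Issue a cookie at one address, then present it from others."""
    member_id, login_key = 42, "constructed-login-key"
    cookie = make_stronghold(member_id, login_key, "10.20.1.5")
    requests = {  # constructed addresses
        "dsl_rotation_same_first_two_octets": "10.20.200.9",
        "laptop_moved_work_to_home": "172.16.8.3",
        "cookie_presented_from_unrelated_network": "192.168.44.7",
        "malformed_address": "not-an-ip",
    }
    return {name: check_stronghold(cookie, member_id, login_key, ip)
            for name, ip in requests.items()}


if __name__ == "__main__":
    for name, ok in replay_results().items():
        print(f"{name}: {'session kept' if ok else 'logged out'}")
```

Any request arriving from the same first two octets is accepted, so the binding narrows where a copied cookie can be used rather than making it unusable everywhere.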
TestingSomething Posted April 23, 2007
What's weird is my DSL used to change the first parts of my IP yet now my IP seems to never change. No clue why.

Archived
This topic is now archived and is closed to further replies.