Dave Smith Instruments Lifeboat

[anigbrowl]

I'm having to log in over and over again to post on different forums. Logins also seem to time out very quickly, eg earlier I spent 30-40 minutes writing a technical message but when I hit Submit I was asked to log in again, and of course it threw away everything in the edit buffer I don't have any cookie blocking going on, and it doesn't seem like dsi-lifeboat.com is sending cookies anyway. Is there any way to check? 'Keep me logged in' doesn't seem to be working either. I think this is a phpBB issue, I've come across this on other forums that run on that platform as well when they're getting off the ground. IIRC it might be an anti-spam/flooding default.

[Razmo]

Same here... a bit anoying really

[chysn]

I'm sorry for the trouble. The cookie domain was still set to the temporary domain that I was using during the first week of the forum's operation. I've updated it to the new domain, so the sessions should be more reliable now.

Also, since people do tend to write technical and involved posts, I upped the session timeout to two hours.

I appreciate you bringing issues to my attention.

[dslsynth]

That was a really quick fix, chysn! Great work, man!

[anigbrowl]

Cool beans! I really appreciate you taking the time and $ effort to set this up, so my complaint is directed at phpBB rather than you!

[chysn]

That's very kind, but it was totally my oversight.

[snowcrash]

Also, since people do tend to write technical and involved posts, I upped the session timeout to two hours.

You can set the session timeout to one year without any troubles. It also has the benefit, that people won't send their password in clear text each time they visit the forum.

[dslsynth]

You can set the session timeout to one year without any troubles. It also has the benefit, that people won't send their password in clear text each time they visit the forum.

Having year long session timeout is not a good idea. Two hours are fine. One hour could probably do it as well as people simply can use the preview button to keep the session alive. The trouble with very long session timeouts is that if a session is left open (crash, user error) it can be a security risk. So moderate session timeouts are just fine with me.

[snowcrash]

Persistent sessions are common and besides there's a bunch of other security risks that weigh in much more. Like entering your password in cleartext (no ssh here) every time you visit a forum is one of them. As well as common user-induced security risks like reusing passwords etc... Maybe there are some other considerations when it come to phpBB and session management, but I don't see much risk in keeping the sessions active for a longer time.

Having people hitting preview to keep the session active is not user friendly at all. And in general session times under 24h are just unnecessarily paranoid with no benefit at all. So setting it to 48h or one week could be a healthy compromise.

[dslsynth]

Agree that there are many potential security problems with an unencrypted web platform such as phpBB. However it doesn't change my view on long session times for the reasons states above. It may just be one less door wide open but its still one less door wide open. Others may think differently and that is why we have this discussion. Besides doesn't the forum software support persistent sessions for those that want so via a login option?

[chysn]

You can set the session timeout to one year without any troubles. It also has the benefit, that people won't send their password in clear text each time they visit the forum.

If somebody is snooping your traffic, it doesn't matter how frequently you send your password, because snooping the session ID will be just as good (er... just as bad) with a super-long session. The only real solution to that is SSL, which the old forum never used, gearslutz doesn't use, and I'm not likely to use here.

The considerations regarding session length should balance the risk of unattended computers (or users leaving without logging out) versus the convenience of spending a long time writing a single post. For now, two hours seems like the correct balance of those things.

[snowcrash]

Besides doesn't the forum software support persistent sessions for those that want so via a login option?

Sorry, I'm an idiot, I was solely talking about (an assumed) timeout for the persistent sessions. Complete misunderstanding as I didn't properly read the initial post. If I had, I would have noticed cookies are missing, rendering the "keep me logged in" functionality useless.

My fault, you guys are completely right in every point.