Logging in/out/cookies


Postby anigbrowl » Thu Jul 03, 2014 6:27 pm

I'm having to log in over and over again to post on different forums. Logins also seem to time out very quickly, e.g. earlier I spent 30-40 minutes writing a technical message but when I hit Submit I was asked to log in again, and of course it threw away everything in the edit buffer :| I don't have any cookie blocking going on, and it doesn't seem like dsi-lifeboat.com is sending cookies anyway. Is there any way to check? 'Keep me logged in' doesn't seem to be working either. I think this is a phpBB issue; I've come across this on other forums that run on that platform as well when they're getting off the ground. IIRC it might be an anti-spam/flooding default.
anigbrowl
 
Posts: 9
Joined: Thu Jul 03, 2014 8:17 am

Re: Logging in/out/cookies

Postby Razmo » Thu Jul 03, 2014 7:10 pm

Same here... a bit annoying really :)
Razmo
 
Posts: 487
Joined: Sun Jun 29, 2014 7:29 pm

Re: Logging in/out/cookies

Postby chysn » Thu Jul 03, 2014 7:12 pm

I'm sorry for the trouble. The cookie domain was still set to the temporary domain that I was using during the first week of the forum's operation. I've updated it to the new domain, so the sessions should be more reliable now.

Also, since people do tend to write technical and involved posts, I upped the session timeout to two hours.

I appreciate you bringing issues to my attention.
DSI: Evolver #1431
Other Synths: Moog Little Phatty Stage II (Red), Arturia MicroBrute
Other Hardware: Alesis MMT-8, Korg Volca Beats
DAW: Reaper for OSX through PreSonus AudioBox USB
chysn
Site Admin
 
Posts: 256
Joined: Sun Jun 22, 2014 12:58 am
Location: Metro Detroit, Michigan, USA
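
Added example (not part of the original posts, and not phpBB's own code): a small check for the failure described above, where a `Set-Cookie` header carries a `Domain` that does not match the host serving the page, so the browser discards the session cookie. The host names, cookie name and header values are constructed placeholders; the domain comparison follows RFC 6265 section 5.1.3.

```python
# Constructed sample headers; "forum.example" and "temp-forum.example" are placeholders.
STALE = ["phpbb3_demo_sid=0123abcd; expires=Fri, 03-Jul-2015 19:12:00 GMT; "
         "path=/; domain=.temp-forum.example; HttpOnly"]
FIXED = ["phpbb3_demo_sid=0123abcd; expires=Fri, 03-Jul-2015 19:12:00 GMT; "
         "path=/; domain=.forum.example; HttpOnly"]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs); attribute names lower-cased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, _value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def domain_matches(host, cookie_domain):
    """RFC 6265 5.1.3 domain-match for host names (IP-literal hosts not handled)."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".")  # a leading dot is ignored
    return host == cookie_domain or host.endswith("." + cookie_domain)


def audit(host, set_cookie_headers):
    """Return {cookie_name: [problems]} for cookies a response from `host` tried to set."""
    report = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        problems = []
        domain = attrs.get("domain")
        if domain and not domain_matches(host, domain):
            problems.append(f"rejected by browser: Domain={domain} does not match {host}")
        if "secure" not in attrs:
            problems.append("no Secure flag: cookie is also sent over plain HTTP")
        report[name] = problems
    return report


if __name__ == "__main__":
    for label, headers in (("stale config", STALE), ("fixed config", FIXED)):
        print(label, audit("forum.example", headers))
```

To run it against a live site, pass the `Set-Cookie` lines shown in the browser's network inspector for the login response instead of the constructed samples.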

Re: Logging in/out/cookies

Postby dslsynth » Thu Jul 03, 2014 7:37 pm

That was a really quick fix, chysn! Great work, man! :-)
dslsynth
 
Posts: 296
Joined: Sun Jun 22, 2014 4:45 pm
Location: Denmark

Re: Logging in/out/cookies

Postby anigbrowl » Thu Jul 03, 2014 10:19 pm

Cool beans! I really appreciate you taking the time and $ effort to set this up, so my complaint is directed at phpBB rather than you!
anigbrowl
 
Posts: 9
Joined: Thu Jul 03, 2014 8:17 am

Re: Logging in/out/cookies

Postby chysn » Thu Jul 03, 2014 10:58 pm

That's very kind, but it was totally my oversight.
chysn
Site Admin
 
Posts: 256
Joined: Sun Jun 22, 2014 12:58 am
Location: Metro Detroit, Michigan, USA

Re: Logging in/out/cookies

Postby snowcrash » Tue Jul 08, 2014 3:02 pm

chysn wrote: Also, since people do tend to write technical and involved posts, I upped the session timeout to two hours.

You can set the session timeout to one year without any troubles. It also has the benefit that people won't send their password in clear text each time they visit the forum.
Poly Evolver Keyboard, Desktop Evolver, Minimoog Voyager OS, Micromoog, Roland SH101, KORG MS20 Mini, Arturia Minibrute/Microbrute, Elektron A4, Korg Wavestation SR, Korg ESX/EMX, Roland RS-09, Hohner String Melody II, Yamaha AN1x and a couple more. If you have questions about those synths feel free to ask me in a new thread.
snowcrash
 
Posts: 16
Joined: Wed Jul 02, 2014 11:06 am

Re: Logging in/out/cookies

Postby dslsynth » Tue Jul 08, 2014 3:18 pm

snowcrash wrote: You can set the session timeout to one year without any troubles. It also has the benefit that people won't send their password in clear text each time they visit the forum.

Having year long session timeout is not a good idea. Two hours are fine. One hour could probably do it as well as people simply can use the preview button to keep the session alive. The trouble with very long session timeouts is that if a session is left open (crash, user error) it can be a security risk. So moderate session timeouts are just fine with me.
dslsynth
 
Posts: 296
Joined: Sun Jun 22, 2014 4:45 pm
Location: Denmark

Re: Logging in/out/cookies

Postby snowcrash » Tue Jul 08, 2014 4:37 pm

Persistent sessions are common and besides there's a bunch of other security risks that weigh in much more. Like entering your password in cleartext (no ssh here) every time you visit a forum is one of them. As well as common user-induced security risks like reusing passwords etc... Maybe there are some other considerations when it comes to phpBB and session management, but I don't see much risk in keeping the sessions active for a longer time.

Having people hitting preview to keep the session active is not user friendly at all. And in general session times under 24h are just unnecessarily paranoid with no benefit at all. So setting it to 48h or one week could be a healthy compromise.
snowcrash
 
Posts: 16
Joined: Wed Jul 02, 2014 11:06 am

Re: Logging in/out/cookies

Postby dslsynth » Tue Jul 08, 2014 4:48 pm

Agree that there are many potential security problems with an unencrypted web platform such as phpBB. However it doesn't change my view on long session times for the reasons stated above. It may just be one less door wide open but it's still one less door wide open. Others may think differently and that is why we have this discussion. Besides doesn't the forum software support persistent sessions for those that want so via a login option?
dslsynth
 
Posts: 296
Joined: Sun Jun 22, 2014 4:45 pm
Location: Denmark

Re: Logging in/out/cookies

Postby chysn » Tue Jul 08, 2014 7:19 pm

snowcrash wrote: You can set the session timeout to one year without any troubles. It also has the benefit that people won't send their password in clear text each time they visit the forum.

If somebody is snooping your traffic, it doesn't matter how frequently you send your password, because snooping the session ID will be just as good (er... just as bad) with a super-long session. The only real solution to that is SSL, which the old forum never used, gearslutz doesn't use, and I'm not likely to use here.

The considerations regarding session length should balance the risk of unattended computers (or users leaving without logging out) versus the convenience of spending a long time writing a single post. For now, two hours seems like the correct balance of those things.
chysn
Site Admin
 
Posts: 256
Joined: Sun Jun 22, 2014 12:58 am
Location: Metro Detroit, Michigan, USA

Re: Logging in/out/cookies

Postby snowcrash » Wed Jul 09, 2014 4:12 pm

dslsynth wrote: Besides doesn't the forum software support persistent sessions for those that want so via a login option?

Sorry, I'm an idiot, I was solely talking about (an assumed) timeout for the persistent sessions. Complete misunderstanding as I didn't properly read the initial post. If I had, I would have noticed cookies are missing, rendering the "keep me logged in" functionality useless.

My fault, you guys are completely right in every point.
snowcrash
 
Posts: 16
Joined: Wed Jul 02, 2014 11:06 am
