Forum question.
If you find one, please let me know. I need to login each time I come to the site.
Let me never fall into the vulgar mistake of dreaming that I am persecuted whenever I am contradicted.
~Ralph Waldo Emerson
"I was just the one with the most unsolicited sombrero." - Traegus
"Remember me" is deliberately broken. Apparently, someone has decided that forcing people to enter their passwords every few hours increases security.
|
Is that really true? Or is it just a rumor? I don't remember any developer saying this (including Zwill or any other member of community team), so I'm thinking this may just be rumor.
Zwisntinchargeoftheforumsoftware told us that the timeout was set to 8 hours intentionally by the Seattle web team for security.
We found through our own testing that some of the cookies were being deleted when the browser was closed.
This is why if you close the browser and then immediately re-open it you will have to log in again.
If the game spit out 20 dollar bills people would complain that they weren't sequentially numbered. If they were sequentially numbered people would complain that they weren't random enough.
Black Pebble is my new hero.
Zwisntinchargeoftheforumsoftware told us that the timeout was set to 8 hours intentionally by the Seattle web team for security.
|
Did he? I remember him saying that the Seattle web team set the time-out to 24 hours, which caused their software to throw "out of memory" errors, so they set it to 8 hours instead which they felt might be good enough. I don't recall anyone from Paragon Studios ever saying anything about security.
Not that it's terribly important, but the "security" meme popped up just recently here, and I don't recall it being mentioned by a dev. So I was just trying to clarify.
Personally, I assumed it was a resource issue. "We don't have time to get inside vBulletin and do it correctly, so we just hacked it." That's what I understood. But if someone has some more specific information, lay it on me.
Zwisntinchargeoftheforumsoftware told us that the timeout was set to 8 hours intentionally by the Seattle web team for security.
We found through our own testing that some of the cookies were being deleted when the browser was closed. This is why if you close the browser and then immediately re-open it you will have to log in again. |
After all, NOBODY posts from a mobile web device.
-Rajani Isa, posted from my iPhone
Orc&Pie No.53230 There is an orc, and somehow, he got a pie. And you are hungry.
www.repeat-offenders.net
Negaduck: I see you found the crumb. I knew you'd never notice the huge flag.
I think this may be why one of the things Zwisareallyniceguylettingmemakefunofhisname is trying to get done is to upgrade the version of vBulletin that we are using.
Omghax!!!
Odd, my mobile is about the only thing I access the forums with that doesn't log me out.
|
So I keep going from Wifi->Cell->Wifi and have an IP change each time (even if just between the same two).
Part of my issue is I go out and about at work, which has wifi.
So I keep going from Wifi->Cell->Wifi and have an IP change each time (even if just between the same two). |
We have a solution then (at least for in Session log outs). Everyone simply needs to access the forums using Opera 10 for Symbian over a UK mobile phone network. Problem solved!
In Paragon City since June 2005.
There is also apparently some security issue solved by having a session invalidated if you have a change of IP address.
After all, NOBODY posts from a mobile web device. |
I've always wondered why cookies were secure, even when they were transmitted in plain text. I guess my instincts were right; they aren't. Thanks for that link, Katie V.
Invalidating your session if your IP address changes is a standard technique to prevent session-stealing attacks. Unlike the repeat-login nonsense, it's a real solution to a real problem.
|
It used to be fine with changing IPs. If they're worried about the password being jacked, well, they're the ones that made us use the same for the game.
Why Blasters? Empathy Sucks.
So, you want to be Mental?
What the hell? Let's buff defenders.
Tactics are for those who do not have a big enough hammer. Wisdom is knowing how big your hammer is.
Invalidating your session if your IP address changes is a standard technique to prevent session-stealing attacks. Unlike the repeat-login nonsense, it's a real solution to a real problem.
|
Depending on invalidating sessions based on IP address only thwarts legitimate people accessing your site. And I honestly don't think it's mobile phone users who are affected most; mobile IP addresses actually stay more stable than you probably think they would. It's mostly people who use laptops and/or tablets from more than one location. Log in from home, get a session cookie. Log in from Starbucks, *bam!*, session invalidated.
To be brutally honest, I sometimes think that Paragon Studios staff get jerked around by their service providers--even within their own company--a bit too often. I'm not saying that security is easy; even the Titan Network sites got hacked last October. Still, these are issues that a lot of companies deal with every day, and obviously, they don't all require Fort Knox security. It's just easier for someone to tell the non-web experts, "Um... yeah, it's a security issue," than to code a site using security best practices.
EDIT: As pointed out by Father Xmas below, the login transaction on the forums is actually handled via HTTPS, so mea culpa on the following two paragraphs; they are incorrect. Nevertheless, I'll leave them in as quoted text, lest anyone think I'm trying to appear like I'm never wrong about anything.
Requiring us to log in every time we access the forums makes not just the forums less secure, but the game less secure. The forums run over plain ol' http, not encrypted https. If someone has access to your computer or a sniffer on your network, every time you log in to the forums, they have a trivially easy opportunity to simply pull your username and password--the same username and password you use to access the game--right out of the HTTP GET request. If there were any security concern, it should be that they want you to transmit your username and password as seldom as possible, not more often. It's a bit comedic to me that a web hosting company and/or department would express concern over and take ineffective (and inconvenient) steps to supposedly prevent session hijacking when they don't even take the basic precaution of requiring SSL, thus allowing login information shared between the forums and the game itself to be transmitted in clear text. |
P.S. For what it's worth, the game itself uses encryption, so when you log in to play, your information is being transmitted securely and can't be picked up "off the wire" like logging into the forums can.
We've been saving Paragon City for eight and a half years. It's time to do it one more time.
(If you love this game as much as I do, please read that post.)
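As an added illustration (not the forum's, NCsoft's or vBulletin's code) of the two points argued above, a toy session store in Python shows why binding a session to the client IP logs out the laptop user who moves from home to a cafe, and how the cookie attributes separate a browser-session cookie (gone on close) from a persistent "remember me" cookie that is kept off plain HTTP. The usernames, IP addresses, timestamp and the 30-day lifetime are constructed assumptions.

```python
import secrets
from http.cookies import SimpleCookie

SESSION_TTL = 8 * 3600          # the 8-hour absolute timeout discussed in the thread
REMEMBER_TTL = 30 * 24 * 3600   # 30-day "remember me" lifetime (assumed value)
T0 = 1_700_000_000.0            # constructed login timestamp (Unix epoch seconds)

class SessionStore:
    def __init__(self, bind_ip: bool):
        self.bind_ip = bind_ip  # True mirrors the "invalidate on IP change" rule
        self._sessions = {}     # token -> (user, client_ip, issued_at)

    def login(self, user: str, client_ip: str, now: float) -> str:
        token = secrets.token_urlsafe(32)   # unguessable session id
        self._sessions[token] = (user, client_ip, now)
        return token

    def lookup(self, token: str, client_ip: str, now: float):
        """Return the user for a valid session, or None (and drop it) otherwise."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, bound_ip, issued = entry
        expired = now - issued > SESSION_TTL
        moved = self.bind_ip and client_ip != bound_ip
        if expired or moved:
            del self._sessions[token]   # timeout or IP change invalidates the session
            return None
        return user

def roaming_user(bind_ip: bool) -> list:
    """Same token presented from home, then from a cafe: the laptop case above."""
    store = SessionStore(bind_ip)
    tok = store.login("tonyv", "203.0.113.10", T0)          # constructed home IP
    at_home = store.lookup(tok, "203.0.113.10", T0 + 60)
    at_cafe = store.lookup(tok, "198.51.100.7", T0 + 120)    # constructed cafe IP
    return [at_home, at_cafe]

def session_cookie_header(token: str, remember_me: bool) -> str:
    """Set-Cookie line: a browser-session cookie unless remember_me adds Max-Age;
    Secure keeps it off plain HTTP, HttpOnly keeps it away from page scripts."""
    c = SimpleCookie()
    c["sessionid"] = token
    c["sessionid"]["secure"] = True
    c["sessionid"]["httponly"] = True
    c["sessionid"]["path"] = "/"
    if remember_me:
        c["sessionid"]["max-age"] = REMEMBER_TTL
    return c.output(header="Set-Cookie:")
```

With IP binding on, the second lookup returns None and the user is back at the login page; with it off, the same token keeps working until the 8-hour limit.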
Giving them a benefit of a doubt, though, I don't recall anyone saying the session thing was because of a security concern; I don't recall them really ever giving a reason for it.
|
I hear you, and I understand what you're saying, but to play devil's advocate; we also tie your forum account to your game account, which is why we want to err on the side of security in this case.
|
(further details in that thread; Zwilly posts multiple times)
Paragon Wiki: http://www.paragonwiki.com
City Info Terminal: http://cit.cohtitan.com
Mids Hero Designer: http://www.cohplanner.com
TonyV - I seem to recall the original issue was Z, or his immediate predecessor, was trying to be helpful, and get them to set the logout to 30 days. SOMETHING in that broke something in the system, and not only was the change reverted, but that's when they put us on the "8 hour session" with the borked(? At least, we've never been told it's intentional) cookies that self-terminate on browser close.
TonyV, the login is an HTTPS transaction, I'm on dial-up so I can see things in "slow motion".
Still the change to make us use the same login/password as the game bugs me to no end.
Father Xmas - Level 50 Ice/Ice Tanker - Victory
$725 and $1350 parts lists --- My guide to computer components
Tempus unum hominem manet
Yeah, that's actually a good point. Why make us log in with "real" passwords other than to actually access our NCsoft account?
Actually the NCsoft account *is* on a separate password. So why can't the forum be too? (Other than, of course, for the obvious reason: resources). If COH forums 2.0 ever happens it would be nice to be able to "bind" a user name and password to a separate CoH account (or accounts, some folks have more than one) and let us use *different* account names and passwords. (Something to add to the list 'o requested features there, I think.)
And it does appear that the login form is trying to use https. Perhaps TonyV knows that process is flawed or bugged, but it seems to be trying at least.
<!-- login form -->
<form action="https://boards.cityofheroes.com/login.php?do=login" method="post">
<script type="text/javascript" src="clientscript/vbulletin_md5.js?v=387"></script>
<table cellpadding="0" cellspacing="3" border="0">
<tr> ....
Zwisntinchargeoftheforumsoftware told us that the timeout was set to 8 hours intentionally by the Seattle web team for security.
We found through our own testing that some of the cookies were being deleted when the browser was closed. This is why if you close the browser and then immediately re-open it you will have to log in again. |
That's the random log out bug. Separate from the 8hr or until closing the browser do we part bit.
I have been gone for a while and it appears that the forum still can't seem to "remember me" regardless of the box being checked or not. Has anybody figured out a fix for this?
Le Blanc 50 Dark/Dark Scrap
High Huntress 50 Archery/NRG Blast
And a goatload of others. On a goatload of servers.
Official Rickroller of Hero Con 1