Login sessions

Posted by Twisol on Fri 25 Sep 2009 12:04 AM — 7 posts, 33,687 views.

USA #0
A small bug I've found on these forums is that if I log in, my session cookie expires, and I log in again, it thinks I'm logged in twice (with the same credentials). My assumption is that the forum isn't invalidating its own session data after the timer period that the cookie should be invalidated after as well.


EDIT: Slightly relatedly, it would be nice if the login form at the upper-right had the tab-order set so I could tab from the username field to the password field, without having to pass over the link in-between. Almost every time I log in, I tab once, and hence hit the wrong link.
Amended on Fri 25 Sep 2009 12:06 AM by Twisol
Australia Forum Administrator #1
The cookie expires at the browser end, the forum doesn't know about the expiry. Now that it allows multiple logins it is likely you would have a few expired sessions around eventually.

Clicking the "Log Off" button would clear all old sessions. They won't do too much harm, unless someone happened to guess the cookie random token, which is pretty low probability, seeing how long it is.

As for the tabbing, some browsers skip over the link, but I'll see if I can re-order it in a way that does what you suggest. Remind me in a week if I forget as I am currently on holidays, and not at my usual PC.
USA #2
Hmm, it seems like you could just add a section to the login code to clear outdated sessions. The user would never see the extra sessions listed because they're cleared out beforehand.

If an administrator of a copy of the forum software is worried about even older sessions clogging their database, likely ones that were never cleaned out because the user never re-logged-in, they could set a monthly cronjob to run clean all outdated sessions.

Another point I just thought of concerning the outdated session storage: if someone managed to hold on to a cookie's session value longer than intended, they would never be timed out, and hence remain logged in by some manner indefinitely (until they explicitly log out somewhere else). This worries me because it allows the possibility of cookie stealing, and thus getting a potentially indefinite free ticket into someone's user account on a copy of these forums. (Given, you log the IP and use that as well, but it's still a bit of a security breach; it's not hard to imitate another IP from what I know)


The tabbing should only require the use of the 'tabindex' attribute in the two fields. tabindex='1' for the username and tabindex='2' for the password.
Amended on Sat 26 Sep 2009 06:52 AM by Twisol
Canada #3
How exactly does the expiry work? I appear to have a somewhat different issue with logins.

Typically I only login when I find a post I would like to reply to. That means I could go for days or a week or more just lurking. The last time I logged in I remember the forum said I had 2 logins, which I found odd but didn't think anything of it. After reading this post the first time I checked my cookies, and there was no cookie from gammon.com.au. I logged in now just to see if it would show the 2 logins or be cleared and now it shows this;

You are logged on as: Hanaisse (3 logins)

It doesn't bother me, it's just a curiosity, or maybe a bug?

Edit: I just checked my profile where it views the sessions and it shows this;

Quote:
You are logged in at these locations:
Logged on date IP Address Domain
Fri 04 Sep 2009 05:14 AM xx.xxx.xxx.xxx www.gammon.com.au
Sat 26 Sep 2009 06:12 AM xx.xxx.xxx.xxx www.gammon.com.au
Wed 23 Sep 2009 04:38 AM xx.xxx.xxx.xxx www.gammon.com.au

You are currently at IP address: xx.xxx.xxx.xxx, using domain: www.gammon.com.au


(note: I have x'd out my IP for security reasons, but rest assured they are all the exact same IP and I only use one PC)

Shouldn't the Sept 04th session expired already?

Edit 2:
Quote:
Because of the way cookies are stored, the cookie on your web browser is linked to the "domain" that the cookie comes from, and thus changing from "www.gammon.com.au" to "gammon.com.au", or "mushclient.com" to "www.mushclient.com" all appeared to the web browser to be different sites.


I log in at http://www.gammon.com.au/forum - my current cookie says gammom.com.au

(sorry for the long post, just trying to give as much info as I can)

Edit 3: Welcome back Nick, hope you had a good trip :)
Amended on Sat 26 Sep 2009 03:48 PM by Hanaisse
USA #4
Hehehe, he's still gone: "Remind me in a week".

EDIT: And that looks to be the same bug. Your cookies expire because they're given an expiry date by the forums when they're added, but the forums themselves store the data for the session. The cookie is just a key to the lock for that data. So your cookie expires, but the actual session still lives on in his database. Hence, if you log in but never log out, and just let your cookie expire, next time you log in it thinks you're logged in multiple times.
Amended on Sat 26 Sep 2009 07:05 PM by Twisol
Australia Forum Administrator #5
OK, the forum now keeps a record of the token expiry date, to the nearest day, on its database. It then expires old tokens when you attempt to log in, or view your tokens (in the View Profile page). It also doesn't accept out-of-date tokens to log in with. This keeps the forum software in sync, approximately, with the date stored in the cookie.

Also, the tabindex suggestion is implemented.

As an interim measure (for people who have already logged in), all tokens currently in force will expire in 7 days. After that, it will expire after the interval you set in your profile.
USA #6
Awesome! Thanks Nick!