Security problem with 2.20??

  • robinchee
    Member
    • Jun 2001
    • 91

    Security problem with 2.20??

    I've got a problem with 2.20 .. which was there even in 2.03.

    When some of my users login to my forum, they sometimes get logged in as someone else!

    Is the system IP based? Because many of my users access the forum through a proxy server and their IP addresses are masked and the system just sees the proxy IP address. Thus, many of the users appear to the forum to have the same IP address.

    What could be the problem?
    Robin Chee
    Singapore
  • Fusion
    Senior Member
    • Aug 2001
    • 4346
    • 3.8.x

    #2
    Do you know if they skip logging out when they are done browsing the forum? If so, you might want to check this thread and add your weight towards getting this fixed.
    Toddler from Hell

    Comment

    • robinchee
      Member
      • Jun 2001
      • 91

      #3
      Nope, even when they log out, they get the problem.
      Robin Chee
      Singapore

      Comment

      • Fusion
        Senior Member
        • Aug 2001
        • 4346
        • 3.8.x

        #4
        They all log out? if even one, like the one they appear to end up logged in as, don't, you might have what I have. Not that I wish that on anyone.
        Toddler from Hell

        Comment

        • WizyWyg
          Senior Member
          • Jul 2001
          • 1309
          • 2.3.0

          #5
          Re: Security problem with 2.20??

          Originally posted by robinchee
          I've got a problem with 2.20 .. which was there even in 2.03.

          When some of my users login to my forum, they sometimes get logged in as someone else!

          Is the system IP based? Because many of my users access the forum through a proxy server and their IP addresses are masked and the system just sees the proxy IP address. Thus, many of the users appear to the forum to have the same IP address.

          What could be the problem?
          You're going to have problems if there are several users with the same IP address (due to the proxy server); best that you check over your Admin CP's and play around with the Cookies settings for your users.
          There are only 10 types of people in the world: Those who understand binary, and those who don't

          Comment

          • robinchee
            Member
            • Jun 2001
            • 91

            #6
            Not all. One guy may log out while some of the rest are logged in, but when the guy who logged out tries to log in, he sometimes gets into someone else's account instead.

            This happens not only to one person but a few of them ..
            Robin Chee
            Singapore

            Comment

            • Fusion
              Senior Member
              • Aug 2001
              • 4346
              • 3.8.x

              #7
              Yep, that's a common problem, although they have so far refused to acknowledge it's a problem related to vBulletin; instead they blame external sources, like proxies and browsers, even though I've already disproved that these external sources are at fault.
              Toddler from Hell

              Comment

              • JTMON
                Senior Member
                • Oct 2001
                • 571

                #8
                Sure sounds like another Whopping security issue. Apparently I misunderstood your posts in the other forum Fusion. I did not realize your users were getting logged in as OTHER users too. I hope they are addressing this issue.
                JTMON

                Comment

                • robinchee
                  Member
                  • Jun 2001
                  • 91

                  #9
                  Re: Re: Security problem with 2.20??

                  Originally posted by WizyWyg
                  You're going to have problems if there are several users with the same IP address (due to the proxy server); best that you check over your Admin CP's and play around with the Cookies settings for your users.
                  What can I set for the cookies?
                  Robin Chee
                  Singapore

                  Comment

                  • George L
                    Former vBulletin Support
                    • May 2000
                    • 32996
                    • 3.8.x

                    #10
                    Re: Re: Re: Security problem with 2.20??

                    I'm not a developer so can't really comment on the issue. All I know is that this problem of logging into other users' accounts is indeed a proxy issue. A lot of my forum members access my vB forums from school or work PCs and they are all behind a proxy or firewall of some sort and did experience that problem sometimes. Why sometimes? Because of how their school or workplace configured their proxy/firewall.

                    For one member I had in the past, he would access at work behind a firewall and had no problems, and then his employer changed something with the firewall and then he couldn't access the forums until he changed to browse using cookies.

                    For that reason I have disabled browse using sessions and members are defaulted to browse using cookies.

                    To convert all your members' option to browse using cookies:

                    1. Backup database and close forum.
                    2. In phpMyAdmin type this query to update all users in the user table to browse using cookies:
                    Code:
                    UPDATE user SET nosessionhash=1
                    3. In the modifyoptions, register adult and register coppa templates, comment out the check box for browse using sessions and default select browse using cookies.

                    I haven't had any of these problems since.
                    :: Always Back Up Forum Database + Attachments BEFORE upgrading !
                    :: Nginx SPDY SSL - World Flags Demo [video results]
                    :: vBulletin hacked forums: Clean Up Guide for VPS/Dedicated hosting users [ vbulletin.com blog summary ]

                    Comment

                    • Fusion
                      Senior Member
                      • Aug 2001
                      • 4346
                      • 3.8.x

                      #11
                      George, if you read the other thread, you might catch that I found another web-app that uses sessions in much the same manner as vBulletin. When set up to mimic the route I take to this site, where I first spotted this problem, I was amazed to see that it did not exhibit the same problem. Therefore I'm not ready to buy yet another explanation that it's proxy-related, when the two apps use the same proxy. Granted, going for cookies is one way, but at best this looks linked to how vBulletin uses sessions, not the fact that it is using sessions.
                      Toddler from Hell

                      Comment

                      • Fusion
                        Senior Member
                        • Aug 2001
                        • 4346
                        • 3.8.x

                        #12
                        By the by, even Hotmail.com manages to correctly check for a "re-login" on return to their site without logging out. They too use sessions, and yes, it's the same proxy. How much more will it take for people to accept there's a flaw here? Do I have to unpack my rubber-coated sledge-hammer?
                        Toddler from Hell

                        Comment

                        • cosmos
                          Member
                          • Nov 2001
                          • 31

                          #13
                          Ahhh, it is so nice to be able to reply!

                          This is not a proxy problem: lacking any expiration HTTP directives, a proxy server may download some information, which will be considered "fresh". That is, subsequent requests to the same URL may be returned as is. Obviously, PHP scripts should be modified to return by default HTTP responses that mark the web server's response stale (i.e. not fresh) from the start. I can't help in modifying the PHP scripts myself, but I can help in specifying exactly which directives should be sent when:
                          • A user who is not logged in is browsing the forums
                          • A logged-in user is browsing the forums
                          • A user is accessing his private areas (userCP etc.)

                          ...and so on.


                          The current problems are two:
                          • Administrators wishing to pre-expire information in order to alleviate these problems embed some Cache-Control/Pragma/Expires directives within the page returned to the client. This is useless because proxies can not "see" this information and because having this info within HTML does not mandate any special handling even for browsers.
                          • An expiration mechanism must be enforced, in accordance with what is given in the first paragraph. IOW, all PHP scripts return pages which are valid only for the moment a user performs a forum access! This behaviour should not be user-overridden, in order to comply with semantic correctness of any intervening cache: something should be cached and should be validated if its content is of a continuously changing nature. This doesn't mean that the content of a page should not be cached by a proxy, but rather that subsequent requests should be validated with the server vBulletin is running on.


                          See also the "Second/Third problem..." comments in avatar.php HTTP expiration problem. BTW, this last thread is not resolved yet AFAIK.

                          Summarizing: this is a vBulletin problem and the HTTP response must be modified accordingly.
                          Last edited by cosmos; Fri 23 Nov '01, 1:52am.

                          Comment

                          • cosmos
                            Member
                            • Nov 2001
                            • 31

                            #14
                            Some examples of what should be included in the HTTP response, depending on certain conditions:
                            1. Forum browsing, with a Set-Cookie sent in the HTTP response, user not logged-on:

                              Cache-Control: no-cache="set-cookie", must-revalidate, max-age=0
                              Pragma: no-cache
                              Expires: Thu, 01 Jan 1970 00:00:00 GMT
                            2. Forum browsing, with no cookies sent in the HTTP response, user not logged-on. Since no Set-Cookie HTTP fields are sent now in server responses (since Cookie HTTP fields are sent in the HTTP request), the following modifications should be needed here:

                              Cache-Control: must-revalidate, max-age=0
                              Pragma: no-cache
                              Expires: Thu, 01 Jan 1970 00:00:00 GMT
                            3. Any forum action, when the user is logged-on and a response is sent which includes a Set-Cookie field (except usercp related actions like PMs etc):

                              Cache-Control: no-cache="set-cookie", private, must-revalidate, max-age=0
                              Pragma: no-cache
                              Expires: Thu, 01 Jan 1970 00:00:00 GMT
                            4. Any forum action (except usercp related actions like PMs etc), when the user is logged-on and the response does not include any Set-Cookie directives. Since no cookies are send this time, the response should be modified as follows:

                              Cache-Control: private, must-revalidate, max-age=0
                              Pragma: no-cache
                              Expires: Thu, 01 Jan 1970 00:00:00 GMT
                            5. User control panel operations (user logged in, of course):
                              Cache-Control: no-store
                              Pragma: no-cache
                              Expires: Thu, 01 Jan 1970 00:00:00 GMT
                            6. Information that should be valid for limited time and is not confidential can be treated differently. For example, avatars could be allowed to be cached for a day or so:
                              Cache-Control: max-age=86400
                              Expires: <now+1day>


                              now above is the current date, while the result <now+1day> means "the date resulting from adding one day to time of the Date: HTTP field, in RFC date format".


                            Notes
                            • The use of private in 3-4 is correct in the sense that if someone browses a vBulletin board using a proxy and that proxy is configured to be for public use (that is, public) then the information will simply not be cached at all. In public/shared proxy caches, retrieving a web server response that contains a private directive will have a no-store effect, as in example 5. Why not put a no-store in the first place, you might ask. Because in some cases, one might have configured a private proxy cache for his/her own use. In that case, caching should be allowed, but the information retrieved should of course be considered stale (the max-age=0) from the start, and upon subsequent accesses to the same URL the proxy server should perform a check with the vBulletin server (the must-revalidate directive) to test whether the content is valid.
                            • HTTP/1.1 clients/caches will not use the Pragma/Expires field, since Cache-Control has a priority. On the other hand, HTTP/1.0 clients/caches will certainly understand Pragma/Expires (some HTTP/1.0 caches/clients do understand Cache-Control though). Therefore all three fields are needed here.


                            Phew! I think I deserve a hot cup of coffee now!
                            Last edited by cosmos; Fri 23 Nov '01, 2:50am.

                            Comment

                            • John
                              Senior Member
                              • Apr 2000
                              • 4042

                              #15
                              I have just uploaded a new sessions.php file to this server to see if I might have found something. Can you test if the problem is still occurring.

                              Also, you can only compare vBulletin with other pieces of software if that software offers a cookie-free option. I am not sure about Hotmail, but I am pretty sure you would not be able to log in if you did not have cookies turned on.

                              It is the cookie-free option that seems to be creating this problem, I think.

                              John
                              John Percival

                              Artificial intelligence usually beats real stupidity ;)

                              Comment
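The failure mode described in cosmos's posts #13 and #14 (a proxy treating a response without freshness information as fresh and replaying it to the next visitor) combined with John's point in #15 about the cookie-free option (the session hash riding in the URL), as an added example that is not part of this thread and not vBulletin's code. The "forum", the session table, the cache's behaviour and the two users are constructed stand-ins; the header sets are the ones cosmos lists for cases 2, 4 and 5, plus the no-directive case the reporters were seeing.

```python
"""Shared proxy cache in front of a forum whose session hash rides in the URL.

Constructed simulation (not vBulletin code): a tiny origin "forum", a shared
cache, and a two-user scenario showing how a cached page hands one user's
session hash to the next visitor, and which Cache-Control directives stop it.
"""
import re
import secrets

# Constructed session table: session hash -> user name (None = not logged in)
SESSIONS = {}

# Header sets exercised below. "none" is the situation the thread reports;
# the other three are cosmos's cases 2, 4 and 5.
POLICIES = {
    "none": {},
    "public-page": {"Cache-Control": "must-revalidate, max-age=0",
                    "Pragma": "no-cache",
                    "Expires": "Thu, 01 Jan 1970 00:00:00 GMT"},
    "logged-in": {"Cache-Control": "private, must-revalidate, max-age=0",
                  "Pragma": "no-cache",
                  "Expires": "Thu, 01 Jan 1970 00:00:00 GMT"},
    "usercp": {"Cache-Control": "no-store",
               "Pragma": "no-cache",
               "Expires": "Thu, 01 Jan 1970 00:00:00 GMT"},
}


def new_session():
    h = secrets.token_hex(8)
    SESSIONS[h] = None
    return h


def origin_get(path, policy):
    """Stand-in for the forum's front page (assumed behaviour, not vBulletin's
    source). In cookie-free mode the session hash travels as s=... in the
    URL, so every link in the page embeds the requester's session."""
    m = re.search(r"[?&]s=([0-9a-f]+)", path)
    h = m.group(1) if m and m.group(1) in SESSIONS else new_session()
    user = SESSIONS[h] or "guest"
    body = f'<p>Welcome, {user}</p><a href="/forumdisplay.php?s={h}">Forum</a>'
    return dict(POLICIES[policy]), body


def parse_cache_control(value):
    """'private, max-age=0' -> {'private', 'max-age'} (directive names only)."""
    return {d.strip().split("=", 1)[0].lower()
            for d in value.split(",") if d.strip()}


class SharedCache:
    """Shared (public) cache. Like the proxies described in the thread, it
    treats a response carrying no freshness information as fresh and will
    serve it to any client that asks for the same URL. It honours
    Cache-Control only; a real cache also falls back to Expires/Pragma."""

    def __init__(self):
        self.store = {}   # path -> {"body": ..., "fresh": bool}

    def get(self, path, policy):
        entry = self.store.get(path)
        if entry and entry["fresh"]:
            return entry["body"]          # hit: origin is never consulted
        headers, body = origin_get(path, policy)   # miss or revalidation
        cc = parse_cache_control(headers.get("Cache-Control", ""))
        if "no-store" in cc or "private" in cc:
            self.store.pop(path, None)    # shared caches must not keep these
        else:
            # No directives at all -> heuristically fresh (the dangerous case).
            # max-age=0 / must-revalidate -> kept, but re-fetched before reuse.
            fresh = not ({"max-age", "must-revalidate"} & cc)
            self.store[path] = {"body": body, "fresh": fresh}
        return body


def session_of(body):
    return re.search(r"s=([0-9a-f]+)", body).group(1)


def scenario(policy):
    """Alice fetches the front page through the proxy and logs in; Bob then
    fetches the same URL through the same proxy. Returns (account the forum
    will attach to Bob's session, whether Bob holds Alice's hash)."""
    SESSIONS.clear()
    cache = SharedCache()
    alice_hash = session_of(cache.get("/index.php", policy))
    SESSIONS[alice_hash] = "alice"        # login binds the hash to her account
    bob_hash = session_of(cache.get("/index.php", policy))
    return SESSIONS.get(bob_hash) or "guest", bob_hash == alice_hash


if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name:12s} -> Bob is {scenario(name)}")
```

With no directives the cache replays Alice's page, Bob's links carry her hash, and once she logs in he is her. `private` and `no-store` keep the page out of the shared cache entirely; `must-revalidate, max-age=0` lets the cache keep a copy but forces a trip to the origin before reuse, which is the distinction cosmos draws between cases 2/4 and case 5. The simulation ignores clocks and conditional requests; a real cache would send a validator instead of a full re-fetch.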
