Potential security problem

  • Fusion
    Senior Member
    • Aug 2001
    • 4346
    • 3.8.x

    Potential security problem

    I'm on a public PC, and browse this and other vB 2.2.0 boards with both cookies and automatic logins set to no. Imagine if you will that you leave the board without using the log out option on the main page (that really should optionally be on every page!). If you then later return to the same board, the main page looks as if you're not logged in. Now, here's the problem: If you access anything on the board, you end up reclaiming the old session and show up as logged in. What's with that? Shouldn't the session be automatically killed off or made invalid if the cookie & login is set to no? Btw, I used this method to post this... Yikes!
    Toddler from Hell
  • orca
    Senior Member
    • Mar 2001
    • 1151
    • 5.5.x

    #2
    Do you happen to use MSIE? MSIE sometimes doesn't clear the cache by logging out...I had that sometimes, too.
    Ueli

    • Fusion
      Senior Member
      • Aug 2001
      • 4346
      • 3.8.x

      #3
      I do (V5.5), but the machine was rebooted in the interim. In short, this HAS to be addressed, double-quick!
      Toddler from Hell

      • Fusion
        Senior Member
        • Aug 2001
        • 4346
        • 3.8.x

        #4
        BUMP
        Toddler from Hell

        • WizyWyg
          Senior Member
          • Jul 2001
          • 1309
          • 2.3.0

          #5
          For now, since bumping this topic won't help much, just don't use that computer until it's figured out.

          As FAR as I know, it's an end-user thing and how "IE" is set up on that particular computer. YOU can alter the way it accepts cookies in the Tools > Internet Options settings under Security. You can have it prompt you to "accept" cookies or not. Or just use Netscape (which has easier Cookies to handle).
          There are only 10 types of people in the world: Those who understand binary, and those who don't

          • Fusion
            Senior Member
            • Aug 2001
            • 4346
            • 3.8.x

            #6
            That's all good and well, WizyWyg. Now RE-read my initial post, and you'll see that a) it's a public computer, as such the end-user can do precious little to alter the way the browser handles cookies. b) it's not a browser issue at all.

            It's up to the program, in this case vB, to account for ALL possible effects the various browsers may have on its usage. To say change the cookies or use another browser just doesn't cut it. When you have cookies and automatic logins set to no in the user profile, you have to be able to expect that this is what will happen, regardless of how the computer is set up, i.e. the settings are supposed to be a means to override "local" settings. If not, what use is it to have these options?

            Mods, please move this to the Bugs forum ASAP and get it looked at!
            Toddler from Hell

            • tubedogg
              Senior Member
              • Feb 2001
              • 13602

              #7
              We'll move this to the bugs forum when it can be verified. Thus far I have not been able to reproduce it at all.

              • Fusion
                Senior Member
                • Aug 2001
                • 4346
                • 3.8.x

                #8
                Well, I am, repeatedly, and from the replies to the thread, it looks like I'm not alone. Try harder.
                Toddler from Hell

                • tubedogg
                  Senior Member
                  • Feb 2001
                  • 13602

                  #9
                  I don't see anyone confirming this besides yourself...

                  • WizyWyg
                    Senior Member
                    • Jul 2001
                    • 1309
                    • 2.3.0

                    #10
                    Okay, since you haven't stated that if you're closing the browser when done, but just when you return to the board, it still shows you logged in.

                    Turning everything to off (cookies and automatically logged in) I am presented with the "log in" page when I close the browser and reopen to visit the forum.

                    But........

                    If I leave the board and come back an hour later (without closing the browser during that time) then yeah, it shows me as "still logged in" giving me the time I was last there.

                    You have to find out what the "exact" settings on that public computer are (what has been disabled from the browser) and if "closing" the browser is not an option, then that's where the problem lies. Since it's not "working on cookies" to keep you logged in, then it's definitely a "sessions" thing (when someone leaves the site, the session should die). A little PHP coding should do the trick.


                    The ONLY time I can recreate your problem is if I don't close the browser after viewing the board and then surfing elsewhere and then coming back.

                    But IF I do close it, and come back, I have to "log in".

                    Edit: This was tested both on IE 5.5 and Netscape 6.0 and I get the same results on both.

                    You might wanna try vbulletin.org for a hack in the meantime to kill the sessions.
                    Last edited by WizyWyg; Wed 14 Nov '01, 11:16am.
                    There are only 10 types of people in the world: Those who understand binary, and those who don't

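The behaviour argued over in the opening post and in #10 (a session that should die when the visitor leaves without logging out, and should never be handed back to a visitor who turns up with no session token) is modelled below. This is an added example, not vBulletin's PHP and not code from anyone in this thread: a small Python session store with a fake clock, and constructed idle timeouts, user names and tokens. It shows the three properties a server-side fix would need: resume only on a presented token, expire non-persistent sessions after an idle period (the "automatic logout" Fusion asks for), and delete the record on logout so nothing cached can revive it.

```python
"""Model of the server-side session handling discussed in this thread.

Three properties the posts ask for:
  1. a session is resumed only when the client presents its session token;
     a visitor who arrives with nothing is a guest, never a "reclaimed" login;
  2. a session whose owner did not opt into automatic login dies after a short
     idle period, which acts as the automatic logout asked for in the thread;
  3. logging out deletes the session on the server, so a cached page or the
     back button cannot revive it.
Timeouts, names and the in-memory store are constructed for the example.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60                 # constructed: 15 minutes without a request
REMEMBER_ME_LIFETIME = 30 * 24 * 3600  # constructed: only when auto-login was chosen


@dataclass
class Session:
    user: str
    remember_me: bool   # the "automatic login" option in the user profile
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, remember_me: bool = False) -> str:
        """Create a session and return the unguessable token the client must present."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, remember_me, self._clock())
        return token

    def logout(self, token: str) -> None:
        """Invalidate server side; any copy of the token the client kept is now useless."""
        self._sessions.pop(token, None)

    def resolve(self, token: Optional[str]) -> Optional[str]:
        """Return the user behind a presented token, or None for a guest."""
        if token is None:
            return None                 # no token, no session: a bare visit is a guest
        session = self._sessions.get(token)
        if session is None:
            return None                 # unknown, logged out, or already expired
        now = self._clock()
        limit = REMEMBER_ME_LIFETIME if session.remember_me else IDLE_TIMEOUT
        if now - session.last_seen > limit:
            del self._sessions[token]   # idle too long: automatic logout
            return None
        session.last_seen = now
        return session.user

    def active_count(self) -> int:
        return len(self._sessions)


class FakeClock:
    """Deterministic clock so the idle timeout can be exercised without sleeping."""
    def __init__(self, start: float = 1000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def scenario() -> Dict[str, Optional[str]]:
    """Walk through the situations from the thread and record who each request resolves to."""
    clock = FakeClock()
    store = SessionStore(clock)
    out: Dict[str, Optional[str]] = {}

    token = store.login("fusion")                    # cookies / auto-login set to "no"
    out["active"] = store.resolve(token)             # "fusion"
    out["no_token"] = store.resolve(None)            # None: nothing presented, nothing reclaimed
    out["unknown_token"] = store.resolve("not-a-real-token")  # None

    clock.advance(IDLE_TIMEOUT + 1)                  # visitor left without logging out
    out["after_idle"] = store.resolve(token)         # None: expired and deleted

    token = store.login("fusion", remember_me=True)  # explicitly opted into auto-login
    clock.advance(IDLE_TIMEOUT + 1)
    out["remember_me_after_idle"] = store.resolve(token)  # "fusion"

    store.logout(token)
    out["after_logout"] = store.resolve(token)       # None
    return out


if __name__ == "__main__":
    for step, who in scenario().items():
        print(f"{step:24s} -> {who}")
```

The `remember_me` flag is the only thing that lengthens a session's life, and it is set by the user's own choice at login, so a profile with automatic login set to "no" can never outlive the idle window, whatever the browser on the public machine does with its cache or cookies.
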
                    • Fusion
                      Senior Member
                      • Aug 2001
                      • 4346
                      • 3.8.x

                      #11
                      Well, since the computer is rebooted between attempts, somebody tell me how much more "clean" one can make it? Again, as the machine is public, and running a limited version of Windows 2000, the user doesn't have any way to check if cookies are saved, or even refuse them if that's the case. That's why it's imperative that something is done to ensure that these settings work as expected.

                      Yes, Wyziwyg, upon returning the main page asks you to log in. The problem shows up if you don't log in, and rather access anything (forums, user control panel etc.); that's when a stored session is reclaimed. I didn't time the span, since the reboot should've cleaned up things.

                      I'm at a loss as to what happens, but that's really secondary, as I feel vB should have considered such and made sure the session is considered invalid, sort of like an automatic logout.

                      Not one of you can claim this is normal, even if it appears I'm the only one affected presently.
                      Toddler from Hell

                      • Fusion
                        Senior Member
                        • Aug 2001
                        • 4346
                        • 3.8.x

                        #12
                        Originally posted by tubedogg
                        I don't see anyone confirming this besides yourself...
                        I guess orca doesn't count then.
                        Toddler from Hell

                        • Joshua Clinard
                          Banned
                          • Oct 2001
                          • 552
                          • 3.0.0 Gamma

                          #13
                          Are you saying that if you log out of the board, and the computer is rebooted, that you can surf to the board, and you are still shown as logged in, without having to enter a username and password? That is scary. I had a similar problem with ezboard. Whenever I would click log out, and then hit the back button, it still showed me as logged in. Then if I clicked the log out link a second time, it would take me to the main forum page, and showed that I was not logged in. Then, I had to close all instances of the browser, because I could still hit the back button and be shown as logged in. If I just closed the browser, or clicked the log out link once, and closed the browser, I could still surf to the board, and be shown as logged in. This was a lot of hassle, and I hope if this problem is similar, that it is addressed. I have a library computer that I can test this on. I will make a follow-up post in a few minutes...

                          • Joshua Clinard
                            Banned
                            • Oct 2001
                            • 552
                            • 3.0.0 Gamma

                            #14
                            Testing Logout

                            • Joshua Clinard
                              Banned
                              • Oct 2001
                              • 552
                              • 3.0.0 Gamma

                              #15
                              After clicking the log out link, and closing the browser, and then opening the browser and returning to this forum, I could not access the control panel or post without logging in again. This was tested using NT 4.0 and Netscrape 4.08.

                              Don't have IE on this PC to test this on.

                              Hope this helps.