D. V. Devnull
Posted September 30, 2013

Okay, this is annoying... It has been a whole weekend without connecting to the forum server, so it should have flushed my remote session and rendered my local cookies completely invalid, that way I would know to flush my cookie stack at my end when failing all else. Has something around the forums changed about login policies due to the last update, or perhaps some attribute about the cookie that totally threw everything off a cliff, or just something else I can't see on my own? :blink: :wall:

I could really use some info here, as I'm hesitant to touch my cookie stack without knowing enough about what's going on... :?

~Mr. D. V. "Doing a double-post facedesk/facewall over this..." Devnull

and normally with a cool mind. (Warning: This user can be VERY confusing to some people... And talks in 3rd person for the time being due to how insane they are... Sometimes even to themself.)

D. V. Devnull
Posted October 7, 2013

Please pardon this turning into a triple-post due to time (another 7 days) elapsed, but are the Admins still watching for bug reports and information here? I've got yet another update as I start to go completely nuts... :wacko:

I just flushed any cookie mentioning "member_id" and/or "pass_hash" that had a zero value, and then attempted to sign out, only to find my login status change back to logged in after restarting my browser again. The two cookies remaining that won't self-flush have a domain value of ".forum.tip.it", as well as they keep getting their lifetime reset on page travels, and the domain I'm getting on two that appear when I click to sign out have a domain of ".tip.it"... All four of these cookies have a name of "tif_member_id" or "tif_pass_hash" present on them, and it appears the server is accepting from either domain prefix/suffix. It should only take from one or the other and tell the invalid domain name form to flush, clearing the session entry on the server's table at the same time, preventing all backdoor access of accounts by unwanted third parties. As it stands, I haven't seen any recent posts that I hadn't typed as of yet, but this is worrying me to no end. :ohnoes:

Would any Admin versed in knowledge of this subject please post back to this thread as soon/quickly as they safely can? I'll just be face-to-desk until I hear from anyone that can help. :(

~D. V. "Ready to lose my mental marbles... Help, Please?!?" Devnull

(p.s.: Has this thread reached the point where part of this needs to be split into the "Forum Suggestions/Updates/Discussions" area?)

Xena_Dragon
Posted October 8, 2013

Just letting you know @MageUK has been poked about this. He's the only wizard around here that can safely digest forum cookies. Until he responds, please try not hitting your desk too hard...

MageUK (Author)
Posted October 8, 2013

You seem oddly concerned about security for someone running a web browser that is 11 versions and 14 months out of date.

That being said, I've changed the cookie name and domain to be more specific, this is going to result in everyone being logged out but should clear up any problems with these old cookies, you can delete them if you wish. The new cookies are prefixed with tifc_.

As per usual, if you visit the account problem page, this will completely log you out of the forum, this is intentional and for good reason.

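Added example (not part of the thread and not the forum software's code): a small model of how a browser stores and sends cookies, showing why the sign-out described above left the session alive and why renaming the cookies resolves it. The server check `looksLoggedIn`, the zero-value sign-out behaviour and all cookie values are assumptions built from the posts' description.

```javascript
// Minimal model of browser cookie storage (RFC 6265, section 5.3): a cookie is
// identified by (name, domain, path), so same-named cookies can coexist.
class CookieJar {
  constructor() {
    this.store = new Map();
  }
  // Apply one Set-Cookie header; a leading dot in Domain is ignored.
  set(name, value, domain, path = "/") {
    const d = domain.replace(/^\./, "").toLowerCase();
    this.store.set(`${name};${d};${path}`, { name, value, domain: d, path });
  }
  // Cookies attached to a request for `host`: every domain-matching entry.
  cookiesFor(host) {
    const h = host.toLowerCase();
    return [...this.store.values()].filter(
      (c) => h === c.domain || h.endsWith("." + c.domain)
    );
  }
}

// Assumed server check: logged in if any cookie named <prefix>member_id
// carries a non-zero value, whichever domain it was stored under.
function looksLoggedIn(cookies, prefix) {
  return cookies.some((c) => c.name === prefix + "member_id" && c.value !== "0");
}

// Constructed scenario: login cookies under .forum.tip.it, sign-out writing
// zero values under `signOutDomain`. Cookie values are made up.
function afterSignOut(signOutDomain, prefix = "tif_") {
  const jar = new CookieJar();
  jar.set("tif_member_id", "12345", ".forum.tip.it");
  jar.set("tif_pass_hash", "constructed-hash", ".forum.tip.it");
  jar.set("tif_member_id", "0", signOutDomain);
  jar.set("tif_pass_hash", "0", signOutDomain);
  const sent = jar.cookiesFor("forum.tip.it");
  return { sent: sent.length, loggedIn: looksLoggedIn(sent, prefix) };
}

// Mismatched domain: four cookies are sent and the stale pair still logs in.
console.log(afterSignOut(".tip.it"));
// Matching domain: the zero values replace the originals.
console.log(afterSignOut(".forum.tip.it"));
// Renamed prefix, as in the fix: the old tif_ cookies no longer count.
console.log(afterSignOut(".tip.it", "tifc_"));
```
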
D. V. Devnull
Posted October 8, 2013 (edited)

I don't have control of browser updates here, which is exactly why I'm concerned about security. As you already know, I use NoScript and ABP both, as well as a few other things to help do everything I can to prevent abuse of this old browser. :geek:

Anyway, I've noticed my login session bounce properly from your change to the cookie setup and flushed my cookies in response to it. Thank you for making those cookies not be a headache anymore! I'm feeling an extreme amount less nuts, finally being able to sign out once again. :thumbsup:

I am left with a question, however, which is that I'm wondering why the 'pass_hash'-suffixed cookie was an exact match of contents between both the old one and the newest one after the upgrade and changes? Maybe I'm crazy, but I would have thought that the hashes for everyone change after a patch to prevent sniffing and abuse? :-k

~D. V. "I try to keep it bolted down... Thanks! Wait, why's this?" Devnull

(Edit by post author due to lack of mental thought clarity in the second paragraph... This should be the only edit.)

Edited October 8, 2013 by D. V. Devnull

MageUK (Author)
Posted October 9, 2013

Why would your pass hash change? Did you change your password? If not, it's not going to change. If someone managed to sniff your cookies you have a lot more to worry about than them getting hold of that hash.