IPB cookies

[pkk]

I hate logging in every time, after I visited this forum from a different computer.

Seems like it is a security function, because I only have this problem on this site (visiting no other IPBoard).

I have no idea if it can be turned off...

[notjarvis]

QUOTE (pkk @ Nov 7 2009, 09:00 PM) I hate logging in every time, after I visited this forum from a different computer.

Seems like it is a security function, because I only have this problem on this site (visiting no other IPBoard).

I have no idea if it can be turned off...

Thats strange cos I never have this problem.

I log in from multiple computers on a regular basis and I don't often need to relohgin....

[Adam4]

QUOTE (notjarvis @ Nov 7 2009, 10:05 PM) Thats strange cos I never have this problem.

I log in from multiple computers on a regular basis and I don't often need to relohgin....

[madpeople]

I have the logout problem. Further to that, logging in once on Computer B can mean that I need to login every time I visit on Computer A for a long time after.

FF 3.5.5 / 3.5.3

[Tigereye]

As pkk speculated, this is a security feature of IPB and is on by default.

I can disable it. Actually, come to think of it, considering our entire forum is in the clear (no SSL cert used) there's no real security gained by this setting...
If someone can sniff your sessionID, they can sniff your password while logging into the forum anyways.If someone wants to force you to log into your account, they can invalidate your session for you, forcing you to log in (so they can sniff your password in plaintext)If someone is at your computer copying your cookie from your harddrive, they can copy your browser passwords too using any number of local attacks.
I'll turn this off when I get home which should allow a session to persist regardless of IP.

I believe the result would be: you'll need to log in once from that machine and then your cookie will save your login session until you clear cookies on that machine. Logging in on another machine would duplicate the cookie there without invalidating the first machine's cookie.

If we ever enable SSL on our forum (which wouldn't add any value except for the ZLs and myself), I'll reconsider this setting, but for now it doesn't add any real security.

In the meantime:Community leaders (ZLs, SLs, etc): watch where you log into our forum. Script-kiddies love sniffing Everyone: I recommend you use a different password for this forum than everything else (including ASGS).
--TE
(PS: for those of you who are suddenly worried, we've lived like this for the last 8-9 years so don't sweat it)

[pkk]

QUOTE (Tigereye @ Nov 10 2009, 04:25 AM) (PS: for those of you who are suddenly worried, we've lived like this for the last 8-9 years so don't sweat it)

Nope, we didn't. We live with that feature, since pook switched from phpnuke/phpbb to IPB in June 2006.

Seems like nobody else took care of it.

[Tigereye]

Neither of the PHPnuke or phpbb forums were protected with an SSL certificate, so we've had unencrypted forums for the last 8-9 years. I don't even think the Microsoft Gaming Zone had a cert back when Allegiance was on it

--TE

[Dorjan]

I just assumed this was the security feature by IP so never complained. It'll save me from having to log in everyday at home / work.

Thanks TE / pkk

[Cadillac]

Can you delete this thread now, I've been tormented enough.

[pkk]

QUOTE (Cookie Monster @ Nov 20 2009, 06:04 PM) Can you delete this thread now, I've been tormented enough.

Nope, someone turned that setting back on...