Members still having login problems

  • #16
    Well, I'm sure there have been changes to many files since 2.2.2 and 2.2.3, but as far as I can tell, the only file that deals with validating user sessions is sessions.php.

    Suppose someone sent you a link:

    Hey check out this funny thread!
    http://www.yourforums/bbs/showthread.php?s = asasdf2341wdq324132df&threadid=1234

    You now have the user's sessionhash and without validating the user's IP address, you would be recognized with the credentials of the person who sent you the link, probably with them not realizing it.

    The problem with AOL and other ISPs that use multiple proxies to browse the web for their users is that as you navigate through the site, different requests will be sent for you from different proxy server IP addresses, so that the IP address vBulletin sees the user coming from differs with virtually every page they visit. vBulletin treats this as invalid session hash and, depending on what your permissions are set to and what the user is trying to do, shows a nopermission screen requesting them to log in.

    Therein lies the problem
    Last edited by Paul; Fri 8 Nov '02, 8:36am.



    • #17
      Just what I thought. I did a quick poll of users and a majority of them are using an ISP with Internet Explorer; not AOL. And yet, I still have users that either can't log in (keep getting kicked back to the login screen) or can't stay logged in (going to post a reply for example and then getting the login screen).

      This is just 24hrs of poll replies:

      AOL - 6
      IE - 57
      NN - 5
      Other - 5

      I've got 2,597 users and I get enough e-mails about login problems that it's significant. Just doesn't seem to happen on any of the other boards I've installed, such as phpBB and IkonBoard.



      • #18
        Originally posted by LoveShack
        Well, I'm sure there have been changes to many files since 2.2.2 and 2.2.3, but as far as I can tell, the only file that deals with validating user sessions is sessions.php.

        Suppose someone sent you a link:

        Hey check out this funny thread!
        http://www.yourforums/bbs/showthread.php?s = asasdf2341wdq324132df&threadid=1234

        You now have the user's sessionhash and without validating the user's IP address, you would be recognized with the credentials of the person who sent you the link, probably with them not realizing it.

        The problem with AOL and other ISPs that use multiple proxies to browse the web for their users is that as you navigate through the site, different requests will be sent for you from different proxy server IP addresses, so that the IP address vBulletin sees the user coming from differs with virtually every page they visit. vBulletin treats this as invalid session hash and, depending on what your permissions are set to and what the user is trying to do, shows a nopermission screen requesting them to log in.

        Therein lies the problem
        Wow! You sure know a lot about VBulletin.... very cool!



        • #19
          Oh, another thought: So, if the AOL user uses IE instead of the AOL Browser do they still have this proxy prob?

          Otherwise, I could send an email to all the AOL users and tell them to use IE/NN to surf the boards instead of the AOL Browser. I could add this to my tips too. What do you think?



          • #20
            Originally posted by themonarch
            Oh, another thought: So, if the AOL user uses IE instead of the AOL Browser do they still have this proxy prob?

            Otherwise, I could send an email to all the AOL users and tell them to use IE/NN to surf the boards instead of the AOL Browser. I could add this to my tips too. What do you think?
            That seems to be the only known workaround at this time--it appears that only AOL's browsers use AOL's proxies. This will only work for AOL users though. Other ISPs that use multiple proxies will have the same problem no matter what browser they use.

            Glad I could help



            • #21
              Originally posted by themonarch
              Wow! You sure know a lot about VBulletin.... very cool!
              I'm not really a vBulletin expert--I just play one on TV



              • #22
                Too funny! "I just play one on TV"

                Thanks a bunch LoveShack - you're awesome! I'll email all my AOHe** users and give them the 411.

                Peace and prosperity to the VBulletin brotherhood (and sistahood)!



                • #23
                  OK...I will partially buy into that theory BUT (always a but) what about when a user is using cookies only? The session is stored in the cookie and not passed via a url as you browse the site. So when you send a link to another user it would have http://www.xyz.com/index.php?s= & whatever=... without a sessionhash in it. So why would this behaviour be programmed into the cookie routine? I can see why it is built into the non cookie routine now but not the cookie one.

                  All this cookie talk...I'm gonna run downstairs and get some cookies and hopefully by the time I get back somebody will have answered this question.
                  Marc
                  -------



                  • #24
                    I think we'd need to get a developer's input on why sessions are tracked the way they currently are. I know they're working on trying to solve this issue by using other methods within sessions.php, but I'm not sure how successful they've been.

                    Off the top of my head, my guess for checking the session variable is a security issue. When vBulletin gets a value for the sessionhash, it checks it with the sessionhash stored in the cookie (if present). If these don't match, it uses the one in the URL.

                    Once I'm finished dusting I'll open up sessions.php and stare at the code and try to think up scenarios.

                    I'm glad that such an interest has been taken in this issue--I think it's important we figure out how to fix it. Blaming things on corrupt cookies every time a user has to log in multiple times is a ridiculous approach in my opinion.

                    Comment
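The trade-off raised in posts #16 and #23 to #24, as an added example that is not part of the thread and is not vBulletin's sessions.php: a session resolver that prefers the cookie hash over the `s=` URL hash and can pin either every session, or only URL-carried hashes, to the login IP. The function name `resolveSession`, the session store, the second hash and the IP addresses are constructed for illustration.

```php
<?php
// Added example; not vBulletin's sessions.php. All names here are hypothetical.

// Constructed session store: hash => data recorded at login.
$sessions = [
    'asasdf2341wdq324132df' => ['userid' => 42, 'ip' => '198.51.100.17'],
    'constructedhash0002'   => ['userid' => 77, 'ip' => '203.0.113.5'],
];

// Returns the user id for a request, or 0 (guest).
// $cookieHash / $urlHash are '' when absent.
// $strictIp = true  : every session must come from the IP seen at login.
// $strictIp = false : only hashes taken from the URL are pinned to that IP.
function resolveSession(array $sessions, string $cookieHash, string $urlHash,
                        string $clientIp, bool $strictIp): int
{
    // A cookie hash is not exposed by pasting a link, so it takes precedence.
    $fromUrl = ($cookieHash === '');
    $hash    = $fromUrl ? $urlHash : $cookieHash;
    if ($hash === '' || !isset($sessions[$hash])) {
        return 0;
    }
    $session = $sessions[$hash];
    if (($strictIp || $fromUrl) && $session['ip'] !== $clientIp) {
        return 0; // treated as an invalid session: user is asked to log in
    }
    return $session['userid'];
}

$owner = 'asasdf2341wdq324132df';
$cases = [
    // label => [cookie hash, URL hash, client IP]
    'recipient of pasted link'        => ['', $owner, '203.0.113.5'],
    'owner, cookie, rotating proxy'   => [$owner, '', '198.51.100.93'],
    'owner, URL only, rotating proxy' => ['', $owner, '198.51.100.93'],
    'user 77 clicks link, has cookie' => ['constructedhash0002', $owner, '203.0.113.5'],
];
foreach ($cases as $label => [$cookie, $url, $ip]) {
    printf("%-32s strict=%d cookie-aware=%d\n", $label,
        resolveSession($sessions, $cookie, $url, $ip, true),
        resolveSession($sessions, $cookie, $url, $ip, false));
}
```

Only the second case differs between the two policies: the cookie user behind a rotating proxy is rejected under the strict check and accepted under the cookie-aware one. Cookieless users behind rotating proxies are still rejected either way, and a cookie session is no longer tied to an IP, so the cookie itself has to be protected.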


                    • #25
                      What about having it check the cookie, and then if it's no good, it can use a default (approved) sessionhash instead of pulling it from the URL?



                      • #26
                        Well...you have to wonder why Amazon and Yahoo and such sites have no problems ever like this. There must be a reasonable solution to this.
                        Marc
                        -------



                        • #27
                          They're not using PHP, for 1 thing - not to pooh pooh php or anything, since I use it all the time.



                          • #28
                            This has nothing to do with the limitations of php--it's simply a design issue with vBulletin itself. Sites such as Amazon and Yahoo! also have resources available to them that are not available to most sites running vBulletin.



                            • #29
                              Anything Amazon or Yahoo are running, PHP is capable of doing the same thing, at least from the browser's viewpoint, in one way or another. PHP can handle cookies using functions or you can build your own and create your own headers if you have to. I doubt PHP is so flawed that it cannot handle cookies properly or that an issue as basic as tracking a user cannot be done flawlessly.
                              Marc
                              -------



                              • #30
                                Ok, still having problems

                                And the login problems continue for me:

                                I've received 12 emails today from users having problems logging in or staying logged in (for example replying to a post)....

                                they are coming from all sorts of domains, not just aol... (actually only 1 aol user this time).

                                When will this problem ever get a viable solution? I upgrade and run a hack-free board and the problems still continue......
