FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Sessions! [message #26017] Thu, 30 June 2005 18:47
dennisp
Hiya Ilia...

Question:

Let's say that a user logs in to a forum without using cookies.
After logging in, the URL looks something like this....

www.xyz.com/forum/index.php?rid=&S=35df55299d2717d8c737cc86fc1880da

OK, now let's say I cut out the '?rid=&S=35df55299d2717d8c737cc86fc1880da' part so that the URL looks like this:

www.xyz.com/forum/index.php and I hit enter in my browser...according to the forum I am logged out now....
I understand this..

Let's say I paste back this part.... '?rid=&S=35df55299d2717d8c737cc86fc1880da'
so that the URL again looks like this...
'www.xyz.com/forum/index.php?rid=&S=35df55299d2717d8c737cc86fc1880da'

and I hit enter in my browser..... and follow that link....

Voila, I am logged in again........

I understand this as well....

Now what I want to know is.....what mechanism do you use to prevent the following..

1) Let's say I copied just the part after the index.php in the URL....('?rid=&S=35df55299d2717d8c737cc86fc1880da') and went to another computer and typed in www.xyz.com/forum/index.php and appended the copied part..so that it looked like 'www.xyz.com/forum/index.php?rid=&S=35df55299d2717d8c737cc86fc1880da'
and hit enter on the browser on this other computer......

I noticed that the forum does not consider me logged in..even though the session in '?rid=&S=35df55299d2717d8c737cc86fc1880da' still exists....

How do you go about doing this??

EDIT-----------------------------------------------------------

Here is what happened.....after a little bit of experimenting....

I logged on to FUDforum on one machine using Firefox....cookies were disabled in Firefox...and the use cookies option was de-selected while logging in to FUDforum...
After logging in..
the URL changes from

www.abc.com/forum/index.php
to
www.abc.com/forum/index.php?rid=&S=477ea0865fdc2e70ca0ee4cba0faa7c6

Next what I did was..open up....IE on the same computer...and I tried going to the following URL...
www.abc.com/forum/index.php?rid=&S=477ea0865fdc2e70ca0ee4cba0faa7c6

FUDforum...considered me as NOT-LOGGED_IN.......

Then I went on another computer that is on the same network and also connects to the internet through the same router....
This computer also has XP.....
I opened up Firefox with cookies disabled on this computer and pasted the link
www.abc.com/forum/index.php?rid=&S=477ea0865fdc2e70ca0ee4cba0faa7c6
and voila...I was considered logged in...????

Now I opened IE on this second computer....and pasted the link
www.abc.com/forum/index.php?rid=&S=477ea0865fdc2e70ca0ee4cba0faa7c6
but FUDforum considered me to be not logged in....????

Could you please explain.....

best regards..

Dennis

[Updated on: Thu, 30 June 2005 20:19]


Re: Sessions! [message #26018 is a reply to message #26017] Thu, 30 June 2005 20:25
Ilia
The forum uses a browser signature to validate the session. Because the browser signature between IE and Firefox does not match, the session is rejected.

FUDforum Core Developer

Re: Sessions! [message #26019 is a reply to message #26018] Thu, 30 June 2005 21:20
dennisp
Is there anything else other than browser signature that is checked to validate a session????

thanks...

Re: Sessions! [message #26020 is a reply to message #26019] Thu, 30 June 2005 21:23
Ilia
There is a sequence key validation, but it's only used for actions. You can, however, turn on additional validations based on IP, for example.

FUDforum Core Developer
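
The checks described in the replies above, sketched as an added example that is not FUDforum's own code: a URL-carried session id is bound to a browser signature, with an optional IP check, and the requests from the question are replayed against it. The class, its method names, the User-Agent-only signature and the sample requests are all assumptions made for illustration.

```php
<?php
// Added illustration, not FUDforum source; every name below is hypothetical.
final class SessionStore
{
    private array $sessions = [];   // sid => ['user', 'sig', 'ip']; kept in memory for the demo

    public function __construct(private bool $checkIp = false) {}

    // Assumption: the signature is a hash of the User-Agent header only.
    private static function signature(string $userAgent): string
    {
        return hash('sha256', $userAgent);
    }

    public function login(int $userId, string $userAgent, string $ip): string
    {
        $sid = bin2hex(random_bytes(16));   // 32 hex characters, like the S= value
        $this->sessions[$sid] = ['user' => $userId, 'sig' => self::signature($userAgent), 'ip' => $ip];
        return $sid;
    }

    // Returns the user id, or null when the request is treated as not logged in.
    public function validate(string $sid, string $userAgent, string $ip): ?int
    {
        $s = $this->sessions[$sid] ?? null;
        if ($s === null) return null;                                            // unknown session id
        if (!hash_equals($s['sig'], self::signature($userAgent))) return null;   // different browser
        if ($this->checkIp && $s['ip'] !== $ip) return null;                     // different address
        return $s['user'];
    }
}

// Constructed sample requests; the addresses come from documentation ranges.
$firefox = 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4';
$ie      = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)';
$requests = [
    'PC 1, Firefox (logged in here)'   => [$firefox, '203.0.113.10'],
    'PC 1, IE'                         => [$ie,      '203.0.113.10'],
    'PC 2 behind same router, Firefox' => [$firefox, '203.0.113.10'],
    'Other network, Firefox'           => [$firefox, '198.51.100.7'],
];
foreach ([false, true] as $checkIp) {
    $store = new SessionStore($checkIp);
    $sid = $store->login(42, $firefox, '203.0.113.10');
    echo 'IP check ', $checkIp ? 'on' : 'off', PHP_EOL;
    foreach ($requests as $label => [$ua, $ip]) {
        $ok = $store->validate($sid, $ua, $ip) !== null;
        printf("  %-34s %s\n", $label, $ok ? 'logged in' : 'not logged in');
    }
}
```

With the IP check off, only the IE request is rejected. Turning it on also rejects the request from the other network, but not the one from the second PC, because machines behind one router reach the server from the same public address.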