FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Sessions! [message #26017] Thu, 30 June 2005 14:47
dennisp (Belize)
Hiya Ilia...

Question:

Let's say that a user logs in to a forum without using cookies.
After logging in, the URL looks something like this...

www.xyz.com/forum/index.php?rid=&S=35df55299d2717d8c737cc86fc1880da

OK, now let's say I cut out the '?rid=&S=35df55299d2717d8c737cc86fc1880da' part so that the URL looks like this:

www.xyz.com/forum/index.php and I hit enter in my browser... according to the forum I am logged out now...
I understand this..

Let's say I paste back this part... '?rid=&S=35df55299d2717d8c737cc86fc1880da'
so that the URL again looks like this...
'www.xyz.com/forum/index.php?rid=&S=35df55299d2717d8c737cc86fc1880da'

and I hit enter in my browser... and follow that link...

Voila, I am logged in again........

I understand this as well....

Now what I want to know is... what mechanism do you use to prevent the following?

1) Let's say I copied just the part after the index.php in the URL ('?rid=&S=35df55299d2717d8c737cc86fc1880da') and went to another computer and typed in www.xyz.com/forum/index.php and appended the copied part, so that it looked like 'www.xyz.com/forum/index.php?rid=&S=35df55299d2717d8c737cc86fc1880da'
and hit enter in the browser on this other computer...

I noticed that the forum does not consider me logged in, even though the session in '?rid=&S=35df55299d2717d8c737cc86fc1880da' still exists...

How do you go about doing this?

EDIT-----------------------------------------------------------

Here is what happened after a little bit of experimenting...

I logged on to FUDforum on one machine using Firefox... cookies were disabled in Firefox, and the "use cookies" option was de-selected while logging in to FUDforum...
After logging in,
the URL changes from

www.abc.com/forum/index.php
to
www.abc.com/forum/index.php?rid=&S=477ea0865fdc2e70ca0ee4cba0faa7c6

Next, what I did was open up IE on the same computer, and I tried going to the following URL...
www.abc.com/forum/index.php?rid=&S=477ea0865fdc2e70ca0ee4cba0faa7c6

FUDforum considered me as NOT-LOGGED_IN...

Then I went on another computer that is on the same network and also connects to the internet through the same router...
This computer also has XP...
I opened up Firefox with cookies disabled on this computer and pasted the link
www.abc.com/forum/index.php?rid=&S=477ea0865fdc2e70ca0ee4cba0faa7c6
and voila... I was considered logged in...????

Now I opened IE on this second computer and pasted the link
www.abc.com/forum/index.php?rid=&S=477ea0865fdc2e70ca0ee4cba0faa7c6
but FUDforum considered me to be not logged in...????

Could you please explain...

best regards..

Dennis

[Updated on: Thu, 30 June 2005 16:19]

Re: Sessions! [message #26018 is a reply to message #26017] Thu, 30 June 2005 16:25
Ilia (Canada)
The forum uses a browser signature to validate the session. Because the browser signatures of IE and Firefox do not match, the session is rejected.

FUDforum Core Developer

Re: Sessions! [message #26019 is a reply to message #26018] Thu, 30 June 2005 17:20
dennisp (Belize)
Is there anything else other than browser signature that is checked to validate a session?

thanks...

Re: Sessions! [message #26020 is a reply to message #26019] Thu, 30 June 2005 17:23
Ilia (Canada)
There is a sequence key validation, but it's only used for actions. You can, however, turn on additional validations, based on IP for example.

FUDforum Core Developer
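
The behaviour discussed in this thread, as an added example that is not FUDforum's code and not part of the original posts: a URL-carried session ID bound to a browser signature, with an optional IP check. It assumes the signature is a hash of the User-Agent header (the thread does not say how FUDforum derives it); `SessionStore`, `browser_signature` and `replay_experiment` are hypothetical names, and the User-Agent strings and IP addresses are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed User-Agent strings for the two browsers in the thread.
FIREFOX = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4"
IE = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


def browser_signature(headers):
    """Assumption: the signature is a hash of the User-Agent header."""
    return hashlib.sha256(headers.get("User-Agent", "").encode()).hexdigest()


class SessionStore:
    def __init__(self, check_ip=False):
        self.check_ip = check_ip      # the optional "additional validation"
        self.sessions = {}            # session id -> (user, signature, ip)

    def login(self, user, headers, ip):
        sid = secrets.token_hex(16)   # 32 hex chars, like the S= value in the URL
        self.sessions[sid] = (user, browser_signature(headers), ip)
        return sid

    def validate(self, sid, headers, ip):
        """Return the user name, or None when the request is treated as not logged in."""
        record = self.sessions.get(sid)
        if record is None:
            return None
        user, signature, login_ip = record
        if not hmac.compare_digest(signature, browser_signature(headers)):
            return None               # different browser: session rejected
        if self.check_ip and ip != login_ip:
            return None               # different address: rejected when enabled
        return user


def replay_experiment(check_ip):
    """Log in with Firefox on PC 1, then reuse the S= value as in the thread,
    plus one added request from outside the shared router."""
    store = SessionStore(check_ip=check_ip)
    nat_ip, other_ip = "203.0.113.10", "198.51.100.7"   # constructed addresses
    sid = store.login("dennis", {"User-Agent": FIREFOX}, nat_ip)
    return {
        "pc1_ie": store.validate(sid, {"User-Agent": IE}, nat_ip),
        "pc2_firefox": store.validate(sid, {"User-Agent": FIREFOX}, nat_ip),
        "pc2_ie": store.validate(sid, {"User-Agent": IE}, nat_ip),
        "outside_firefox": store.validate(sid, {"User-Agent": FIREFOX}, other_ip),
    }
```

With the signature check alone, any client sending the same User-Agent is accepted; with the IP check on, machines behind the same router still share one public address, so the second PC's Firefox request continues to validate.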