Re: Session Id in URL and Cookies [message #15690 is a reply to message #15684]
Wed, 31 December 2003 19:32
Ilia
Messages: 13241 Registered: January 2002
Karma: 0
Senior Member Administrator Core Developer
You can disable URL sessions; they are mostly there for people whose browsers reject or do not support cookies.
There is no risk in posting a URL with a session as part of it; the only 'problem' is that it makes the URL unnecessarily long.
The URLs sent via e-mail use the rview redirect, which allows the topic/message to be displayed in the format based on the recipient's preferences (flat or threaded).
In most cases you can simply replace the t=msg/tree with t=rview.
FUDforum Core Developer
Re: Session Id in URL and Cookies [message #15704 is a reply to message #15690]
Fri, 02 January 2004 12:49
wfjmueller
Messages: 95 Registered: December 2003 Location: Darmstadt, Germany
Karma: 0
Member
Ilia wrote on Wed, 31 December 2003 20:32 | You can disable URL sessions, they are mostly there for people whose browsers reject or do not support cookies.
Great, but how? The login dialog under 2.5.2 had a "Use cookie" checkbox, but under 2.6.0 I don't see it anymore. Also, when I log in to a 2.5.2 forum with "Use cookie" enabled, I still get an "S=...." appended to all URLs. I checked that cookies were enabled and working, and even that the cookie held the current session id string.
Re: Session Id in URL and Cookies [message #15714 is a reply to message #15706]
Fri, 02 January 2004 15:57
Ilia
Messages: 13241 Registered: January 2002
Karma: 0
Senior Member Administrator Core Developer
S != SQ. SQ string cannot be disabled and will always be part of the URL. Passing of the sessions via URL can be disabled via the admin control panel. Look @ the sessions section.
FUDforum Core Developer
Re: Session Id in URL and Cookies [message #15806 is a reply to message #15804]
Mon, 05 January 2004 15:56
Ilia
Messages: 13241 Registered: January 2002
Karma: 0
Senior Member Administrator Core Developer
In 2.6.0 you can make cookies expire just as quickly as URL sessions by enabling "Use Session Cookies".
FUDforum Core Developer
Re: Session Id in URL and Cookies [message #15819 is a reply to message #15810]
Mon, 05 January 2004 18:33
Ilia
Messages: 13241 Registered: January 2002
Karma: 0
Senior Member Administrator Core Developer
That's true; however, the same is true for URL sessions, to a smaller extent. If you leave the computer on a forum page and within a few minutes another user uses that terminal, they'll be able to use the forum as the user who didn't log out.
FUDforum Core Developer
Re: Session Id in URL and Cookies [message #15826 is a reply to message #15825]
Tue, 06 January 2004 01:09
Ilia
Messages: 13241 Registered: January 2002
Karma: 0
Senior Member Administrator Core Developer
The real solution here is user awareness. Users should always remember to log out, and if they can't be bothered to do so, at least when they log in, leave the "use cookies" checkbox unchecked.
FUDforum Core Developer
Re: Session Id in URL and Cookies [message #15845 is a reply to message #15825]
Tue, 06 January 2004 15:02
Gribnif
Messages: 82 Registered: December 2003
Karma: 0
Member
Ilia wrote on Mon, 05 January 2004 13:33 | That's true, however the same is true for URL sessions to a smaller extent. If you leave the computer on a forum page and within a few minutes another user uses that terminal they'll be able to use the forum as the user who didn't logout.
Yes, I realize that. However, as I said, the difference is that in order to become the previous user when only URL-based IDs are used, I have to intentionally go back in the browser's history.
But when cookies are used, as soon as I hit the forum's homepage, I become the previous user.
That's an important distinction, IMHO.
mocara wrote on Mon, 05 January 2004 20:04 | Surely the timeout can be kept as low as a person is reasonably likely to read the forum without clicking on a link? 2 minutes?
This doesn't work, because people often take more than 2 minutes to write a reply (like this one). I can recall using another board with this timeout set too low, and being frustrated when I hit the submit button, only to be told my session had timed out.
Re: Session Id in URL and Cookies [message #15856 is a reply to message #15847]
Wed, 07 January 2004 03:11
Ilia
Messages: 13241 Registered: January 2002
Karma: 0
Senior Member Administrator Core Developer
Gribnif wrote on Tue, 06 January 2004 10:19 |
Ilia wrote on Mon, 05 January 2004 20:09 | The real solution here is user awareness. Users should always remember to logout and if they can't be bothered to do so, at least when they login, leave the "use cookies" checkbox unchecked.
Just what does this checkbox do? I removed it from the quicklogin form in my version of the template, and FUD still sets the cookie, and still automatically logs me in when I return to the home page. (I made sure to delete the old cookie before doing this test.)
If you removed the checkbox and you allow URL sessions, that should prevent usage of cookies for session tracking.
FUDforum Core Developer
Re: Session Id in URL and Cookies [message #15891 is a reply to message #15864]
Thu, 08 January 2004 17:59
Ilia
Messages: 13241 Registered: January 2002
Karma: 0
Senior Member Administrator Core Developer
The cookie is 'set', but is not used. As soon as the browser is closed that cookie will be removed, since if cookies are disabled the cookie date will be set in the past, meaning it'll expire instantly on browser closure.
FUDforum Core Developer
Re: Session Id in URL and Cookies [message #15897 is a reply to message #15896]
Thu, 08 January 2004 19:14
Ilia
Messages: 13241 Registered: January 2002
Karma: 0
Senior Member Administrator Core Developer
The cookie is set BEFORE the user even logs in, and it cannot be destroyed until the browser closes. I cannot destroy it, not because I don't want to, but because there is no way for me to do it.
The cookie's contents are empty, so its presence is not an issue.
FUDforum Core Developer
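The three mechanisms this thread keeps returning to (cookie-only session tracking instead of an id in the URL, a cookie that the browser drops on close, and expiring a cookie by dating it in the past) shown in plain PHP, as an added example that is not FUDforum's own code; the cookie name and paths are hypothetical:

```php
<?php
// Added example, not FUDforum code: plain-PHP session settings in the
// defensive configuration this thread discusses.

// 1. Cookie-only session tracking: never accept or emit the id in the URL
//    (the admin-panel "sessions" option turns URL sessions off in FUDforum;
//    these are the equivalent php.ini settings, applied here at runtime).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');   // reject ids the server never issued

// 2. A "session cookie": lifetime 0 means the browser discards it on close,
//    comparable to the thread's "Use Session Cookies" option.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/forum/',   // hypothetical path
    'secure'   => true,        // only sent over HTTPS
    'httponly' => true,        // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_name('FUDSESS');       // hypothetical cookie name
session_start();

function login_user(int $userId): void
{
    // Fresh id at login, so an id handed out before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['uid'] = $userId;
    $_SESSION['last_seen'] = time();
}

function logout_user(): void
{
    // Drop server-side state, then expire the cookie by dating it in the past
    // (the same "date in the past" trick mentioned above).
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 86400, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

function idle_timeout(int $maxIdleSeconds = 1800): bool
{
    // Server-side idle timeout for the shared-terminal case in the thread;
    // keep it long enough that composing a reply does not expire the session.
    if (!isset($_SESSION['last_seen'])) return false;
    if (time() - $_SESSION['last_seen'] > $maxIdleSeconds) { logout_user(); return true; }
    $_SESSION['last_seen'] = time();
    return false;
}
```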
Re: Session Id in URL and Cookies [message #17314 is a reply to message #15714]
Wed, 24 March 2004 15:36
spyder
Messages: 5 Registered: March 2004
Karma: 0
Junior Member
Quote: | SQ string cannot be disabled and will always be part of the URL. Passing of the sessions via URL can be disabled via the admin control panel. Look @ the sessions section.
It looks to me as if the SQ string doesn't serve an obvious purpose. I tested several of the URLs without it, and still everything was fine. To please users and search engines (I use PATH_INFO style URLs) I would like to get rid of the SQ string.
Can this be done? And if yes, how can I do it?
Finally, I'm going to get rid of index.php by means of mod_rewrite through .htaccess, so I'm ending up with a URL like
http://my.domain/forum/f/1/2/
Any objections?
Thank you in advance
[Updated on: Wed, 24 March 2004 15:38]
Re: Session Id in URL and Cookies [message #17319 is a reply to message #17314]
Thu, 25 March 2004 16:01
Ilia
Messages: 13241 Registered: January 2002
Karma: 0
Senior Member Administrator Core Developer
SQ is a very important internal mechanism that performs session security. Removing it will create problems.
FUDforum Core Developer
Re: Session Id in URL and Cookies [message #17330 is a reply to message #15684]
Fri, 26 March 2004 03:09
spyder
Messages: 5 Registered: March 2004
Karma: 0
Junior Member
Quote: | SQ is a very important internal mechanism that performs session security. Removing will create problems.
What kind of problems? And how can I overcome them?
Nice URLs are one of the most important features for me. I'm willing to tweak a great deal to remove everything that looks like a session. If I cannot solve this point, the software will probably be useless to me, because it will turn away search engines like Google.
Why can't the session information be transported through cookies? My users are used to the fact that logging into my forum is possible only with JavaScript and cookies allowed. I could cut off the SQ value from every link on a page after rendering its HTML and store it as a cookie, and I might read it from the cookies and insert it into the URL by means of mod_rewrite.
I'm just curious what I have to take care of.
Is the SQ value changing throughout a session, and if so, when will this happen?
[Updated on: Fri, 26 March 2004 03:12]
@ Ilia [message #17386 is a reply to message #15684]
Sun, 28 March 2004 01:23
spyder
Messages: 5 Registered: March 2004
Karma: 0
Junior Member
I understand that SQ is important for session security. But unfortunately it also compromises my search engine ranking. What kind of session compromise could happen without SQ? I have not seen any other forum software yet with this kind of double security.
If the SQ is the same on every link on a given page, then it could also be passed to the browser as a cookie. Furthermore, the browser would give it back to the server with the next request. I'm willing to write this patch myself; I just would like to know whether there is any gross misunderstanding on my side.
Thank you for your time and...
btw: this piece of software seems to rock.
[Updated on: Sun, 28 March 2004 01:23]
Re: @ Ilia [message #17524 is a reply to message #17523]
Thu, 01 April 2004 22:43
Ilia
Messages: 13241 Registered: January 2002
Karma: 0
Senior Member Administrator Core Developer
No, it's the majority of software in general. Virtually every major PHP package I am familiar with has this vulnerability.