Author |
Topic  |
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
Posted - 20 May 2002 : 05:32:39
|
I have the fix applied to my forum (now running version 4.0Beta3 Patch04) and I can lock topics.
------------------------------------------------- Installation Guide | Do's and Dont's | MODs |
 |
|
Chiz
Junior Member
 
245 Posts |
Posted - 20 May 2002 : 05:39:24
|
I just tried locking and unlocking a topic in our forum with no problems. I think the fix is ok.
My websites: PalmVenue :: PV Mobile My Snitz MODs: Categorized Icons
|
 |
|
crash
Advanced Member
    
Netherlands
2064 Posts |
Posted - 20 May 2002 : 05:42:19
|
yes. what i think is the problem is that the cookie with the admin credentials isn't "saved/remembered" when a popup box is called. i don't know what you did or shuffled in inc_top_short.asp, but it looks like the credentials are not coming with the popup.
the popup displays a link to where you can re-authenticate, but this is a javascript link which points to the previous page, so that won't due...
i replaced the new one with the older version and it works now. but since there is this hole in it, i would really like to have my file fixed...
 Crash's Site | Crash is from 
|
 |
|
RichardKinser
Snitz Forums Admin
    
USA
16655 Posts |
Posted - 20 May 2002 : 05:51:48
|
Did you just replace your original inc_top_short.asp with the new one? Do you know if your original was was modified in any way? If it was, just replacing it will undoubtedly cause problems. Try just applying the changes to your original file. |
 |
|
crash
Advanced Member
    
Netherlands
2064 Posts |
Posted - 20 May 2002 : 05:56:15
|
okay, i will try to apply the changes manually. are these changes the ones described above in this topic?
 Crash's Site | Crash is from 
|
 |
|
RichardKinser
Snitz Forums Admin
    
USA
16655 Posts |
|
crash
Advanced Member
    
Netherlands
2064 Posts |
Posted - 20 May 2002 : 06:32:49
|
Richard, i added the changes manually to inc_top_short.asp and the file is working corectly now.
thank you for your time!
 Crash's Site | Crash is from 
|
 |
|
RichardKinser
Snitz Forums Admin
    
USA
16655 Posts |
Posted - 20 May 2002 : 06:34:48
|
you're welcome. |
 |
|
Jeepaholic
Average Member
  
USA
697 Posts |
Posted - 23 May 2002 : 04:52:40
|
Hey... I'm running 3.1SR2 and the inc_top_short file (I just inserted the entire file...the SR2 one was quite small in comparison <grin>) seems to be checking cookies in a different way. The problem I'm noticing is that pop_mail gives the following message:
* You Must be logged on to send a message
I tried hunting around to see if anyone's posted anything on this, but didn't run across anything. Any thoughts? Thanks for help with an old version... 
Al Bsharah Jeepaholics Anonymous |
 |
|
Davio
Development Team Member
    
Jamaica
12217 Posts |
Posted - 23 May 2002 : 11:02:09
|
Isn't there an option in the Admin options that allows you to set whether users have to be logged in to send an email from the forum, or they can be logged out to send an email.
Unless you are saying that pop_mail isn't identifying that you are logged in, after the changes you made?
«------------------------------------------------------» Want to know when the next version comes out, as soon as possible? Join our Mailing Lists ! |
 |
|
Jeepaholic
Average Member
  
USA
697 Posts |
Posted - 23 May 2002 : 11:43:58
|
Sorry for being unclear, yes...users are logged in and are unable to send mail via the pop-up because it doesn't correctly identify that they're logged in.
Al Bsharah Jeepaholics Anonymous |
 |
|
RichardKinser
Snitz Forums Admin
    
USA
16655 Posts |
Posted - 23 May 2002 : 12:02:30
|
I'm pretty sure that the cookie was different in v3.1sr2 than it is in v3.1sr4 & v3.3.03. I don't think it used strUniqueID, but used strCookieURL instead. |
 |
|
Jeepaholic
Average Member
  
USA
697 Posts |
Posted - 23 May 2002 : 14:42:47
|
I made those changes Richard, and that seemed to do the trick. Thanks!
Al Bsharah Jeepaholics Anonymous |
 |
|
Matt8109
New Member

64 Posts |
Posted - 23 May 2002 : 17:26:29
|
I am only a begginer at ASP so please forgive me if what I say is really really dumb. But instead of checking with the database every time a page is requested, couldn't you check the name and password once with the database when you log in. Then if the name and password entered are correct, move them into session variables. One every page, you could then check the session variables against the cookie. If the user is inactive for x amount of time, then that info will be deleted. So if the session username and password = "" then you could check it against the database and log them back in again. That way, they cant edit the session information, as it is on the server, and you know that it is the correct username and password, so if they dont match, you know they changed the cookie.
So the code would flow like this
Login page:
Get username & Password.
Check against the database.
If true Then Load that data into session Username & Session Password.
If Flase, then ask them again.
Then In Inc_top.asp
If session Username & Password<>Cookie Username & Password Clear the cookie and ask to log back in again
Else If session Username & Password="" Then Check cookie against database. If cookie Username & Password=DB username & Password Then Set Session Username & Password to = DB Username & Password Else If Cookie Username & Password<>DB Username & Password Then Clear Cookie & Ask them to log in again. End If End If
Wouldn't this be much faster then asking the DB every page? And most people aren't inactive for more than 20 minutes, unless writing long posts. And if they do go inactive you could just check the DB again and load it back into the session info.
Or am I totally wrong?
|
 |
|
ProGen
Starting Member
6 Posts |
Posted - 23 May 2002 : 18:16:04
|
It is possible to manipulate session cookies so it is vital that passwords are checked before every vital operation.
|
 |
|
Topic  |
|