Snitz Forums 2000
 Snitz Forums 2000 DEV-Group
 DEV Bug Reports (Open)
 (v3.1SR4)&(v3.3.xx) security related bug - cookie

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 20 May 2002 : 05:32:39
I have the fix applied to my forum (now running version 4.0Beta3 Patch04) and I can lock topics.


Chiz
Junior Member

245 Posts

Posted - 20 May 2002 : 05:39:24
I just tried locking and unlocking a topic in our forum with no problems. I think the fix is ok.


crash
Advanced Member

Netherlands
2064 Posts

Posted - 20 May 2002 : 05:42:19
Yes. What I think is the problem is that the cookie with the admin credentials isn't "saved/remembered" when a popup box is called. I don't know what you did or shuffled in inc_top_short.asp, but it looks like the credentials are not coming with the popup.

The popup displays a link to where you can re-authenticate, but this is a javascript link which points to the previous page, so that won't do...

I replaced the new one with the older version and it works now. But since there is this hole in it, I would really like to have my file fixed...


RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 20 May 2002 : 05:51:48
Did you just replace your original inc_top_short.asp with the new one? Do you know if your original was modified in any way? If it was, just replacing it will undoubtedly cause problems. Try just applying the changes to your original file.

crash
Advanced Member

Netherlands
2064 Posts

Posted - 20 May 2002 : 05:56:15
Okay, I will try to apply the changes manually. Are these changes the ones described above in this topic?


RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 20 May 2002 : 06:05:41
The changes to inc_top_short.asp are in my reply right after where Frutzle asked about them:

http://forum.snitz.com/forum/topic.asp?TOPIC_ID=28244#133048

crash
Advanced Member

Netherlands
2064 Posts

Posted - 20 May 2002 : 06:32:49
Richard, I added the changes manually to inc_top_short.asp and the file is working correctly now.

Thank you for your time!


RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 20 May 2002 : 06:34:48
You're welcome.

Jeepaholic
Average Member

USA
697 Posts

Posted - 23 May 2002 : 04:52:40
Hey... I'm running 3.1SR2 and the inc_top_short file (I just inserted the entire file...the SR2 one was quite small in comparison <grin>) seems to be checking cookies in a different way. The problem I'm noticing is that pop_mail gives the following message:

* You Must be logged on to send a message

I tried hunting around to see if anyone's posted anything on this, but didn't run across anything. Any thoughts? Thanks for help with an old version...

Al Bsharah
Jeepaholics Anonymous

Davio
Development Team Member

Jamaica
12217 Posts

Posted - 23 May 2002 : 11:02:09
Isn't there an option in the Admin options that allows you to set whether users have to be logged in to send an email from the forum, or whether they can send an email while logged out?

Unless you are saying that pop_mail isn't identifying that you are logged in, after the changes you made?


Jeepaholic
Average Member

USA
697 Posts

Posted - 23 May 2002 : 11:43:58
Sorry for being unclear, yes...users are logged in and are unable to send mail via the pop-up because it doesn't correctly identify that they're logged in.

Al Bsharah
Jeepaholics Anonymous

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 23 May 2002 : 12:02:30
I'm pretty sure that the cookie was different in v3.1sr2 than it is in v3.1sr4 & v3.3.03. I don't think it used strUniqueID, but used strCookieURL instead.

Jeepaholic
Average Member

USA
697 Posts

Posted - 23 May 2002 : 14:42:47
I made those changes Richard, and that seemed to do the trick. Thanks!

Al Bsharah
Jeepaholics Anonymous

Matt8109
New Member

64 Posts

Posted - 23 May 2002 : 17:26:29
I am only a beginner at ASP so please forgive me if what I say is really really dumb. But instead of checking with the database every time a page is requested, couldn't you check the name and password once with the database when you log in? Then if the name and password entered are correct, move them into session variables. On every page, you could then check the session variables against the cookie. If the user is inactive for x amount of time, then that info will be deleted. So if the session username and password = "" then you could check it against the database and log them back in again. That way, they can't edit the session information, as it is on the server, and you know that it is the correct username and password, so if they don't match, you know they changed the cookie.


So the code would flow like this:

Login page:

    Get username & password.
    Check against the database.
    If True Then
        Load that data into session Username & session Password.
    If False Then
        Ask them again.

Then in inc_top.asp:

    If session Username & Password = "" Then
        Check cookie against database.
        If cookie Username & Password = DB Username & Password Then
            Set session Username & Password to DB Username & Password
        Else
            Clear cookie & ask them to log in again.
        End If
    ElseIf session Username & Password <> cookie Username & Password Then
        Clear the cookie and ask to log back in again.
    End If


Wouldn't this be much faster than asking the DB every page? And most people aren't inactive for more than 20 minutes, unless writing long posts. And if they do go inactive you could just check the DB again and load it back into the session info.

Or am I totally wrong?

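The session-cache flow sketched in the post above, written out as a runnable Python simulation. This is an added example, not Snitz code: the dictionary member table, the SHA-256 stand-in for the stored password hash and the 20-minute timeout are constructed assumptions. It tests the empty-session case before comparing session to cookie (comparing first would clear every freshly presented cookie), and staleness_window shows the cost of the cache: a password changed in the database is not noticed for an already-populated session until that session expires.

```python
import hashlib
import hmac

# Constructed stand-in for the forum's member table (username -> stored password hash).
# The hash scheme is an assumption for this example, not the one Snitz uses.
def hash_password(password):
    return hashlib.sha256(password.encode()).hexdigest()

MEMBERS_DB = {"alice": hash_password("correct horse")}

# "Inactive for x amount of time": 20 minutes, as the post mentions (in seconds).
SESSION_TIMEOUT = 20 * 60


def authenticate(cookie, session, now):
    """One request's auth check. Returns (status, session).

    cookie:  {"user": ..., "pwd": ...} as presented by the browser, or None.
    session: the server-side cache {"user", "pwd", "last_seen"}, or {} when empty.
    status:  "anonymous" (no cookie), "ok" (matched the session cache, no DB hit),
             "ok_db" (session empty or expired, cookie verified against the DB),
             "cleared" (mismatch: clear the cookie and ask the user to log in again).
    """
    if not cookie:
        return "anonymous", {}
    # Drop the cache after the inactivity timeout so the DB is consulted again.
    if session and now - session["last_seen"] > SESSION_TIMEOUT:
        session = {}
    if not session:
        # Empty session: the one place the database is asked.
        stored = MEMBERS_DB.get(cookie["user"])
        if stored is None or not hmac.compare_digest(stored, cookie["pwd"]):
            return "cleared", {}
        return "ok_db", {"user": cookie["user"], "pwd": stored, "last_seen": now}
    # Populated session: compare the cookie with the server-held copy only.
    if session["user"] != cookie["user"] or not hmac.compare_digest(session["pwd"], cookie["pwd"]):
        return "cleared", {}
    session["last_seen"] = now
    return "ok", session


def staleness_window(now):
    """Trade-off of the cache: after a DB password change, a session populated
    before the change keeps accepting the old cookie until the cache expires."""
    original = MEMBERS_DB["alice"]
    old_cookie = {"user": "alice", "pwd": original}
    _, session = authenticate(old_cookie, {}, now)          # cache filled from the DB
    MEMBERS_DB["alice"] = hash_password("new password")     # admin resets the password
    still_ok, _ = authenticate(old_cookie, session, now + 60)
    after_expiry, _ = authenticate(old_cookie, session, now + SESSION_TIMEOUT + 61)
    MEMBERS_DB["alice"] = original                          # restore the constructed table
    return still_ok, after_expiry   # ("ok", "cleared")
```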

ProGen
Starting Member

6 Posts

Posted - 23 May 2002 : 18:16:04
It is possible to manipulate session cookies so it is vital that passwords are checked before every vital operation.
