| Author |
 Topic  |
|
ruirib
Snitz Forums Admin
Portugal
26364 Posts |
 Posted - 20 May 2002 : 05:32:39
|
I have the fix applied to my forum (now running version 4.0Beta3 Patch04) and I can lock topics.
-------------------------------------------------
Installation Guide | Do's and Dont's | MODs |
 |
|
|
Chiz
Junior Member
245 Posts |
Posted - 20 May 2002 : 05:39:24
|
I just tried locking and unlocking a topic in our forum with no problems. I think the fix is ok.
My websites: PalmVenue :: PV Mobile
My Snitz MODs: Categorized Icons
|
|
|
|
crash
Advanced Member
Netherlands
2064 Posts |
Posted - 20 May 2002 : 05:42:19
|
yes. what i think is the problem is that the cookie with the admin credentials isn't "saved/remembered" when a popup box is called. i don't know what you did or shuffled in inc_top_short.asp, but it looks like the credentials are not coming with the popup.
the popup displays a link to where you can re-authenticate, but this is a javascript link which points to the previous page, so that won't due...
i replaced the new one with the older version and it works now. but since there is this hole in it, i would really like to have my file fixed...
Crash's Site | Crash is from 
|
|
|
|
RichardKinser
Snitz Forums Admin
USA
16655 Posts |
Posted - 20 May 2002 : 05:51:48
|
| Did you just replace your original inc_top_short.asp with the new one? Do you know if your original was was modified in any way? If it was, just replacing it will undoubtedly cause problems. Try just applying the changes to your original file. |
|
|
|
crash
Advanced Member
Netherlands
2064 Posts |
Posted - 20 May 2002 : 05:56:15
|
okay, i will try to apply the changes manually. are these changes the ones described above in this topic?
Crash's Site | Crash is from
|
|
|
|
RichardKinser
Snitz Forums Admin
USA
16655 Posts |
|
|
crash
Advanced Member
Netherlands
2064 Posts |
Posted - 20 May 2002 : 06:32:49
|
Richard, i added the changes manually to inc_top_short.asp and the file is working corectly now.
thank you for your time!
Crash's Site | Crash is from
|
|
|
|
RichardKinser
Snitz Forums Admin
USA
16655 Posts |
Posted - 20 May 2002 : 06:34:48
|
| you're welcome. |
|
|
|
Jeepaholic
Average Member
USA
697 Posts |
Posted - 23 May 2002 : 04:52:40
|
Hey... I'm running 3.1SR2 and the inc_top_short file (I just inserted the entire file...the SR2 one was quite small in comparison <grin>) seems to be checking cookies in a different way. The problem I'm noticing is that pop_mail gives the following message:
* You Must be logged on to send a message
I tried hunting around to see if anyone's posted anything on this, but didn't run across anything. Any thoughts? Thanks for help with an old version... 
Al Bsharah
Jeepaholics Anonymous |
|
|
|
Davio
Development Team Member
Jamaica
12217 Posts |
Posted - 23 May 2002 : 11:02:09
|
Isn't there an option in the Admin options that allows you to set whether users have to be logged in to send an email from the forum, or they can be logged out to send an email.
Unless you are saying that pop_mail isn't identifying that you are logged in, after the changes you made?
«------------------------------------------------------»
Want to know when the next version comes out,
as soon as possible? Join our Mailing Lists ! |
|
|
|
Jeepaholic
Average Member
USA
697 Posts |
Posted - 23 May 2002 : 11:43:58
|
Sorry for being unclear, yes...users are logged in and are unable to send mail via the pop-up because it doesn't correctly identify that they're logged in.
Al Bsharah
Jeepaholics Anonymous |
|
|
|
RichardKinser
Snitz Forums Admin
USA
16655 Posts |
Posted - 23 May 2002 : 12:02:30
|
| I'm pretty sure that the cookie was different in v3.1sr2 than it is in v3.1sr4 & v3.3.03. I don't think it used strUniqueID, but used strCookieURL instead. |
|
|
|
Jeepaholic
Average Member
USA
697 Posts |
Posted - 23 May 2002 : 14:42:47
|
I made those changes Richard, and that seemed to do the trick. Thanks!
Al Bsharah
Jeepaholics Anonymous |
|
|
|
Matt8109
New Member
64 Posts |
Posted - 23 May 2002 : 17:26:29
|
I am only a begginer at ASP so please forgive me if what I say is really really dumb. But instead of checking with the database every time a page is requested, couldn't you check the name and password once with the database when you log in. Then if the name and password entered are correct, move them into session variables. One every page, you could then check the session variables against the cookie. If the user is inactive for x amount of time, then that info will be deleted. So if the session username and password = "" then you could check it against the database and log them back in again. That way, they cant edit the session information, as it is on the server, and you know that it is the correct username and password, so if they dont match, you know they changed the cookie.
So the code would flow like this
Login page:
Get username & Password.
Check against the database.
If true Then
Load that data into session Username & Session Password.
If Flase, then ask them again.
Then In Inc_top.asp
If session Username & Password<>Cookie Username & Password
Clear the cookie and ask to log back in again
Else If session Username & Password="" Then
Check cookie against database.
If cookie Username & Password=DB username & Password Then
Set Session Username & Password to = DB Username & Password
Else If Cookie Username & Password<>DB Username & Password Then
Clear Cookie & Ask them to log in again.
End If
End If
Wouldn't this be much faster then asking the DB every page? And most people aren't inactive for more than 20 minutes, unless writing long posts. And if they do go inactive you could just check the DB again and load it back into the session info.
Or am I totally wrong?
|
|
|
|
ProGen
Starting Member
6 Posts |
Posted - 23 May 2002 : 18:16:04
|
It is possible to manipulate session cookies so it is vital that passwords are checked before every vital operation.
|
|
|
|
Topic |
|
Topic Locked
