As I suspected, for my issue and some of my users. After uninstalling the Google Wave Frame for IE, I no longer have this issue.
3.8.4 PL2 users are having cookie / re-login issues
Collapse
This topic is closed.
X
X
-
Comment
-
Getting the same problem here ParkD
I've changed the prefix from BB to UOF, restarted mysql and apache (just incase, as I use XCache) and cleared my own cookies
In firefox, I've had to login twice since, but not today, but with IE8, I have to login each time I open the browser.
Numerous people are having the same problem and it's only since upgrading the forum with the latest security patch.
(I'm not using Googlewave mind you, so not sure what it is heh)Comment
-
I got the same problems the moment I upgraded to the latest 3.8.4 PL2. My members are MOANING loudly. I have been through clearing cookies with them but they are still having to continually log in are being logged out after opening a post or refreshing a page. Does anyone have a solution yet? ThanksComment
-
Comment
-
I see a lot of people are having cookie-related issues since patch upgrade, which is quite understandable considering that the cookie salt value got changed. What surprises me is that no official word has been given, no warning to forum admins that their all of their members will lose their previous autologin cookie upon the upgrade.Comment
-
Yes that is surprising that we did not have a heads up about the cookies, but even more surprising that a solution is not yet available. I have followed all the advice in the couple of threads running on this topic and I still have the issues. Spose I'll have to open a ticket.
I see a lot of people are having cookie-related issues since patch upgrade, which is quite understandable considering that the cookie salt value got changed. What surprises me is that no official word has been given, no warning to forum admins that their all of their members will lose their previous autologin cookie upon the upgrade.Comment
-
This is busting my balls as well. I don't see why we should have to individually open a ticket over it when it is a common issue. Just fix it and give us a PL3 if necessary.Anybody who says "it can't be done" will usually be interrupted by somebody who is already doing it.Comment
-
The issue was that the license key for each vB install was used as the salt for cookies, this string was very short and could be brute forced so they moved to a longer string and as an added step they are randomly generating it on each download of the zip file.
Now there is a fix (kind of): you can save the original cookie hash you have running on your forums right now and you can manually change that constant on each upgrade so the previous cookies are still valid. This could open you up to security issues though. You need to balance the security of your community to the inconvenience of having to log back in after each upgrade.👍 1Comment
-
True. Here is a question: Why do they add the cookie salt as a hard-coded value? Why not generate it on the fly (by using some pseudo random function) during installation with the option to allow for changing it through AdminCP?Comment
-
I'm not really sure what we will do on our forums, we have several large sites and having to always apply the same cookie hash during an upgrade really seems like a nightmare so we too may have to put up with users complaining about cookies not working properly after each upgrade. Or maybe there is a better way of handling this that I don't see and it will be released during the next patch cycle. It's quite possible this was a quick fix to get the fix pushed out quickly since it would be pretty trivial to brute force a vB license key.Comment
-
Having to login after an upgrade is not so bad, but having to continually log in, and getting logged off every few minutes is a little more than an inconvenience. Any idea why some/plenty of members are having these issues (especially with Chrome) ThanksComment
-
Have you ever changed the cookie domain or cookie path settings under Options in AdminCP? Maybe someone logged in before you changed that setting and had an old hash and logging back in didn't clear out the old cookies. If the problem persists past them clearing cookies then you might try uploading the files again since that would indicate other issues that aren't just cookie related.
Modifications and plugins could also cause some problems like this.Comment
-
There really won't be a fix for this, in fact this will be the gift that just keeps on giving. If you look at the cookie salt each time you download vBulletin it changes, so the cookies become invalid on every upgrade now.
The issue was that the license key for each vB install was used as the salt for cookies, this string was very short and could be brute forced so they moved to a longer string and as an added step they are randomly generating it on each download of the zip file.
Now there is a fix (kind of): you can save the original cookie hash you have running on your forums right now and you can manually change that constant on each upgrade so the previous cookies are still valid. This could open you up to security issues though. You need to balance the security of your community to the inconvenience of having to log back in after each upgrade.
And clearing cookies is a nasty option. Having to clear cookies to get one site back on the straight and narrow when it's going to affect your access to untold numbers of other sites is just unacceptable... especially when clearing cookies doesn't do any good for the one site in question.Anybody who says "it can't be done" will usually be interrupted by somebody who is already doing it.Comment
widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
Comment