3.8.4 PL2 users are having cookie / re-login issues

Collapse
This topic is closed.
X
X
 
  • Time
  • Show
Clear All
new posts
  • parkd
    New Member
    • Apr 2009
    • 7
    • 3.8.x

    #16
    As I suspected, for my issue and some of my users. After uninstalling the Google Wave Frame for IE, I no longer have this issue.

    Comment

    • parkd
      New Member
      • Apr 2009
      • 7
      • 3.8.x

      #17
      Originally posted by parkd
      As I suspected, for my issue and some of my users. After uninstalling the Google Wave Frame for IE, I no longer have this issue.

      I asked one of my users that also had this problem to remove the wave frame and his issue went away.

      Comment

      • Deimos
        Senior Member
        • Oct 2002
        • 1517
        • 3.8.x

        #18
        Getting the same problem here ParkD
        I've changed the prefix from BB to UOF, restarted mysql and apache (just incase, as I use XCache) and cleared my own cookies
        In firefox, I've had to login twice since, but not today, but with IE8, I have to login each time I open the browser.
        Numerous people are having the same problem and it's only since upgrading the forum with the latest security patch.
        (I'm not using Googlewave mind you, so not sure what it is heh)

        Comment

        • jimjam
          Senior Member
          • Jul 2007
          • 217
          • 3.6.x

          #19
          I got the same problems the moment I upgraded to the latest 3.8.4 PL2. My members are MOANING loudly. I have been through clearing cookies with them but they are still having to continually log in are being logged out after opening a post or refreshing a page. Does anyone have a solution yet? Thanks

          Comment

          • Paul M
            Former Lead Developer
            vB.Com & vB.Org
            • Sep 2004
            • 9886

            #20
            Originally posted by acwatts
            How do you tell users to delete cookies after the browser is closed, the delete cookies option is built in to the browser. ?
            You can delete them from the cookies folder (for IE anyway, not sure about FF).
            Baby, I was born this way

            Comment

            • AlexanderT
              Senior Member
              • Mar 2003
              • 992

              #21
              I see a lot of people are having cookie-related issues since patch upgrade, which is quite understandable considering that the cookie salt value got changed. What surprises me is that no official word has been given, no warning to forum admins that their all of their members will lose their previous autologin cookie upon the upgrade.

              Comment

              • jimjam
                Senior Member
                • Jul 2007
                • 217
                • 3.6.x

                #22
                Yes that is surprising that we did not have a heads up about the cookies, but even more surprising that a solution is not yet available. I have followed all the advice in the couple of threads running on this topic and I still have the issues. Spose I'll have to open a ticket.

                Originally posted by AlexanderT
                I see a lot of people are having cookie-related issues since patch upgrade, which is quite understandable considering that the cookie salt value got changed. What surprises me is that no official word has been given, no warning to forum admins that their all of their members will lose their previous autologin cookie upon the upgrade.

                Comment

                • bigwater
                  Senior Member
                  • Jan 2007
                  • 592

                  #23
                  This is busting my balls as well. I don't see why we should have to individually open a ticket over it when it is a common issue. Just fix it and give us a PL3 if necessary.
                  Anybody who says "it can't be done" will usually be interrupted by somebody who is already doing it.

                  Comment

                  • The Prohacker
                    Senior Member
                    • Apr 2001
                    • 1212
                    • 3.8.x

                    #24
                    Originally posted by bigwater
                    This is busting my balls as well. I don't see why we should have to individually open a ticket over it when it is a common issue. Just fix it and give us a PL3 if necessary.
                    There really won't be a fix for this, in fact this will be the gift that just keeps on giving. If you look at the cookie salt each time you download vBulletin it changes, so the cookies become invalid on every upgrade now.

                    The issue was that the license key for each vB install was used as the salt for cookies, this string was very short and could be brute forced so they moved to a longer string and as an added step they are randomly generating it on each download of the zip file.

                    Now there is a fix (kind of): you can save the original cookie hash you have running on your forums right now and you can manually change that constant on each upgrade so the previous cookies are still valid. This could open you up to security issues though. You need to balance the security of your community to the inconvenience of having to log back in after each upgrade.

                    Comment

                    • AlexanderT
                      Senior Member
                      • Mar 2003
                      • 992

                      #25
                      Originally posted by The Prohacker
                      You need to balance the security of your community to the inconvenience of having to log back in after each upgrade.
                      True. Here is a question: Why do they add the cookie salt as a hard-coded value? Why not generate it on the fly (by using some pseudo random function) during installation with the option to allow for changing it through AdminCP?

                      Comment

                      • The Prohacker
                        Senior Member
                        • Apr 2001
                        • 1212
                        • 3.8.x

                        #26
                        Originally posted by AlexanderT
                        True. Here is a question: Why do they add the cookie salt as a hard-coded value? Why not generate it on the fly (by using some pseudo random function) during installation with the option to allow for changing it through AdminCP?
                        Honestly that is one way I would handle it, if you believe the hash was compromised that is easy enough to regenerate and a great reason to force everyone to log back in. There are several methods to securely handle saved login credentials. I really think this was a knee-jerk reaction and that randomly changing the cookie hash on each download generation will create a lot of havoc (see above posts for the common complaints). The likelihood of someone brute forcing a 25+ character string is quite low, they added the randomization to virtually eliminate the chances but it's a step too far. I had hoped vB might have adopted a DB driven approach in v4 but I just checked the code and it's exactly the same.

                        I'm not really sure what we will do on our forums, we have several large sites and having to always apply the same cookie hash during an upgrade really seems like a nightmare so we too may have to put up with users complaining about cookies not working properly after each upgrade. Or maybe there is a better way of handling this that I don't see and it will be released during the next patch cycle. It's quite possible this was a quick fix to get the fix pushed out quickly since it would be pretty trivial to brute force a vB license key.

                        Comment

                        • jimjam
                          Senior Member
                          • Jul 2007
                          • 217
                          • 3.6.x

                          #27
                          Originally posted by The Prohacker
                          You need to balance the security of your community to the inconvenience of having to log back in after each upgrade.
                          Having to login after an upgrade is not so bad, but having to continually log in, and getting logged off every few minutes is a little more than an inconvenience. Any idea why some/plenty of members are having these issues (especially with Chrome) Thanks

                          Comment

                          • The Prohacker
                            Senior Member
                            • Apr 2001
                            • 1212
                            • 3.8.x

                            #28
                            Originally posted by jimjam
                            Having to login after an upgrade is not so bad, but having to continually log in, and getting logged off every few minutes is a little more than an inconvenience. Any idea why some/plenty of members are having these issues (especially with Chrome) Thanks
                            I run Chrome and I haven't ran into any of these type of issues, I stay logged in to our forums pretty consistently. And I really haven't seen any complaints on our communities of this either.

                            Have you ever changed the cookie domain or cookie path settings under Options in AdminCP? Maybe someone logged in before you changed that setting and had an old hash and logging back in didn't clear out the old cookies. If the problem persists past them clearing cookies then you might try uploading the files again since that would indicate other issues that aren't just cookie related.

                            Modifications and plugins could also cause some problems like this.

                            Comment

                            • m5m5m5
                              Senior Member
                              • Dec 2006
                              • 115

                              #29
                              Man, what's happening to vbulletin???? This is NOT a small issue, members are complaining. yet there is no official patch to fix this. Or no warning? come on!

                              Comment

                              • bigwater
                                Senior Member
                                • Jan 2007
                                • 592

                                #30
                                Originally posted by The Prohacker
                                There really won't be a fix for this, in fact this will be the gift that just keeps on giving. If you look at the cookie salt each time you download vBulletin it changes, so the cookies become invalid on every upgrade now.

                                The issue was that the license key for each vB install was used as the salt for cookies, this string was very short and could be brute forced so they moved to a longer string and as an added step they are randomly generating it on each download of the zip file.

                                Now there is a fix (kind of): you can save the original cookie hash you have running on your forums right now and you can manually change that constant on each upgrade so the previous cookies are still valid. This could open you up to security issues though. You need to balance the security of your community to the inconvenience of having to log back in after each upgrade.
                                I'm certainly not complaining about having to log in after each upgrade. I even explain to my users when they complain after having to log in after each upgrade that it's just a function of the upgrade. However this is ridiculous. This is having to log in every time you come back to the board regardless of whether you've checked "remember me" or not... and it's having to log back in if you go to take some friends to the pool and it takes more than 5 minutes.

                                And clearing cookies is a nasty option. Having to clear cookies to get one site back on the straight and narrow when it's going to affect your access to untold numbers of other sites is just unacceptable... especially when clearing cookies doesn't do any good for the one site in question.
                                Anybody who says "it can't be done" will usually be interrupted by somebody who is already doing it.

                                Comment

                                widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                                Working...