1. forum error
- Posted by useless Aug 30, 2009
- 996 views
I just got this after clicking "Post":
Security Violation You have attempted to perform an action beyond your security level. If you feel this is an error, please contact the site admins. Please use your browser's back button to continue using a different area of the web site.
Thank you!
useless
2. Re: forum error
- Posted by jeremy (admin) Aug 30, 2009
- 1004 views
I just got this after clicking "Post":
Security Violation You have attempted to perform an action beyond your security level. If you feel this is an error, please contact the site admins. Please use your browser's back button to continue using a different area of the web site.
Hm. How did you post this? Did you have to log back in? It seems the forum didn't recognize your user cookie.
Jeremy
3. Re: forum error
- Posted by useless Aug 30, 2009
- 960 views
I just got this after clicking "Post":
Security Violation You have attempted to perform an action beyond your security level. If you feel this is an error, please contact the site admins. Please use your browser's back button to continue using a different area of the web site.
Hm. How did you post this? Did you have to log back in? It seems the forum didn't recognize your user cookie.
Jeremy
Yes, I went back to the forum and logged in. Thereafter, all was fine. Hmmm, we have weather here atm, is it possible a snafu in the connection caused me to have a new IP address before I clicked Post, and that's why it wasn't recognised?
useless
4. Re: forum error
- Posted by jeremy (admin) Aug 30, 2009
- 990 views
Yes, I went back to the forum and logged in. Thereafter, all was fine. Hmmm, we have weather here atm, is it possible a snafu in the connection caused me to have a new IP address before I clicked Post, and that's why it wasn't recognised?
Yes, that is very possible. One way the system prevents snatching of a simple user cookie is to compare your current IP to that of the IP when the session was created. This is not foolproof by itself, but there are other checks in place. So, if your IP changed, then it would have caused this problem.
Jeremy
5. Re: forum error
- Posted by CoJaBo Aug 31, 2009
- 948 views
One way the system prevents snatching of a simple user cookie is to compare your current IP to that of the IP when the session was created. This is not foolproof by itself, but there are other checks in place. So, if your IP changed, then it would have caused this problem.
Jeremy
As I mentioned before, IP-based authentication is a really bad idea... At the very least, there needs to be a checkbox on the login form to turn it off (IMHO, the default should be off, since no one is going to know what it means).
6. Re: forum error
- Posted by jeremy (admin) Aug 31, 2009
- 929 views
As I mentioned before, IP-based authentication is a really bad idea... At the very least, there needs to be a checkbox on the login form to turn it off (IMHO, the default should be off, since no one is going to know what it means).
It's not at all IP-based authentication. Once you are authenticated (by a session cookie) it compares, in addition to cookie/session-based authentication, the IP address.
Jeremy
7. Re: forum error
- Posted by jimcbrown (admin) Aug 31, 2009
- 881 views
As I mentioned before, IP-based authentication is a really bad idea... At the very least, there needs to be a checkbox on the login form to turn it off (IMHO, the default should be off, since no one is going to know what it means).
It's not at all IP-based authentication. Once you are authenticated (by a session cookie) it compares, in addition to cookie/session-based authentication, the IP address.
Jeremy
Indeed. On the old forum, I was able to stay logged into the forum on two separate computers at the same time, as long as they showed up with the same IP (via NAT).
Now, when I log into one, then check the other computer, it is logged out.
8. Re: forum error
- Posted by CoJaBo Aug 31, 2009
- 828 views
As I mentioned before, IP-based authentication is a really bad idea... At the very least, there needs to be a checkbox on the login form to turn it off (IMHO, the default should be off, since no one is going to know what it means).
It's not at all IP-based authentication. Once you are authenticated (by a session cookie) it compares, in addition to cookie/session-based authentication, the IP address.
Jeremy
The problem isn't with authentication in this case, it's about blocking legit users. Home IP addresses change anywhere from a few minutes to several months, and it makes no sense to force those people to have to log in to post and again after they have finished typing just to provide a very minimal increase in security.
Even worse, certain ISPs, businesses, and wifi hotspots served from a pool of proxies may not be able to access the forum at all; their IP changes with every request.
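
The check discussed in this thread (compare the request's IP with the IP recorded when the session was created) together with the proposed login-form opt-out, as an added example that is not the forum's own code. The class and function names, the `bind_ip` flag, the user names and the addresses are assumptions constructed for illustration.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    created_ip: str   # address seen when the session was created
    bind_ip: bool     # hypothetical opt-out, like the checkbox proposed in the thread

class SessionStore:
    def __init__(self):
        self._sessions = {}

    def login(self, user, ip, bind_ip=True):
        token = secrets.token_urlsafe(32)  # value carried in the session cookie
        self._sessions[token] = Session(user, ip, bind_ip)
        return token

    def check(self, token, ip):
        """Return (user, reason); user is None when the request is refused."""
        sess = self._sessions.get(token)
        if sess is None:
            return None, "unknown-session"
        if sess.bind_ip and sess.created_ip != ip:
            # A replayed cookie and a legitimate user whose address changed
            # are indistinguishable here: both are sent back to the login form.
            return None, "ip-mismatch"
        return sess.user, "ok"

def scenarios():
    """Constructed requests using documentation-range addresses."""
    store = SessionStore()
    home, new_lease, elsewhere = "203.0.113.10", "203.0.113.77", "198.51.100.5"
    bound = store.login("alice", home)
    unbound = store.login("bob", home, bind_ip=False)
    return {
        "same_ip": store.check(bound, home),
        "lease_changed": store.check(bound, new_lease),     # legitimate user refused
        "replay_other_net": store.check(bound, elsewhere),  # copied cookie refused
        "replay_same_nat": store.check(bound, home),        # copied cookie behind same NAT accepted
        "unbound_any_ip": store.check(unbound, elsewhere),  # opt-out: cookie alone decides
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:18} {result}")
```

The `lease_changed` and `replay_same_nat` rows are the two failure modes raised in the thread: the comparison refuses a legitimate user whose address changed, and it cannot tell two machines behind one NAT address apart.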