Journeyman
Joined: Jun 2008
Posts: 92
Likes: 1
I was having trouble extending the cookie lifetime setting in:

MASTER SETTINGS > PRIMARY > COOKIE LIFETIME

After grepping the code, I found that the following files hard-code a 1-week maximum (version 7.7.1).

I honestly believe that the configured setting set by the admin should be preserved. I hope this can be updated in a future release.

Thanks in advance for considering this suggestion.

Here is the code:
PHP Code
if ($config['COOKIE_LIFETIME'] > 2592000) $config['COOKIE_LIFETIME'] = 2592000; 

List of files:

Code
admin/loginas.php # Line 64
install/install.php # Sets default value. Don't know if it resets existing setting.
install/createtable.php # Line 2581
libs/html.inc.php # Line 1502
scripts/changebasic.inc.php # Line 642


Today they call you "crazy".
Tomorrow they call you "ahead of your time".
UBB.threads Developer
Joined: Jun 2006
Posts: 16,292
Likes: 116
The cookie lifetime is set in minutes in the Control Panel (as the page states for the input box); the hardcoded value of 2592000 seconds (in the code) is a real world maximum of 30 days, we advise against values of infinity.

Asking users to revalidate that they are the account owner every 30 days by being forced to login to their account is far from unreasonable, and adds a layer of security to your forums... It's not like we're forcing them to update their passwords.


I am a Web Development Contractor, I do not work for UBBCentral. I have provided free User to User Support since the beginning of these support forums.
Do you need Forum Install or Upgrade Services?
Forums: A Gardeners Forum, Scouters World
UBB.threads: UBBWiki, UBB Styles, UBB.Sitemaps
Longtime Supporter & Resident Post-A-Holic
VNC Web Services: Code Modifications, Upgrades, Styling, Coding Services, Disaster Recovery, and more!
UBB.threads Developer
Joined: Apr 2004
Posts: 1,945
Likes: 145
From the UBB.threads 7.5.9 Changelog:
"LIBS/HTML.INC- The maximum Cookie Lifetime was loosened-up a bit, to 2592000 (30 days)"
SOURCE: https://www.ubbcentral.com/forums/ubbthreads.php/topics/254570

Originally Posted by mmem700
Code
admin/loginas.php # Line 64.
If the admin has not logged in within 7 days or within the defined cookie setting (whichever is the lesser), they are asked to log in again. Security.

Originally Posted by mmem700
Code
install/install.php # Sets default value. Don't know if it resets existing setting.
At this point, this script is CREATING and POPULATING the configuration file for a new install.
You don't even have a configuration file yet. This is the script which gathers all the "FIRST RUN" defaults for your freshly installed forum.

Originally Posted by mmem700
Code
install/createtable.php # Line 2581
At this point, the script is CREATING and POPULATING the default-user settings in the database for a new install.
This is the script which literally is creating the database for your forum.

Originally Posted by mmem700
Code
libs/html.inc.php # Line 1502
This sets a default cookie expiration maximum of 30 days. That means if the setting within the control panel is beyond/outside of 30 days, it is corrected to just 30 days. If no value is set, we will use 7 days. Which is fair and reasonable.

We are not asking you to change your password every 30 days. We are asking that you login at least once every 30 days.
And that is what's hard-coded.



Originally Posted by mmem700
Code
scripts/changebasic.inc.php # Line 642
This line tells only the current cookie of the current member to expire within 7 days or within the defined cookie setting (whichever is the lesser) only when the user changes something and submits that change on their Account Profile page, such as password, email address, forum profile, etc. But if they log out and then back in again, their cookie gets reset to using the forum default setting, which I've detailed above.


Current developer of UBB.threads PHP Forum Software
Current Release: UBBT 7.7.5 // Preview: UBBT 8.0.0
isaac @ id242.com // my forum @ CelicaHobby.com
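The lifetime policy described in the reply above, written out as an added illustration (this is not UBB.threads code). It assumes the configured value has already been converted to seconds, as in the quoted `$config['COOKIE_LIFETIME'] > 2592000` check, and treats the "login as" and profile-change paths as the ones where the lesser of 7 days and the configured value applies.

```php
<?php
// Added illustration of the cookie-lifetime policy described in this thread;
// not UBB.threads code. Assumes the configured value is already in seconds.
const COOKIE_LIFETIME_MAX     = 2592000; // 30 days: the hard-coded cap
const COOKIE_LIFETIME_DEFAULT = 604800;  // 7 days: used when nothing is configured
const COOKIE_LIFETIME_REAUTH  = 604800;  // 7 days: ceiling after sensitive actions

/**
 * Effective cookie lifetime in seconds.
 * $configured: admin setting in seconds, or null when unset.
 * $afterSensitiveAction: true for the admin "login as" path and for the
 * cookie re-issued after a profile/password change, where the lesser of
 * 7 days and the configured value applies.
 */
function effective_cookie_lifetime(?int $configured, bool $afterSensitiveAction = false): int
{
    $lifetime = ($configured === null || $configured <= 0)
        ? COOKIE_LIFETIME_DEFAULT
        : min($configured, COOKIE_LIFETIME_MAX);   // the clamp quoted in the thread
    if ($afterSensitiveAction) {
        $lifetime = min($lifetime, COOKIE_LIFETIME_REAUTH);
    }
    return $lifetime;
}

// Constructed sample settings: unset, 1 day, 30 days, 90 days (seconds).
foreach ([null, 86400, 2592000, 7776000] as $setting) {
    printf("configured=%-8s normal=%8d sensitive=%7d\n",
        var_export($setting, true),
        effective_cookie_lifetime($setting),
        effective_cookie_lifetime($setting, true));
}
```

The 90-day row shows the behaviour the original poster ran into: the value is silently reduced to 30 days for the normal login cookie and to 7 days after a profile change.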
Journeyman
Joined: Jun 2008
Posts: 92
Likes: 1
I really appreciate the very detailed answer. Thanks for that.

I have to say, with all sincerity, that one of the contributing factors to the huge success of big social media is that they don't require frequent logins. This is a huge factor in the public mind when they consider if they want to stop by for a quick visit.

I have gone months without re-logging in to Facebook (for example) and that fact contributes to my willingness to jump on often.

Many of us are unfortunately competing (either directly or indirectly) with big social media and having "the login barrier" ultimately affects our traffic.

I honestly feel that the cookie lifetime should be left to the discretion of the admins. They can tune the balance between convenience and security according to their application and venue.

So I do make this request for a future update.

It's perfectly fine to default the cookie lifetime to 30 days, but forcing a one-size-fits-all policy on admins is not ideal in my humble opinion.

So please consider this request for a future update.

Thanks again and I really appreciate your time.


UBB.threads Developer
Joined: Jun 2006
Posts: 16,292
Likes: 116
You're welcome to modify the software to fit your needs, as is any forum owner, but the stock behavior will remain for security.


Journeyman
Joined: Jun 2008
Posts: 92
Likes: 1
Sad to hear that.

Thanks for the reply.


UBB.threads Developer
Joined: Apr 2004
Posts: 1,945
Likes: 145
Originally Posted by mmem700
Sad to hear that.

Thanks for the reply.
Sorry to hear that you feel that way.

User privacy and user security is a priority for this software.
Leaving stale cookies on a visitors computer has no place within that priority.

As said earlier, you are welcome to modify the software to fit your needs.


Journeyman
Joined: Jun 2008
Posts: 92
Likes: 1
Thanks for responding Isaac. I appreciate you taking the time.

Please know that I'm not trying to belabor a point at all. I like UBB Threads and have used it for many years. My intention is only to help make good software even better by contributing good ideas. That's all.

So, this issue really isn't big in terms of my own situation. It only means a little inconvenience. It means that I have to find-and-modify the code each time I install an update, and that's not too hard and something I can live with.

I do hope the information below will help.

In short, forcing periodic logins does not increase security for this reason.

Scenario #1:

When cracker gets access to an account, the very first thing a cracker may do is:

1. Change the password.
2. Log out.
3. Log back in with the new password.

In this scenario, if periodic logins are forced:
This locks the original user out (because the cracker logged them out) and gives the cracker exclusive access to the account.

In this scenario, if periodic logins are not forced:
If the cracker does not log the user out (and if a password-change does not forcibly log the user out), the cracker can use/monitor the account without the user knowing.

In this situation, requiring periodic logins does not increase security. It only decreases the window of time a user has access to a compromised account (unless the user is logged out by the cracker or the software), and prevents the user from re-changing the password (during that window of time) to recover the account.

Scenario #2:

If a cracker obtains access to an account by spoofing a cookie and does not change the password (ostensibly to use/monitor the account without the user knowing), then if a user logs in again, the cracker will just spoof the cookie again using the same method they used the first time. So in this scenario, forcing periodic logins does not increase security. Other means (like SSL) would have to be implemented to improve security.

In conclusion, forcing users to re-login periodically does not improve security.

So really, a few rules that would improve security (from a software perspective) would be:

1. Require email verification on each password change. Big social media does this.

2. Notify a user when the forum is accessed from another IP (actually from a different CIDR so as to eliminate multiple notifications when ISPs round-robin their IP addresses) or a different device. Big social media does this too.

3. Force a logout during a password change. This will allow the user to know that their account has been compromised the very next time they visit.

4. Require a multi-stage login/user verification. Big social media does this too.

etc.

I truly hope this helps. Again, I'm only trying to offer information to make the software we all use better in the long run.

Facebook, Twitter, and virtually all the other big players in social media do not use periodic forced logins, and for good reason. They don't increase security but they do decrease user engagement (obviously a bad thing), because people hate re-entering their credentials and big social media knows this.

So really, I would still suggest not capping the admins' cookie-lifetime that they set in the control panel. It ultimately only reduces user engagement and offers no real security advantage.

Your software is very good and I appreciate all the work that you do. That is why we keep periodically renewing our subscription.

Thanks again and all the best.


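Rule 2 in the post above (notify on a login from a different network block, not merely a different address) as an added illustration; this is not UBB.threads code. It handles IPv4 only, and the prefix length of /24 is an assumed, admin-tunable value.

```php
<?php
// Added illustration of the "different CIDR" notification check proposed
// above; not UBB.threads code. IPv4 only; prefix length is an assumption.

/** Network part of an IPv4 address as an unsigned int, or null if invalid. */
function ipv4_network(string $ip, int $prefix): ?int
{
    $long = ip2long($ip);
    if ($long === false || $prefix < 0 || $prefix > 32) {
        return null;
    }
    $mask = $prefix === 0 ? 0 : (0xFFFFFFFF << (32 - $prefix)) & 0xFFFFFFFF;
    return ($long & 0xFFFFFFFF) & $mask;
}

/** True when the new login comes from a different /$prefix block than the last one. */
function should_notify_new_network(string $lastIp, string $currentIp, int $prefix = 24): bool
{
    $last = ipv4_network($lastIp, $prefix);
    $cur  = ipv4_network($currentIp, $prefix);
    // Unparseable input is treated as a change, so the user is told rather than not.
    return $last === null || $cur === null || $last !== $cur;
}

// Constructed sample pairs: same /24 (ISP address rotation), different /24, malformed.
$samples = [
    ['203.0.113.10', '203.0.113.77'],
    ['203.0.113.10', '198.51.100.5'],
    ['203.0.113.10', 'not-an-ip'],
];
foreach ($samples as [$last, $cur]) {
    printf("%-14s -> %-14s notify=%s\n", $last, $cur,
        should_notify_new_network($last, $cur) ? 'yes' : 'no');
}
```

Only the second and third pairs produce a notification; the first pair stays inside the same /24 block and is suppressed, which is the round-robin case the post describes.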
Veteran
Joined: Feb 2007
Posts: 1,294
Likes: 2
Mmem700, you are the first person I have come across since the late 80's that actually has the terms totally correct. Your post just made my day.


Powered by UBB.threads™ PHP Forum Software 8.0.0
(Preview build 20230217)