
Logged in status error?

timster - 23 Mar. 2005
Yacs fan!

visitors automatically logged in

Bernard,

An issue has come up a couple of times now that I can't quite understand at all.

Last night I asked a friend to visit my site and look around and give me any advice they might have. We were talking over the telephone and he asked me if he was supposed to be logged in as 'xxxxx' (my admin name). Somehow just bringing up the page caused him to not only see the site but also have full administrative access.

Luckily it was a friend, and luckily I don't really have any traffic yet since the site isn't launched.

This happened to me once before that I noticed when I was using a colleague's PC at my day job, and I thought it was just some error on my part, but now I've confirmed that it does happen.

This could be a serious issue for people that use YACS for commercial/business sites.

Bernard Paques
11 Apr. 2005
Timster: To make things more clear to me, can you confirm that you had not authenticated before voting? Also, can you relate the associate id returned to you to some previous recent session of this associate? Thank you for very valuable input.

I have not been able to reproduce this symptom on my own servers up to now, therefore the questions... Maybe I will introduce a specific debug version to be used at your site...
timster - 12 Apr. 2005
Bernard:

Yes, I was using a coworker's PC and made sure that no one was authenticated at the time of my retrying to duplicate the problem, which I did successfully, from a browser (PC) that has never been used to authenticate anyone.

I also went to yet another previously unused computer and tried to duplicate the problem while I was logged in on another system and the problem occurred as well, in both IE and FireFox, and Opera as well.

Hope that can help you clear it up.. in fact you can probably see the problem first hand if you visit my site, vote and then click view results.

Bernard - 12 Apr. 2005
Timster: I have visited your site as suggested but was unable to log in :P

Actually, since you have been able to reproduce the problem using different browsers, I presume the issue is related to the server itself.

At the moment I am checking new ideas by reviewing the source code of several popular CMS/blogging platforms.
Bernard - 12 Apr. 2005
Timster: Can you redo your tests using the latest nightly build please?

Several bugs have been fixed in cookies, and I have added a sophisticated way of preserving session uniqueness.

Thank you for your next feed-back - Bernard
timster - 15 Apr. 2005
Bernard:

Unfortunately the login problem persists. I can still get into the site editing functions by clicking view results on the polls, even when I'm not logged in.

Also now all my images have disappeared... because of the change of the thumbnail positioning.

Now if I add a new post and add the image with the new option to append the image and use it as a thumbnail, the thumbnail position is not the same as before (to the left of the poll results) but rather positions on the top of the post in the append image position.

I need the thumbnail position (image align left) for the home page and the permalink.

Lastly, if I choose just the thumbnail image by itself position as I was previously doing, the image doesn't show up on the home page or the permalink... although if I try to edit the blog entry the image shows up to be edited.

This is getting weirder.

Tim
Bernard - 16 Apr. 2005
Timster: If you are able to reproduce the problem, can you please visit the test page at control/test.php, and copy to me what is displayed? I am interested in cookies and request values.
timster - 18 Apr. 2005
Bernard:

I am experiencing login problems to this site with Firefox. Also in IE, when clicking the move forward option it is asking me to re-login...

I'm attaching a .txt file that is the cookies values.

Thanks,

Tim P.S. I have lived in Asia now for 8 years... hope you enjoyed your time in China.
Bernard - 19 Apr. 2005
Timster: There is no session data in your file. Was YACS considering you as an associate when you captured this data?
timster - 19 Apr. 2005
Bernard;

I must have been since I need to login to be able to access the control panel for my set up.

Tim P.S. After authenticating on my own site, and the YACS community site, clicking the move forward link brings up the authentication form fields again... just thought you should know.
Bernard - 20 Apr. 2005
Timster: Usually, the development of YACS involves several steps:

Step 1 - about daily, script modification on my own laptop and local tests

Step 2 - 3 times a week, update of running scripts at the main YACS server (www.yetanother...) and remote tests

Step 3 - about once a week, update of the reference repository of scripts at the main YACS server, to make the nightly build available for server updates

Step 4 - about once a month, a new release is made available for people who install new YACS servers

The current issue on login with Firefox has appeared at step 2, meaning there is no impact to end users like you. I have to change some scripts today, and will fix this accordingly.

Thank you for your feed-back.
timster - 22 Apr. 2005
Bernard:

I realize you are probably working on this issue, but I should report my experience.

Last week at one point I could not authenticate and create an article, clicking any of the create or write an article links from the side bar or control panel forced me to authenticate again.

I experienced a similar problem on YACS server when clicking the move forward link caused me to need to authenticate again.

Now my partners on my website cannot post content since they cannot authenticate and create content... any ideas.

We are getting close to our planned launch date of May 1st, and we have a security and authentication issue outstanding. I'm getting pressured to change CMS or move our launch date and I'm not sure what to do.
Bernard - 22 Apr. 2005
Timster: The authentication issue is supposed to have been fixed two days ago. Please upgrade your server.

If you want me to speed up the process, please provide an FTP account to upload scripts to your server.

Or use the upgrade script, if your server is allowed to access www.yetanothercommunitysystem.com.

By the way, your site looks great. I like what you are doing with YACS, and will do my possible to support you.

Let me know what level of assistance you require, and I will revert to you as soon as I can.
timster - 22 Apr. 2005
Bernard:

Thanks, I'll try rebuilding tonight when I get home from work, the FTP connection from my office is unstable.

Yes I really like using YACS and I'm more than willing to keep tweaking the site, but we are already getting some traffic and once we send out our press release to some contacts I expect we'll get at least some initial interest... but I wouldn't want a complete stranger to be able to edit our posts by accidentally authenticating by viewing the poll results.

I'll let you know how the latest build goes.
Bernard - 22 Apr. 2005
Timster: Are you able to use the upgrade scripts now?
timster - 22 Apr. 2005
Bernard:

No, I'm using a large hosted server in the US, and I tried contacting them about it a while ago but they didn't answer me.
timster - 22 Apr. 2005
Timster:

Actually I just managed to upload all the files again. Can you remind me the proper upgrade procedure? I want to make sure I'm doing it properly.

control panel>scripts>

then validate and build a reference set
Bernard - 22 Apr. 2005
Timster: Validate and build are useful only to reference servers, like www.yetanothercommunitysystem.com, and for some corporate YACS servers I know of.

Else visit How to achieve incremental upgrades of a YACS server?
timster - 22 Apr. 2005
Bernard:

Ok, I've manually upgraded my scripts.

It would appear that it has solved the authentication problem. My writers can now login and create content.

However, if you vote, and then click view results when not logged in, you still automatically end up being authenticated as the person who posted the item you voted on.

1 down, 1 to go... progress is good.
Bernard - 22 Apr. 2005
Timster: On Monday (morning for me, afternoon for you), I would like to do the test remotely. Please drop me a line when you will be ready, ok?
timster - 25 Apr. 2005
Bernard:

I am now online and available for the next few hours so let me know when you're ready.

Thanks so much,

Tim
Bernard - 26 Apr. 2005
Timster: Good news! After the troubleshooting steps we had together I have successfully spotted the irritating bug.

On vote, YACS falsely presented the secret handle to voters instead of regular links. And this handle makes YACS automatically authenticate anonymous surfers as article posters...

I have removed the usage of secret handles in the voting scripts, and links are now ok.

The correction will be included into the release due Tuesday evening, Paris time. You should be able to fix this issue on Wednesday morning at the latest. Thank you for your patience.
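The bug described in this post, as an added example (not YACS code): a link builder that attached the article's secret handle to every voter's "view results" link, beside the corrected builder that emits a regular link, and a request resolver that shows why the leaked handle mattered. The handle format (a per-article random token in a `handle` query parameter) is an assumption; the page does not describe it.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Article:
    id: int
    poster: str
    handle: str  # assumed: per-article secret token that acts as a login capability


def make_article(article_id, poster):
    return Article(article_id, poster, secrets.token_hex(16))


def results_link_buggy(article):
    # Before the fix: every voter received the poster's private link, handle included.
    return f"/articles/view.php?id={article.id}&handle={article.handle}"


def results_link_fixed(article):
    # After the fix: voters receive a regular link with no capability token.
    return f"/articles/view.php?id={article.id}"


def parse_query(url):
    _, _, query_string = url.partition("?")
    return dict(part.split("=", 1) for part in query_string.split("&") if part)


def authenticate_request(article, query, session_user=None):
    """Identity a request is served under.

    Models the behaviour the thread describes: a valid handle in the URL
    authenticates the surfer as the article's poster, whatever the session says.
    Without a handle the request keeps the session identity (None = anonymous).
    """
    handle = query.get("handle")
    if handle is not None and hmac.compare_digest(handle, article.handle):
        return article.poster
    return session_user


def identity_after_viewing_results(article, link_builder, session_user=None):
    """Who an anonymous voter becomes after following the generated results link."""
    return authenticate_request(article, parse_query(link_builder(article)), session_user)
```

Run against an article posted by an administrator, the buggy builder turns an anonymous voter into that administrator, while the fixed builder leaves the voter anonymous.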
Bernard - 26 Apr. 2005
Timster: Can you please check the new release, version 5.4, of YACS, which should fix the impersonation bug in polls?

Available at [article=download]
timster - 27 Apr. 2005
Bernard:

We are breathing a deep sigh of relief here. Thanks so much for your fast and effective efforts!

While there will still be minor tweaks, we will now be able to proceed with confidence in launching our site on the 1st. The issue has been reported as fixed and was tested using Firefox, IE and Opera.

Thanks again!

Timster
Bernard - 27 Apr. 2005
Timster: Thank you for your kind feed-back. The good news is that during bug tracking the security of YACS has been improved dramatically...

I will document the new YACS release (v 5.4) before week end. Do not hesitate to ask for new features for the next step, due in May (v 5.5).

Bernard Paques
25 Mar. 2005
Timster: Well, unfortunately your issue is well-known as proven by the following list

Cookies and (Apache) caching - Some Plone developers suggest the issue may be related to Apache. I have implemented tonight the Vary: header to protect from this potential bug.

Site Server Users May Be Authenticated Under the Wrong Account - This page, while coming from Microsoft, explains how proxies and cache engines that unduly save Set-Cookie headers will corrupt security

Proxy Caching May Cause Multiple Clients to Receive Same GUID - Microsoft suggests to update their servers; I know, your ISP is Unix...

How does Squid deal with Cookies? - Squid seems to have no problem with this

Installing phpBB 2.0.6 - Apache version 2 has some issue with cache directives; but your ISP is using version 1 anyway...

The next step is to spread an updated version of YACS, and to wait for your feed-back..
timster - 11 Apr. 2005
Bernard:

I'm using the latest build of YACS but the login problem persists.

This time I was able to duplicate the process that triggered it. I was using an outside PC, I voted on a poll and then I clicked 'view results'. At that point I became automatically logged in as one of the administrator ids for my site and was able to edit and play around with articles.

Does this info help you at all in tackling this problem?

Bernard Paques
24 Mar. 2005
Timster: The previous version of YACS incorrectly generated two session cookies instead of one, and I suppose this could have affected some security operation. Please update your server as soon as possible to benefit from latest improvements and bug fixes.
timster - 24 Mar. 2005
Bernard:

Thanks for addressing this issue so quickly, I have updated. If this situation would not be unique to me you might want to post a warning/suggestion on the YACS front page for people to upgrade as this could end up being a major security issue for some.

Cheers,

Timster
Bernard - 24 Mar. 2005
Timster: Actually I will do exactly that probably tonight. But let me check a couple of additional things on PHP cookies, session management, etc. I would like to be sure of what I'm doing before saying that everything is going fine...

Bernard Paques
23 Mar. 2005
Timster: Actually, YACS has several features aiming to protect session data:
- the session id is changed to stop some cookie attacks (shared/global.php)
- session data is killed after one hour of inactivity (shared/global.php)
- workstation IP address is recorded and checked to prevent cookie spoofing (shared/surfer.php)
- YACS instance is recorded and checked to prevent cross-impersonation (shared/surfer.php)

These features have been introduced in February while I was working on adding a demonstration instance of YACS to this server.

Because of all these protections, I think that the issue you have described is related to invalid behavior of cache/proxy servers between workstations and the YACS server.

A possible explanation of the symptom you have described is that some cache/proxy server unduly caches pages fetched by you, and serves these pages to anonymous surfers afterwards.

Therefore, I would recommend you to change the configuration of your server and to disable cache.

Performance will be degraded, of course, but at least all requests would be transmitted to the origin server itself, and the issue you have experienced should not happen anymore.

Also, while YACS strictly implements HTTP protocol specifications, I suspect that some cache/proxy appliances do not. Let me dig into Google to find if we could find some workaround to benefit from cache speed while preserving security.

To summarize on this hot topic:
- disable cache NOW to secure your server
- let me revert to you ASAP on additional findings
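The four session protections listed at the top of this post (id rotation, one-hour idle timeout, client IP binding, instance binding), as an added example that is not the YACS implementation in shared/global.php or shared/surfer.php. The store layout and the `resume` contract are assumptions; the one-hour limit is the value the post gives.

```python
import secrets
from dataclasses import dataclass

SESSION_TTL = 3600  # seconds of inactivity after which session data is killed (from the post)


@dataclass
class Session:
    user: str
    ip: str        # workstation address recorded at login
    instance: str  # YACS instance the session was created for
    last_seen: float


class SessionStore:
    """In-memory session store with the binding checks applied on every resume."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, ip, instance, now):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, ip, instance, now)
        return sid

    def resume(self, sid, ip, instance, now):
        """Validate a presented cookie. Returns (new_sid, user), or (None, None).

        Any failed check discards the session so a replayed cookie cannot be retried.
        A successful resume rotates the id, which is what limits cookie reuse.
        """
        session = self._sessions.pop(sid, None)
        if session is None:
            return None, None
        if now - session.last_seen > SESSION_TTL:   # idle for more than an hour
            return None, None
        if session.ip != ip:                         # cookie presented from another workstation
            return None, None
        if session.instance != instance:             # cookie minted by a different YACS instance
            return None, None
        session.last_seen = now
        new_sid = secrets.token_urlsafe(32)          # rotate the id on every accepted request
        self._sessions[new_sid] = session
        return new_sid, session.user

    def active_count(self):
        return len(self._sessions)
```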
timster - 23 Mar. 2005
Bernard:

Presently my configuration for system parameters is already set to "compute all page elements" and http parameters are also set to "No Cache".

Is there anywhere else in the configuration set up that I need to change to turn off caching functions?
Bernard - 23 Mar. 2005
Timster: I have checked HTTP responses returned by your server, and there may be an issue with the way the Set-Cookie: attribute is shaped. Please let me dig into details before suggesting something else.

Files


test.txt

shared by timster on 18 Apr. 2005 · 371 downloads · 4,001 bytes