Forums / Cotonti / Extensions / Facebook Plugin?


Trustmaster
#16 2011-01-20 17:28
That might be caused by the IP changing frequently. It would be nice if we knew for sure whether these logouts are really caused by IPcheck. I have uploaded a fix for this redirect problem; let me know how it works now.
May the Source be with you!
GHengeveld
#17 2011-01-20 19:25
I'm pretty sure it's IP check. On other sites I have it disabled and there it works fine.
Strangely, it usually works fine when tethering my mobile's 3G to my notebook and using the notebook for browsing, but on the mobile itself, or on the iPad (3G), it mostly keeps logging out. It differs, though, because sometimes it works fine on the mobile as well. I guess it's just a matter of which mobile broadcasting station I'm connected to. As long as it's the same one, the IP doesn't change. At least that's my explanation. This morning I was on a train, so it makes sense that the IP kept changing.

A colleague suggested looking into HMAC for authentication, which doesn't require a DB query, but maybe that only works for always-running scripts like Python.
Trustmaster
#18 2011-01-20 20:57
Facebook actually uses HMAC. It protects the auth data from getting sniffed and decomposed. But I need to investigate whether it helps against XSS, because an XSS attacker does not decompose anything; he just uses the cookie as it is.

Even if it does not protect against XSS, it might be a good improvement because it is more reliable than the current mechanism based on random session identifiers.

Added 26 minutes later:

Something we forgot about:
Wikipedia:
Another mitigation present in IE (since version 6), Firefox (since version 2.0.0.5), Safari (since version 4) and Google Chrome, is a HttpOnly flag which allows a web server to set a cookie that is unavailable to client-side scripts. While beneficial, the feature does not fully prevent cookie theft nor can it prevent attacks within the browser.
We've been using the HttpOnly flag for quite a long time. So, I think that for most sites ipcheck can be disabled by default and enabled on sites where security is much more important than user comfort (e.g. banking, e-stores, etc.).

Another thing that would allow logins from multiple devices is using HMAC instead of random session keys (because such random keys are often changed).
May the Source be with you!
This post was edited by Trustmaster (2011-01-20 21:32)
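The two session mechanisms compared in the post above, worked through as an added example (not Cotonti code and not Trustmaster's implementation). It assumes a server-side SECRET_KEY that every request handler can read, a hypothetical ipcheck switch that folds the client IP into the MAC only when the site opts in, and a constructed user id and timestamps. It shows that verifying an HMAC token needs no database lookup and no long-running process, that a token bound to an IP is rejected as soon as the IP changes (the train scenario), and that a stolen token replays unchanged, so HMAC on its own does nothing against XSS cookie theft; HttpOnly on the Set-Cookie line is the separate control for that.

```python
"""HMAC-signed session token versus a random session ID (added example).

Constructed for this discussion, not Cotonti code. Assumptions: a server-side
SECRET_KEY that every request handler can read (a PHP page could do the same
with hash_hmac()), and a caller that passes the client IP only when the site's
ipcheck option is on.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

SECRET_KEY = b"constructed-demo-secret-do-not-reuse"  # assumption: loaded from server config
DIGEST = hashlib.sha256


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload: str, client_ip: str) -> bytes:
    # The IP is part of the MAC input only when ipcheck is on; "" means "not bound".
    return hmac.new(SECRET_KEY, f"{payload}|{client_ip}".encode(), DIGEST).digest()


def issue_token(user_id: int, ttl: int, now: Optional[int] = None, client_ip: str = "") -> str:
    """Return 'uid.expiry.signature'. Nothing is written to the database."""
    now = int(time.time()) if now is None else now
    payload = f"{user_id}.{now + ttl}"
    return f"{payload}.{_b64(_mac(payload, client_ip))}"


def verify_token(token: str, now: Optional[int] = None, client_ip: str = "") -> Optional[int]:
    """Return the user id if the signature and expiry check out, else None.
    Stateless: any worker holding SECRET_KEY can verify; no DB query needed."""
    now = int(time.time()) if now is None else now
    try:
        uid_s, exp_s, sig_b64 = token.split(".")
        uid, exp = int(uid_s), int(exp_s)
        given = _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = _mac(f"{uid}.{exp}", client_ip)
    # Constant-time compare: the check must not leak how many bytes matched.
    if not hmac.compare_digest(given, expected):
        return None
    return uid if exp > now else None


def set_cookie_header(token: str, max_age: int) -> str:
    """HttpOnly keeps document.cookie from reading it; Secure keeps it off plain HTTP."""
    return f"Set-Cookie: sid={token}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


def random_session_id() -> str:
    """The mechanism the thread compares against: opaque, so a DB row must map it to a user."""
    return secrets.token_urlsafe(32)


def demo() -> dict:
    """Walk through the cases raised in the thread and return the outcomes."""
    t0 = 1_300_000_000  # constructed timestamp
    tok = issue_token(42, ttl=3600, now=t0)
    _uid_s, exp_s, sig = tok.split(".")
    ip_tok = issue_token(42, ttl=3600, now=t0, client_ip="10.0.0.1")
    return {
        "valid": verify_token(tok, now=t0 + 60),
        "expired": verify_token(tok, now=t0 + 3600),
        "tampered_uid": verify_token(f"1.{exp_s}.{sig}", now=t0),
        "ipcheck_same_ip": verify_token(ip_tok, now=t0, client_ip="10.0.0.1"),
        # the train scenario: same cookie, new IP -> treated as logged out
        "ipcheck_new_ip": verify_token(ip_tok, now=t0, client_ip="10.0.0.2"),
        # XSS / theft: the MAC is replayed unchanged, so it still verifies
        "stolen_replay": verify_token(tok, now=t0),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>16}: {result}")
    print(set_cookie_header(issue_token(42, 3600), 3600))
```

Revoking a signed token before it expires is the trade-off: with the random id you delete the DB row, with the HMAC token you either keep the lifetime short or keep a small deny-list, so "no DB query" holds only for the common path.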
tensh
#19 2011-04-01 10:13

Hi,

Did anybody solve the problem with logouts?

I have to click the Facebook logout button twice in order for it to log out. Can this be something about JavaScript?

Trustmaster
#20 2011-04-01 11:12

I have to test it somewhere. This site doesn't use that plugin currently.

May the Source be with you!
tensh
#21 2011-04-04 09:08

I would be very grateful :) BTW, the Facebook buttons don't work in IE8?

Added 9 minutes later:

Off topic: I'll soon contribute many plugins and some tutorials, like a YouTube importer, how to make a YouTube gallery from pages, a featured content slider using Nivo Slider (and the page avatar plugin), custom filters in lists, etc. I just have to finish my current work and correct some bugs. Cotonti is great :)

This post was edited by tensh (2011-04-04 09:19)
