cotonti.com : What influences the login time?

Trustmaster

Ma, 16 Aug 2010 01:36:27 -0000

This could also be fixed (for many cases but not all) by storing previous protection code for a longer period rather than just 1 request (as it currently does). Unfortunately, any of the known solutions has side effects.

ez

Ma, 16 Aug 2010 00:36:28 -0000

Do I have influence on this XSS code?, so that I can make the time longer?

Basically you are saying that this problem will be solved in Siena.. v0.9, but untill, there is a stable version of Siena, then there is No solution for this.

Ok.. My autosave / autorecover plugin is a real option then I figure..

Thnx for the response

Trustmaster

Zo, 15 Aug 2010 21:27:52 -0000

That sometimes happens when browsing the site in another tab after a long time editing an article/post, so that XSS protection code has changed before you submit the form.

It is not the super-ultimate solution, but 0.9 remembers all the input until it is cleaned explicitly (so you can restore the data even after you have been logged out).

ez

Zo, 15 Aug 2010 16:03:26 -0000

I am sorry to say that I probably still have this "losing connection" problem.
I have upgraded to 0.69.
I have made the remember me option default on. (nice feature by the way)

What went wrong:
A user makes a very long story(page) and took a long time to create it...
He submits the article.

And thats were it went wrong.. the work is lost.. (very angry user by the way)
BUT he was not logged out...??? so the remember me option is working i guess.

I think the session timed out (or something like that) en therefore the post is not
submitted correctly.?? Really strange stuff.... (IS this possible ???)

ANYWAY:
I do not like my users to be angry, so I will write an autosave plugin plugin. (Is a nice feature I think)

I am going to write it so that the users work will be saved every minute (automatically !!!).
And I will make a recover function in the pages (add and edit) to get the lost work back (also automatically).

Anybody interested in this plugin to ????

greets, EZ

GHengeveld

Za, 03 Jul 2010 16:23:24 -0000

Some applications, for example Magento Commerce, generate a random hash code when the system is installed. This is then used to uniquely identify the site and as a salt for passwords. Maybe Cotonti needs something like that too? I use it in my framework as a replacement for

defined(SED_CODE) or die();

since it's not very safe like that (it only prevents direct file access, but not file inclusion because it is easy to guess):

defined($cfg['app_code']) or die();

Added 3 hours 42 minutes later:

On a side note, I want to report that the Cotonti auth system fails almost always when I try to use it on my mobile (Nokia E63), even though the mobile browser supports cookies (it seems the problem is caused by sessions, not cookies).

pieter

Thu, 01 Jul 2010 18:50:36 -0000

Or release Siena shortly

tensh

Thu, 01 Jul 2010 18:17:35 -0000

If it wouldn't be a problem, a patch to Genoa is highly appreciated!

Trustmaster

Thu, 01 Jul 2010 15:17:19 -0000

Recent login changes in Siena:
http://trac.cotonti.com/ticket/496
accompanied by this: http://trac.cotonti.com/ticket/497
See changes in common.php and users.*.php in r1237

Most of the subdomain issues are fixed there except for PHPSESSID cookie which is more a PHP thing rather than Cotonti (see the topic mentioned in the previous post).

donP

Thu, 01 Jul 2010 07:41:08 -0000

Actual Login method shows many problems if we use mod_rewrite to create subdomains...
I discussed here: http://www.cotonti.com/forums.php?m=posts&q=5657 but with no much interest.

Mostly, it seems to me that Cotonti development had stopped from long time (I look at Trac tickets every day and they are always the same).

GHengeveld

Thu, 01 Jul 2010 05:31:48 -0000

Can you be more specific about these changes? I remember we've been having issues with the 'remember me' option in the past, with unexpected behavior when following a certain route through the site. These problems seem fixed. I can't find the trac ticket anymore though.

One reason for asking specifics is because I've more or less copied the Cotonti auth system to my own custom PHP framework (similar to Kohana 2, but more basic). I'd like to update it if necessary.

Trustmaster

Thu, 01 Jul 2010 01:06:06 -0000

Yes actually and these thoughts are implemented on Siena. I wonder if it is important enough to apply the patch on Genoa too (it changes some login internals).

tensh

Wo, 30 Jun 2010 19:41:27 -0000

Any thoughts about this problem?

foxhound

Ma, 28 Jun 2010 01:42:55 -0000

Yes, I always select "remember me". But today for example I was logged out when doing a search (on both pages and forums).

Trustmaster

Zo, 27 Jun 2010 23:20:07 -0000

Please tell me if you get this problem if using "remember me" option.

foxhound

Za, 26 Jun 2010 18:48:38 -0000

We are experiencing the same issue, being logged out from the admin panel at random. Its impossible to tell when it happens as one minute you are checking the config of a plug and your logged out and other times while opening topics to check.

tensh

Vr, 25 Jun 2010 16:06:33 -0000

My IP doesn't change, also the same sudden logouts are with "remember me" buttons.
My site's using the eAccelerator, maybe this is what causes problems? I also saw the suhosin extension installed.

Can you please show me how you solved the session handling using files? (it required corehacking?)

Trustmaster

Thu, 24 Jun 2010 00:27:21 -0000

One of my customers suffered a lot from sudden logouts. We had tried a million ways until we found that session handler they use (memcache) causes this. We solved it by using another session handler (file based) and forcing the "remember me" flag.

BTW, it makes a bit difference: whether you're logged out with "remember me" or not. This option stores data in cookies, without it sessions are used.

Another thing to check is how often your IP changes.

As for SSL, there shouldn't be any problems with it.

tensh

Wo, 09 Jun 2010 15:24:38 -0000

What should be correct (universal?) settings for cookies?

Added 13 days later:

Another question would be: does Cotonti use ssl without any problem?
I'm wondering about SSL login page.

I'm also open for possible ideas on what can influence the quick loging out - I pretty much don't know what should I look for, but clearly it's from the server's side (without changing any settings in Cotonti, during recent server system "improvements" the login time was drastically shortened, so it kicks me out of Cotonti after a couple of minutes)

It's very frustrating also for my users, who get logged out as they hit "post a message", and no message is saved.

GHengeveld

Di, 08 Jun 2010 15:29:19 -0000

Check your cookie settings, it sounds like they don't get stored or read properly.

tensh

Ma, 07 Jun 2010 20:48:31 -0000

Hi;

I've got a problem. Despite the fact that in Cotonti setings there's the longest cookie lifetime set, users on my site are logged out after a couple of minutes of inactivity. What else can inluence the session time?

My server settings:
session.gc_maxlifetime = 1440
session.cache_expire = 180