Forum adverts like this one are shown to any user who is not logged in. Join us by filling out a tiny 3 field form and you will get your own, free, dakka user account which gives a good range of benefits to you: No adverts like this in the forums anymore. Times and dates in your local timezone. Full tracking of what you have read so you can skip to your first unread post, easily see what has changed since you last logged in, and easily see what is new at a glance. Email notifications for threads you want to watch closely. Being a part of the oldest wargaming community on the net. If you are already a member then feel free to login now.

Even though I click sign me in when I visit IT WONT.

I have a slightly similar problem. The system will randomly and periodically log me out(many times if I refresh and occasionally just when I hit a topic or the index link).

Do you change computers a lot? or do you delete cookies from your web browser? If so that are your problems.

Hope that helps

Squig_herder wrote:Do you change computers a lot? or do you delete cookies from your web browser? If so that are your problems.

Hope that helps

Not here. Same computer, don't touch my cookies.

The only other factors I can think of right now is either your anti-virus [or even registry cleaner] or just your browser.

What web browser are you using?

Go to www.whatismyip.com a few times throughout the day - the IP address should not change (if it changes, you will be signed out for security purposes).

Try deleting all your cookies and logging in again.


Automatically Appended Next Post:
oh and do you knowingly use a proxy server?

LOL it started working right after i posted this. sorry for wasting your time.

I've recently started experiencing this problem as well, both at home and at work.

At work, I use a proxy to connect, my IP should be constant, although from time to time, our IT department does weird stuff and my country flag shows up as Finland or Iceland.

At home, my IP range should be fairly steady, but it is DSL and may change a little on the last digit.

In both cases, I'm using Google Chrome. The problem wasn't happening two weeks ago.



Reading your note, you say that if the IP changes, we'll be logged out for security reasons. Perhaps the problem here is expectations.

When I use the login page, it says, "Log me on automatically each visit:" - This is actually what I'd like my cookie to do for me. I'm on my own computer, and even if I was on a different computer earlier, I'd like the cookie to re-log me on when I connect. This should be possible to tie to a machine, rather than an IP address.

If you're going to keep the behaviour as it is currently functioning, perhaps the checkbox should read "Keep me logged in on this computer" or something like that, which more accurately describes what is happening. Because it's not logging me on automatically.

The cookie login option is off the table now I'm afraid. We have had a few instances of cookie hijacking by nefarious users with the older liberal system and so I have to be harsh and limit it to a cookie and ip address/computer combo. This is why if a cookie comes from a different source, it logs out as a precaution now. I'll make a note to change the text as you recommend.

There is an old post somewhere in this forum that details a specific url you can edit with your username and password, and you can bookmark that URL to effectively automatically login on any machine but obviously it is a little insecure doing so. If you can dig that post out then that functionality should still work fine.

Sorry for the inconvenience anyway, I just hate having to do the cleanup and log analysis from hijacking.

I'm confused.

How are cookies hijacked?

My understanding is that you can have a cookie store the person's name&password on their own computer. Then, the website checks for that cookie, and if they find it, attempts to log the user in with that login/password combo, and if that verification fails, the user doesn't get in.

Now, if someone steals my computer, they could certainly edit my cookie and discover my password (unless you had the cookie store an encrypted password, but I don't know if you'd want to do that) - although I think my concern in that case would be more for my stolen computer rather than my stolen password.

Short of that, how is this any more risky than having someone type their password in? It gets transmitted over the internet in both cases.

I ask not to question your decision, but because I also operate some websites, which use password protections for users, and do as I stated above, and haven't had any problems with doing it that way in 12+ years now. It could be that my sites are so low-profile that no hacker in their right mind would want to hack them.



Automatically Appended Next Post:
Oh, as an addtion, I looked up the old URL that you referenced. It is:
http://www.dakkadakka.com/dakkaforum/jforum.page?module=user&action=validateLogin&autologin=true&username=YOUR_USERNAME&password=YOUR_PASSWORD

Your analysis is generally correct (except most places will never store username/password in a cookie and will instead store a generated unique hash or something like that along with a username or user id for added safety)

Every page request sends the cookie in every request header between a client browser and your site.

As a result, intercepting or acquiring that cookie in some fashion, and then forging a request header will instantly gain you permissions and access as that user. This can be accomplished in a large number of ways:
- virus on the target machine
- invisible proxy server or hijacked proxy server used by the user
- cross site scripting exploits
- adobe flash exploits (or other plugins)
- poor server configuration or scripts which allow a user's cookies to be viewed
- server software exploits (both web server and application)

If you always are up to date on all of the above and can trust your users not to fall victim to the user level exploits (usually through lower profile sites), then you have little or nothing to concern yourself with.

Ultimately, cookies are generally secure enough for this job, but adding extra layers of protection is always a good idea imho as the attention from hackers/spammers is always increased on higher profile sites.

p.s. sorry if vague and/or patronising sounding, just got off a flight so am knackered and just trying to be legible right now!

Is there any way that the auto login/cookie thing could ignore the last digit of the IP address as that the only digit that changes when I log in from a different computer in the same network (connected to the same router at home). That way I wouldn't get logged out when I switch computers at home.

Not really my area of expertise so let me know if this won't work or you already told me it won't work.

It's got to be pretty unlikely that someone's leeching my wireless broadband AND hacking my Dakka account.

Nope, it doesnt work that way. The logic behind it is one of the few things I wont discuss either for security purposes.

legoburner wrote:Nope, it doesn't work that way.

Aha, I thought so.

its happaning again for me.