PDA

View Full Version : Logout globally - Beta


Stadler
17 Nov 2002, 05:01
Well, what I'm trying to reach with this hack, is, that you can logout globally with it, no matter on how many browsers/computers you have your cookies saved.

This hack saves the time of creation of your user and password-cookies and if you logout, it updates the new lastlogout-field. If you try to login with a cookie, that has a creation time older than lastlogout, the cookie will be deleted. Thats it.

Pfew, I hope, you unterstood what I'm trying to tell you. :knockedout:

Now I need some people, that help me testing and sorting out bugs for that hack.

I haven't tested it on a live forum, yet, but maybe I do some testing, later today.

Erwin
17 Nov 2002, 07:18
Good idea.

To clarify this hack -

Normally, if you logout, you only log out for the computer you're on. If you go to the forums with another computer, you have to log out of that computer as well.

With this hack, when you logout, you automatically log out of every computer you have logged into the forum with.

I don't have a use for it, but it's a great idea. Especially if you logged in on a public computer and forgot to log out... and you can't get back to that computer to log out.

Darth Cow
17 Nov 2002, 08:14
Good idea, but your method isn't very secure - one can simply edit the time in the cookie. I think that encoding the time into the password part of the cookie (used for authentication) would be the most effective solution, but that would require storing each of the valid login times for each user in the database (you couldn't do a simple numerical comparison because the password/date would be MD5'd).

Dean C
17 Nov 2002, 10:39
Awesome...

I'll definately use this once a few people have confirmed it works :)

Regards

- miSt

Stadler
17 Nov 2002, 11:03
Originally posted by Darth Cow
Good idea, but your method isn't very secure - one can simply edit the time in the cookie. I think that encoding the time into the password part of the cookie (used for authentication) would be the most effective solution, but that would require storing each of the valid login times for each user in the database (you couldn't do a simple numerical comparison because the password/date would be MD5'd). Well, you're right, but the encryption, that would be used, has to be two-way, because it needs to be checked, if the cookie is older or newer, than lastlogout.

Stadler
17 Nov 2002, 13:16
I've applied some changes and fixes, so please recheck the attachment.

Changes and fixes are as follows:
I now use $ourtimenow instead of time()
I've updated member.php?action=login, because I forgot to apply some changes there.
As for Darth Cow's idea: I've added the md5-hash of $ourtimenow to the cookie "bbcookietime"

Xenon
17 Nov 2002, 16:55
The hack seems to be a very good idea, as erwin said, this can be very helpful if you forgot to logout on a public pc...

Brad
17 Nov 2002, 20:46
very good idea :), im also releasing a global login point in the next few days.

Julio
18 Nov 2002, 02:18
1 - I think this is one of the most important hacks ever made.

2 - I installed the hack, but now I can't login with any username. Even admin, or any other account. Any idea?

- Lucky I always install hacks to one of my 2 local testboards! -

ManagerJosh
18 Nov 2002, 05:27
Definitely got my installation! Anyone from the vB3 dev team want to add this in? :D

Stadler
18 Nov 2002, 10:05
Originally posted by Julio
2 - I installed the hack, but now I can't login with any username. Even admin, or any other account. Any idea?The hack uses an extra cookie: bbcookietime. Maybe your browser blocks it?

If not, then recheck, if you didn't forgot to apply something.

And then, could you please try, if you can post, even, if you have to login over and over.

Stadler
18 Nov 2002, 11:59
I did some testing on our public board. And it seems to work without problems "for users!"

But I couldn't login to the admin-cp, if I haven't logged in to the forums homepage. I've had to be logged in to the forums homepage, before I could login to the adminpanel.

Sorry, but right now I have no idea, how to fix this. :o

Any help, sorting that out, would be welcome.

Julio
19 Nov 2002, 18:12
Stadler: One detail I forgot to mention....

My main page is not a PHP/VB page. It's an html page, in which I simply integrated the login code. Thus, I removed the "forums" icon from the navbar, and Im not allowing any access to un-registered users.

This means... You get into my page... must register if you're a new user, or just login if you're already registered. As soon as you login, you're taken to the forums page. If you click on Logout icon on the navbar, your taken back to the main page, where you must sign if you want to get back into the forums. BUT if for some reason, a user enters http://mydomain.com/forums in his/her browser, it will be taken back to the forums...and logged-in, since the LOGOUT icon it's not really login-out.

Here's the what I have in the logout icon.. which I know is NOT correct.. "<a href="member.php?s=$session[sessionhash]&action=logout"><a href="http://www.mydomain.com/index.html">

Therefore, the need for your hack... BUT as you already noticed, I can't login even as Admin, since I have to be logged in in the forums first...

Julio
29 Nov 2002, 16:15
Any news on this?

Anyone knows if I can use a Javascript to do what I need? I mean a script that will "call" the llogout function and then re-direct to my main page?

Darth Cow
10 Dec 2002, 02:03
Originally posted by Stadler
As for Darth Cow's idea: I've added the md5-hash of $ourtimenow to the cookie "bbcookietime" Cool :). However, the hack still isn't very secure - the MD5 algorithm is known, so someone could change the date and then md5 the changes as well. Now that I think about, you're right that you don't need to save all login time. But I would rather use a variant of md5 to store the date. Checking it to make sure the date still equals the md5($date . "randomstringtochangemd5") would make the system secure, as long as everyone can come up with a constant random string to append to the date for the md5.

Chris M
17 Dec 2002, 15:25
Sounds like a cool idea...

Can anyone confirm that it works?:)

Satan

Boofo
17 Dec 2002, 17:03
Originally posted by hellsatan
Sounds like a cool idea...

Can anyone confirm that it works?:)

Satan

Can you install it and set up a test account on your board and have someone log in and out and you do that right after them and see if it allows you on? Will that work?