Australian (ASX) Stock Market Forum

ASF Site Login Security Warning..!!

bullmarket said:
hmmmmmmm......I posted something at 9:46 this morning after which I clicked the 'X' in my browser.

I just opened up the ASF site again now at 12:37pm and I see my session from this morning is still active although I wasn't here.

Joe - I thought you mentioned some time ago that an account is automatically logged off 30 mins after hitting the browser 'X'. To me it looks like it's either at least 2.5 hrs or maybe even indefinite.

Bullmarket,

Your session from this morning was not still active. 30 minutes after your last interaction with the forums you would have dropped off the Users Online list and your current session would have ended. What happened is you were automatically logged in when you came back. If you would prefer to log in manually each time, just click 'Log Out' rather than just shutting down the browser.
 
ok thanks Joe, :)

but that doesn't make sense to me :confused: because if someone hits their browser 'X' to end their session (and so from their point of view effectively log off) then what is the point of leaving their name on the online users list for another 30 mins?....to me it can only cause frustration or confusion for someone who might be waiting for a reply from someone who appears to be online but in reality is not.

I can see the convenience in not having to log in a second time after returning to ASF after ending the previous session by clicking the browser 'X' but I don't see the point in then also leaving the users name on the online list for another 30 mins.

If possible, why not set the time left on the online users list to zero after someone clicks their browser 'X' just like when they click the logout button?

cheers

bullmarket :)
 
bullmarket said:
So it makes you wonder how many users on the 'online users' list are really actually here at any given time. I could be here talking to myself and not even realise it :p:

Hey there bull
aren't we all talking to ourself, by typing into the computer, and then hoping for a reply :D
 
bullmarket said:
ok thanks Joe, :)

but that doesn't make sense to me :confused: because if someone hits their browser 'X' to end their session (and so from their point of view effectively log off) then what is the point of leaving their name on the online users list for another 30 mins?....to me it can only cause frustration or confusion for someone who might be waiting for a reply from someone who appears to be online but in reality is not.

Bullmarket,

It used to be 15 minutes but I extended it to 30 at the request of a member because of an issue with the 'New Posts' function. After a member's session ends the 'New Posts' counter is reset. This was a problem because typing into a text box (entering a post or PM) does not qualify as interacting with the forums so if someone spent 25 minutes typing up a post (when the session cutoff was set to 15 minutes) they would come back to the forums to find that the 'New Posts' counter had been reset. This is an issue with this version of the software only and once I upgrade to the latest version I will put it back to 15 minutes which is the default setting as the new version has a better way of tracking 'New Posts'. Hope that all made sense.

There is one very easy way to see whether someone is still interacting with the forums or not. Click on that person's username and view their public profile. On the right hand side you will notice a time stamp telling you when the person in question last interacted with the forums and what they were doing. See attachment below.
 

Attachment: tstamp.jpg

ok Joe - I don't want to make a big deal out of this :D

But your example doesn't actually tell someone if another user is still actually online or not at any given time, does it?

If I understand correctly, after viewing another user's public profile and seeing what time their last activity was, that other user could still be off-line in reality if immediately after their last activity (according to their public profile) they hit their browser 'X' and yet their username will still be on the on-line users list for 30 mins after clicking the 'X' thus potentially causing frustration for someone who might be waiting for a reply from that other user.

Anyway, it doesn't really matter - I just thought it would eliminate confusion if you could set the time left on the online users list to zero for those who click the 'X', but if it's not practical to do that then that's fine.

Hi yezzy

the issue is not the fact that you are not logged off after clicking the 'X' as I can see the convenience as per the examples you gave - I was just suggesting that there would be less confusion for other users if after someone clicked their browser 'X' that their username would also immediately drop off the online users list. But if for some reason Joe doesn't want to set the time to zero then that is fine by me :)

cheers

bullmarket :)
 
bullmarket said:
ok Joe - I don't want to make a big deal out of this :D

But your example doesn't actually tell someone if another user is still actually online or not at any given time, does it?

No but it tells you if they are interacting with the forums.

bullmarket said:
If I understand correctly, after viewing another user's public profile and seeing what time their last activity was, that other user could still be off-line in reality if immediately after their last activity (according to their public profile) they hit their browser 'X' and yet their username will still be on the on-line users list for 30 mins after clicking the 'X' thus potentially causing frustration for someone who might be waiting for a reply from that other user.

If they are waiting for a response from that member to avoid frustration they should look at the time of their post/PM and then check the last time the person they are waiting for a response from interacted with the forums. If the time of their post/PM is the later of the two then there's a good chance they will be waiting a while for a response.

bullmarket said:
Anyway, it doesn't really matter - I just thought it would eliminate confusion if you could set the time left on the online users list to zero for those who click the 'X', but if it's not practical to do that then that's fine.

Unfortunately it's not practical at this time. Once I upgrade the software I will set it back to 15 minutes but at no time in the future will it be set to zero. Those who wish to disappear immediately from the list of online users should manually log off each time they leave the forums. That is the best suggestion I can make.
 
Joe Blow said:
........No but it tells you if they are interacting with the forums...........

Joe, I think one of us has our wires crossed because I don't see how the last activity in another user's public profile tells you whether they are still interacting with the forum or not for the 30 mins after their last activity if their user name is still on the online users list during that 30 mins.

eg......say

1) I make a post at 1:00pm

2) At 1:01pm I then click the 'X' in my browser and shut down my pc.

3) My username will remain on the online users list for another 30 mins until 1:31pm

But at say 1:02 I could have shut down my pc and then not log in again for hours or even days.

So from 1:01 to 1:31 my public profile will show that my last activity was at 1:00 as per 1) above and my username will still be on the online users list until 1:31 when in reality I shut down my pc for the day at 1:02 :rolleyes: thus leaving a false impression that I am still online from 1:01-1:31 when in reality I am not and so your suggestion to check user profiles to see if they are still interacting with ASF breaks down during the first 30 mins if all of the above is correct.

cheers

bullmarket :)

ps...for the record I am hitting my browser 'X' immediately after submitting this post ;) and so I assume my username will remain on the user list for 30 mins after the time for this post even though I have clicked 'X' and shut down my pc... :D
 
Thanks Joe for leaving the way it is - I use the new posts link and it is nice to have it active for the 30 mins especially if there are a large number of new posts since last visiting plus allowing for some interruptions.

I don't see what Bullmarket's problem is - even if someone is actually online, they may not necessarily be at their computer or it may not be convenient for them to reply at that time. So, in my opinion, whether it's 15 or 30 mins delay, it will make no difference to when another poster decides to reply!
 
bullmarket said:
ps...for the record I am hitting my browser 'X' immediately after submitting this post ;) and so I assume my username will remain on the user list for 30 mins after the time for this post even though I have clicked 'X' and shut down my pc... :D

There is a very easy solution to this problem. Instead of clicking 'X' on your browser, click 'Log Out' instead.

You will be removed from the users online list immediately. :)
 
sails said:
Thanks Joe for leaving the way it is - I use the new posts link and it is nice to have it active for the 30 mins especially if there are a large number of new posts since last visiting plus allowing for some interruptions.

I don't see what Bullmarket's problem is - even if someone is actually online, they may not necessarily be at their computer or it may not be convenient for them to reply at that time. So, in my opinion, whether it's 15 or 30 mins delay, it will make no difference to when another poster decides to reply!

Joe,

I agree with sails, I can't see what the problem is, and I doubt 99.999999999% of others can either. I often have my browser open on ASF and I'm actually off in the Land of Nod... zero chance of a response from me even if my profile was visible!

This is a "bulletin board" type forum. If someone wants immediate interaction, they should probably go to IRC... or the telephone perhaps :rolleyes:

Cheers
 
Hi sails

There is no major problem with the current set up for the vast majority. But if you look back at my original post in this thread I highlighted what the potential risks are for users who send private and sensitive information to others, especially if they don't know the recipients personally.

eg....tech/a decided a couple of weeks ago for some reason to voluntarily PM me his name. Now if someone other than me, who tech/a would probably not want to know his real name, read that PM after I had clicked the 'X' then he has only himself to blame....and hence the risk of the current setup.

But I am sure tech/a was smart enough to be aware of the risks before he chose to send me his name.

So as I said earlier, one downside for the convenience of not having to log on repeatedly means that private information is then potentially more easily accessible by people other than the intended recipient.

Anyway, as I said in an earlier post it's easier for me to continue using the 'X' and that is what I will be continuing to do :)

cheers

bullmarket :)
 
Bullmarket

Joe has suggested what appears to be an entirely satisfactory solution to your concerns. Can't you just accept that and stop going on about something which seems to concern no one else?

Sorry, bull, but you just go on, and on, and on, and on and.......

With kindest regards

Julia
 
Hi bullmarket,

It may help to understand a little about how web browser-based communication works.

The main point, at least for this discussion, is that there is not really any lasting "connection" between the web browser on your computer, and the web server with which you are communicating. When you type in a URL, or click on a hyperlink, your browser sends out a "request for information" which, through a process of magic, eventually ends up at the appropriate web server. The web server then issues its response, which magically finds its way back to your computer, and your browser displays the information. At this point, your browser has "forgotten" everything it knew about the web server, and likewise, the web server has "forgotten" about you and your browser. There is no ongoing "connection" maintained between the two. This is how the world wide web was designed to work.

In the early days of the web, this in itself was amazing enough. But pretty soon, people started wanting more of an interactive experience with web servers, they wanted web servers to "remember" them from one request to the next, and so on. So the web people started adding features, such as "cookies", to give the appearance of continuity to web sessions. Cookies, for example, are small pieces of information which are passed back and forth between a browser and a web server. By carefully managing the information in a cookie, and by adding extra "smarts" to the web server, the web server can use a cookie's information to recognize that a particular request is coming from a user that they have seen before, and can then respond appropriately. This allows more interaction to take place between the browser and the web server, and eventually led to the development of forums such as this, along with shopping sites, and so on. The important point, though, is that this mechanism only gives the appearance of there being some kind of "connection" between the two sides; in fact, there is none. The "connection" is actually a mirage managed by carefully programmed software and information exchange behind the scenes.

Now, when you click the "X" to shut down your browser, you simply close the browser. Since there is no "connection" to the web server, shutting down your web browser has no effect on the web server. It, therefore, has NO WAY OF KNOWING whether you have shut the browser, turned off your computer, or if you're still reading the last page it sent, or if you're typing a response to a message, or whatever. The only way the web server can know that you have finished, is if you send it a message telling it so. And the only way of doing that (on this forum) is by clicking on the "Log Out" link.

Does this make it a bit clearer why things work the way they do?

Cheers, Staybaker. :)
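
The behaviour described in this thread (a 30-minute idle cutoff, automatic login from a remembered cookie, and 'Log Out' as the only explicit end-of-session message) can be modelled in a few lines. This is an added example, not part of the original posts and not the forum software's own code; the `Forum` class, its method names, and the token format are assumptions made for illustration.

```python
import secrets

IDLE_TIMEOUT = 30 * 60  # seconds: the 30-minute cutoff discussed in the thread

class Forum:
    """Constructed model of forum session handling; not the forum's real code."""
    def __init__(self):
        self.sessions = {}  # session id -> [user, time of last interaction]
        self.remember = {}  # persistent "remember me" token -> user

    def login(self, user, now, remember_me=True):
        sid = secrets.token_hex(16)  # session cookie: dropped when the browser closes
        self.sessions[sid] = [user, now]
        token = None
        if remember_me:
            token = secrets.token_hex(16)  # persistent cookie: survives the 'X'
            self.remember[token] = user
        return sid, token

    def request(self, now, sid=None, token=None):
        """Handle one page request; return (user, sid), or (None, None) for a guest."""
        self._expire(now)
        if sid in self.sessions:
            self.sessions[sid][1] = now  # any interaction restarts the idle clock
            return self.sessions[sid][0], sid
        if token in self.remember:  # no live session, but the cookie is still valid
            user = self.remember[token]
            return user, self.login(user, now, remember_me=False)[0]  # automatic login
        return None, None

    def logout(self, sid, token):
        # The only message that tells the server the user has finished.
        self.sessions.pop(sid, None)
        self.remember.pop(token, None)

    def online(self, now):
        self._expire(now)
        return sorted({user for user, _ in self.sessions.values()})

    def _expire(self, now):
        stale = [s for s, (_, last) in self.sessions.items() if now - last >= IDLE_TIMEOUT]
        for sid in stale:
            del self.sessions[sid]

def demo():
    forum, minute = Forum(), 60
    sid, token = forum.login("bullmarket", now=0)
    # Browser 'X' at 1 minute: no request is sent, so server state is unchanged.
    after_close = forum.online(now=1 * minute)
    after_timeout = forum.online(now=31 * minute)
    # Hours later the browser presents only the persistent cookie.
    user, new_sid = forum.request(now=171 * minute, token=token)
    forum.logout(new_sid, token)
    after_logout = forum.request(now=172 * minute, sid=new_sid, token=token)
    return after_close, after_timeout, user, after_logout
```

In this model the idle timeout only removes the entry from the online list; the persistent token is what lets anyone using the same browser profile back in, and only `logout` revokes it on the server side.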
 
Hi staybaker

Thanks for the info :)

I'm not an IT expert by any means but I thought the 'mechanics' was along the lines you described.

But the point I was making is that regardless of whether the 'connection' is real or virtual the undeniable fact is that if someone clicks their browser 'X' to end an ASF session then there is always the possibility that someone else could come along and restart that session and do what they like within it....ie...read personal PM's, post messages or whatever.

I accept that the convenience of not having to repeatedly log on far outweighs the disadvantage of potentially less security for the vast majority but I am sure that when I made my original post there were some in here that did not realise that when they click the browser 'X' it doesn't necessarily prevent other potentially mischievous users from accessing their ASF account.

I am assuming that tech/a was smart enough to be aware that when he PM'd me his name he knew that he had no control whatsoever on who read that PM but I'm sure there are some users who are not as computer savvy/literate and so might not have been aware of the potential dangers before my original post in this thread.

Anyway, I think I have made my point by highlighting the potential dangers and I for one cannot and do not guarantee that any info that is PM'd to bullmarket will not be read by someone the sender of the PM would prefer not to.

If Joe doesn't want to change the site's settings to eliminate this potential risk then that is fine by me, but since other reputable sites do log me off immediately when I click the browser 'X' I will continue to use the 'X' as it is much quicker and easier for me.

cheers

bullmarket :)
 
Depending on which browser you use bullmarket, you can change settings so that when you close your browser the cookie ASF uses will be discarded. You'll have to login again every time but that's up to you.
 
Hi Yezzy

thanks for the suggestion :) but I'm not going to tinker with my browser settings as it then might affect other non ASF cookies.

But please don't get me wrong - I don't have any problem with the current set up on the ASF site as I see sending personal information in PM's as a big no-no.

I just wanted to highlight to others, especially those that are not computer savvy, that might be tempted to PM private/sensitive information of the potential dangers on the ASF site.

I'm quite happy to continue using my browser 'X' as I always do and if someone else uses this account or reads any PM's sent to this account then I personally have no problem with that at all as it's of no consequence to me, but others might once they are aware of the potential dangers.........I guess it's each to their own :)

cheers

bullmarket :)
 
To be really safe, we should not use internet and this would be 100% safe and secure solution.


I know ridiculous, but thread got to this stage already without me.
 
bullmarket said:
I'm quite happy to continue using my browser 'X' as I always do

Bullmarket I have to step in and clear the air on this issue a little. I can see by the way you navigate ASF that you do not 'always' click on the 'X' and shut down your browser window. Before you made your most recent post you had logged out of your account and were lurking on the forums as a guest. This is something you do quite frequently. I can tell by tracking your IP address.

So it seems that you are actually quite familiar with the process of manually logging out... why you don't do this all the time mystifies me if you are truly concerned about the integrity of your account... :)
 