xoops forums

birdseed

Just popping in
Posted on: 2005/7/20 21:30
birdseed
birdseed (Show more)
Just popping in
Posts: 59
Since: 2005/2/26
#31

Re: What do you think about new login in Xoops 2.2

Hi

As I am not happy about having to explain to my 15.000 User the difference between a username an a displayname, I will also have to do some ugly core hacks to deactivate this. So i would be VERY happy if this is made optional. And yes, i am willing to take the risk of a "not higher than before" security. ;)

greetings MK

Peekay

XOOPS is my life!
Posted on: 2005/7/20 22:16
Peekay
Peekay (Show more)
XOOPS is my life!
Posts: 2335
Since: 2004/11/20
#32

Re: What do you think about new login in Xoops 2.2

If an upgrade to a login name plus display name membership system is transparent to existing users, I can't see a problem.

For example, I currently log in as Peekay. Ideally, if Xoops.org upgraded to 2.2, I would expect nothing to change. My posts (in forum, news, comments, etc.) would still displayed as being from Peekay. This is because the upgrade would by default set my display name to the same as my login name.

When I then get a PM from admin saying I now have the option to change my 'display' name to something else - to protect my login name from being seen - I have the choice of doing so, or leaving things as they are.

Seems simple to me. If that's how it was intended to work.
A thread is for life. Not just for Christmas.

addicti1

Just popping in
Posted on: 2005/7/20 22:52
addicti1
addicti1 (Show more)
Just popping in
Posts: 40
Since: 2005/6/7 4
#33

Re: What do you think about new login in Xoops 2.2

Adrock - that's the answer I was looking for but I don't know how to do this. Can you help me?

addicti1

Just popping in
Posted on: 2005/7/21 15:03
addicti1
addicti1 (Show more)
Just popping in
Posts: 40
Since: 2005/6/7 4
#34

Re: What do you think about new login in Xoops 2.2

Mith wrote: With XOOPS 2.2 RC2, which we'll release tomorrow if all goes well, the Real Name attribute will be used like it is today, i.e. not really - except in some modules where you can toggle between username and real name.

Did all go well & do we get to see this version today?

SLEO577

Not too shy to talk
Posted on: 2005/7/22 16:54
SLEO577
SLEO577 (Show more)
Not too shy to talk
Posts: 110
Since: 2005/6/27
#35

Re: What do you think about new login in Xoops 2.2

I have to say I am "Extremely Happy" with the new Security measures making it harder for a hack to figure out both the username and display name.

Security has to be a top priority for any site, just get hacked once and you'll agree. The easiest way I found to notify potential clients about what "DisplayName" meant was to use the FAQ "Registration Requirements" in a block visible to my guest so they could understand the reason for the security and how to fill out the registration properly.

I have yet to have anyone fill out the registration improperly and I have had several comments about the "Nice" security measure making them feel more at ease.

I think the problem I am running into now is the "Select" and "Multi-select" option in the registration field. In version 2.2rc, it allowed only 4 options. In version 2.2rc2, this does not allow ANY option. So you cannot make a drop down "select" for members to select. You can't even get the "Default" fields like ICQ, YIM, ect to creat a "Select" drop down field.

I am hoping this was just a missed item and can be corrected in the stable version.

rebelus

Just popping in
Posted on: 2005/7/24 22:20
rebelus
rebelus (Show more)
Just popping in
Posts: 10
Since: 2002/7/1 1
#36

Re: What do you think about new login in Xoops 2.2

Quote:

Mithrandir wrote:
Before you call it paranoic and exaggarated, let me tell you a little story:

A site running with XOOPS 2.0.10 and autologin hack is hacked. How? Because of a hacker being able to construct a cookie that resembles the autologin cookie of an administrator. How did he do that? He used the password hash of the administrator, which he got from the database through an SQL injection hole in the XML-RPC interface. How did he get the password hash? He knew the username of the administrator.

So what is the solution to making sure this doesn't happen again? We first closed the hole in the XML-RPC interface, but is that enough? I don't think so. If another hole appears somewhere else in the core or in a module, we have the whole problem once again.
...


Sory but I disagree!

if somebody can read or write to sql because any reason, can find any user record; there is uid field used many times. It's not hard work to know any user's uid.

If you know uid, you can easyly locate this user's record in the db.

It's realy not necessary to know the user's login name.

Zarei

Just popping in
Posted on: 2005/8/2 14:18
Zarei
Zarei (Show more)
Just popping in
Posts: 13
Since: 2005/5/26
#37

Re: What do you think about new login in Xoops 2.2

My main problem with the system is the seperation of loginname from username. Since the standard is to register with a username and then use that same one to log in, this will confuse my users. Another thing is that the select user form still uses loginname or username to show users rather then the real name. Please switch back to a combo of username (requiered, unique) and real name(not required, not unique).

Methis

Just popping in
Posted on: 2005/8/10 11:55
Methis
Methis (Show more)
Just popping in
Posts: 52
Since: 2005/6/25
#38

Re: What do you think about new login in Xoops 2.2

Another thing I discovered just now is the following: admin can change only displayname and not login name...or at least I'm unable to change it

If I'm not wrong this choice is useless for existing sites and security because an admin (that's the only user that could appreciate this thing in terms of security) can't use this security "improvement".

But probably I'm wrong and there's a way to change my login name otherwise it would be a big big bug in my opinion.

Please tell me how can change my login name because if I change username in Edit account I've no effects.

Still...is it normal that a normal user can't change his Displayname? I think yes but it colud be the same error that dont't let me change my username

DMarvelus

Just popping in
Posted on: 2005/8/12 12:25
DMarvelus
DMarvelus (Show more)
Just popping in
Posts: 70
Since: 2005/1/29
#39

Re: What do you think about new login in Xoops 2.2

Quote:

Mithrandir wrote:
Quote:
does XOOPS 2.2 check for duplicate display names?

Yes


I'm really not too familiar with the new system, so I could be wrong, but i just wanted to mention this scenario:

New security threat:

Display name spoofing.

lets say Mithrandir (hypothetically) decides to change his display name. He just decides one day he wants to be called something else.

Then, some clever person out there decides to change their display name to Mithrandir... And on top of that, they send mail to different people saying: "Important bug fix! please download the new version of XOOPS here: http://mysite.com/xoops.zip" The user goes and downloads the "patch" only to find there is a trojan horse in the php code.

Some one could also change their name to a previously used name just to get personal information from some one else. For example, even just asking for email addresses, or how the date went last night or whatever.

I said that to say, there is a certain amount of trust that people give names. But, now that trust is no longer there because these names are somewhat interchangeable. You loose the ability to tell who is who with 100% probability. This provides a security hole in which a hacker doesn't really have to do anything clever or technical (unlike before), and you could have a much bigger problem.

Even if you did have a system where you kept track of past display names, so people could not use them anymore, you could run out the namespace quickly if people frequently changed names.

Herko

XOOPS is my life!
Posted on: 2005/8/12 12:55
Herko
Herko (Show more)
XOOPS is my life!
Posts: 4238
Since: 2002/2/4 1
#40

Re: What do you think about new login in Xoops 2.2

DMarvelus: that's not a new security thret. You could do the same right now if I changed my name and you changed yours (changing mine frees up the old one). The only way to stop this is to make names unique forever, or give admins reserved names.

So th ethreat isn't that big IMHO.

Herko