11
HughG
Re: I read it but -
  • 2004/5/3 16:19

  • HughG

  • Not too shy to talk

  • Posts: 124

  • Since: 2003/2/21


Autologin works, but the point I was trying to convey in addition to the other itemes - is that the remember me/autologin in it's current state is a hack. A hack that you have to go in and do this/that etc to enable it. The forums are filled daily with some webmaster new to XOOPS asking how -> to be promptly shuffled off to the wiki.

If the current state is a security risk that prevents it from being enabled by default (I agree there should be a webmasters option to go in and disable it) vs going in and hacking core files everytime there's an update, then something needs attention - yes?

Avatars, yeah. I know - I've read prior posts of yours everytime this is brought up. Again, "option" i believe is the keyword here. As now, there is no option - except to watch the uploads directory grow - or tell users no avatars.... (we all know how fond Tom is of his - can you imagine telling him no ava?)

Just basic items - hoping they weren't lost in the shuffle.

12
DonXoop
Re: I read it but -

HughG, I agree that the autologin might as well be fully GUIfied since users and admins will insist having it more often than not. But it is a "grey area hack", the code is all there and fairly simple to do if one is determined. I still say a big no to making it on by default for a new install.

Avatars, I don't want to belabour the point and don't mean to harp on it. But isn't it really easy to have users download their favourite avatar and upload to xoops? It is the same thing in the end and for me much preferred. A smarter directory structure for this is needed for large sites but there are other tricks that also work.

Cblue, I'm guessing that there is some little thing you missed. I know you have a bigger clue than a first timer but I'll bet it is one of those tiny things that got missed. There, I just made Hugh's argument to make autologin fully implemented in the GUI. (just not on by default)

13
Dave_L
Re: I read it but -
  • 2004/5/5 10:42

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


I agree that the autologin feature should be available as an option without having to hack it in, but that by default it should be disabled.

CBlue: I installed autologin following the instructions in the Wiki (I didn't unload any files), and have no problems with it. That was before the recent update to remove a security vulnerablility. The only flaw in the instructions was that for one file you were told to look for the wrong string ("autologin" instead of "rememberme"), but I edited the Wiki to correct that. Did you increase the "Session expiration" value in General Settings? Maybe the Wiki should clarify that's the cookie expiration value.

14
HughG
Re: I read it but -
  • 2004/5/29 11:00

  • HughG

  • Not too shy to talk

  • Posts: 124

  • Since: 2003/2/21


Let's add the Firewall issue to the this list. Another basic asked about / seen frequently request.


15
HughG
Re: I read it but -
  • 2004/5/29 23:33

  • HughG

  • Not too shy to talk

  • Posts: 124

  • Since: 2003/2/21


And.......

Page titles!

16
m0nty
Re: I read it but -
  • 2004/5/30 1:19

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


hmmm autologin is handy, but yes it is a security risk, and it's a security risk on any site/cms etc including yahoo or even msn..

simply the risk being in 1 case for example is emails, and users clicking links that are passed to them.. click a link which then takes u to a site or whatever, it then steals your cookie data.. hence then the person who retrieves the cookie data can impersonate you because the cms will think they r you!!

while not as bigger a risk for members, but i would seriously disable the feature completely for any1 who has any kind of admin rights..

believe me cookie stealing is very easy to do.. and is also a very common method used..


with regards to the firewall issue!! it does need some addressing, but i wouldn't want XOOPS to dispense on security simply because users don't read the instructions and notes in their firewalls..

ie. it states clearly in zonealarm that blocking http referrer checks will stop certain sites from being accessed.. MSN has this check and they don't remove the feature!!

but implementing an error check into the code to detect whether a user is blocking http refers and then displaying the relevant message would be a good idea.. i would prefer to see this than lose the http referrer part which will make XOOPS less secure in other ways.. especially from cross site scripting..


URL rewriting, this ought to be addressed too, especially for those users who can't use .htaccess or mod_rewrite functions.. altho not a major problem, just a nice feature..

17
HughG
Re: I read it but -
  • 2004/5/30 4:27

  • HughG

  • Not too shy to talk

  • Posts: 124

  • Since: 2003/2/21


Again, the items brought up are basic items found that seem to be either forgotten or is for some reason alien to xoops. More and more I'm finding myself longing for those aggressive get results days of onokazu.

Nothing special the peeps and webmasters are asking for, just common sense should of but somehow wasn't...

Autologin -
Inbox Size - (btw, how do you turn notifications off for forums?)
Forums - mark all read, easy way to see new posts, etc.,
Page Titles -

Firewall Issue - Granted peeps should be able to configure their firewalls, but if they did, would their be a need for ZAPro or Norton to be the way it is? We can be "right" all day long but if it keeps peeps out of the site - ?? Getting a peep to make the move to "sign up" is a feat in itself, make him/her jump through hoops to do it.... forget about it. How many times have we seen webmasters bitch'n because they had to sign up on a site to get a module?? A displayed message with walkthrough would be a step in the right direction - better than what there is now...

MOD Rewrite - Another plus to add. I really don't have trouble with the SE's crawling my site, but I do look at the logs and see when they get "confused" and make adjustments to point them back in the right direction... if it's something I want on Google the next day. I played around with the shorturl hack on my test box and it's no way I would put on a production site - too flaky (IMO). If Simple Page titles were provided (instead of "NEWS" or "SECTIONS" or "XCGALLERY" or "FORUM" for example)- everyone's SE ranks would go up. It would be nice to have that option tho, going through 500+MB a day logs to accomplish the same thing gets to be a pain.

Less things to shove the newcomers off to the wiki - or to the competition...

18
HughG
Re: I read it but -
  • 2004/6/3 7:07

  • HughG

  • Not too shy to talk

  • Posts: 124

  • Since: 2003/2/21


Adding to the Inbox requests -

When a user is removed/deleted, how about his PM's going too? I just removed a user and had to go in and manually remove all his PM's and Notifications.

19
Mithrandir
Re: I read it but -

That one is a clear inconvenience. Put it on the bug tracker and I will look into it.

Login

Who's Online

402 user(s) are online (302 user(s) are browsing Support Forums)


Members: 0


Guests: 402


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits