xoops forums

Methis

Just popping in
Posted on: 2005/7/20 9:00
Methis
Methis (Show more)
Just popping in
Posts: 52
Since: 2005/6/25
#1

What do you think about new login in Xoops 2.2

Since next version XOOPS will implement a new type of rgistration form and login including both a "username" (used for login) and a "displayname" (showed to community).

Who agree says:
"We think this is an important feature for two reasons:
1. security - if the name being displayed is different from your loginname, no one can hack into your account by guessing your password, because he would also have to guess your loginname
2. usability - choose a simple loginname and have a smooth looking display name"


Who disagree says:
"This solution is against usability bucause lots of people, that are accustomed to use just username and password, could not understand what registration form mean and could do lots of error in login or just confuse between username and displaynam if they choose them different.
If you speak about usability you should consider to implement autologin not as a separate hack but in the core or at least like an option that a webmaster can choose.
If you speak about security our advice is to use SSL in XOOPS if you have very very important user's data to protect. But in a tipical Xoops' site this feature is a paranoic exaggeration in security to protect nothing more than an email address"


Please express your opinion about it

wizanda

Home away from home
Posted on: 2005/7/20 9:26
wizanda
wizanda (Show more)
Home away from home
Posts: 1583
Since: 2004/3/21
#2

Re: What do you think about new login in Xoops 2.2

I agree, this is not a good change and should be an option.

Some of my modules use your real name as a display name.

Which is brill when it come to my poetry, ect.

Yet my real name is Zanda Dibbo-Pajaczkowski, so now with the new changes this appers all over the site Ie forum, comments, ect

This is also awkward for large sites, who have had many visitors Ie Xoops.org

What happens when some of their users, don`t use the system anymore?
so now, where they have posted, instead appers a blank, unless you send out emails to them, telling them to add their real names??

What happens if they asked not to recieve emails, are you not breaking your own agreement with them?

Mithrandir

XOOPS is my life!
Posted on: 2005/7/20 9:31
Mithrandir
Mithrandir (Show more)
XOOPS is my life!
Posts: 6320
Since: 2003/6/21
#3

Re: What do you think about new login in Xoops 2.2

Before you call it paranoic and exaggarated, let me tell you a little story:

A site running with XOOPS 2.0.10 and autologin hack is hacked. How? Because of a hacker being able to construct a cookie that resembles the autologin cookie of an administrator. How did he do that? He used the password hash of the administrator, which he got from the database through an SQL injection hole in the XML-RPC interface. How did he get the password hash? He knew the username of the administrator.

So what is the solution to making sure this doesn't happen again? We first closed the hole in the XML-RPC interface, but is that enough? I don't think so. If another hole appears somewhere else in the core or in a module, we have the whole problem once again.

Usually, security problems in XOOPS have been fixed before they got serious, but this time XOOPS sites got HACKED!
I don't know about you, but XOOPS sites getting hacked is serious business for me - and whatever I can do to ensure that XOOPS sites are difficult to hack, I will do. You may think that the web equivalent of putting a blanket over your head is adequate - but I don't.

Instead of protesting against this change, you should rather focus your efforts on how it should be communicated so that your users will understand it. Help texts, explanations etc.

Quote:
to protect nothing more than an email address

All content on your site, all forum threads in your forums, deletion of all users on your site is NOT "nothing more than an email address". Just think about all the things you can do on your website - and think about the what-ifs of someone else gaining that access.
"When you can flatten entire cities at a whim, a tendency towards quiet reflection and seeing-things-from-the-other-fellow's-point-of-view is seldom necessary."

Cusix Software

Pnooka

Just popping in
Posted on: 2005/7/20 9:33
Pnooka
Pnooka (Show more)
Just popping in
Posts: 68
Since: 2004/7/16
#4

Re: What do you think about new login in Xoops 2.2

Right, of course it's a nice security feature. It's also easy enough to weed out this, if you really don't need it. But it would be nice is this was made optional instead. I also think that the LDAP auth should be made optional already in the install phase, because not all of the XOOPS users use this feature anyway.
P.S. This is only my personal thoughts about this.

Mithrandir

XOOPS is my life!
Posted on: 2005/7/20 9:36
Mithrandir
Mithrandir (Show more)
XOOPS is my life!
Posts: 6320
Since: 2003/6/21
#5

Re: What do you think about new login in Xoops 2.2

Quote:
so now, where they have posted, instead appers a blank, unless you send out emails to them, telling them to add their real names??

As I said yesterday, we are changing it, so there are
1) Login name - used for login purposes ONLY
2) Username/displayname - used for displaying the user's name, when upgrading to XOOPS 2.2RC2, your users will get the same login name as username
3) Real Name - not used in the core, but can be used elsewhere
"When you can flatten entire cities at a whim, a tendency towards quiet reflection and seeing-things-from-the-other-fellow's-point-of-view is seldom necessary."

Cusix Software

Pnooka

Just popping in
Posted on: 2005/7/20 9:39
Pnooka
Pnooka (Show more)
Just popping in
Posts: 68
Since: 2004/7/16
#6

Re: What do you think about new login in Xoops 2.2

This works fine for me. After all, if i don't need a feature, i can hack it out. But so far, all tests works just fine for me.

Methis

Just popping in
Posted on: 2005/7/20 9:44
Methis
Methis (Show more)
Just popping in
Posts: 52
Since: 2005/6/25
#7

Re: What do you think about new login in Xoops 2.2

Mine is just an opinion and not a protest...I'm sorry if you mean it wrong.
First of all, before your post, I wrongly considered this feature only from an usability and user's poit of view....and for this I'm sorry.
Then I appreciate your efforts toward security of XOOPS but you should consider to implement this important feauture as optional or (I don't know if it's possible) at least limited to webmaster's login that's the most important account to protect, or, still, permit to choose what groups must use this surest feature and what not.

Obviosly it's just my opnion, and I add, it's a newbie's opnion!

davidl2

XOOPS is my life!
Posted on: 2005/7/20 9:49
davidl2
davidl2 (Show more)
XOOPS is my life!
Posts: 4843
Since: 2003/5/26
#8

Re: What do you think about new login in Xoops 2.2

Very sensible reasons Mith - I'm sure we webmasters can explain it to most people...

LazyBadger

Home away from home
Posted on: 2005/7/20 10:34
LazyBadger
LazyBadger (Show more)
Home away from home
Posts: 1187
Since: 2004/6/7 9
#9

Re: What do you think about new login in Xoops 2.2

Quote:

Methis wrote:

Who agree says:
...
Who disagree says:

Can I vote for intermediate opinion

1. security - if the name being displayed is different from your loginname, it's harder for easy hack your account by guessing your password, because he would also have to guess your loginname

But

"This solution is against usability bucause lots of people, that are accustomed to use just username and password, could not understand what registration form mean and could do lots of error in login or just confuse between username and displaynam if they choose them different.

and

if we have unique uname and it allow fast idenifcation of author, show only Real Name is against usability - I had 2 Alexanders per only 7 users, and must research EVERY TIME - "Who is who"

Display username also stupid "security"-measure - nobody from viewed by me a lot of XOOPS sites uses SSL-login, with pure http get username and password is a task of easy traffic-sniffing
Quis custodiet ipsos custodes?

Webmaster of
XOOPS2.RU
XOOPS Modules Proving Ground
XOOPS Themes Exhibition

Peekay

XOOPS is my life!
Posted on: 2005/7/20 10:48
Peekay
Peekay (Show more)
XOOPS is my life!
Posts: 2335
Since: 2004/11/20
#10

Re: What do you think about new login in Xoops 2.2

Quote:
How did he get the password hash? He knew the username of the administrator.

Have to agree with that. Once hackers have the username they are half way there. However, does XOOPS 2.2 check for duplicate display names?
A thread is for life. Not just for Christmas.