SmartFAQ is developed by The SmartFactory (http://www.smartfactory.ca), a division of InBox Solutions (http://www.inboxsolutions.net)

How safe is autologin + email hack?
Requested and Answered by Sudhaker on 2005/3/4 21:10:54 (15933 reads)
Myths about autologin + email hack

Myth 1: It increases server and database load heavily because the garbage collector will not be doing clean-up. I can't afford it because my concurrent user count is huge.

Fact: It will not increase the load significantly. The query to the xoops_session table will return a few extra bytes and the 'Who's online' block will list more uname(s). That's it. Xoops always creates a record for any new session (no matter whether the session is anonymous or a member's), so the query count stays the same. And we see more realistic information in the 'Who's online' block, and members can browse without interruption. I'm sick of seeing 'no permission' as my session expires while typing a response (maybe I should type faster – hehe).

Myth 2: Oooo, is it safe? We can't compromise on security B-).

Fact: It is far safer than storing the username/password in the browser. Yes, it is a little less safe than normal operation, but in the end it is exactly the same logic that cookie-based session persistence has. The only difference is – the server can release its resources as usual, but you get the impression of an extended session via the saved cookie. It will be transparent to the end user, as the server will create a new session without asking for credentials again.

Assuming the possibility of session hijacking: without this hack you are vulnerable during your current session only, but with this hack that window is extended until the auto-login expires. Big vendors like gMail (2 weeks) and Yahoo Mail (24 hours) also use a similar mechanism with similar risks.

Myth 3: Cookies are saved on the user's computer. We lose control.

Fact: The site admin can invalidate all (or some) saved auto-logins: clear the actkey column in the xoops_users table, done. Those saved cookies are trash now.

Myth 4: You guys are great, doing awesome things.

Fact: The actual credit should go to the Xoops team and GIJOE; they have done great work. We are just tweaking the application to satisfy our personal urge and need. Sometimes hacks are worth sharing with the community, so we came aboard.

I wish I could get more free time and opportunity to contribute more.

You can get it here: http://xoops.biz/dist/

and read more at https://xoops.org/modules/newbb/viewto ... t&topic_id=29338&forum=14


---

I'll not advocate this hack for any critical site dealing with big $$$. But not many of us have critical sites, so IMHO this hack is a MUST HAVE for most people.

I also request the Xoops core team to consider merging this into the main distribution. Ideally, a site parameter (an entry in the xoops_config table or in mainfile.php) could be used to enable and disable the feature and its parameters.

Cheers,


  • Not too shy to talk

 Dedicated page for auto-login

Tune to

http://xoops.biz/x7/modules/myhacks/index.php?id=2

Thanks,

 
  • Not too shy to talk

 Re: Dedicated page for auto-login

Autologin Hack for Xoops-2.0.10 is Ready.
Please check

Page: http://xoops.biz/x7/modules/myhacks/index.php?id=2

Download: http://xoops.biz/x7/modules/mydownloads/

Thanks,

 
  • Home away from home

 Re: Dedicated page for auto-login

Thanks, sudhaker, for keeping us informed of these updates.

 
  • Just popping in

 Re: Dedicated page for auto-login

No downloads are listed there, and the site looks like it's fallen to pieces. Have I chosen a bad time?

 
  • Friend of XOOPS

 Re: Dedicated page for auto-login

http://xoops.biz/x7/modules/mydownloads/

 
  • Just popping in

 Re: Dedicated page for auto-login

Well, xoops.biz is just an Apache server directory listing, with the parent folder and cgi-bin as the only available content. Going by the last-modified date on cgi-bin, it appears that Feb. 28, 2006 was the last date of site functionality. Is this a temporary situation, or does major work need to be done here to get this back online?

By the way, I'm trying to determine if I can create a URL shortcut that will allow an automatic login with the credentials provided in the URL, i.e. something like:
http://www.site.com/user.php?xoops_redirect=/index.php?uname=user*&pass=user*pw

This is for testing purposes, to be able to quickly check site functionality per user group/level etc., and maybe later as an included distro method for tracking usage and various other possibilities, using some kind of secure encrypted redirect topology for creating user accounts automatically, or who knows what else yet. I've been looking throughout the forums but, well, it's been slow going, and to the best of my knowledge XOOPS's validation method defies this approach without turning some default function off, which of course alters the security of the site to something less than desirable.

Any thoughts or working links to find out more on this would be greatly appreciated.