6502.org Forum  Projects  Code  Documents  Tools  Forum
It is currently Fri Nov 22, 2024 10:05 pm

All times are UTC




Post new topic Reply to topic  [ 45 posts ]  Go to page Previous  1, 2, 3
Author Message
PostPosted: Wed Sep 13, 2023 4:59 pm 
Offline
User avatar

Joined: Fri Aug 03, 2018 8:52 am
Posts: 746
Location: Germany
Broti wrote:
The worst part of using this (or any) forum on mobile is that damn autocorrection.
It always tries to "correct" my English texts to German. :D


you know you can just have multiple languages for your phone keyboard....
on my S8 for example i got both English and German options and i can switch between then by swiping the spacebar left/right.
that fixes autocorrect from trying to correct words for the wrong language.


Top
 Profile  
Reply with quote  
PostPosted: Thu Sep 14, 2023 1:09 am 
Offline
User avatar

Joined: Thu May 28, 2009 9:46 pm
Posts: 8507
Location: Midwestern USA
akohlbecker wrote:
One super annoying thing, though, is I keep getting logged out, presumably as I move across cell towers and my IP changes?

That is mostly likely the case.

By way of explanation, since HTTP is a stateless protocol, the PHP backend that drives the forum sets up a “session” to maintain state as you move about the site.  In the case of 6502.org, PHP does that by storing data about your session in a temporary file on the server and by creating a browser cookie to identify that session file.  For example, as I reply to your post, my session cookie is named forum_6502_sid_sid and when read, returns 898ece2d8c9d0e298414012f3f81aa4f, which is the session ID.  The session ID is used to form the name of the server file in which my session state is being maintained, e.g., sess_898ece2d8c9d0e298414012f3f81aa4f.

When you log out of the forum by selecting that function on any page, the temporary file on the server will be deleted and your browser will be instructed to destroy the session cookie (merely closing the browser may destroy the cookie, but doing so won’t erase the session file).  The design of the forum software likely stores your log-in IP address into the session file to minimize repeated DNS queries, which implies that it is assumed your IP address will be static for the duration of your log-in session.

As you move page-to-page on 6502.org, different PHP scripts will be loaded and executed on the server.  Within each PHP script, your session file will be read and loaded into variables that are local to that script.  Since your IP address from log-in is one of those variables, there is likely code that compares the IP address read from the session file to the IP address from which your browser sent its most recent GET request, which is one of several measures used to improve security.  If the IP addresses don’t match, the forum will think your browser is a different client than the one that logged in and your session will effectively “disappear.”  The only way to re-establish connectivity would be to start a new session with your new IP address, which means a new log-in.

By the way, a loss of connectivity for any reason that forces you to log in again may leave an orphaned session file on the 6502.org forum server.  If enough orphaned session files collect on a busy server, storage consumption can become an issue.

I have been able to replicate the session-breaking effects of my browser IP address changing by changing my workstation’s default gateway from one of my office servers to the other, each server routing traffic to the Internet via a different IP address.  Once logged in, if I switch gateways, 6502.org will think I’m not logged in when I go to a different page, which means my session is “lost.”  If I then switch back to the gateway through which I had logged in, my session will “re-appear.”

I believe this problem is correctable by using PHP5 or later, along with a newer version of the PHP BB software, which will update the IP address associated with a session with each browser GET request.  That is speculation on my part, since I have not had an occasion to examine the innards of PHP BB.  However, another forum on which I am subscribed, which runs on a more recent version of PHP BB, doesn’t have a problem with IP addresses changing mid-session, which I determined with the same gateway-switching test.

Disclaimer: while I have done quite a lot of work with PHP, I don’t consider myself anything more than of intermediate skill at this time.

_________________
x86?  We ain't got no x86.  We don't NEED no stinking x86!


Top
 Profile  
Reply with quote  
PostPosted: Thu Sep 14, 2023 1:17 am 
Offline
User avatar

Joined: Thu May 28, 2009 9:46 pm
Posts: 8507
Location: Midwestern USA
Broti wrote:
The worst part of using this (or any) forum on mobile is that damn autocorrection.
It always tries to "correct" my English texts to German. :D

...and if you go to the UK, it will probably “correct” your German words to English.  :D

_________________
x86?  We ain't got no x86.  We don't NEED no stinking x86!


Top
 Profile  
Reply with quote  
PostPosted: Thu Sep 14, 2023 2:46 am 
Offline

Joined: Sun Sep 03, 2023 3:40 pm
Posts: 33
BigDumbDinosaur wrote:
I believe this problem is correctable by using PHP5 or later, along with a newer version of the PHP BB software, which will update the IP address associated with a session with each browser GET request.  That is speculation on my part, since I have not had an occasion to examine the innards of PHP BB.  However, another forum on which I am subscribed, which runs on a more recent version of PHP BB, doesn’t have a problem with IP addresses changing mid-session, which I determined with the same gateway-switching test.


The described behavior could easily be intentional code intended to prevent session hijacking. Session cookies are pretty often effectively the same as login credentials.


Top
 Profile  
Reply with quote  
PostPosted: Thu Sep 14, 2023 4:38 am 
Offline
User avatar

Joined: Thu May 28, 2009 9:46 pm
Posts: 8507
Location: Midwestern USA
anomie wrote:
BigDumbDinosaur wrote:
I believe this problem is correctable by using PHP5 or later, along with a newer version of the PHP BB software...

The described behavior could easily be intentional code intended to prevent session hijacking.

Possibly...I did say it is a means of improving security.

Quote:
Session cookies are pretty often effectively the same as login credentials.

Unless the programmer overrides PHP’s default behavior when a session_start() instruction is executed, the PHP session cookie will be named according to the value assigned to the session.name constant in the php.ini file read by the PHP Zend engine at startup.  On this site, the session cookie is named forum_6502_sid_sid and is assigned a session ID that is internally generated by random means.  There is no direct relationship between the session ID, the session cookie’s name and the user’s credentials.

A different cookie, forum_6502_sid_u, contains the logged-in user’s forum ID, which is a plain-text number.

_________________
x86?  We ain't got no x86.  We don't NEED no stinking x86!


Top
 Profile  
Reply with quote  
PostPosted: Thu Sep 14, 2023 4:46 am 
Offline

Joined: Sun Sep 03, 2023 3:40 pm
Posts: 33
BigDumbDinosaur wrote:


Quote:
Session cookies are pretty often effectively the same as login credentials.

Unless the programmer overrides PHP’s default behavior when a session_start() instruction is executed, the PHP session cookie will be named according to the value assigned to the session.name constant in the php.ini file read by the PHP Zend engine at startup.  On this site, the session cookie is named forum_6502_sid_sid and is assigned a session ID that is internally generated by random means.  There is no relationship between the session ID, the session cookie’s name and the user’s credentials.


It’s not about there being a relationship between the cookie and the credentials.

It’s about whether or not the system treats the session cookie as meaning that you are that logged in user. Which is why I said “effectively” and “pretty often”.

This forum specifically may or may not do this. But give googling “Session hijacking” or perhaps “PHP Session hijacking” a whirl and see what you find.

Edit: pedantically, when session hijacking is possible, there is a relationship between the credentials and the cookie - but that relationship is ‘the server treats the cookie as proof that the provider of the cookie authenticated’ and not any relationship between the credential data and the cookie data.


Last edited by anomie on Thu Sep 14, 2023 4:54 am, edited 1 time in total.

Top
 Profile  
Reply with quote  
PostPosted: Thu Sep 14, 2023 4:53 am 
Offline

Joined: Mon Jan 19, 2004 12:49 pm
Posts: 984
Location: Potsdam, DE
BigDumbDinosaur wrote:
Broti wrote:
The worst part of using this (or any) forum on mobile is that damn autocorrection.
It always tries to "correct" my English texts to German. :D

...and if you go to the UK, it will probably “correct” your German words to English.  :D


I use Duolingo to try and learn German. The keyboard autocorrect is by now completely confused about whether I'm trying to type English or German (and apparently votes words in by popularity: it's a bit pot luck whether it will allow e.g. 'meiner' to stay as typed without correcting it apparently randomly to mein, meine, meines, or meinen... keeps me on my toes, I suppose.

(As an aside: Duolingo does not use English as claimed. It uses American; it requires you to have an at least superficial knowledge of US usage and cultural knowledge which, judging by the complaints when Duolingo still had discussion fora, are by no means common in the UK. So 'translate this sentence to English' means 'translate it to English, and then to US English', and the same in reverse: some of the purported translations are simply not English at all.)

Neil


Top
 Profile  
Reply with quote  
PostPosted: Thu Sep 14, 2023 5:36 am 
Offline
User avatar

Joined: Thu May 28, 2009 9:46 pm
Posts: 8507
Location: Midwestern USA
barnacle wrote:
BigDumbDinosaur wrote:
Broti wrote:
The worst part of using this (or any) forum on mobile is that damn autocorrection.
It always tries to "correct" my English texts to German. :D

...and if you go to the UK, it will probably “correct” your German words to English.  :D

I use Duolingo to try and learn German. The keyboard autocorrect is by now completely confused about whether I'm trying to type English or German (and apparently votes words in by popularity: it's a bit pot luck whether it will allow e.g. 'meiner' to stay as typed without correcting it apparently randomly to mein, meine, meines, or meinen... keeps me on my toes, I suppose.

Makes me wonder what autocorrect would do if you said you had chow mein with your dinner.  :?

Quote:
(As an aside: Duolingo does not use English as claimed. It uses American...)

You’d think the software developer would have provided an option to select American vs. British English.  I sometimes get confused by British English expressions, since they too are often related in some way to British culture.  Even more fun is when American colloquialisms get mixed in with British ones; the resulting mashup is sometimes as clear as mud.  :shock:

BTW, I have a friend who is a native German speaker, but whose immediate family emigrated to the USA when he was 10 years old, this was in the 1950s.  His parents continued to speak German at home, but also took English classes, and did develop some fluency.  My friend, of course, was immersed in English at school, at the playground, and so forth, and developed both fluency and a midwest USA accent.  The result is his fluency with German is weaker than with English.  This state of affairs gives rise to problems in communication with relatives in Germany, who while proficient in English, know the British version.  He once told me he almost feels like an American in Germany trying to communicate by reading from a phrase book, since he doesn’t know how to accurately translate many American phrases in intelligible German.

_________________
x86?  We ain't got no x86.  We don't NEED no stinking x86!


Top
 Profile  
Reply with quote  
PostPosted: Thu Sep 14, 2023 6:34 am 
Offline
User avatar

Joined: Thu May 28, 2009 9:46 pm
Posts: 8507
Location: Midwestern USA
anomie wrote:
It’s not about there being a relationship between the cookie and the credentials.

It’s about whether or not the system treats the session cookie as meaning that you are that logged in user. Which is why I said “effectively” and “pretty often”.

According to the PHP manual and the Programming PHP O’Reilly book, the only datum embedded in a PHP session cookie is the PHP session ID.  As a session can be started before a user has actually been authenticated, the presence of the session cookie in itself is not an indication that a user has logged in.

That said, I can agree with “effectively” in your statement if a session is started after log-in, user-identifiable data is encapsulated in the PHP $_SESSION[] global array associated with that session and each page visited by the user checks $_SESSION[] for the presence of that user-identifiable data.  That being the case, deleting the session cookie from the browser would be an effective log-out (but not a clean one), since the server side would no longer have a way to relate the user’s browser to the session that was started on his/her behalf.

_________________
x86?  We ain't got no x86.  We don't NEED no stinking x86!


Top
 Profile  
Reply with quote  
PostPosted: Thu Sep 14, 2023 1:45 pm 
Offline

Joined: Sun Sep 03, 2023 3:40 pm
Posts: 33
BigDumbDinosaur wrote:
According to the PHP manual and the Programming PHP O’Reilly book, the only datum embedded in a PHP session cookie is the PHP session ID.  As a session can be started before a user has actually been authenticated, the presence of the session cookie in itself is not an indication that a user has logged in.


I'm not saying the server has to always and forever treat the session cookie as proof you are a particular user, whenever the cookie is presented, as that is obviously not the case. I am saying that, if someone gets your logged-in session cookie, that can be as good as having your credentials for any system that is *ever* in a state where presenting the cookie will result in the server treating that request as coming from an authenticated user - for as long as that session cookie is valid.

It doesn't matter that there is a period where the server will have a session setup without authentication (although hijacking that cookie could well result in stealing that unauthenticated session) if what is being done is a hijack of an actually authenticated session.

BigDumbDinosaur wrote:
That said, I can agree with “effectively” in your statement if a session is started after log-in, user-identifiable data is encapsulated in the PHP $_SESSION[] global array associated with that session and each page visited by the user checks $_SESSION[] for the presence of that user-identifiable data.  That being the case, deleting the session cookie from the browser would be an effective log-out (but not a clean one), since the server side would no longer have a way to relate the user’s browser to the session that was started on his/her behalf.


It doesn't have to be each page - there only needs to be one. It also isn't PHP specific: plenty of CTF have solutions that require session hijacking against servers using various implementation languages; plenty of CVE have been issued for session hijacking in real products (web application languages like php, server software, even 'that network device over there in the rack with that web configuration ui').

There are, of course, various mitigations. Invalidate a session if the user-agent header changes - which is a fine preventative measure up until your attacker is stealing the cookie by capturing traffic; as that traffic will have the user-agent header in it. Just guessing the header can work too, if enough is known about the target to reasonably narrow down the range of possible values, and the attacker thinks it's worth it. If the server only allows https then the 'capture traffic' route is closed, of course.

Then there's the item that started this subthread: If the server invalidates the session as soon as it notices an IP address change, now the attacker is in a spot where even with the session cookie, they have to either be attacking from the client with that IP address, or in circumstances where they can arrange to spoof the IP address (which is certainly a higher bar).


Top
 Profile  
Reply with quote  
PostPosted: Sun Sep 17, 2023 8:24 pm 
Offline
Site Admin
User avatar

Joined: Fri Aug 30, 2002 1:08 am
Posts: 281
Location: Northern California
and3rson wrote:
I tried Tapatalk - 6502.org is not listed there, possible due to PHPBB2 being really old.

While it's true that this forum used to run on phpBB 2, it's been running on phpBB 3 since 2012.

_________________
- Mike Naberezny (mike@naberezny.com) http://6502.org


Top
 Profile  
Reply with quote  
PostPosted: Mon Sep 18, 2023 4:00 pm 
Offline
User avatar

Joined: Fri Feb 17, 2023 11:59 pm
Posts: 163
Location: Lviv, Ukraine
Mike Naberezny wrote:
While it's true that this forum used to run on phpBB 2, it's been running on phpBB 3 since 2012.


That's nice! I thought it's still at 2 because of all the icons.

Since phpBB 3 is much newer, I think there's much more third-party content for it, such as responsive themes.

If you could consider an option of installing an additional (more mobile-friendly) theme that can be selected as an alternative to default subsilver-ish style - that would solve problems for many people here for a long time.

_________________
/Andrew

deck65 - 6502 slab with screen and keyboard | ПК-88 - SBC based on KM1810VM88 (Ukrainian i8088 clone) | leo80 - simple Z80 SBC
nice65 - 6502 assembly linter | My parts, footprints & 3D models for KiCad/FreeCAD


Top
 Profile  
Reply with quote  
PostPosted: Mon Sep 18, 2023 5:40 pm 
Offline
Site Admin
User avatar

Joined: Fri Aug 30, 2002 1:08 am
Posts: 281
Location: Northern California
I've deleted a post above where a user complains about what they call "Americanisms". This forum has users from many cultures and countries, including the USA, and all users are expected to be respectful and tolerant.

_________________
- Mike Naberezny (mike@naberezny.com) http://6502.org


Top
 Profile  
Reply with quote  
PostPosted: Mon Sep 18, 2023 11:57 pm 
Offline
User avatar

Joined: Tue Oct 25, 2016 8:56 pm
Posts: 362
I appreciate that Mike has afforded me the luxury of anonymity in this matter, however I wish to publicly apologise for any upset or misunderstanding caused by that part of my post, the one which he deleted. I have given Mike a more detailed apology and explanation, but in summary it was meant to be a light-hearted reflection on a previous post, but self-evidently my intention was not borne out by my words. I shall try not to repeat the mistake.

_________________
Want to design a PCB for your project? I strongly recommend KiCad. Its free, its multiplatform, and its easy to learn!
Also, I maintain KiCad libraries of Retro Computing and Arduino components you might find useful.


Top
 Profile  
Reply with quote  
PostPosted: Tue Sep 19, 2023 3:53 pm 
Offline
User avatar

Joined: Sun Jun 30, 2013 10:26 pm
Posts: 1949
Location: Sacramento, CA, USA
Foot in mouth? I have fallen victim to that disease more often than I'd like to admit. Skins appear to be getting thinner and thinner these days, for better or for worse, making "light-hearted reflections" a difficult navigation task.

_________________
Got a kilobyte lying fallow in your 65xx's memory map? Sprinkle some VTL02C on it and see how it grows on you!

Mike B. (about me) (learning how to github)


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 45 posts ]  Go to page Previous  1, 2, 3

All times are UTC


Who is online

Users browsing this forum: No registered users and 17 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to: