Mobile app for this forum?

Let's talk about anything related to the 6502 microprocessor.
Proxy
Posts: 746
Joined: 03 Aug 2018
Location: Germany

Re: Mobile app for this forum?

Post by Proxy »

Broti wrote:
The worst part of using this (or any) forum on mobile is that damn autocorrection.
It always tries to "correct" my English texts to German. :D

You know you can just have multiple languages for your phone keyboard...
On my S8, for example, I got both English and German options and I can switch between them by swiping the spacebar left/right.
That fixes autocorrect from trying to correct words for the wrong language.
BigDumbDinosaur
Posts: 9425
Joined: 28 May 2009
Location: Midwestern USA (JB Pritzker’s dystopia)

Re: Mobile app for this forum?

Post by BigDumbDinosaur »

akohlbecker wrote:
One super annoying thing, though, is I keep getting logged out, presumably as I move across cell towers and my IP changes?

That is most likely the case.

By way of explanation, since HTTP is a stateless protocol, the PHP backend that drives the forum sets up a “session” to maintain state as you move about the site.  In the case of 6502.org, PHP does that by storing data about your session in a temporary file on the server and by creating a browser cookie to identify that session file.  For example, as I reply to your post, my session cookie is named forum_6502_sid_sid and when read, returns 898ece2d8c9d0e298414012f3f81aa4f, which is the session ID.  The session ID is used to form the name of the server file in which my session state is being maintained, e.g., sess_898ece2d8c9d0e298414012f3f81aa4f.

When you log out of the forum by selecting that function on any page, the temporary file on the server will be deleted and your browser will be instructed to destroy the session cookie (merely closing the browser may destroy the cookie, but doing so won’t erase the session file).  The design of the forum software likely stores your log-in IP address into the session file to minimize repeated DNS queries, which implies that it is assumed your IP address will be static for the duration of your log-in session.

As you move page-to-page on 6502.org, different PHP scripts will be loaded and executed on the server.  Within each PHP script, your session file will be read and loaded into variables that are local to that script.  Since your IP address from log-in is one of those variables, there is likely code that compares the IP address read from the session file to the IP address from which your browser sent its most recent GET request, which is one of several measures used to improve security.  If the IP addresses don’t match, the forum will think your browser is a different client than the one that logged in and your session will effectively “disappear.”  The only way to re-establish connectivity would be to start a new session with your new IP address, which means a new log-in.

By the way, a loss of connectivity for any reason that forces you to log in again may leave an orphaned session file on the 6502.org forum server.  If enough orphaned session files collect on a busy server, storage consumption can become an issue.

I have been able to replicate the session-breaking effects of my browser IP address changing by changing my workstation’s default gateway from one of my office servers to the other, each server routing traffic to the Internet via a different IP address.  Once logged in, if I switch gateways, 6502.org will think I’m not logged in when I go to a different page, which means my session is “lost.”  If I then switch back to the gateway through which I had logged in, my session will “re-appear.”

I believe this problem is correctable by using PHP5 or later, along with a newer version of the PHP BB software, which will update the IP address associated with a session with each browser GET request.  That is speculation on my part, since I have not had an occasion to examine the innards of PHP BB.  However, another forum on which I am subscribed, which runs on a more recent version of PHP BB, doesn’t have a problem with IP addresses changing mid-session, which I determined with the same gateway-switching test.

Disclaimer: while I have done quite a lot of work with PHP, I don’t consider myself anything more than of intermediate skill at this time.
x86?  We ain't got no x86.  We don't NEED no stinking x86!
BigDumbDinosaur
Posts: 9425
Joined: 28 May 2009
Location: Midwestern USA (JB Pritzker’s dystopia)

Re: Mobile app for this forum?

Post by BigDumbDinosaur »

Broti wrote:
The worst part of using this (or any) forum on mobile is that damn autocorrection.
It always tries to "correct" my English texts to German. :D

...and if you go to the UK, it will probably “correct” your German words to English.  :D
x86?  We ain't got no x86.  We don't NEED no stinking x86!
anomie
Posts: 33
Joined: 03 Sep 2023

Re: Mobile app for this forum?

Post by anomie »

BigDumbDinosaur wrote:
I believe this problem is correctable by using PHP5 or later, along with a newer version of the PHP BB software, which will update the IP address associated with a session with each browser GET request.  That is speculation on my part, since I have not had an occasion to examine the innards of PHP BB.  However, another forum on which I am subscribed, which runs on a more recent version of PHP BB, doesn’t have a problem with IP addresses changing mid-session, which I determined with the same gateway-switching test.

The described behavior could easily be intentional code intended to prevent session hijacking. Session cookies are pretty often effectively the same as login credentials.
BigDumbDinosaur
Posts: 9425
Joined: 28 May 2009
Location: Midwestern USA (JB Pritzker’s dystopia)

Re: Mobile app for this forum?

Post by BigDumbDinosaur »

anomie wrote:
BigDumbDinosaur wrote:
I believe this problem is correctable by using PHP5 or later, along with a newer version of the PHP BB software...
The described behavior could easily be intentional code intended to prevent session hijacking.

Possibly...I did say it is a means of improving security.

Quote:
Session cookies are pretty often effectively the same as login credentials.

Unless the programmer overrides PHP’s default behavior when a session_start() instruction is executed, the PHP session cookie will be named according to the value assigned to the session.name constant in the php.ini file read by the PHP Zend engine at startup.  On this site, the session cookie is named forum_6502_sid_sid and is assigned a session ID that is internally generated by random means.  There is no direct relationship between the session ID, the session cookie’s name and the user’s credentials.

A different cookie, forum_6502_sid_u, contains the logged-in user’s forum ID, which is a plain-text number.
x86?  We ain't got no x86.  We don't NEED no stinking x86!
anomie
Posts: 33
Joined: 03 Sep 2023

Re: Mobile app for this forum?

Post by anomie »

BigDumbDinosaur wrote:
Quote:
Session cookies are pretty often effectively the same as login credentials.

Unless the programmer overrides PHP’s default behavior when a session_start() instruction is executed, the PHP session cookie will be named according to the value assigned to the session.name constant in the php.ini file read by the PHP Zend engine at startup.  On this site, the session cookie is named forum_6502_sid_sid and is assigned a session ID that is internally generated by random means.  There is no relationship between the session ID, the session cookie’s name and the user’s credentials.

It’s not about there being a relationship between the cookie and the credentials.

It’s about whether or not the system treats the session cookie as meaning that you are that logged in user. Which is why I said “effectively” and “pretty often”.

This forum specifically may or may not do this. But give googling “Session hijacking” or perhaps “PHP Session hijacking” a whirl and see what you find.

Edit: pedantically, when session hijacking is possible, there is a relationship between the credentials and the cookie - but that relationship is ‘the server treats the cookie as proof that the provider of the cookie authenticated’ and not any relationship between the credential data and the cookie data.
Last edited by anomie on Thu Sep 14, 2023 4:54 am, edited 1 time in total.
barnacle
Posts: 1831
Joined: 19 Jan 2004
Location: Potsdam, DE

Re: Mobile app for this forum?

Post by barnacle »

BigDumbDinosaur wrote:
Broti wrote:
The worst part of using this (or any) forum on mobile is that damn autocorrection.
It always tries to "correct" my English texts to German. :D

...and if you go to the UK, it will probably “correct” your German words to English.  :D

I use Duolingo to try and learn German. The keyboard autocorrect is by now completely confused about whether I'm trying to type English or German (and apparently votes words in by popularity: it's a bit pot luck whether it will allow e.g. 'meiner' to stay as typed without correcting it apparently randomly to mein, meine, meines, or meinen... keeps me on my toes, I suppose).

(As an aside: Duolingo does not use English as claimed. It uses American; it requires you to have an at least superficial knowledge of US usage and cultural knowledge which, judging by the complaints when Duolingo still had discussion fora, are by no means common in the UK. So 'translate this sentence to English' means 'translate it to English, and then to US English', and the same in reverse: some of the purported translations are simply not English at all.)

Neil
BigDumbDinosaur
Posts: 9425
Joined: 28 May 2009
Location: Midwestern USA (JB Pritzker’s dystopia)

Re: Mobile app for this forum?

Post by BigDumbDinosaur »

barnacle wrote:
BigDumbDinosaur wrote:
Broti wrote:
The worst part of using this (or any) forum on mobile is that damn autocorrection.
It always tries to "correct" my English texts to German. :D

...and if you go to the UK, it will probably “correct” your German words to English.  :D

I use Duolingo to try and learn German. The keyboard autocorrect is by now completely confused about whether I'm trying to type English or German (and apparently votes words in by popularity: it's a bit pot luck whether it will allow e.g. 'meiner' to stay as typed without correcting it apparently randomly to mein, meine, meines, or meinen... keeps me on my toes, I suppose).

Makes me wonder what autocorrect would do if you said you had chow mein with your dinner.  :?

Quote:
(As an aside: Duolingo does not use English as claimed. It uses American...)

You’d think the software developer would have provided an option to select American vs. British English.  I sometimes get confused by British English expressions, since they too are often related in some way to British culture.  Even more fun is when American colloquialisms get mixed in with British ones; the resulting mashup is sometimes as clear as mud.  :shock:

BTW, I have a friend who is a native German speaker, but whose immediate family emigrated to the USA when he was 10 years old; this was in the 1950s.  His parents continued to speak German at home, but also took English classes, and did develop some fluency.  My friend, of course, was immersed in English at school, at the playground, and so forth, and developed both fluency and a Midwest USA accent.  The result is his fluency with German is weaker than with English.  This state of affairs gives rise to problems in communication with relatives in Germany, who, while proficient in English, know the British version.  He once told me he almost feels like an American in Germany trying to communicate by reading from a phrase book, since he doesn’t know how to accurately translate many American phrases into intelligible German.
x86?  We ain't got no x86.  We don't NEED no stinking x86!
BigDumbDinosaur
Posts: 9425
Joined: 28 May 2009
Location: Midwestern USA (JB Pritzker’s dystopia)

Re: Mobile app for this forum?

Post by BigDumbDinosaur »

anomie wrote:
It’s not about there being a relationship between the cookie and the credentials.

It’s about whether or not the system treats the session cookie as meaning that you are that logged in user. Which is why I said “effectively” and “pretty often”.

According to the PHP manual and the Programming PHP O’Reilly book, the only datum embedded in a PHP session cookie is the PHP session ID.  As a session can be started before a user has actually been authenticated, the presence of the session cookie in itself is not an indication that a user has logged in.

That said, I can agree with “effectively” in your statement if a session is started after log-in, user-identifiable data is encapsulated in the PHP $_SESSION[] global array associated with that session and each page visited by the user checks $_SESSION[] for the presence of that user-identifiable data.  That being the case, deleting the session cookie from the browser would be an effective log-out (but not a clean one), since the server side would no longer have a way to relate the user’s browser to the session that was started on his/her behalf.
x86?  We ain't got no x86.  We don't NEED no stinking x86!
anomie
Posts: 33
Joined: 03 Sep 2023

Re: Mobile app for this forum?

Post by anomie »

BigDumbDinosaur wrote:
According to the PHP manual and the Programming PHP O’Reilly book, the only datum embedded in a PHP session cookie is the PHP session ID.  As a session can be started before a user has actually been authenticated, the presence of the session cookie in itself is not an indication that a user has logged in.

I'm not saying the server has to always and forever treat the session cookie as proof you are a particular user, whenever the cookie is presented, as that is obviously not the case. I am saying that, if someone gets your logged-in session cookie, that can be as good as having your credentials for any system that is *ever* in a state where presenting the cookie will result in the server treating that request as coming from an authenticated user - for as long as that session cookie is valid.

It doesn't matter that there is a period where the server will have a session set up without authentication (although hijacking that cookie could well result in stealing that unauthenticated session) if what is being done is a hijack of an actually authenticated session.

BigDumbDinosaur wrote:
That said, I can agree with “effectively” in your statement if a session is started after log-in, user-identifiable data is encapsulated in the PHP $_SESSION[] global array associated with that session and each page visited by the user checks $_SESSION[] for the presence of that user-identifiable data.  That being the case, deleting the session cookie from the browser would be an effective log-out (but not a clean one), since the server side would no longer have a way to relate the user’s browser to the session that was started on his/her behalf.

It doesn't have to be each page - there only needs to be one. It also isn't PHP specific: plenty of CTFs have solutions that require session hijacking against servers using various implementation languages; plenty of CVEs have been issued for session hijacking in real products (web application languages like PHP, server software, even 'that network device over there in the rack with that web configuration UI').

There are, of course, various mitigations. Invalidate a session if the user-agent header changes - which is a fine preventative measure up until your attacker is stealing the cookie by capturing traffic, as that traffic will have the user-agent header in it. Just guessing the header can work too, if enough is known about the target to reasonably narrow down the range of possible values, and the attacker thinks it's worth it. If the server only allows https then the 'capture traffic' route is closed, of course.

Then there's the item that started this subthread: If the server invalidates the session as soon as it notices an IP address change, now the attacker is in a spot where even with the session cookie, they have to either be attacking from the client with that IP address, or in circumstances where they can arrange to spoof the IP address (which is certainly a higher bar).
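As an added illustration of the session mechanics BigDumbDinosaur describes and the mitigations anomie lists (example code written for this thread, not phpBB's code or anything posted above): a PHP session is bound at login to a hash of the User-Agent header and to the client's source network, and every protected page re-checks both, destroying the server-side session on a mismatch. The function names, the HTTPS-only cookie flags and the /16 IPv4 comparison are my own choices and assumptions, not phpBB's actual behaviour.

```php
<?php
// Added example, not code from the forum or from phpBB. Assumes PHP 7.3+
// (array form of session_set_cookie_params) and a site served over HTTPS.
declare(strict_types=1);

// Cookie flags must be set before session_start(): HttpOnly keeps page scripts
// away from the cookie, Secure keeps it off plain HTTP. Name comes from session.name.
session_set_cookie_params([
    'lifetime' => 0,
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Hash of the User-Agent header: keeps the raw string out of the session file
// and gives a fixed-length value for hash_equals().
function client_fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Source network. Comparing only the first two IPv4 octets is my own compromise:
// it tolerates a carrier moving a phone within its own range (the log-out symptom
// in the thread) while still rejecting a cookie replayed from elsewhere.
function client_network(): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return implode('.', array_slice(explode('.', $ip), 0, 2));
    }
    return $ip; // IPv6 or empty: compare the whole value
}

// Call once, after the password check succeeds. Regenerating the ID discards
// the pre-login session ID, so an ID fixed before login is useless afterwards.
function bind_session_to_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']     = $userId;
    $_SESSION['fingerprint'] = client_fingerprint();
    $_SESSION['network']     = client_network();
}

// Call at the top of every protected page. On a mismatch the server-side session
// is destroyed (the "session disappears" effect described above); caller redirects to login.
function authenticated_user(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'], $_SESSION['network'])) {
        return null;
    }
    $same = hash_equals($_SESSION['fingerprint'], client_fingerprint())
         && hash_equals($_SESSION['network'], client_network());
    if (!$same) {
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return (int) $_SESSION['user_id'];
}
```

Comparing the full address instead of the /16 prefix gives the stricter behaviour the thread attributes to this forum, at the cost of the mid-session log-outs that started the discussion.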
Mike Naberezny
Site Admin
Posts: 293
Joined: 30 Aug 2002
Location: Northern California

Re: Mobile app for this forum?

Post by Mike Naberezny »

and3rson wrote:
I tried Tapatalk - 6502.org is not listed there, possibly due to PHPBB2 being really old.

While it's true that this forum used to run on phpBB 2, it's been running on phpBB 3 since 2012.
and3rson
Posts: 163
Joined: 17 Feb 2023
Location: Lviv, Ukraine

Re: Mobile app for this forum?

Post by and3rson »

Mike Naberezny wrote:
While it's true that this forum used to run on phpBB 2, it's been running on phpBB 3 since 2012.

That's nice! I thought it was still at 2 because of all the icons.

Since phpBB 3 is much newer, I think there's much more third-party content for it, such as responsive themes.

If you could consider an option of installing an additional (more mobile-friendly) theme that can be selected as an alternative to default subsilver-ish style - that would solve problems for many people here for a long time.
/Andrew

deck65 - 6502 slab with screen and keyboard | ПК-88 - SBC based on KM1810VM88 (Ukrainian i8088 clone) | leo80 - simple Z80 SBC
nice65 - 6502 assembly linter | My parts, footprints & 3D models for KiCad/FreeCAD
Mike Naberezny
Site Admin
Posts: 293
Joined: 30 Aug 2002
Location: Northern California

Re: Mobile app for this forum?

Post by Mike Naberezny »

I've deleted a post above where a user complains about what they call "Americanisms". This forum has users from many cultures and countries, including the USA, and all users are expected to be respectful and tolerant.
Alarm Siren
Posts: 363
Joined: 25 Oct 2016

Re: Mobile app for this forum?

Post by Alarm Siren »

I appreciate that Mike has afforded me the luxury of anonymity in this matter, however I wish to publicly apologise for any upset or misunderstanding caused by that part of my post, the one which he deleted. I have given Mike a more detailed apology and explanation, but in summary it was meant to be a light-hearted reflection on a previous post, but self-evidently my intention was not borne out by my words. I shall try not to repeat the mistake.
Want to design a PCB for your project? I strongly recommend KiCad. It's free, it's multiplatform, and it's easy to learn!
Also, I maintain KiCad libraries of Retro Computing and Arduino components you might find useful.
barrym95838
Posts: 2056
Joined: 30 Jun 2013
Location: Sacramento, CA, USA

Re: Mobile app for this forum?

Post by barrym95838 »

Foot in mouth? I have fallen victim to that disease more often than I'd like to admit. Skins appear to be getting thinner and thinner these days, for better or for worse, making "light-hearted reflections" a difficult navigation task.
Got a kilobyte lying fallow in your 65xx's memory map? Sprinkle some VTL02C on it and see how it grows on you!

Mike B. (about me) (learning how to github)