Bad login behavior

tinypoodle:
If I understood the issue right, IMHO that is exactly the expectable and predictable behaviour; I would be rather surprised if it was different (at least with my settings).
With a backup one restores a former point in time.

Tweaking browser and personalized forum settings might possibly modify it as individually preferable.

Rich:
Just to be clear, I'm not singling out the TC website, as Jason told me and mentioned above there are
other sites that exhibit the same behavior. So even though I don't allow my browser to save passwords
or fill in forms, would it be accurate to suggest that someone with access to my browser cache could
access the forum posing as me?

@tinypoodle: I would think the "expectable" behavior would be that upon logging out I would be locked
out until I present the proper credentials to log back in. Who should be in control here,
the login mechanism or the web browser?

gerald_clark:
Generally the server verifies the user at login and passes a session id to the browser.
The browser includes this session id with each exchange of data with the server.
When you log out, the server may or may not mark the session as closed.
If you access the server with an old session id, the server may consider the session still active.
A secure server will track session ids against IP addresses and not reuse a session id once the session logs out.
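
The session handling gerald_clark describes, as an added example that is not part of his post and is not the forum software's code: a server-side session table where logout either leaves the session row in place (the weak case) or removes it, with optional IP binding. The class, its parameter names and the sample user and addresses are constructed for illustration.

```python
import secrets
import time


class SessionStore:
    """Server-side session table; names and defaults are assumptions of this example."""

    def __init__(self, invalidate_on_logout=True, bind_ip=True, ttl=1800):
        self.invalidate_on_logout = invalidate_on_logout
        self.bind_ip = bind_ip
        self.ttl = ttl
        self._active = {}  # session id -> (user, client IP, expiry time)

    def login(self, user, client_ip, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # fresh random id per login, never reused
        self._active[sid] = (user, client_ip, now + self.ttl)
        return sid

    def logout(self, sid):
        # A weak server only asks the browser to drop its cookie and keeps the
        # session row; a copy of the old id (e.g. from a restored backup) still works.
        if self.invalidate_on_logout:
            self._active.pop(sid, None)

    def check(self, sid, client_ip, now=None):
        """Return the user a request is authenticated as, or None if rejected."""
        now = time.time() if now is None else now
        entry = self._active.get(sid)
        if entry is None:
            return None  # unknown or logged-out id
        user, ip, expiry = entry
        if now >= expiry:
            del self._active[sid]  # sessions end after ttl seconds even without a logout
            return None
        if self.bind_ip and ip != client_ip:
            return None  # same id from another address (can also hit roaming users)
        return user


def replay_after_logout(store, user="rich", ip="192.0.2.10"):
    """Constructed scenario: log in, log out, then present the saved id again."""
    sid = store.login(user, ip)
    store.logout(sid)
    return store.check(sid, ip)


if __name__ == "__main__":
    print("weak server:", replay_after_logout(SessionStore(invalidate_on_logout=False)))
    print("hardened server:", replay_after_logout(SessionStore()))
```

With `invalidate_on_logout=False` the old id is still accepted after logout, which is the behavior reported in this thread; with the default settings it is rejected.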

Rich:
Hi gerald_clark
Thanks for the explanation. You'd think they would teach in security 101
if(logs_out(someone))
   {
     remove_from_authorized_list(someone);
   }


--- Quote --- So even though I don't allow my browser to save passwords
or fill in forms, would it be accurate to suggest that someone with access to my browser cache could
access the forum posing as me?
--- End quote ---

So what's your opinion on this?

Guy:
I am happy being permanently logged in to the Tiny Core forum. I don't see any reason to change the way it is.

It would be different if it was a bank, or any website where financial transactions may be performed.

I have never logged out of the Tiny Core forum. I have only ever been logged out when I updated something, and lost the cache. If people remain logged in after logging out, that should be fixed.
