Bad login behavior

Rich:
This is something I stumbled across by accident. While I was logged onto the Tinycore forum I ran a backup. I then logged out from the forum, shut down the web browser, and did a reboot WITHOUT running a backup. When the desktop appeared I started the browser and to my surprise found I was logged onto the forum. Now, I expect to still be logged in if I simply reboot without logging out, but not if I logged out first. Jason W was kind enough to discuss this with me and said he noticed the same behavior with other sites including his bank. I tried it with my bank but was presented with a login screen, which is the behavior I would expect. I don't know anything about website design, but I would have thought that the site maintains a list of who is currently logged in, and if I log out, removes me from that list until I log in again. Under these circumstances it suggests that the login mechanism is not in control, the web browser is. Whether they should be or not, these are not criticisms, merely observations and my own musings.

Guy:
I think this is up to the website concerned. I think they recognize you by cookies.

Before Tiny Core moved, just recently, you had the option to log in for a certain number of hours, or forever. If you logged in for a certain number of hours, after that time, you needed to log in again.

The same thing applies with some email companies. You may have the option to remain logged in until you log out. With other email companies you need to log in each time you go there. Some email companies automatically log you out after a certain amount of time.

If you ever travel and use internet cafes, ensure you log out. Some people don't, and people using the computer after them can access their email. Not everyone is honest.

It should not happen with banks. This is a security risk to them. But the bank involved may have their website set up badly.

So it depends on how the website is set up.

Rich:
Hi Guy,
I agree with everything you said. The point was that I logged out, yet when the browser came up with the previously logged-in page, the website acted as though I never logged out. Re-read the sequence of events: regardless of cookies or anything else, it should not do this, should it?

Jason W:
Amazon.com exhibits this same behavior, as well as a member of the top two or three banks in the US, as well as Facebook. In other words, it is hardly specific to the TC forum, and the TC forum is on par with the security of major banks and Amazon.com, Facebook, also tested, etc.

And this can be duplicated with any Linux distro upon archiving and restoring data in the /home directory like we do. It is something to think about when doing a backup while logged into sensitive accounts, no doubt. But not so much a TC forum flaw per se. But if it can be adjusted here or anywhere else, then even the better. I think the backup/restore thing was not a factor in the design of most sites in regards to login/logoff, as if the correct files are there with specific data in them (preserved with a backup) then you are still "logged in".

Jason W:
In other words, this security issue is in the hands of the user as opposed to the site, as good backup practice (or lack of bad) can prevent it.
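The mechanism Rich asks about (a server-side list of who is logged in, with logout removing you from it) and the back up / log out / restore sequence from this thread, as an added Python sketch that is not from the forum or from Tiny Core; the SessionStore class and backup_restore_scenario function are hypothetical names chosen for the example.

```python
"""Added example (not code from the forum thread): a minimal server-side
session table showing why a cookie restored from a backup still "logs you
in" when logout only clears the browser, and how server-side invalidation
stops it. All names here are hypothetical."""
import secrets
import time


class SessionStore:
    """Server-side table of live sessions keyed by the cookie token."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.sessions = {}  # token -> {"user": str, "expires": float}

    def login(self, user, now=None):
        """Create a session and return the token to place in the cookie."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "expires": now + self.ttl}
        return token

    def logout(self, token):
        """Server-side logout: forget the token, so any copy of the cookie
        (including one restored from a backup) is no longer accepted."""
        self.sessions.pop(token, None)

    def user_for(self, token, now=None):
        """Resolve a presented cookie to a user, or None if not logged in."""
        now = time.time() if now is None else now
        entry = self.sessions.get(token)
        if entry is None or entry["expires"] <= now:
            self.sessions.pop(token, None)  # drop expired entries
            return None
        return entry["user"]


def backup_restore_scenario(server_side_logout):
    """Replay the thread's sequence: log in, back up the cookie jar, log
    out, restore the backup, open the site again. Returns the user the
    site sees after the restore (None means logged out)."""
    store = SessionStore()
    cookie = store.login("rich")      # constructed sample user
    backup_copy = cookie              # cookie jar captured by the backup
    if server_side_logout:
        store.logout(cookie)          # site forgets the session
    cookie = None                     # browser deletes its own copy
    cookie = backup_copy              # restore brings the old cookie back
    return store.user_for(cookie)
```

With only a client-side logout the restored cookie is still honoured, which is the behaviour Rich and Jason W describe; with the session removed on the server the same cookie is rejected.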
