Bad login behavior

[Rich]

This is something I stumbled across by accident. While I was logged onto the Tinycore forum I ran a
back up. I then logged out from the forum, shut down the web browser, and did a reboot WITHOUT
running a backup. When the desktop appeared I started the browser and to my surprise found I was
logged onto the forum. Now, I expect to still be logged in if I simply reboot without logging out, but
not if I logged out first. Jason W was kind enough to discuss this with me and said he noticed the same
behavior with other sites including his bank. I tried it with my bank but was presented with a login screen
which is the behavior I would expect. I don't know anything about website design, but I would have
thought that the site maintains a list of who is currently logged in, and if I log out remove me from that
list until I login again. Under these circumstances it suggests that the login mechanism is not in control,
the web browser is. Whether they should be or not these are not criticisms, merely observations and
my own musings.

[Guy]

I think this is up to the website concerned. I think they recognize you by cookies.

Before Tiny Core moved, just recently, you had the option to log in for a certain number of hours, or forever. If you logged in for a certain number of hours, after that time, you needed to log in again.

The same thing applies with some email companies. You may have the option to remain logged in until you log out. With other email companies you need to log in each time you go there. Some email companies automatically log you out after a certain amount of time.

If you ever travel and use internet cafes, ensure you log out. Some people don't, and people using the computer after them can access their email. Not everyone is honest.

It should not happen with banks. This is a security risk to them. But the bank involved may have their website set up badly.

So it depends on how the website is set up.

[Rich]

Hi Guy
I agree with everything you said. The point was that I logged out, yet when the browser came up with
the previously logged in page the website acted as though I never logged out. Re-read the sequence
of events, regardless of cookies or anything else, it should not do this, should it?

[Jason W]

Amazon.com exhibits this same bahavior, as well as a member of the top two or three banks in the US, as well as Facebook.  In other words, it is hardly specific to the TC forum, and the TC forum is on par with the security of major banks and Amazon.com, Facebook, also tested, etc.

And this can be duplicated with any Linux distro upon archiving and restoring data in the /home directory like we do.  It is something to think about when doing a backup while logged into sensitive accounts, no doubt.  But not so much a TC forum flaw per se.  But if it can be adjusted here or anywhere else, then even the better.  I think the backup/restore thing was not a factor in the design of most sites in regards to login/logoff, as if the correct files are there with specific data in them (preserved with a backup) then you are still "logged in".

[Jason W]

In other words, this security issue is in the hands of the user as opposed to the site, as good backup practice (or lack of bad) can prevent it.

[tinypoodle]

If I understood the issue right, IMHO that is exactly the expectable and predictable behaviour, I would be rather surprised if it was different (at least with my settings).
With a backup one restores a former point in time.

Tweaking browser and personalized forum settings might possibly modify it as individually preferable.

[Rich]

Just to be clear, I'm not singling out the TC website, as Jason told me and mentioned above there are
other sites that exhibit the same behavior. So even though I don't allow my browser to save passwords
or fill in forms, would it be accurate to suggest that someone with access to my browser cache could
access the forum posing as me?

@tinypoodle: I would think the "expectable" behavior would be that upon logging out I would be locked
                     out until I present the proper credentials to log back in. Who should be in control here,
                     the login mechanism or the web browser?

[gerald_clark]

Generally the server verifies the user at login and passes a session id to the browser.
The browser includes this session id with each exchange of data with the server.
When you logout, the server may or may not mark the session as closed.
If you access the server with an old session id, the server may consider the session still active.
A secure server will track session ids against IP addresses and not reuse a session id once the session logs out.

[Rich]

Hi gerald_clark
Thanks for the explanation. You'd think they would teach in security 101
if(logs_out(someone))
   {
     remove_from_authorized_list(someone);
   }

So even though I don't allow my browser to save passwords
or fill in forms, would it be accurate to suggest that someone with access to my browser cache could
access the forum posing as me?

So what's your opinion on this.

[Guy]

I am happy being permanently logged in to the Tiny Core forum. I don't see any reason to change the way it is.

It would be different if it was a bank, or any website where financial transactions may be performed.

I have never logged out of the Tiny Core forum. I have only ever been logged out when I updated something, and lost the cache. If people remain logged in after logging out, that should be fixed.

[Rich]

Hi Guy
And you can do that by using the forever option, and I'm not suggesting that should change. I guess
I just have a different opinion of what should happen when I click the logout button in that I expect
to actually be logged out.

[Guy]

So if you log out, and do a backup while logged out, you will be logged out when you restart the computer. Is that correct?

When you understand how it works, you can get it right.

I don't use backup. I use persistent home and opt, and make new extensions for personal settings, such as printer setup. So I have never experienced this.

Because the Tiny Core forum is not a place where financial transactions are occurring, security is not a big issue. If someone was to log into the Tiny Core forum using my account, they could not get any money.

The issue you raised is a concern where banks are involved, or anywhere where financial transactions are occurring. It is good to be aware of it.


A slightly different issue.

I have purchased a few things over the internet, usually because they are less expensive. In some cases, I have been able to purchase things which are not available locally.

So far, I have only dealt with honest people, and have not had any problems. There is a real possibility that some time in the future, I may unknowingly deal with someone dishonest, and have money stolen. You can never be sure about every company on the internet.

[Rich]

Hi Guy
Yes, you are correct. And I understand how the backup/restore function works, what I did not realize
is just how vulnerable the login/logout mechanisms are. I also realize that the only reason I noticed
this is because I run TC using a CD and memory stick routinely run a backup, granted I should look
into making that more selective.
It's not an issue with most OS's, TC is one of the unique OS's that will save and restore state information
depending on what you back up. I just find it odd that something as basic as verifying a users login is
still valid isn't done, just seems like common sense.
I do feel good about the fact that this did not work on my banks website.

I don't often buy through the internet because I usually prefer to see what I'm buying in person. I did
recently need a power supply for a laptop, so when I found a site that had it at a reasonable price, I
Googled that site to check for complaints and financial information. While no guarantee, they had very
few complaints and annual sales of a billion dollars, it worked very nicely.

[curaga]

Rich, have you reported this bug to the SMF folks? Although they might ignore it for 1.1, with efforts going to 2.0, the same thing might apply there.

[tinypoodle]

@tinypoodle: I would think the "expectable" behavior would be that upon logging out I would be locked
                     out until I present the proper credentials to log back in. Who should be in control here,
                     the login mechanism or the web browser?

IMHO the user should be in control by using browser configuration options to provide the login mechanism with the suitable data.
My point is that all the idea of restoring a backup is that all functionality is restored, so the logging out (or not) after making the backup should not be of any relevance.