Textpattern CMS support forum
odd subject but...overly aggressive security? (new nonce/cookie setup)
Just upgraded my own site to 4.0.6… I’m assuming there is some new cookie/nonce setup at work now?
I keep getting ‘invalid cookie’ every time I access the backend via the other computers I have strewn throughout my house. Even on the same computer, if I use a different browser (currently working on an admin theme) and reload to see changes in various browsers, I always get ‘invalid cookie’ and have to log in again every time. I guess things are now set up to invalidate a cookie set on one computer if you sign on with another? Any way to safely revert this new functionality?
#2 2008-02-20 07:24:50
- Mary
- Sock Enthusiast
- Registered: 2004-06-27
- Posts: 6,236
Re: odd subject but...overly aggressive security? (new nonce/cookie setup)
> I guess things are now set up to invalidate a cookie set on one computer if you sign on with another?
That’s the side-effect of it, yes.
> Any way to safely revert this new functionality?
(Emphasis mine).
Nope.
#3 2008-02-20 15:46:30
- lee
- Member
- From: Normandy, France
- Registered: 2004-06-17
- Posts: 831
Re: odd subject but...overly aggressive security? (new nonce/cookie setup)
Have to say I find this new feature annoying and ridiculous. I hope someone comes up with a workaround soon.
Re: odd subject but...overly aggressive security? (new nonce/cookie setup)
Workaround 1: create multiple users and use a different user for each computer.
Workaround 2: use 1 computer.
Workaround 3: learn to appreciate increased security.
Re: odd subject but...overly aggressive security? (new nonce/cookie setup)
Workaround 4: Institute an authentication method that doesn’t annoy everyone.
Really, why wasn’t a session-based method implemented? This new system is exceedingly annoying.
Last edited by TheEric (2008-02-20 21:28:43)
Re: odd subject but...overly aggressive security? (new nonce/cookie setup)
So far “everyone” = 3 people.
It doesn’t annoy me. In fact, I like the option of logging out every other session automatically in case I forget to log out in some public place.
#8 2008-02-21 01:48:04
- guiguibonbon
- Member
- Registered: 2006-02-20
- Posts: 296
Re: odd subject but...overly aggressive security? (new nonce/cookie setup)
+1
Re: odd subject but...overly aggressive security? (new nonce/cookie setup)
Could this be something that can be configured?
Like on Windows, you can have it annoy the heck out of you or you could tell it to trust your instincts.
Re: odd subject but...overly aggressive security? (new nonce/cookie setup)
Going back to the old authentication method is not an option.
Eric, do you mean keeping track of multiple logins from the same username? That would require an extra table to store the nonces and additional code to periodically clean up expired sessions.
I understand that, for development purposes, it’s desirable to be able to check with multiple browsers/computers, but I wonder if that outweighs the benefit of extra security, especially for those who frequently log in on a public computer (and forget to log out).
Why is the first suggested workaround (create a few users, one for each testing PC/browser) not an option?
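The trade-off ruud describes in the post above, as an added example that is not part of the thread and is not Textpattern's code. It is a constructed model: the table, column and function names are hypothetical, and the single-nonce behaviour is assumed from what the thread reports (a new login invalidates the cookie held by every other browser).

```python
import hmac, secrets, sqlite3

# Constructed model for illustration; table and function names are hypothetical,
# not Textpattern's schema or code.
db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE users(name TEXT PRIMARY KEY, nonce TEXT);
    CREATE TABLE sessions(name TEXT, nonce TEXT PRIMARY KEY, expires INTEGER);
    INSERT INTO users VALUES ('editor', '');
""")

def login_single(name):
    """One nonce per user: a new login overwrites the previous one."""
    nonce = secrets.token_hex(16)
    db.execute("UPDATE users SET nonce = ? WHERE name = ?", (nonce, name))
    return nonce  # value carried in the browser's cookie

def valid_single(name, cookie):
    row = db.execute("SELECT nonce FROM users WHERE name = ?", (name,)).fetchone()
    return bool(row and row[0]) and hmac.compare_digest(row[0], cookie)

def login_multi(name, now, ttl=3600):
    """One row per login: other browsers keep their own nonce until it expires."""
    nonce = secrets.token_hex(16)
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)", (name, nonce, now + ttl))
    return nonce

def valid_multi(name, cookie, now):
    row = db.execute(
        "SELECT 1 FROM sessions WHERE name = ? AND nonce = ? AND expires > ?",
        (name, cookie, now)).fetchone()
    return row is not None

def logout_everywhere(name):
    """Explicit replacement for the automatic logout the single nonce gives."""
    db.execute("DELETE FROM sessions WHERE name = ?", (name,))

def cleanup(now):
    """The periodic clean-up: drop expired rows, return how many were removed."""
    return db.execute("DELETE FROM sessions WHERE expires <= ?", (now,)).rowcount
```

With the per-login table, a session left open on a public computer stays valid until its expiry or an explicit `logout_everywhere`, which is the benefit of the single-nonce design that the thread weighs against convenience.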
#11 2008-02-21 09:19:30
- marios
- Archived Plugin Author
- Registered: 2005-03-12
- Posts: 1,253
Re: odd subject but...overly aggressive security? (new nonce/cookie setup)
ruud wrote:
> Going back to the old authentication method is not an option.
> Why is the first suggested workaround (create a few users, one for each testing PC/browser) not an option?
Maybe this is because, if you want to test something specific, some code might behave differently based on which user you are logged in as (code that has username, id as arguments).
Not that I really have a deep understanding of these things, but I think a preference to switch this off when in debugging or testing would be something useful.
regards, marios
#12 2008-02-21 09:50:55
- Mary
- Sock Enthusiast
- Registered: 2004-06-27
- Posts: 6,236
Re: odd subject but...overly aggressive security? (new nonce/cookie setup)
> …but I think a preference…
That’s not possible (really, it isn’t). This is a side-effect of a security fix, not a feature change/addition. To get rid of the side-effect you would have to revert the security fix.