Textpattern CMS support forum
Re: The Sacred Lawn...
wet wrote:
Maybe this would be an indication of one user name concurrently used from more than one client browser.
Yeah, perhaps. Though I thought TXP kicked any old sessions off automatically after it detected a secondary login? I’m only logged in on Dale’s server as me, once, and I log out before starting afresh with a new browser.
I’ve got a monitor plugin running that’s showing me who’s online at any given moment so I’ll keep an eye on that and if someone else logs in I’ll do lots of saving to see if I get more lawnage messages compared to when they’re not logged in. Based on those findings I’ll tweak my approach.
Last edited by Bloke (2011-06-15 11:53:01)
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Re: The Sacred Lawn...
Bloke wrote:
Though I thought TXP kicked any old sessions off automatically after it detected a secondary login?
Yeah, it does.
The way the token is built we only have two factors (blog_uid, user’s nonce). None of these must change mid-session.
Maybe you could find further clues by:
- inspecting the form’s _txp_token input prior to posting
- sniffing the POSTed values
- wait for the sky to fall spuriously and deduct reasonable causes
Re: The Sacred Lawn...
And the winner is… ign_password_frigging_protect.
Managed to replicate the problem repeatably like this:
- Visit some Page / Form / Style admin-side tab
- Save it —> OK
- Visit public site
- Revisit admin tab and hit Save without refreshing first —> “Get off my lawn”
After that it was child’s play to prove it by doing what you said: displaying the token / nonce on the admin side. Sure enough — for reasons best known to igner — every time ign_pw_protect runs and it validates someone, it regenerates the nonce and stores it. Boooooom!
Disabling ign_pw_protect makes the problem go away.
Solution: use rvm_privileged over ign_password_protect. It’s the connoisseur’s choice.
Last edited by Bloke (2011-06-15 12:45:59)
Re: The Sacred Lawn...
Bloke wrote:
Disabling ign_pw_protect makes the problem go away.
Solution: use rvm_privileged over ign_password_protect. It’s the connoisseur’s choice.
Thanks for sleuthing that out big stef. Yeoman’s work. Now can you tell me why I can’t install my xerox drivers on Snow Leopard?
Actually we use ign pretty extensively for the front side login system, which I’m not sure rvm could handle. I might just have to adjust my workflow till I figure something else out.
muchas gracias
Last edited by mrdale (2011-06-15 14:54:11)
Re: The Sacred Lawn...
Does rvm_privileged provide a mechanism for users to log in to only the public side of the site? E.g. privs None.
Re: The Sacred Lawn...
Manfre wrote:
Does rvm_privileged provide a mechanism for users to log in to only the public side of the site?
No. We tend to get round it by directing people to the admin side for login, and then dumping them to a dashboard page or auto-redirecting them back to the public side.
With the new plugin I just installed on mrdale’s site you can create a new user group level and/or make your own priv areas so public registered accounts can get that level by default. You can clamp down the privs on that group so they can see almost nothing on the admin side apart from maybe a single dashboard tab.
Last edited by Bloke (2011-06-15 15:05:23)
#19 2011-06-15 15:08:31
- igner
- Plugin Author
- Registered: 2004-06-03
- Posts: 337
Re: The Sacred Lawn...
Bloke wrote:
And the winner is… ign_password_frigging_protect.
Sure enough — for reasons best known to igner — every time ign_pw_protect runs and it validates someone, it regenerates the nonce and stores it. Boooooom!
You’re giving me way too much credit, Stef. I’m not sure I know the reasons at this point.
I can safely say that at one point there was a reason for recreating the nonce every time (seems to me it was necessary after some changes to the TXP authentication process several releases back).
Would that I had more time to spend on TXP (read “any time to spend on TXP”), but that’s just not the case right now.
Last edited by igner (2011-06-15 15:09:02)
And then my dog ate my badger, and the love was lost.
Re: The Sacred Lawn...
The easiest solution is to turn off the csrf protection until txp provides a better mechanism for handling public side logins.
In “/textpattern/lib/txplib_misc.php” find ‘get_off_my_lawn’ and comment out that line and add “return true;” as the next line.
// This place ain't no good for you, son.
die(gTxt('get_off_my_lawn', array('{event}' => $event, '{step}' => $step)));
Turns into
// This place ain't no good for you, son.
//die(gTxt('get_off_my_lawn', array('{event}' => $event, '{step}' => $step)));
return true;
Last edited by Manfre (2011-06-15 15:27:47)
Re: The Sacred Lawn...
Manfre wrote:
The easiest solution is to turn off the csrf protection
Bit drastic given the risks. Isn’t the easiest solution to comment out the code in ign_password_protect that regenerates the nonce? Shouldn’t be necessary any longer. From my cursory exam it looks like ign_update_access() is a good starting point.
igner wrote:
I’m not sure I know the reasons at this point
Hehehe, that’s fair enough. The code gave me a headache when I tried to figure it out before. But hey, my own code gives me a headache if I come back to it after a few months’ break :-)
Re: The Sacred Lawn...
Bloke wrote:
From my cursory exam it looks like ign_update_access() is a good starting point.
// -------------------------------------------------------------
function ign_update_access($acct)
{
    global $ign_pp_updated, $ign_user, $ign_user_db;
    if (!$ign_pp_updated) { //update last access if necessary
        if(!empty($_COOKIE['ign_login']))
        {
            list(,,,,$cookie_time) = ign_getCookie();
            if(strtotime($acct['last_access'])-strtotime($cookie_time) > 60) ign_setCookie($acct);
        }
        $safe_user = strtr(addslashes($ign_user),array('_' => '\_', '%' => '\%'));
        safe_update($ign_user_db, "last_access = now()", "name = '$safe_user'");
        $ign_pp_updated = true;
    }
}
Where, oh where shall I look? For what it’s worth, I cannot locate any write access to nonce throughout the whole public tags’ code. Version 0.5b9, that is.
Re: The Sacred Lawn...
wet wrote:
Where, oh where shall I look?
Maybe v0.6 — the version running on mrdale’s server — is radically different from 0.5b9 then. You’re right that ign_update_access() might have been a premature hint; on closer inspection it appears the function that does the deed is ign_setCookie(). In this version we have:
if (txpinterface == 'public') {
    ...
    //fire off validation routine, since most functionality is dependent on it:
    $ign_err = ign_doTxpValidate();
}
So that calls ign_doTxpValidate() on every public hit. In that function, we have this snippet:
if($ign_user_db == 'txp_users' && isset($_COOKIE['txp_login_public'])) {
    // smd: i.e. logged in, cookie set
    $name = substr(cs('txp_login_public'), 10);
    $u = is_logged_in($name);
    if($u) {
        $acct = safe_row('name, privs, realname, nonce, last_access, email', $ign_user_db, "name='{$u['name']}'");
        if(cs('ign_stay')) {
            if(!ign_setCookie($acct, $now)) return 3;
        } else {
            if(!ign_setCookie($acct, NULL)) return 3;
        }
        $GLOBALS['ign_user'] = $u['name'];
        ign_update_access($acct); // smd: this fn also calls ign_setCookie under certain conditions
        return 0;
    }
}
And in ign_setCookie():
if($ign_user_db == 'txp_users') {
    ...
    $nonce = md5($name.pack('H*',$c_hash));
    // smd: blammo!
    safe_update(
        'txp_users',
        "nonce = '".doSlash($nonce)."'",
        "name = '".doSlash($name)."'"
    );
Not sure if that’s quite right as I’ve not traced the logic through fully (my head hurts!) but I believe ign_setCookie() is being called every public access attempt which may account for the new nonce being generated. As I say, I’ve not looked in 0.5b9 so I don’t know how different this version is.
Re: The Sacred Lawn...
Bloke wrote:
As I say, I’ve not looked in 0.5b9 so I don’t know how different this version is.
Sufficiently different:
// -------------------------------------------------------------
function ign_setCookie($acct, $time=false, $path='/')
{
    extract(lAtts(array(
        'name' => '',
        'realname' => '',
        'last_access' => '',
        'nonce' => '',
        'privs' => '',
        'email' => ''
        ), $acct, 0)
    );
    if(empty($name))
    {
        return false;
    }
    $o[] = urlencode($name);
    $o[] = urlencode($privs);
    $o[] = urlencode($realname);
    $o[] = urlencode(md5($name.$privs.$nonce));
    $o[] = urlencode($last_access);
    $o[] = urlencode($email);
    $val = join(',', $o);
    $d = explode('.', $_SERVER['HTTP_HOST']);
    // $domain = '.'.join('.', array_slice($d, 1-count($d), count($d)-1));
    $domain = ign_getDomain();
    setcookie('ign_login', $val, $time, $path, $domain);
    $_COOKIE['ign_login'] = $val; //manually set value so cookie is available immediately
    return true;
}
No blammo here. I think we have a winner.
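The failure traced in this thread, replayed as an added example (not code from Textpattern, ign_password_protect or any poster): it runs the four reproduction steps against a public hit that rewrites the nonce and one that only reads it, and reports whether each Save is accepted. It assumes the token is an MD5 over the user's nonce and blog_uid, the two factors named above; BLOG_UID, the user record and all function names are constructed for this model.

```php
<?php
// Added illustration: an in-memory model, not Textpattern or ign_password_protect code.
const BLOG_UID = 'constructed-blog-uid'; // constructed sample value

// Assumption: the token is a hash over the two factors named in the thread.
function form_token_model(array $user): string
{
    return md5($user['nonce'] . BLOG_UID);
}

function token_is_valid(array $user, string $posted): bool
{
    return hash_equals(form_token_model($user), $posted);
}

// Public hit as quoted from v0.6: a new nonce is derived and stored on every validation.
function public_hit_v06(array &$user): void
{
    $c_hash = md5(uniqid('', true)); // constructed stand-in for the elided $c_hash
    $user['nonce'] = md5($user['name'] . pack('H*', $c_hash));
}

// Public hit as quoted from 0.5b9: the stored nonce is only read to build the cookie hash.
function public_hit_05b9(array &$user): void
{
    $user['cookie_hash'] = md5($user['name'] . $user['privs'] . $user['nonce']);
}

// Replays the four reproduction steps and returns the outcome of each Save.
function replay(callable $public_hit): array
{
    // Constructed user row standing in for txp_users.
    $user = ['name' => 'stef', 'privs' => '1', 'nonce' => md5('set-at-admin-login')];
    $token  = form_token_model($user);        // 1. admin tab rendered with _txp_token
    $first  = token_is_valid($user, $token);  // 2. Save
    $public_hit($user);                       // 3. visit public site
    $second = token_is_valid($user, $token);  // 4. Save again without refreshing
    return ['first_save' => $first, 'second_save' => $second];
}

foreach (['public_hit_v06', 'public_hit_05b9'] as $variant) {
    $r = replay($variant);
    printf("%-16s first save: %s, second save: %s\n", $variant,
        $r['first_save'] ? 'accepted' : 'rejected',
        $r['second_save'] ? 'accepted' : 'rejected');
}
```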