Re: Trouble Logging On
Posted: Wed Jun 19, 2002 8:25 pm
by auslander (imported)
Having forgotten to include the following information with my original post, here goes.
After logging out, I get the message from the message board that "All cookies are cleared." It also invites me to re-enter the board.
Also, when I re-enter the message board from the main page, regardless if it's the initial entry or a subsequent one, the message board remembers my last login, so some cookie somewhere is tracking that information. But, I am not logged in. A simple check of the Forum rules in the bottom left corner of the page confirms this.
auslander : )
Re: Trouble Logging On
Posted: Wed Jun 19, 2002 8:28 pm
by auslander (imported)
luvpain,
It figures, and I was suspecting that that was what I was doing wrong. (Oddly enough, it's just like Yahoo!)
Thanks for the info.
auslander

Re: Trouble Logging On
Posted: Wed Jun 19, 2002 8:44 pm
by luvpain (imported)
Well, part of it might be the Message Board logging things in its database. I am not an expert at vBulletin, but it's probably like a few others and keeps track of those things like your last login.
You can see that certain things like last post, number of posts, etc. are logged, so it stands to reason that last login is logged.
Re: Trouble Logging On
Posted: Thu Jun 20, 2002 7:37 am
by auslander (imported)
luvpain,
Sorry to belabor the issue, but I'm thinking that this could be a security concern.
The message board knows who I am when I return to it after logging out. I can tell this because the board is displaying the DTG of the last time of use.
The board cannot use my IP address to identify me because my ISP (Verizon DSL) assigns me a "random" IP address each time I log on their service. So, the board must be reading my identity from a cookie.
If I don't log off before I exit EA's site, am I still logged on in an "idle" session? Or does the message board software in fact close that connection until it next sees a cookie from my browser saying that I'm "really" logged in?
If this needs to be discussed further, should we move it to email?
auslander
Re: Trouble Logging On
Posted: Thu Jun 20, 2002 9:01 am
by haltlos (imported)
If you look into your Window/Cookies folder you will notice AFTER you logged out there is indeed still a cookie.
It's a plain text file and you can open it and there is the information stored you ponder about (or at least some).
That is because, just as you said, your IP address is not a proper way to validate your identity, not only because it changes dynamically but also because different people may use the same machine.
Now I don't know how much information is stored there (I know that you will lose the marking of read or unread threads, for example, if you delete that cookie), and as a layman I would think, just like you, all those should be stored in the database with your account, for safety, discretion and reliability, but since I talked with somebody who was working at some similar problem recently I must admit there are some good points speaking against this.
So the message "All cookies cleared" is misleading because it doesn't mean all cookies cleared AWAY! It just sets your cookie into a "logged out mode", clearing all information you will no longer need.
Anyway, if you just don't log out you don't have to log in again but anybody accessing your machine will be logged in also of course.
And if you log out there is still a cookie on your machine.
Hmm, have I been of any help?
Really, IS something stored in a database at all ?
Ahhh, Paolo, Bryan...

Re: Trouble Logging On
Posted: Thu Jun 20, 2002 9:49 am
by colin (imported)
I am not sure if this has anything to do with it, but I sometimes notice that the board seems to lose track of the fact that I am logged in.
When I connect, it gives me the 'welcome back' and for most boards I am listed in the 'members browsing'. However, somewhere about Eunuch Central this disappears - the threads still show the threads which have been updated since my last visit. However, when I next connect I have to log in. When I get down to Eunuch Central, it shows the same threads as the previous visit.
Is this something to do with the way my machine is set up?
LOL
Re: Trouble Logging On
Posted: Thu Jun 20, 2002 11:04 am
by auslander (imported)
Haltlos,
Well, I'm no longer concerned with the logging out part since the solution is not to log out. I also understand about the confusing message "all cookies cleared." No problem there.
What I am concerned about though, is the potential that someone trying v-e-r-y hard (or maybe even not so hard) could exploit this to gain unauthorized access. This possibility would be totally dependent on whether or not the vBulletin system recognizes the fact that I have "left the building."
If vBulletin sees that the connection between my browser and itself has been dropped, then vBulletin could shut down the transaction session I'd been using to browse the bulletin boards, but still leave the "login cookie" on my computer.
And, my recollection (and please correct me if I'm mistaken) is that back when I signed up to become a member, I could log out, but still automatically be logged back in to the message board when I returned at a later time.
I have seen the concept of automatic logins implemented several different ways. One is to log out, but automatically be logged in on returning to the site. No login screen is used as all pertinent information is read from a cookie on your computer.
Another is to log out, and upon return to the site be presented with a login screen with all of your necessary data already filled in for you; all you have to do is press "enter/return." Again this data come from a cookie retained on your computer.
And of course, there is the way it works on EA's message boards. To some extent Yahoo's login (for email or other personalized features) works the same way. You can log on Yahoo, take care of your business, and then go browsing elsewhere on the web, and when you return to Yahoo, you're still logged in to the same area you were before you left.
If you terminate your browser's internet session, you will be logged off Yahoo as well. Also, you have the option of logging off Yahoo's personalized service, but not from Yahoo itself. The next time you get on the web and return to the same section in Yahoo, you'll be asked to re-enter your password, but your username is already filled in for you.
Anyway, as I said above, I'm more concerned now about potential security concerns for EA rather than convenient log ins for myself.
Oh, I'm not concerned about unauthorized access from my end, since I'm the only human using it, and my cats haven't yet figured out how to surf the web!
auslander
Re: Trouble Logging On
Posted: Thu Jun 20, 2002 11:15 am
by auslander (imported)
Colin,
Is this problem relatively recent? With the change to the new version of vBulletin (I guess that's what happened) I had to reset my password to log on to the message boards at all.
Another possibility is that you've become "unjoined" from that particular area somehow?
Hope this helps.
auslander
Re: Trouble Logging On
Posted: Thu Jun 20, 2002 5:21 pm
by Bboy
1. The vbulletin database does store information about the last time you logged in, posted, checked for new messages, etc.
2. With the upgrade to the software people had to be reissued passwords because both UltraBoard, which we used before, and vBulletin, which is the current software, store your password in an encrypted form -- unfortunately they don't use the same encrypting method. When I initially installed vBulletin I re-coded all of the authentication routines to use UltraBoard's style of authentication -- so at that point you didn't have to get a new password. The issue was that if I ever wanted to upgrade vBulletin it would over-write all of the changes I had made. When we were 5 releases behind, I decided to bite the bullet and upgrade - and in the process you all had to re-do your passwords. NOW we can upgrade as soon as a new version comes out because we are using a fully "stock" version.
3. When you log in vBulletin assigns you a reeeeeeeally long session id number, which it stores in the database. As long as you are logged in it checks to see that that session id is valid. Every time you change pages, check messages, etc. it updates the 'last active' time for your session id. It also forces the board to look through the database table and delete any sessions that have expired -- i.e. not been active for a set period of time.
4. The possibility of spoofing a session id is virtually nonexistent.
5. All of the Archive message boards use exactly the same code -- and I mean THE SAME code, not different but identical, to check authentication ... so it makes no sense that it would drop your log in going from one board to another.
Any more questions?
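
An added illustration of the session mechanism described in point 3 of the post above; it is not part of the thread and is not vBulletin's code. The table layout, the 900-second idle timeout, the user name "member" and the names `SessionStore`, `check` and `demo` are assumptions made for the example. It shows why a cookie left on the machine stops identifying a logged-in user once the server-side row is gone.

```python
import secrets
import sqlite3

IDLE_TIMEOUT = 900  # seconds; assumed, the post only says "a set period of time"

class SessionStore:
    """Server-side session table keyed by a long random session id."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE session (id TEXT PRIMARY KEY, user TEXT, last_active REAL)")

    def login(self, user, now):
        sid = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        self.db.execute("INSERT INTO session VALUES (?, ?, ?)", (sid, user, now))
        return sid  # the value that would be placed in the browser cookie

    def purge_expired(self, now):
        # Delete every session idle for longer than the timeout.
        self.db.execute("DELETE FROM session WHERE last_active < ?",
                        (now - IDLE_TIMEOUT,))

    def check(self, sid, now):
        """Return the user for a live session id, else None; refresh last_active."""
        self.purge_expired(now)
        row = self.db.execute(
            "SELECT user FROM session WHERE id = ?", (sid,)).fetchone()
        if row is None:
            return None
        self.db.execute("UPDATE session SET last_active = ? WHERE id = ?", (now, sid))
        return row[0]

    def logout(self, sid):
        # Only the server row is removed; the cookie may remain on the client.
        self.db.execute("DELETE FROM session WHERE id = ?", (sid,))

def demo():
    store = SessionStore()
    cookie = store.login("member", now=0)           # constructed sample user
    results = [store.check(cookie, now=600)]        # page view within the timeout
    results.append(store.check(cookie, now=1400))   # 800 s idle: still live
    results.append(store.check(cookie, now=2400))   # 1000 s idle: purged
    cookie2 = store.login("member", now=3000)
    store.logout(cookie2)
    results.append(store.check(cookie2, now=3001))  # cookie kept, row deleted
    results.append(store.check(secrets.token_hex(16), now=3001))  # guessed id
    return results
```
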
Re: Trouble Logging On
Posted: Thu Jun 20, 2002 8:06 pm
by auslander (imported)
Bboy,
Thanks for the clarification on my concerns about unauthorized accesses.
auslander