Waspman
Posts: 948
|
| Posted: 12/10/2010, 1:58 AM |
|
Is this something new?
I've never done anything to set this as an option.
The last project I completed 6 months ago does logout when I close the browser and I have to log back in when I return to the site. But my latest project (v4.3) just lets me back in...not good.
Anyone else noticed this?
_________________
http://www.waspmedia.co.uk |
 |
 |
Oper
Posts: 1195
|
| Posted: 12/10/2010, 5:08 AM |
|
Try closing all Windows browsers first, then check if still logged in.
_________________
____________________________
http://www.7bz.com (Free CMS,CRM Developed in CCS)
http://www.PremiumWebTemplate.com
Affiliation Web Site Templates
Please do backup first |
 |
 |
Waspman
Posts: 948
|
| Posted: 12/10/2010, 5:41 AM |
|
Yep,
It's the same on all our machines and the clients?
_________________
http://www.waspmedia.co.uk |
 |
 |
pbrad
Posts: 58
|
| Posted: 12/10/2010, 6:14 AM |
|
Hi,
Can't explain why but I had the same problem once. After I cleared out my local cookies it didn't happen again. I figured it was some kind of cookie corruption.
_________________
Pete
CCS 4
MySQL
PHP |
 |
 |
Waspman
Posts: 948
|
| Posted: 12/10/2010, 6:43 AM |
|
Hiya Pete:)
Yeah we tried that, no good though.
Are you having any probs with 4.3, it's a bit of a mare for us
_________________
http://www.waspmedia.co.uk |
 |
 |
MichaelMcDonald
Posts: 640
|
| Posted: 12/19/2010, 6:40 PM |
|
Are you developing and testing on the same pc?
Is it the browser somehow caching session variables or similar?
_________________
Central Coast, NSW, Australia.
|
 |
 |
Waspman
Posts: 948
|
| Posted: 12/20/2010, 12:01 AM |
|
Yep, tried all that.
This happens on our clients machines too?
_________________
http://www.waspmedia.co.uk |
 |
 |
solesz
Posts: 137
|
| Posted: 12/20/2010, 5:58 AM |
|
Wasp man:
If you close the browser and re-opening it keeps the session, then something has to happen on the client side which keeps the session alive. Or, a better chance, you have some misconfiguration at the server side.
For me, in ASP environment there is no problem with login/session handling.
solesz
|
 |
 |
Waspman
Posts: 948
|
| Posted: 12/20/2010, 10:53 AM |
|
Weird thing is it worked fine before I upgraded?
_________________
http://www.waspmedia.co.uk |
 |
 |
MichaelMcDonald
Posts: 640
|
| Posted: 12/21/2010, 6:53 PM |
|
Is this happening on many browser variants?
_________________
Central Coast, NSW, Australia.
|
 |
 |
Waspman
Posts: 948
|
| Posted: 12/22/2010, 2:46 AM |
|
Same problem with IE, FF and Chrome.
_________________
http://www.waspmedia.co.uk |
 |
 |
cvboucher
Posts: 191
|
| Posted: 12/22/2010, 9:36 AM |
|
I've closed all my browsers before but still had one running in the background. Look at the processes in the task manager to make sure you don't have any still running. I believe if there are, it will retain the session key. I had to do an End Process to force these background browsers to quit.
Craig
|
 |
 |
Waspman
Posts: 948
|
| Posted: 12/22/2010, 10:37 AM |
|
Nah, it's not that simple. I'm talking about turning machines off and coming back to them next day and still the session hasn't closed. If it is an upgrade issue it's gonna be a real problem.
_________________
http://www.waspmedia.co.uk |
 |
 |
peterr
Posts: 5971
|
| Posted: 12/22/2010, 10:52 AM |
|
Waspman,
I am never logged out of any website when I close my web browsers. When I reopen a browser I'm back logged in to every website where I was previously logged into (these forums, other forums, eBay, Amazon, Yahoo Mail). I'm even logged into every website after I reboot my computer. Thus I'm not sure why would you expect to be logged out after simply closing a browser. Closing a browser doesn't tell the server anything about wanting to logout. Rebooting also doesn't.
And if there is a real issue have you discussed this with the support?
_________________
Peter R.
YesSoftware Forums Moderator
For product support please visit http://support.yessoftware.com |
 |
 |
Waspman
Posts: 948
|
| Posted: 12/22/2010, 11:15 AM |
|
The last project I completed does log people out when they close the browser or shut down their machine. It has to do that why would you bother with security otherwise?
In fact this forum logs me out every time?
Support err, no I stopped paying for that a long time ago. In the early years they were great. But then as I got fairly proficient my questions got harder (mostly to do with upgrades I recall) they just kept saying they couldn't recreate my problem and could I send them the project. If you saw the size of some of my projects you'd understand why I was reluctant to do that.
I'm only complaining cos when I upgraded to 4.3 it broke my project. Up until that point log out worked, and stuff like the empty records trick in editable grids also worked.
Also, ebay and Amazon logs me out unless I tell them not to, and with ebay it's only for a day?
_________________
http://www.waspmedia.co.uk |
 |
 |
peterr
Posts: 5971
|
| Posted: 12/22/2010, 11:38 AM |
|
Waspman,
You wrote that your latest project (v4.3) just lets you back in, so maybe you need to check what you did differently in your previous projects.
As for support, they should investigate any upgrade-related issues. While even if you cannot provide your project you may be able to provide a sample project or URL or project settings, or any information that cannot be discussed publicly on the forums.
However, I don't see any issue with not being logged out since that looks normal to me and happens every day. It actually looks strange that your previous project logs users out upon closing web browser, so you may check your project settings, custom code and anything else you did then.
And in fact, how can it be even possible for any application to keep anyone logged out if the browser is reopened? This can only happen if the web application recognizes you somehow, but you are implying that this cannot be possible because the web browser must clear all traces of the user when it is closed, and the web application has no way of recognizing you. So either the web browser doesn't clear the session and in such case you are wrong - your web browser doesn't do what you want it to do; or the web application uses cookies to recognize the user and in such case you need to look at your web application configuration.
Or how else can the web browser and web application recognize you, regardless of CCS, programming language, and any technology used?
_________________
Peter R.
YesSoftware Forums Moderator
For product support please visit http://support.yessoftware.com |
 |
 |
Waspman
Posts: 948
|
| Posted: 12/22/2010, 11:58 AM |
|
Whatever you say Peterr, I'm speaking from the point that if CCS did it before without me touching anything why isn't it doing the same thing again?
Surely applications would log you out once your session is terminated, it makes sense. It doesn't have to know who you are just that you are no longer connected?
_________________
http://www.waspmedia.co.uk |
 |
 |
peterr
Posts: 5971
|
| Posted: 12/22/2010, 12:21 PM |
|
Waspman,
I don't believe that CCS is doing something differently. I think it's your project configuration, custom code, newer web browser, different web server, etc. And just like every programmer I've made hundreds of mistakes when I said that something is causing a bug but it was something completely different. Haven't you ever done that?
And now I may be wrong too.
But no, web application cannot know that you are no longer connected, until the session expires. I mean how can an application connect to your computer to check if you are connected or not? The main behavior of web applications is that they cannot do that. Right now when I'm typing this message the web application also doesn't know that I am connected to it or have my browser open. Only when I submit something to the web server then it can check if the session or cookie is the same as previously and if it hasn't expired by then.
_________________
Peter R.
YesSoftware Forums Moderator
For product support please visit http://support.yessoftware.com |
 |
 |
Waspman
Posts: 948
|
| Posted: 12/22/2010, 2:07 PM |
|
Don't the sessions that keep me logged into the CCS application reside client side?
I'm not using cookies so why would the browser save those sessions?
_________________
http://www.waspmedia.co.uk |
 |
 |
peterr
Posts: 5971
|
| Posted: 12/22/2010, 2:27 PM |
|
Waspman,
A session is managed by the web server. The server may save or check client's session cookies whenever web browser submits something to the server. Although that's rather not relevant as the point is that the term "you are no longer connected" doesn't exist. You are never connected until you submit something to the server.
Web browsers are continually improved. Even now I noticed that when I type this message in the Chrome web browser, close the web browser and reopen it, my message is still in the textbox and I can finish typing and submit it. All my tabs are still open and I am still logged in. That's an amazing improvement and exactly what I'd expect with modern technology: I want to be logged in and do not lose my session, my tabs, or the text I typed. Hopefully all web browsers are doing this now, but that's something you can test yourself with different web browsers. Oh, aren't you saying that you just tested this and it works exactly as expected, and there are no issues with CCS 4.3 upgrade? Congrats! 
_________________
Peter R.
YesSoftware Forums Moderator
For product support please visit http://support.yessoftware.com |
 |
 |
MichaelMcDonald
Posts: 640
|
| Posted: 12/22/2010, 8:16 PM |
|
Well whether or not session variables are displaying appropriate behaviour, there is a fundamental security issue which could be addressed.
If multiple persons access a single pc using a common windows or linux login on a LAN PC, yet our sql databases are configured for individual user accounts because we would like our users to login as themselves on the web application - but all still using the common windows/linux login, how can this be achieved?
Do we configure the server to shorten the time that a session variable can exist and force disconnect?
Will this impact a live session or can a heartbeat scenario be set up where a 'pulse' by way of a user initiated action inserts a value and if that value corresponds with the state of a session variable then its TTL is extended?
Does anyone have any really creative ideas?
I know Walter would !!! Merry Xmas mate !
_________________
Central Coast, NSW, Australia.
|
 |
 |
peterr
Posts: 5971
|
| Posted: 12/22/2010, 11:59 PM |
|
Michael,
First, I'm not sure if this is directly related to Waspman's issue because I'm confused about what's causing different behavior from his previous application: application configuration, CCS, server configuration, web browser, etc. For now I'm just challenging him to consider all possibilities.
Generally from security point of view let's see how everyone handles this every day. For example:
a) When any of my friends borrow my laptop to check their emails, they log in to Gmail or Yahoo Mail and select the browser option to not save the password. They then check their email, log out and give the laptop back to me. It appears that most people are aware of these steps. Sometimes they even say "oops, I forgot to logout so let me do this".
b) When I am logged onto my bank's website, after 15 minutes I see a message that I need to click some button if I want to continue to stay logged in, otherwise I will be logged out. Although another bank automatically logs me out after ~15 minutes (expire the session).
Thus it appears that these are standard steps and procedures that everyone using Internet deals with by being aware that they may need to log out or will be logged out automatically by the application. It also appears that users may need to learn proper procedures and if we can teach them how to close the browser then we also can teach them how to click the "Logout" button. Especially considering that web browsers are continually improved and we cannot guarantee that teaching someone how to close web browser would be the proper procedure for years to come. Even if closing a web browser should indeed log someone out today, we cannot count on this tomorrow. We also cannot count on users to remember to close the browser or hit the "Logout" button, thus when security is critical it might be our responsibility to configure the application or the server to perform true logout by expiring sessions after specific amount of time. In your case I also imagine you may want to expire the session after 15 minutes or so. This automatically means 15 minutes of inactivity, thus the time is extended after each user action that connects to the server. You could also disable the "Remember Me" feature.
Does this address your question, or am I missing the point?
_________________
Peter R.
YesSoftware Forums Moderator
For product support please visit http://support.yessoftware.com |
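The inactivity timeout described in the post above, together with the "heartbeat" idea from the question it answers, as an added example that is not part of the original thread and not CodeCharge Studio code. `SessionStore`, `FakeClock`, the user name and the 8-hour absolute cap are assumptions made for illustration; only the 15-minute idle figure comes from the post.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # 15 minutes of inactivity, the figure used in the post
ABSOLUTE_TIMEOUT = 8 * 3600   # assumption: hard cap on one login, not from the thread


class SessionStore:
    """Server-side session table; the browser only holds the opaque id."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # sid -> {"user", "created", "last_seen"}

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def touch(self, sid):
        """Run on every authenticated request. Returns the user or None."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        idle = now - s["last_seen"]
        age = now - s["created"]
        if idle > IDLE_TIMEOUT or age > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]   # expired server side: a kept cookie is now useless
            return None
        s["last_seen"] = now          # user activity slides the idle window forward
        return s["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)


class FakeClock:
    """Constructed clock so the demo runs without waiting."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    clock = FakeClock()
    store = SessionStore(clock)
    sid = store.login("operator_a")   # constructed user name
    results = []
    for gap_min in (14, 14, 16, 1):   # minutes between successive requests
        clock.advance(gap_min * 60)
        results.append(store.touch(sid))
    return results
```

Because the expiry decision is made on the server, it holds whether or not the browser discards its cookie on close or restores the previous session on restart.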
 |
 |
MichaelMcDonald
Posts: 640
|
| Posted: 12/23/2010, 1:23 PM |
|
Peter,
Thanks for your response, I agree that it would be good to educate users to use the logout button and they may do that when they believe there is a personal security threat such as might be associated with a bank website.
You are very close to the mark with your assessment of what I am inferring, so what I will do is provide a business scenario with consideration to customer perception, as opposed to a purely technical example:
Say you have built a helpdesk application with many users staffing computers and taking calls and generating help tickets. A particular help desk operator who is logged in gets up to grab a shot of coffee, pepsi, etc.... She closes the web browser window. Now... while she is away from her desk let us imagine another helpdesk operator sits at her desk and he starts using the application. He opens the browser and HER userid session variable is still active. Any new help desk tickets logged by him will be recorded in the log files with her userid and therefore appear as her work. Now imagine when the help desk ticket is generated an email is sent to the customer and it carries the userid of her as the contact, not him. When the customer calls back to follow up and asks to speak with the userid as the contact on the email received, she has no recollection of the help desk ticket because he raised it while she was off getting coffee, pepsi...etc.
A security consideration here is also that HE may deliberately choose to sabotage the contents of the help desk ticket and is able to do this without a trace. It looks even worse for her if there is a help desk ticket log file that records all the activities of the help desk operators and could even lead to her receiving a negative performance review.
Now I realise many people would say here that possibly the Windows login should lock and prevent this altogether, but in reality it does not happen. And this can lead to arguments about whether it's I.T.'s responsibility or the web application developers responsibility. And that is where the really big arguments can begin to occur!
All of a sudden help desk management start saying they don't care whose responsibility it is, they just want it fixed.
So I guess what I am trying to say here is whenever we can go deeper than a technical issue, it is often useful to try and understand the perception of the client who we develop and sell the web application to, because they are often our bread and butter and if we are not careful, we can be attributed with not being considerate enough of their security concerns and look at how that can impact their organisation.
_________________
Central Coast, NSW, Australia.
|
 |
 |
Waspman
Posts: 948
|
| Posted: 01/05/2011, 5:16 AM |
|
Sorry to dig this up again, but I have definitely done this before. I just opened the admin for my site's CMS (done a year ago), logged in and then closed the browser. When I open the browser and return to my site it asks me to log in again, exactly as it should be.
I go straight back so if it's about the server session, it must be set very low. However, I've logged back in and left it for 1 hour, not submitting anything etc. and it still lets me navigate the site.
The site was published in V4.2
The site that I am having problems with is the same project only it's published in V4.3
I haven't changed any of the settings, it's the same project.
It's also on the same server.
_________________
http://www.waspmedia.co.uk |
 |
 |
peterr
Posts: 5971
|
| Posted: 01/06/2011, 8:42 AM |
|
Waspman,
In such case you should discuss this with support, especially as no one here on the forums can look at your application settings, analyze your logs, check if you are using sessions or cookies for authentication, etc. If there is a related bug then support especially should help.
But you cannot say "exactly as it should be" unless you did something specific to make it so. Since web browsers may not log you out then for the web browser company not being logged out is perfectly fine and exactly as it should be. I'd be more concerned with you not being logged out for one hour, which seems like a big security hole. If I wanted to breach security on a nearby computer then I wouldn't wait until someone closes the browser but until they are called out for an emergency and don't have time to close their browser.
Michael,
Your case is identical to the ones I provided, except banks have much more at stake, including their reputation. Imagine if a corporate accountant left his computer and someone else sat in his chair. It doesn't even matter if the accountant closes the browser or not. Banks must have spent considerable time and resources on implementing security and decided that users should be logged out after 15 minutes of inactivity. I suspect that many banks also can log you out when you close the browser, so if that's what your users want then sure go ahead and implement it. There are thousands of related discussions on the internet and plenty of solutions. Possibly web browsers can also be configured to facilitate this.
_________________
Peter R.
YesSoftware Forums Moderator
For product support please visit http://support.yessoftware.com |
 |
 |
MichaelMcDonald
Posts: 640
|
| Posted: 01/17/2011, 4:13 AM |
|
It's not just banks...
Have a look at the password policy of Vodafone Australia in this article:
http://www.smh.com.au/technology/technology-news/i-just...0117-19t4j.html
_________________
Central Coast, NSW, Australia.
|
 |
 |
feha
Posts: 712
|
| Posted: 01/17/2011, 3:22 PM |
|
@ Waspman
Have you tried to set a session timeout on your web-server ?
I think that your sessions are still active on the server side ...
or somehow you have active auto login "sliding" cookie in CCS 4.3 ...
Try to add some custom code to "clean" your auto login ...
Just a thought ...
_________________
Regards
feha
www.vision.to
feedpixel.com |
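One way to check for the auto-login cookie suggested in the post above, as an added example that is not part of the original thread and not CodeCharge Studio code: it reads the `Set-Cookie` headers a login response returns and reports which cookies the browser will keep after it is closed. The cookie names, values and dates are constructed sample data, and `classify_set_cookie` and `persistent_cookies` are hypothetical helper names.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def classify_set_cookie(header, now):
    """Classify one Set-Cookie header value as session, persistent or deleted."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    lifetime = None
    if "max-age" in attrs:                       # Max-Age wins over Expires (RFC 6265)
        lifetime = int(attrs["max-age"])
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        lifetime = int((expires - now).total_seconds())

    if lifetime is None:
        kind = "session"        # no expiry: meant to end with the browser session
    elif lifetime <= 0:
        kind = "deleted"        # what a real logout should send for a login cookie
    else:
        kind = "persistent"     # written to disk: survives browser close and reboot
    return {"name": name, "kind": kind, "lifetime_s": lifetime,
            "httponly": "httponly" in attrs, "secure": "secure" in attrs}


def persistent_cookies(headers, now):
    """Names of cookies that will still be sent after the browser restarts."""
    return [c["name"] for c in (classify_set_cookie(h, now) for h in headers)
            if c["kind"] == "persistent"]


# Constructed sample: headers as a login response might return them.
SAMPLE_NOW = datetime(2011, 1, 17, 15, 22, 0, tzinfo=timezone.utc)
SAMPLE_LOGIN_HEADERS = [
    "PHPSESSID=constructed123; path=/; HttpOnly",
    "ExampleAutoLogin=constructed456; expires=Mon, 31 Jan 2011 15:22:00 GMT; path=/",
]
SAMPLE_LOGOUT_HEADER = "ExampleAutoLogin=; Max-Age=0; path=/"
```

A cookie classified as `session` can still come back when the browser is set to restore its previous session, so this check complements a server-side timeout and does not replace it.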
 |
 |
Oper
Posts: 1195
|
| Posted: 01/18/2011, 3:32 PM |
|
Could you try this:
Open the browser, log in, then
close all browsers. Open the browser (don't go to your page YET).
Clear all cookies, close the browser, then open the browser and go to your page.
Check if you have now been logged out.
_________________
____________________________
http://www.7bz.com (Free CMS,CRM Developed in CCS)
http://www.PremiumWebTemplate.com
Affiliation Web Site Templates
Please do backup first |
 |
 |
jjrjr2
Posts: 131
|
| Posted: 02/24/2011, 11:20 AM |
|
Hi
Has anybody figured this out?
I have had the exact same experience as Waspman.
I have no clue what has changed..
_________________
John Real - More CodeCharge Studio Support at - http://CCSElite.com
Real Web Development At: http://RealWebDevelopment.us |
 |
 |
|