Reel_Trouble Guest

Posted: Sat Jan 05, 2008 9:35 am
Thanks Dave

blueoceaneyez I-Mapper


Joined: Jan 19, 2006 Posts: 810 Location: Monkey Junction, NC & Destin, FL
Posted: Sat Jan 05, 2008 9:53 am
AOL test...Yep, it works!

Capt_Dave Site Admin


Joined: Mar 29, 2004 Posts: 3841 Location: Cape Fear, NC
Posted: Sat Jan 05, 2008 10:01 am
Another one bites the DUST.......WOOT WOOT!
Only 6482 tasks to go!!
Dave
_________________
Capt. Dave
Life is SHORT....Fish Hard!
NOT a Member??You are missing ALL the Downloads........and most of the Pictures....!!

Reel_Trouble Guest

Posted: Sat Jan 05, 2008 5:16 pm
AOL test different laptop

Reel_Trouble Guest

Posted: Sat Jan 05, 2008 5:17 pm
You Da Man Dave

Capt_Dave Site Admin


Posted: Tue Jan 15, 2008 10:41 am
Try a PM and see if that works. I had an e-mail this morning about "invalid" in the PMs and I want to see if it is him or this issue coming back to light...
Dave

Reel_Trouble Guest

Posted: Tue Jan 15, 2008 4:58 pm
Could not PM

Capt_Dave Site Admin


Posted: Tue Jan 15, 2008 5:02 pm
So Reel you could not PM either?
I will send you one...see if you can read it and reply.
Dave

Reel_Trouble Guest

Posted: Tue Jan 15, 2008 9:49 pm
Dave,
Got your PM sent at 5:02, tried sending PM reply, invalid ses.........

Capt_Dave Site Admin


Posted: Tue Jan 15, 2008 9:57 pm
Have I ever told you how much I HATE AOL!!
I will look into it.
Dave

Reel_Trouble Guest

Posted: Tue Jan 15, 2008 10:14 pm
Capt_Dave wrote:
    Have I ever told you how much I HATE AOL!!
    I will look into it.
    Dave
Seems that came up the other day
I'll use another browser, not a problem.
Thanks

Capt_Dave Site Admin


Posted: Wed Jan 16, 2008 9:48 pm
Try it now.....See if it works....
Dave

Reel_Trouble Guest

Posted: Wed Jan 16, 2008 9:57 pm
Your dreaded AOL test, PM sent to you, invalid

Capt_Dave Site Admin


Posted: Wed Jan 16, 2008 10:33 pm
phpBB uses sessions to "track" users as they move between pages, forums, topics, etc. A session is made up of a unique 32 character session_id which identifies the current user. This value is stored in the sessions table and in either a temporary (i.e. it's deleted when the browser window is closed) cookie on the user's machine or, if that doesn't seem to be working, appended to all URLs.
The problem with using just a session_id is that it becomes very easy to hijack (take over) a session. All a user need do is obtain the session_id and add it to the URL as they browse the board. If the id they grab happens to be a logged-in admin or moderator ... well, you get the picture.
What we do to help complicate the situation is also tie the session to the user's IP. Using this method someone would need to spoof an IP and obtain the session_id in order to hijack a session; not incredibly difficult but certainly harder ... and with this sort of software it's really a case of making everything harder to do, thus dissuading all but the most ardent "hackers" from bothering to attempt anything.
How do we obtain this IP? We check the availability of two variables, REMOTE_ADDR and HTTP_X_FORWARDED_FOR. Firstly we check for HTTP_X_...; this is typically set by "nice" proxies, caches, etc. and contains "an" IP which may be the user's "real" IP or some other IP. If that does not exist or it contains a private or restricted IP range (several blocks of IPs are reserved by the international bodies responsible for IP allocation) we instead use the value contained in REMOTE_ADDR. This variable typically contains the user's real IP.
However, problems arise with how some ISPs operate their systems. Instead of forwarding the user's real IP, or indeed a different but static IP, they simply make available only the IP of the proxy being browsed. The larger ISPs do not use a single proxy or cache; the load upon it and data passing through it would be far too great. Instead they use several systems in a "proxy farm" (I tend to refer to it as something containing most of those letters ...). A user browsing the web may be switched between these machines from one page to another (to help distribute load), with the IP changing as they go.
Obviously a problem then exists in that phpBB's ability to tie a user's session to a unique id and an IP fails ... because the IP is constantly changing. There are some "nice" ISPs out there that run these farms within a single "class" or block of IPs, e.g. 1.2.3.4, 1.2.3.5, 1.2.3.6, etc.
This is why in a previous release of phpBB we introduced a slightly reduced IP checking system which now checks only the first three "quads" of an IP, i.e. 1.2.3.4 is checked only for 1.2.3; the 4 is discarded. Remember that an IPv4 address is 32 bits wide; this is generally presented in the form of four 8-bit numbers. By checking just the first three numbers (24 bits) we neglect 8 bits or 255 (253 in practice) possible IPs ... that's 253 separate potential proxies ... IOW enough machines for practically any ISP on the planet. However we can go further and reduce that checking to just the first "two quads", which ignores 255 * 253 IPs!
The problem is some ISPs don't arrange their IP allocation particularly well, either for historical or other reasons ... AOL is one significant culprit. So what happens is that users can jump between completely different Class A (this is a full 32-bit block of IPs) networks, e.g. 100.100.100.100 to 200.100.40.40, etc. This renders IP validation completely useless for such situations.

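To make the mechanism in the post above concrete, here is an added example in Python. It is not phpBB's code and was not posted by anyone in this thread; it models the same idea: a table of 32-character random session ids, each bound to the IP prefix seen when the session was created, with the IP chosen from HTTP_X_FORWARDED_FOR or REMOTE_ADDR the way the post describes. The list of private/reserved blocks, the `env` dictionary standing in for PHP's $_SERVER, the `check_octets` knob and the sample addresses are all assumptions for illustration, including the 0-octet setting that turns the check off, which the post only hints at.

```python
import ipaddress
import secrets

# Blocks treated as "private or restricted". The post does not list them, so
# this set is an assumption: RFC 1918 plus loopback, link-local, multicast,
# the "this network" block and the reserved top block.
PRIVATE_OR_RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def client_ip(env):
    """Pick the client IP as the post describes: HTTP_X_FORWARDED_FOR first,
    falling back to REMOTE_ADDR when the header is absent, unparsable, or in
    a private/reserved block. `env` stands in for PHP's $_SERVER (assumption).
    Only the first comma-separated entry of the header is considered."""
    xff = env.get("HTTP_X_FORWARDED_FOR", "")
    candidate = xff.split(",")[0].strip() if xff else ""
    try:
        addr = ipaddress.IPv4Address(candidate)
    except ValueError:
        addr = None
    if addr is not None and not any(addr in net for net in PRIVATE_OR_RESERVED):
        return str(addr)
    return env["REMOTE_ADDR"]


def ip_prefix(ip, octets):
    """Keep the first `octets` dotted quads: ("1.2.3.4", 3) -> "1.2.3".
    0 keeps nothing, which disables the IP check entirely."""
    return ".".join(ip.split(".")[:octets])


class SessionStore:
    """Session table keyed by a 32-character random id; each entry remembers
    the IP the session was started from and is validated against its prefix."""

    def __init__(self, check_octets=3):
        self.check_octets = check_octets
        self.sessions = {}

    def start(self, env, user_id):
        sid = secrets.token_hex(16)  # 32 hex characters from the OS CSPRNG
        self.sessions[sid] = {"user": user_id, "ip": client_ip(env)}
        return sid

    def lookup(self, sid, env):
        """Return the user bound to `sid`, or None when the id is unknown or
        the request comes from outside the bound prefix (the "invalid
        session" the thread is about)."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        want = ip_prefix(sess["ip"], self.check_octets)
        got = ip_prefix(client_ip(env), self.check_octets)
        return sess["user"] if want == got else None


def demo():
    """Walk the cases from the post with constructed requests."""
    results = {}
    store = SessionStore(check_octets=3)
    sid = store.start({"REMOTE_ADDR": "1.2.3.4"}, "admin")
    # Same /24 (a "nice" proxy farm): the session survives the hop.
    results["same /24"] = store.lookup(sid, {"REMOTE_ADDR": "1.2.3.9"})
    # Stolen id replayed from an unrelated network: rejected.
    results["stolen id, other network"] = store.lookup(sid, {"REMOTE_ADDR": "9.9.9.9"})
    # AOL-style hop between unrelated blocks fails even on a one-octet check.
    farm = SessionStore(check_octets=1)
    sid2 = farm.start({"REMOTE_ADDR": "100.100.100.100"}, "reel")
    results["aol hop, 1 octet"] = farm.lookup(sid2, {"REMOTE_ADDR": "200.100.40.40"})
    # With the check off, only the session id protects the account.
    nocheck = SessionStore(check_octets=0)
    sid3 = nocheck.start({"REMOTE_ADDR": "100.100.100.100"}, "reel")
    results["aol hop, check off"] = nocheck.lookup(sid3, {"REMOTE_ADDR": "200.100.40.40"})
    return results


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case:26s} -> {user!r}")
```

Two things a practitioner would check before copying this pattern. HTTP_X_FORWARDED_FOR is just a request header: anyone who can reach the web server directly can set it to any value, so preferring it over REMOTE_ADDR lets an attacker holding a stolen session id also supply the IP the session was bound to; only honour the header when REMOTE_ADDR is a proxy you control. And once the octet check is relaxed to 0 (the only setting that helps the AOL case in the post), the session id alone guards the account, so it must be long and random, and putting it in the URL as a cookie fallback means it leaks through Referer headers, proxy logs and copied links.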
Reel_Trouble Guest

Posted: Thu Jan 17, 2008 9:08 am
So based on what I see (don't understand) the best for all parties is to use something other than AOL for a browser. NOT A PROBLEM. Thanks again