VERY SERIOUS - replies on embedded forums attributed to wrong accounts

classic Classic list List threaded Threaded
16 messages Options
Reply | Threaded
Open this post in threaded view
|

VERY SERIOUS - replies on embedded forums attributed to wrong accounts

Steve Diamond

I'm sure this is related to the embedded forum cookie and session issues that I've raised here recently - see my other recent threads - and to Graham Perrin's recent post. But this is the most serious consequence I've seen so far. I've made my new forum public so everyone can see the results and try it out. Once this is sorted, I'll delete all the test threads, so feel free to post some replies if you like.

Here's the forum permalink, in case you missed it in the previous paragraph - http://n2.nabble.com/The-Kenneth-G.-Mills-Foundation-Community-f2275814ef2275814.html;cid=1233854550932-335. You'll see that it's a forced embed. Take a look at some of the threads started by me. Read the replies. You'll see that many of them that were attributed to my account were actually made while another account was logged in. And lest you think that it's all because I've been testing with several accounts from one computer, that's not the case. The first reply in the "Welcome to the forum" thread was made by someone in another country who has never logged into Nabble under any of my accounts.

This is very bad. I hope it can be addressed quickly, as obviously the embedded forum is useless as long as this goes on.

Here are some suggestions based on my observations:

  • First and foremost, make sure that embedded forums are always accessing the same cookies and session variables as non-embedded. See Graham's thread referenced above for one proof that this isn't happening.
  • Expire sessions quickly, say after 15 minutes of inactivity, which is a normal procedure. Some of these effects would be alleviated if sessions didn't persist.
  • When a session ends, and also when a user logs out, be sure to clear the cookies of all session-related values. This obviously isn't happening.

Reply | Threaded
Open this post in threaded view
|

Re: VERY SERIOUS - replies on embedded forums attributed to wrong accounts

Steve Diamond

I've discovered that this bug was reported five months ago, and I'm hoping to light a fire to get it fixed soon. Thanks.

Reply | Threaded
Open this post in threaded view
|

Re: VERY SERIOUS - replies on embedded forums attributed to wrong accounts

Jennifer M
In reply to this post by Steve Diamond
This is Jennifer M trying to reply to another forum by Steve Diamond.
Reply | Threaded
Open this post in threaded view
|

focus on the ;cid=… tail of some permalinks

Graham Perrin
In reply to this post by Steve Diamond
<http://n2.nabble.com/Test---new-topic-tp2293752.html> looks OK.

I wonder, what will happen if you and your other testers:

1. purge nabble.com cookies

2. test again using URLs from which the ;cid=… tails have been removed before sharing.

Also, test using WebKit nightly. In November 2008 I found that r38064 was not bugged.
Reply | Threaded
Open this post in threaded view
|

Re: focus on the ;cid=… tail of some permalinks

Steve Diamond

Graham, please explain the ;cid= tail. What's its significance? I see it in the permalink that pops up when I click a Permalink link in the forum. But my page on which the forum is embedded certainly doesn't include it. The page just has the embed code provided by Nabble.

In most of our tests to date, the users have not accessed the forum via the permalink. In fact I haven't given the permalink to anyone except when I posted here in the support forum. I've given my users the direct URL to the page where it's embedded: http://www.kgmfoundation.org/index.php?id=forum. The very first reply posted was by a user who had only that URL, and it got attributed to my account instead of hers.

I've just confirmed that after I clear my cookies from w2.nabble.com and www.nabble.com, I can go directly to the forum page, log in under one of the accounts that previously replied with an erroneous attribution, and post a reply with the correct attribution.

In my view this result reinforces the points that I made in the OP of this thread about Nabble's need to expire sessions and to clear the cookie data properly upon session expiration and upon logout.

Reply | Threaded
Open this post in threaded view
|

Re: focus on the ;cid=… tail of some permalinks

Graham Perrin
Steve Diamond wrote
 please explain the ;cid= tail
I can't explain (I don't work for Nabble) but I recalled cid from <http://n2.nabble.com/-tp950354p950354.html>. The string is rare in this forum.

A guess:

cookie
i
dentity
Reply | Threaded
Open this post in threaded view
|

session persistence

Graham Perrin
In reply to this post by Steve Diamond
Steve Diamond wrote
Nabble's need to expire sessions and to clear the cookie data properly upon session expiration and upon logout
I prefer sessions to:

• persist until the user explicitly logs out from Nabble
• not expire when the user quits or exits from the browser
• not time out.

<http://plone.org/support/forums> is a good example of an area comprising multiple list archives in which time outs would lead to confusion and/or frustration.

Regards
Graham
Reply | Threaded
Open this post in threaded view
|

attribution tests

Graham Perrin
In reply to this post by Steve Diamond
Steve Diamond wrote
 http://www.kgmfoundation.org/index.php?id=forum. The very first reply posted was by a user who had only that URL, and it got attributed to my account instead of hers.
Was that post <http://n2.nabble.com/Welcome-to-the-forum%21-tp2276161p2293601.html>?
Reply | Threaded
Open this post in threaded view
|

Re: attribution tests

Steve Diamond
Graham Perrin wrote
Steve Diamond wrote
 http://www.kgmfoundation.org/index.php?id=forum. The very first reply posted was by a user who had only that URL, and it got attributed to my account instead of hers.
Was that post <http://n2.nabble.com/Welcome-to-the-forum%21-tp2276161p2293601.html>?
Yes, that's the one.
Reply | Threaded
Open this post in threaded view
|

Re: session persistence

Steve Diamond
In reply to this post by Graham Perrin
Graham Perrin wrote
I prefer sessions to:
  • persist until the user explicitly logs out from Nabble
  • not expire when the user quits or exits from the browser
  • not time out.
http://plone.org/support/forums is a good example of an area comprising multiple list archives in which time outs would lead to confusion and/or frustration.
In my view those preferences are more applicable to public forums than to private ones. And I think we've already demonstrated that they just plain don't work when a private forum is embedded. Perhaps the Nabble engineers could provide some options settings to govern the treatment of sessions and cookies. But unless they find another way to prevent posts from getting attributed to an account other than the one that's actually logged in, I for one would like to see the session data cleared automatically.
Reply | Threaded
Open this post in threaded view
|

New details - one way to replicate

Steve Diamond
In reply to this post by Steve Diamond

Here's one way I can get an unexpected result on my embedded forum, using two accounts: Steve Diamond and Steve Test.

  • Logged out as Steve Test.
  • Logged in as Steve Diamond.
  • Closed browser.
  • Waited a few minutes.
  • Opened browser.
  • Upper right shows "Steve Test" but clicking it reveals not really logged in, as there is no logout link.
  • Posted reply to first post in announcements sub-forum. Here is the result - http://n2.nabble.com/Welcome-to-the-forum%21-tp2276161p2299050.html, attributed to Steve Diamond although it looked as if Steve Test was the active user.

Please note that this scenario doesn't explain this post, which was made by a user who had never logged in under any account except her own, yet her post showed up as if I had made it.

Reply | Threaded
Open this post in threaded view
|

Re: New details - one way to replicate

Steve Diamond
Nabble folks: Are you working on this?

Do you need any additional behavioral data?

Thanks.
Reply | Threaded
Open this post in threaded view
|

Re: New details - one way to replicate

Hugo <Nabble>
Administrator
Hi Steve,

Just an update. We have fixed several bugs in the last weeks and improved the login security. That case where a user was able to post as another user won't happen again. By the way, it probably happened because you posted a link to your forum with the cid information in it (links shouldn't have that information). The cid parameter is part of the Nabble solution to offer functional embeddable apps even when the browser has third-party cookies disabled. This goal is very difficult to achieve and most websites don't offer embeddable services because of this cookie challenge. Nabble is probably the only website that has gone that far and the details of this implementation are our best secret for now.

You can test your forum again and you shouldn't have problems with login. If you keep blocking third-party cookies in your browser, the login of an embedded forum (or gallery, blog, news, etc) is independent of the login on the Nabble website (we just can't read the cookies from another domain -- that's the challenge). So you must login on embedded forums even if you are already logged in on nabble.com. Another point is: if you play with multiple tabs on an embedded forum, you may eventually find a wrong login info on the top right corner (depending on the way you navigate), but this is harmless. If it happens, please just refresh your page (F5) and the login will be fixed. We are still working on a fix for that.

Regards,
Hugo Teixeira
Nabble.com
Reply | Threaded
Open this post in threaded view
|

Re: New details - one way to replicate

Steve Diamond
Hugo <Nabble> wrote
That case where a user was able to post as another user won't happen again. By the way, it probably happened because you posted a link to your forum with the cid information in it (links shouldn't have that information). The cid parameter is part of the Nabble solution to offer functional embeddable apps even when the browser has third-party cookies disabled. This goal is very difficult to achieve and most websites don't offer embeddable services because of this cookie challenge. Nabble is probably the only website that has gone that far and the details of this implementation are our best secret for now.

Hi, Hugo. Thanks for the update. (Sorry for the delayed response; I've been on vacation.) We'll test it some more with the forum set to "private" again.

I have to tell you that I know your theory is incorrect about users posting as other users because they accessed the forum using links containing the cid. The only link that those users ever received was the link to the page in which the forum is embedded. And that page contains only the embedding code supplied under "Options." (I posted the cid parameter in links on this support forum only because it was displayed by my forum as part of a relevant permalink.)

Thanks,

Steve

Reply | Threaded
Open this post in threaded view
|

Re: New details - one way to replicate

Ruralinfo.net
In reply to this post by Hugo <Nabble>
Hi Hugo,

I just had a user send me an email on this exact same issues..    Here is the email content to me:

Sometimes when I post a reply as a logged in registered user it will use a different users name on the post and vice versa. It's more annoying than anything else but I don't want to get yelled at through replies for something I did not post

My forum is embedded on my website..

http://ruralinfo.net/ruralmailtalk.html


Thanks for your help...
Never doubt that a small, group of thoughtful, committed citizens can change the world. Indeed, it is the only thing that ever has..
Reply | Threaded
Open this post in threaded view
|

Re: New details - one way to replicate

Hugo <Nabble>
Administrator
Thanks a lot for reporting this. We have improved our security again and the next release will be the end of this problem. Sorry for the inconvenience.

Hugo Teixeira
Nabble.com