VERY SERIOUS - replies on embedded forums attributed to wrong accounts
I'm sure this is related to the embedded forum cookie and session issues that I've raised here recently - see my other recent threads - and to Graham Perrin's recent post. But this is the most serious consequence I've seen so far. I've made my new forum public so everyone can see the results and try it out. Once this is sorted, I'll delete all the test threads, so feel free to post some replies if you like.
Here's the forum permalink, in case you missed it in the previous paragraph - http://n2.nabble.com/The-Kenneth-G.-Mills-Foundation-Community-f2275814ef2275814.html;cid=1233854550932-335. You'll see that it's a forced embed. Take a look at some of the threads started by me. Read the replies. You'll see that many of them that were attributed to my account were actually made while another account was logged in. And lest you think that it's all because I've been testing with several accounts from one computer, that's not the case. The first reply in the "Welcome to the forum" thread was made by someone in another country who has never logged into Nabble under any of my accounts.
This is very bad. I hope it can be addressed quickly, as obviously the embedded forum is useless as long as this goes on.
Here are some suggestions based on my observations:
First and foremost, make sure that embedded forums are always accessing the same cookies and session variables as non-embedded. See Graham's thread referenced above for one proof that this isn't happening.
Expire sessions quickly, say after 15 minutes of inactivity, which is a normal procedure. Some of these effects would be alleviated if sessions didn't persist.
When a session ends, and also when a user logs out, be sure to clear the cookies of all session-related values. This obviously isn't happening.
Graham, please explain the ;cid= tail. What's its significance? I see it in the permalink that pops up when I click a Permalink link in the forum. But my page on which the forum is embedded certainly doesn't include it. The page just has the embed code provided by Nabble.
In most of our tests to date, the users have not accessed the forum via the permalink. In fact I haven't given the permalink to anyone except when I posted here in the support forum. I've given my users the direct URL to the page where it's embedded: http://www.kgmfoundation.org/index.php?id=forum. The very first reply posted was by a user who had only that URL, and it got attributed to my account instead of hers.
I've just confirmed that after I clear my cookies from w2.nabble.com and www.nabble.com, I can go directly to the forum page, log in under one of the accounts that previously replied with an erroneous attribution, and post a reply with the correct attribution.
In my view this result reinforces the points that I made in the OP of this thread about Nabble's need to expire sessions and to clear the cookie data properly upon session expiration and upon logout.
persist until the user explicitly logs out from Nabble
not expire when the user quits or exits from the browser
not time out.
http://plone.org/support/forums is a good example of an area comprising multiple list archives in which time outs would lead to confusion and/or frustration.
In my view those preferences are more applicable to public forums than to private ones. And I think we've already demonstrated that they just plain don't work when a private forum is embedded. Perhaps the Nabble engineers could provide some options settings to govern the treatment of sessions and cookies. But unless they find another way to prevent posts from getting attributed to an account other than the one that's actually logged in, I for one would like to see the session data cleared automatically.
Just an update. We have fixed several bugs in the last few weeks and improved the login security. That case where a user was able to post as another user won't happen again. By the way, it probably happened because you posted a link to your forum with the cid information in it (links shouldn't have that information). The cid parameter is part of the Nabble solution to offer functional embeddable apps even when the browser has third-party cookies disabled. This goal is very difficult to achieve and most websites don't offer embeddable services because of this cookie challenge. Nabble is probably the only website that has gone that far, and the details of this implementation are our best secret for now.
You can test your forum again and you shouldn't have problems with login. If you keep blocking third-party cookies in your browser, the login of an embedded forum (or gallery, blog, news, etc.) is independent of the login on the Nabble website (we just can't read the cookies from another domain -- that's the challenge). So you must log in on embedded forums even if you are already logged in on nabble.com. Another point is: if you play with multiple tabs on an embedded forum, you may eventually find wrong login info in the top right corner (depending on the way you navigate), but this is harmless. If it happens, please just refresh your page (F5) and the login will be fixed. We are still working on a fix for that.
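The two mechanisms argued about in this thread, a session identifier carried in a URL parameter (the cid-style token Hugo describes) versus a session bound only to a cookie with an idle timeout and server-side clearing on logout (the OP's suggestions), as an added illustration that is not part of the original posts and not Nabble's code. The class and field names (SessionStore, Session, Request, the "sid" cookie, the "cid" query parameter) and the 15-minute timeout are assumptions made for the example; Nabble's real implementation is not described on this page.

```python
"""Simulated session handling for an embedded forum (added example).

Compares a resolver that honours a session id in the URL query string
with one that trusts only the session cookie, adds an idle timeout and
removes the server-side session on logout.  Names, the 'sid' cookie, the
'cid' parameter and the 15-minute timeout are assumptions for this demo.
"""
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session is dropped


class FakeClock:
    """Controllable clock so the idle timeout can be exercised offline."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


@dataclass
class Session:
    user: str
    last_seen: float


class SessionStore:
    def __init__(self, clock):
        self.clock = clock
        self.sessions = {}

    def login(self, user):
        # fresh, unguessable token per login; never derived from the user name
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, self.clock())
        return token

    def resolve(self, token):
        """Return the user bound to token, or None if unknown or idle too long."""
        s = self.sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > IDLE_TIMEOUT:
            del self.sessions[token]  # expired: the token is dead from now on
            return None
        s.last_seen = now
        return s.user

    def logout(self, token):
        # server-side entry removed, so a stale cookie or URL token cannot be
        # replayed later; the HTTP response must also delete the client cookie
        self.sessions.pop(token, None)


@dataclass
class Request:
    query: dict    # parsed URL query string
    cookies: dict  # cookies the browser sent for the forum's domain


def author_url_session(store, req):
    """Vulnerable: a session id in the URL wins over the browser's own cookie,
    so whoever follows a shared link posts as the link's original owner."""
    token = req.query.get("cid") or req.cookies.get("sid")
    return store.resolve(token)


def author_cookie_session(store, req):
    """Hardened: only the cookie identifies the session; URL tokens are ignored."""
    return store.resolve(req.cookies.get("sid"))


def scenario():
    """Walk through the mis-attribution described in the thread and the fixes."""
    clock = FakeClock()
    store = SessionStore(clock)
    alice_tok = store.login("alice")
    bob_tok = store.login("bob")

    # Constructed case: Alice shares a permalink carrying her session id; Bob,
    # logged in as himself (his own cookie), replies through that link.
    bob_via_link = Request(query={"cid": alice_tok}, cookies={"sid": bob_tok})
    result = {
        "vulnerable": author_url_session(store, bob_via_link),   # 'alice'
        "hardened": author_cookie_session(store, bob_via_link),  # 'bob'
    }

    # Idle timeout: after 15 minutes of inactivity Alice's session is gone.
    clock.advance(IDLE_TIMEOUT + 1)
    result["after_timeout"] = author_cookie_session(
        store, Request(query={}, cookies={"sid": alice_tok}))  # None

    # Logout: Bob's token cannot be reused afterwards even if it leaked.
    store.logout(bob_tok)
    result["after_logout"] = author_cookie_session(
        store, Request(query={}, cookies={"sid": bob_tok}))  # None
    return result


if __name__ == "__main__":
    print(scenario())
```

The point of the vulnerable resolver is that precedence matters: once a server accepts a session identifier from the URL at all, any copied permalink becomes a bearer credential for the account that generated it, which is exactly the wrong-attribution symptom reported above. The hardened resolver also shows why the OP's other two suggestions help: an idle timeout limits how long a leaked token stays usable, and dropping the server-side entry on logout makes a stale cookie or URL token worthless regardless of what the browser still holds.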
Hi, Hugo. Thanks for the update. (Sorry for the delayed response; I've been on vacation.) We'll test it some more with the forum set to "private" again.
I have to tell you that I know your theory is incorrect about users posting as other users because they accessed the forum using links containing the cid. The only link that those users ever received was the link to the page in which the forum is embedded. And that page contains only the embedding code supplied under "Options." (I posted the cid parameter in links on this support forum only because it was displayed by my forum as part of a relevant permalink.)
I just had a user send me an email on this exact same issue. Here is the email content:
Sometimes when I post a reply as a logged-in registered user, it will use a different user's name on the post, and vice versa. It's more annoying than anything else, but I don't want to get yelled at through replies for something I did not post.