I'm sure this is related to the embedded forum cookie and session issues that I've raised here recently - see my other recent threads - and to Graham Perrin's recent post. But this is the most serious consequence I've seen so far. I've made my new forum public so everyone can see the results and try it out. Once this is sorted, I'll delete all the test threads, so feel free to post some replies if you like. Here's the forum permalink, in case you missed it in the previous paragraph - http://n2.nabble.com/The-Kenneth-G.-Mills-Foundation-Community-f2275814ef2275814.html;cid=1233854550932-335. You'll see that it's a forced embed. Take a look at some of the threads started by me. Read the replies. You'll see that many of them that were attributed to my account were actually made while another account was logged in. And lest you think that it's all because I've been testing with several accounts from one computer, that's not the case. The first reply in the "Welcome to the forum" thread was made by someone in another country who has never logged into Nabble under any of my accounts. This is very bad. I hope it can be addressed quickly, as obviously the embedded forum is useless as long as this goes on. Here are some suggestions based on my observations:
I've discovered that this bug was reported five months ago, and I'm hoping to light a fire to get it fixed soon. Thanks.
In reply to this post by Steve Diamond
This is Jennifer M trying to reply to another forum by Steve Diamond.
In reply to this post by Steve Diamond
<http://n2.nabble.com/Test---new-topic-tp2293752.html> looks OK. I wonder, what will happen if you and your other testers: 1. purge nabble.com cookies 2. test again using URLs from which the ;cid=… tails have been removed before sharing. Also, test using WebKit nightly. In November 2008 I found that r38064 was not bugged.
Graham, please explain the ;cid= tail. What's its significance? I see it in the permalink that pops up when I click a Permalink link in the forum. But my page on which the forum is embedded certainly doesn't include it. The page just has the embed code provided by Nabble. In most of our tests to date, the users have not accessed the forum via the permalink. In fact I haven't given the permalink to anyone except when I posted here in the support forum. I've given my users the direct URL to the page where it's embedded: http://www.kgmfoundation.org/index.php?id=forum. The very first reply posted was by a user who had only that URL, and it got attributed to my account instead of hers. I've just confirmed that after I clear my cookies from w2.nabble.com and www.nabble.com, I can go directly to the forum page, log in under one of the accounts that previously replied with an erroneous attribution, and post a reply with the correct attribution. In my view this result reinforces the points that I made in the OP of this thread about Nabble's need to expire sessions and to clear the cookie data properly upon session expiration and upon logout.
I can't explain (I don't work for Nabble) but I recalled cid from <http://n2.nabble.com/-tp950354p950354.html>. The string is rare in this forum. A guess: cookie identity.
In reply to this post by Steve Diamond
I prefer sessions to: • persist until the user explicitly logs out from Nabble • not expire when the user quits or exits from the browser • not time out. <http://plone.org/support/forums> is a good example of an area comprising multiple list archives in which timeouts would lead to confusion and/or frustration. Regards, Graham
In reply to this post by Steve Diamond
Was that post <http://n2.nabble.com/Welcome-to-the-forum%21-tp2276161p2293601.html>?
Yes, that's the one.
In reply to this post by Graham Perrin
In my view those preferences are more applicable to public forums than to private ones. And I think we've already demonstrated that they just plain don't work when a private forum is embedded. Perhaps the Nabble engineers could provide some options settings to govern the treatment of sessions and cookies. But unless they find another way to prevent posts from getting attributed to an account other than the one that's actually logged in, I for one would like to see the session data cleared automatically.
In reply to this post by Steve Diamond
Here's one way I can get an unexpected result on my embedded forum, using two accounts: Steve Diamond and Steve Test.
Please note that this scenario doesn't explain this post, which was made by a user who had never logged in under any account except her own, yet her post showed up as if I had made it.
Nabble folks: Are you working on this?
Do you need any additional behavioral data? Thanks.
Hi Steve,
Just an update. We have fixed several bugs in the last weeks and improved the login security. That case where a user was able to post as another user won't happen again. By the way, it probably happened because you posted a link to your forum with the cid information in it (links shouldn't have that information). The cid parameter is part of the Nabble solution to offer functional embeddable apps even when the browser has third-party cookies disabled. This goal is very difficult to achieve and most websites don't offer embeddable services because of this cookie challenge. Nabble is probably the only website that has gone that far and the details of this implementation are our best secret for now. You can test your forum again and you shouldn't have problems with login. If you keep blocking third-party cookies in your browser, the login of an embedded forum (or gallery, blog, news, etc.) is independent of the login on the Nabble website (we just can't read the cookies from another domain -- that's the challenge). So you must log in on embedded forums even if you are already logged in on nabble.com. Another point is: if you play with multiple tabs on an embedded forum, you may eventually find wrong login info in the top right corner (depending on the way you navigate), but this is harmless. If it happens, please just refresh your page (F5) and the login will be fixed. We are still working on a fix for that. Regards, Hugo Teixeira, Nabble.com
Hi, Hugo. Thanks for the update. (Sorry for the delayed response; I've been on vacation.) We'll test it some more with the forum set to "private" again. I have to tell you that I know your theory is incorrect about users posting as other users because they accessed the forum using links containing the cid. The only link that those users ever received was the link to the page in which the forum is embedded. And that page contains only the embedding code supplied under "Options." (I posted the cid parameter in links on this support forum only because it was displayed by my forum as part of a relevant permalink.)
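As an added illustration, not Nabble's code (the thread says that implementation is kept secret), here is a toy session store that models the two points argued over: whether a session id carried in a shared ;cid= link should be honoured at all (Hugo's explanation of the misattribution), and server-side invalidation on logout (Steve's request earlier in the thread). The account names, the URL format and the ForumServer class are constructed for this example.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class ForumServer:
    trust_url_session: bool                       # honour a ;cid=<id> carried in the URL?
    sessions: dict = field(default_factory=dict)  # server-side store: session id -> account

    def login(self, account):
        sid = secrets.token_urlsafe(16)           # fresh, unguessable id; never reused
        self.sessions[sid] = account
        return sid

    def logout(self, sid):
        self.sessions.pop(sid, None)              # server-side invalidation, not just cookie deletion

    def permalink(self, sid):
        # Mimics the permalink shown in the thread: the session id rides along in a shareable URL.
        return f"/Welcome-to-the-forum.html;cid={sid}"

    def post_reply(self, text, cookie_sid=None, url=None):
        """Attribute a reply: the cookie wins; a URL-carried id counts only if the server trusts it."""
        sid = cookie_sid
        if sid is None and self.trust_url_session and url and ";cid=" in url:
            sid = url.split(";cid=", 1)[1]
        author = self.sessions.get(sid)
        if author is None:
            raise PermissionError("not logged in")
        return author                             # the account the reply is credited to

def shared_link_attribution(trust_url_session):
    """Who is credited when a second user, holding no cookie, replies via Steve's shared link?"""
    srv = ForumServer(trust_url_session)
    link = srv.permalink(srv.login("Steve Diamond"))
    try:
        return srv.post_reply("first reply", url=link)  # the visitor sends no session cookie
    except PermissionError:
        return None                                     # she has to log in as herself first

def shared_link_after_logout():
    """Logout that clears the session server-side defuses a leaked link even on a trusting server."""
    srv = ForumServer(trust_url_session=True)
    sid = srv.login("Steve Diamond")
    link = srv.permalink(sid)
    srv.logout(sid)
    try:
        srv.post_reply("late reply", url=link)
        return "accepted"
    except PermissionError:
        return "rejected"
```

With trust_url_session=True the visitor's reply is credited to Steve, which is the symptom the thread describes; with it False, or once Steve has logged out, the copied link grants nothing.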
In reply to this post by Hugo <Nabble>
Hi Hugo,
I just had a user send me an email on this exact same issue. Here is the email content to me: "Sometimes when I post a reply as a logged in registered user it will use a different user's name on the post and vice versa. It's more annoying than anything else but I don't want to get yelled at through replies for something I did not post." My forum is embedded on my website: http://ruralinfo.net/ruralmailtalk.html Thanks for your help...
Never doubt that a small group of thoughtful, committed citizens can change the world.
Indeed, it is the only thing that ever has.
Thanks a lot for reporting this. We have improved our security again and the next release will be the end of this problem. Sorry for the inconvenience.
Hugo Teixeira, Nabble.com