Amiga.org
Amiga computer related discussion => Amiga Software Issues and Discussion => Topic started by: Piru on December 22, 2006, 10:02:42 AM
-
Because I just popped in from my PC and it thinks I'm logged in as Piru, when in fact this is actually koaftder. Wayne, something's up.
-
:-o
-
Koaftder: Could it be a metamorphosis :lol:
Any other signs of change :-o
-
Oh that's just great. Let's see if I appear as koaftder or someone else (this is the real Piru speaking).
[EDIT]Well it looks like I am me myself.[/EDIT]
-
I don't know why it did that. I was logged in some 12 hours ago, and when I hit reply in another thread a few minutes ago it posted it as Piru. I was using Tor when it did that.
-
(http://elpistachoveloz.blogia.com/upload/twilight-zone.jpg)
-
Hmmmm, sounds like your sessions got mixed up or something. Scary! :nervous:
--
moto
-
I'm pretty sure that isn't Dennis up there either?
Am I me?
(Coldfish)
edit, yep!
glitch in the matrix.
-
oops, well, now I'm koaftder. (really Piru)
scary... (http://upload.wikimedia.org/wikipedia/en/thumb/a/a8/Face-Off_(Movie_Poster).jpg/260px-Face-Off_(Movie_Poster).jpg)
-
Dude...you missed out on some opportunity for pranks there, man.
Nothing serious of course, but if it was me I would have changed Piru's avatar to a boing ball and underneath, in the location field I would write "You just got boinged by X-ray!"
:evilgrin: :hat: :-P
-
X-Ray: How can we be sure that its you :crazy:
-
Well, I know you're not Homer. Wrong shade of yellow. ;-)
-
The session ID is only an MD5 hashcode at the end of the day. It has been demonstrated not so long ago that this algorithm has a collision rate several orders of magnitude greater than its theoretical limit.
Once you get sufficient users with enough login turnover, this problem can be difficult as the number of open sessions increases and with it the likelihood of collision.
More worrying is the fact that XOOPs itself uses MD5 hashcodes for various keys within its implementation.
Also, it is sometimes the case that in PHP, the session ID is passed on the URL if for some reason cookies aren't working and the page allows it (it will usually use an invisible form field in preference, if it can). If you ever see PHPSESSID=<32 character hex string> in your url, don't post it as a link ;-)
-- this post by the actual Karlos, accept no imitations!
-
Wouldn't increasing the length of the session ID decrease the likelihood of a "collision"? Personally I use a 128 character key as the session ID when I'm writing a web app.
--
moto
-
X-ray wrote:
Dude...you missed out on some opportunity for pranks there, man.
Nothing serious of course, but if it was me I would have changed Piru's avatar to a boing ball and underneath, in the location field I would write "You just got boinged by X-ray!"
:evilgrin: :hat: :-P
I've been holding this one in reserve for just such an occasion:
(http://extropia.co.uk/img/piru_68k.gif)
;-)
-
motorollin wrote:
Wouldn't increasing the length of the session ID decrease the likelihood of a "collision"? Personally I use a 128 character key as the session ID when I'm writing a web app.
--
moto
PHP itself uses a 128-bit session ID by default. Normally this should be fine, but the actual hashing algorithm itself is the problem. It just isn't as unique as first thought.
-edit-
According to the manual (http://uk.php.net/manual/en/ref.session.php), PHP5 allows you to set the hash function and bits per character used for the session ID. This functionality is not available in PHP4 and I am not sure which version is used here.
Just setting session.hash_function in the php.ini to 1 would switch to SHA-1 which is a better hash function than MD5.
A second point to consider is that the database schema may also reference the session ID and expect them to be a particular type, which would complicate fixing things...
-/edit-
Your 128-character ID would be 1024-bit, assuming that every bit of the byte is used, or 512-bit if the string is a hex code. If the algorithm were poor, you could still get collisions a lot sooner than you expect.
Another thing to consider is that excessively long hashcodes take time to generate and lookup. If you have a lot of hits, you might find a fair amount of server time is spent just doing this one job ;-)
To put things in perspective, however, this is a busy site with >1000 users constantly coming and going. It has happened just this once (as far as we know) in the entire time since it has been open (spanning several years)
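The birthday-bound arithmetic behind the collision discussion in the two posts above (the 32-character PHP default, the 128-character ID, and how many live sessions it takes before a collision becomes likely), as an added worked example that is not from the thread. It is written in Python so it runs stand-alone. It assumes every ID is drawn uniformly at random from a space of 2^bits values; the 500-session figure it prints is a constructed sample input.

```python
"""Birthday-bound estimate for session ID collisions (added example, not from the thread).

Assumes every ID is drawn uniformly at random from a space of 2**bits values;
a generator whose output is biased or predictable has a smaller effective space
and collides sooner than these figures suggest.
"""
import math


def id_bits(length, hex_encoded=True):
    """Bits of ID space for a string of `length` characters:
    4 bits per hex digit, or 8 per character if every bit of the byte is used."""
    return length * (4 if hex_encoded else 8)


def collision_probability(n_ids, bits):
    """Probability that at least two of n_ids random IDs coincide.

    Standard birthday approximation: 1 - exp(-n(n-1) / 2^(bits+1)).
    Integer arithmetic on the denominator keeps this exact for spaces
    far beyond float range (512- and 1024-bit IDs included).
    """
    exponent = -(n_ids * (n_ids - 1)) / (2 << bits)  # 2 << bits == 2 * 2**bits
    return -math.expm1(exponent)


def ids_for_probability(p, bits):
    """Number of simultaneous IDs at which a collision has probability p.

    Inverse of the formula above: n ~= sqrt(2 * 2^bits * ln(1/(1-p))).
    2**(bits/2) is taken first so large spaces stay within float range.
    """
    return math.sqrt(2.0 * -math.log1p(-p)) * 2.0 ** (bits / 2)


if __name__ == "__main__":
    # Constructed sample input: a forum with 500 live sessions.
    live_sessions = 500
    for label, bits in [("32-char hex (PHP default)", id_bits(32)),
                        ("128-char hex", id_bits(128)),
                        ("128 raw bytes", id_bits(128, hex_encoded=False))]:
        p = collision_probability(live_sessions, bits)
        n50 = ids_for_probability(0.5, bits)
        print(f"{label:26s} {bits:5d} bits  "
              f"P(collision among {live_sessions}) = {p:.3e}  "
              f"50% point ~ {n50:.3e} IDs")
```

For 128-bit IDs the 50% point is around 2.2e19 simultaneous sessions, so the number of open sessions is not what drives a collision; the quality of the randomness feeding the generator is.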
-
Karlos wrote:
(http://extropia.co.uk/img/piru_68k.gif)
Genuine LOL moment there, well done! :lol:
-
Actually I don't know how to do sessions properly in PHP :oops: I normally generate 128 numbers at random, check whether that combination of numbers currently exists in the users table, and if it doesn't it gets stored in the user's row in the users table. The session ID gets passed from page to page in the URL and is retrieved with $_GET[session]. The first thing any page does is connects to the database and attempts to match the session ID with a user.
I know this isn't particularly secure. When I develop something that requires a higher level of security I'll learn how to do it properly :-)
--
moto
-
Either that or the site recycles hashes but does a check against the IP of the client before assignment.
I somehow ended up gaining Piru's session. I logged that out, and logged back in as me. 20 minutes later Piru ends up with my session. If that's just a random one in a billion collision, two times in 20 minutes involving the same two user accounts, that's highly improbable.
-
Did Piru get your session? I thought you just got his.
-edit-
It's not generally the case that the site code itself handles session management as PHP provides an entire set of functions for this purpose. It's only when you wish to enhance the session system you'd rely on your own code and even then the chances are you'd build on top of the existing library.
-/edit-
The session is not generally tied to IP or anything else about the remote client. Some systems will match IP against session ID but it's quite unusual to do this simply because IPs can change or that several machines behind NAT might appear to have the same IP.
Consequently, 2 different machines using the same session ID will "work" at the same time, it just appears to the server as if the client is a bit "busier" than normal ;-)
Accidentally giving out your session ID as it appears on the URL is one of the biggest methods of "session hijacking". I've experimented with making systems secure against this but it is not as trivial as you might think.
The web developer plugin for firefox, for instance, allows you to edit any cookie on your system, including session cookies. In a lot of cases, if someone gives you their session ID accidentally, you can simply edit your session ID cookie for the site and "become" them.
-
motorollin wrote:
Actually I don't know how to do sessions properly in PHP :oops: I normally generate 128 numbers at random, check whether that combination of numbers currently exists in the users table, and if it doesn't it gets stored in the user's row in the users table. The session ID gets passed from page to page in the URL and is retrieved with $_GET[session]. The first thing any page does is connects to the database and attempts to match the session ID with a user.
I know this isn't particularly secure. When I develop something that requires a higher level of security I'll learn how to do it properly :-)
--
moto
At least use a cookie. Anybody posting a link to a page they were viewing would get their session hijacked in an instant.
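A model of the two session-handling approaches discussed above (motorollin's URL-carried ID read from the query string, and the cookie-only lookup the replies recommend), as an added example; it is not code from the thread or from the forum software, and it uses Python rather than PHP so it runs stand-alone. Everything in it is constructed for the illustration: the Request and SessionStore classes, the `session` query parameter and the `sid` cookie name. It goes one step beyond the thread in one respect: login rotates the session ID, which is what stops an ID that someone else already knows from being reused after the victim logs in through it.

```python
"""Session-ID handling, URL-carried versus cookie-only (added example, not from the thread).

Constructed model: Request stands in for an HTTP request, SessionStore for the
server-side session table; parameter and cookie names are made up for the demo.
"""
import secrets
from dataclasses import dataclass, field

SID_BYTES = 16  # 128-bit IDs rendered as 32 hex characters


@dataclass
class Request:
    """Only the URL query parameters and cookies of a request are modelled."""
    query: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


class SessionStore:
    """Maps session ID -> session data; the ID is the only credential."""

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def new_id():
        # CSPRNG output. With 128 bits of entropy a "does it exist already?"
        # loop is unnecessary; uniqueness is not the weak point of a session ID.
        return secrets.token_hex(SID_BYTES)

    def create(self, data=None):
        sid = self.new_id()
        self._sessions[sid] = dict(data or {})
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def regenerate(self, sid):
        """Re-key the session: same data, fresh ID, old ID invalidated."""
        data = self._sessions.pop(sid)
        return self.create(data)


def resolve_url_or_cookie(store, req):
    """Legacy lookup: accept the ID from ?session=... (as with $_GET) or a cookie."""
    sid = req.query.get("session") or req.cookies.get("sid")
    return store.get(sid) if sid else None


def resolve_cookie_only(store, req):
    """Hardened lookup: the query string is ignored; only the cookie counts."""
    sid = req.cookies.get("sid")
    return store.get(sid) if sid else None


def login(store, sid, user):
    """Bind a user to the session and rotate its ID at the privilege change."""
    if store.get(sid) is None:
        sid = store.create()
    store.get(sid)["user"] = user
    return store.regenerate(sid)


def hijack_demo():
    """Alice posts a link that still carries her session ID; Bob follows it."""
    store = SessionStore()
    alice_sid = store.create({"user": "Alice"})
    bob_req = Request(query={"session": alice_sid})  # Bob has no cookie for the site
    via_url = resolve_url_or_cookie(store, bob_req)
    via_cookie = resolve_cookie_only(store, bob_req)
    return (via_url["user"] if via_url else None,
            via_cookie["user"] if via_cookie else None)


def fixation_demo():
    """Attacker plants an ID they know in a link; the victim logs in through it."""
    store = SessionStore()
    planted = store.create()                     # attacker's own anonymous session
    victim_sid = login(store, planted, "victim")  # rotation happens here
    return (store.get(planted),                  # None: the planted ID is dead
            store.get(victim_sid)["user"],       # "victim"
            planted != victim_sid)


if __name__ == "__main__":
    print("URL-carried ID, Bob is seen as:", hijack_demo())
    print("Planted ID after login:", fixation_demo())
```

With the legacy resolver, Bob's request carrying Alice's ID is served as Alice; with the cookie-only resolver the same request is anonymous. In a real deployment the cookie should also be marked HttpOnly, and the server should never emit the ID into links or form fields.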
-
lol Karlos
Good avatar
-
I deleted out about 500 sessions from the database, but honestly at this point, it's anyone's guess.
We -- as always -- are caught between a rock and a hard place, between providing legacy support for the Amiga and not being able to upgrade any further than we already have because the authors pretty much abandoned backwards compatibility.
If anyone has any ideas, I'm all ears.
Wayne
-
bah,
...birds of a feather...
:-P
-
Wait and see what improvements IBrowse brings. It may be that an improved forum engine will work ok on 2.4 so an upgrade will be possible.
--
moto
-
I propose that today be named International Piru Day.
I think we should all 'become' Piru, in honour of this historic event.
Hell, I will even take a Piru avatar if enough people go along with it.
-
Wayne wrote:
I deleted out about 500 sessions from the database, but honestly at this point, it's anyone's guess.
We -- as always -- are caught between a rock and a hard place, between providing legacy support for the Amiga and not being able to upgrade any further than we already have because the authors pretty much abandoned backwards compatibility.
I'd say you're serving two communities. The retro lot who're into original Commodore hardware, old games and demos, mod tracking, etc., and those who still want to see the Amiga become a viable desktop alternative, with an interest in PPC or even x86, off-the-shelf PCI, USB, etc.
IMO in the long run you benefit neither by holding the site back. Internet access is barely relevant to the retro scene and as for the new Amiga peeps - how many times do people use that same spiel about the Amiga doing everything they need, only to turn around and complain when site x doesn't work? What's the point in browsing the small subset of sites that are willing to compromise on functionality for what is a minority of users?
Surely it'd be better to move onwards and upwards, and hope that as one of the bigger Amiga sites, in doing so you spur on development in the Amiga browser market.
Tough love, if you will.
-
OMG, I'm me again. Let's see for how long!
-
Hey, it's me, koaftder!
-
Oh dear. Whatever next :crazy:
-
erase your cache and cookies ya goof.
-
NoFastMem wrote:
Surely it'd be better to move onwards and upwards, and hope that as one of the bigger Amiga sites, in doing so you spur on development in the Amiga browser market.
Tough love, if you will.
It's not quite that simple. There is no upgrade path any longer between what was, and what now is current. There's also a massive amount of work involved, so in essence, to upgrade the site at this point would require a complete and total reboot (meaning lose all accounts, all posts, all data, everything).
Still think it's a good idea?
Wayne
-
Wayne wrote:
erase your cache and cookies ya goof.
I just did that as instructed. Didn't think to do that. Hopefully that will be the end of it.
-
Maybe, just maybe, having 500 stored sessions, it randomly started recycling some of the session IDs. The idea of it doing that would be mind boggling when you consider the hash is 128-bits, but considering:
1) the sessions table hasn't been cleaned in forever
2) we get thousands of hits a day
It's possible. Unlikely, but possible.
Hopefully, deleting your cookies and caches, then logging in again will help because honestly I'm not sure what else to do at this point.
Wayne
-
Wayne wrote:
2) we get thousands of hits a day
Wayne
Congratulations. How many are unique hits?
*whew* I'm not Piru. :lol:
-
Karlos wrote:
I've been holding this one in reserve for just such an occasion:
(http://extropia.co.uk/img/piru_68k.gif)
;-)
I knew it, Piru is powered by Motorola!
-
@X-Ray
I propose that today be named International Piru Day.
I think we should all 'become' Piru, in honour of this historic event.
Hell, I will even take a Piru avatar if enough people go along with it.
I can see a movie coming on... "Being Harry Sintonen"
(I hope I didn't misspell that too badly)
-
Wayne wrote:
2) we get thousands of hits a day
Damn,
Sell some ad space and take the money and pocket half and the other half, donate to AROS bounties.
-
X-ray wrote:
I propose that today be named International Piru Day.
I think we should all 'become' Piru, in honour of this historic event.
Hell, I will even take a Piru avatar if enough people go along with it.
Unfortunately I did try this by copying his avatar, but when I tried to upload it I came across the new 100*100 pixels limitation :smack:
Guess what happened when I tried to put back my old avatar :boohoo:
ah well, I'm all for streamlining for a faster response :lol:
-
@ Homer
You have just been boinged by X-ray !! :lol:
-
X-ray wrote:
@ Homer
You have just been boinged by X-ray !! :lol:
Kinky bugger.
-
Doh !!!!!