MyBB Community Forums

Full Version: CANNOT LOGOUT AFTER UPGRADE TO 1.2.8?
mrblackbird Wrote: Thanks guys, but I have come across one problem, which is what I think is causing the trouble. These are the codes that should be used:

This worked for me on older themes to work in 1.2.8 and avoid the unable to logout error.

The logout code should be:

In header_welcomeblock_member:
Code:
<a href="{$mybb->settings['bburl']}/member.php?action=logout&uid={$mybb->user['uid']}&sid={$session->sid}">{$lang->welcome_logout}</a>)<br />


In index_logoutlink:
Code:
<a href="{$mybb->settings['bburl']}/member.php?action=logout&uid={$mybb->user['uid']}&sid={$session->sid}">{$lang->index_logout}</a> |


In changeuserbox:

Code:
<a href="{$mybb->settings['bburl']}/member.php?action=logout&uid={$mybb->user['uid']}&sid={$session->sid}">{$lang->change_user}</a>



However, on this one:

In header_welcomeblock_member:
Code:
<a href="{$mybb->settings['bburl']}/member.php?action=logout&uid={$mybb->user['uid']}&sid={$session->sid}">{$lang->welcome_logout}</a>)<br />





Thanks for the Tip

It works perfectly with previous 1.2.x templates in MyBB 1.2.9 here.
I still can't fix this issue for some reason... I reverted the stuff noted before, but it didn't solve anything. Plus, it messed up my template, so I was forced to re-import it. Can someone please help? Thanks.
I don't think that changing the logout manner was a good idea after all. Actually nobody can log someone else out because of the session id (and/or cookie). If the attacker can get this information he can get everything (even the login password), because he compromised the system.

Nevertheless this feature is annoying for me, because I use Proxomitron, which sometimes changes the "Client-ip", and then I'm not able to log out. I don't think that it adds much security (for the reasons above).

AFAIK MyBB is the only BB that uses such a behavior.
sacharja Wrote: I don't think that changing the logout manner was a good idea after all. Actually nobody can log someone else out because of the session id (and/or cookie). If the attacker can get this information he can get everything (even the login password), because he compromised the system.

Nevertheless this feature is annoying for me, because I use Proxomitron, which sometimes changes the "Client-ip", and then I'm not able to log out. I don't think that it adds much security (for the reasons above).

AFAIK MyBB is the only BB that uses such a behavior.

Incorrect, phpBB uses sessions in ALL their URLs. Also, the attacker can't get the session id or cookie. Sessions usually expire fast and you still need the cookie information to officially authenticate, which, unless a hacker actually gets into your computer through another exploit in one of MS's apps, is impossible.

Either way, we've fixed it for MyBB 1.2.10 to work with proxies.
Tikitiki Wrote:Incorrect, phpBB uses sessions in ALL their URLs.
As it should be, so what's incorrect?

Quote: Also, the attacker can't get the session id or cookie. Sessions usually expire fast and you still need the cookie information to officially authenticate, which, unless a hacker actually gets into your computer through another exploit in one of MS's apps, is impossible.
That's exactly what I wrote:
sacharja Wrote: Actually nobody can log someone else out because of the session id (and/or cookie). If the attacker can get this information he can get everything (even the login password), because he compromised the system.
Did you actually read my post?

Tikitiki Wrote:Either way, we've fixed it for MyBB 1.2.10 to work with proxies.
So v1.2.10 uses only sessions and cookies to logout?
No - 1.2.10 passes a different identifier to the script which is not based on your IP address.

We need to pass an identifier to the script to prevent CSRF attacks (Cross Site Request Forgery).

As for the user having the session ID, in MyBB, there is nothing that a malicious user can not do to it. Due to the way sessions work, they cannot be hijacked in MyBB.
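
Added example, not part of the original thread and not MyBB's code: a PHP illustration of why a logout check tied to the client IP fails behind a proxy that changes it, while a per-user identifier still blocks forged logout requests. All function names, the secret and the sample session are hypothetical and constructed for this example.

```php
<?php
// Added illustration, not MyBB source. All names below are hypothetical.

// Behaviour described in the thread: the sid in the logout link is checked
// together with the client IP, so a proxy that changes the IP between page
// load and click makes the check fail and the user cannot log out.
function logout_allowed_by_sid(array $sessions, string $sid, string $ip): bool
{
    return isset($sessions[$sid]) && $sessions[$sid]['ip'] === $ip;
}

// IP-independent identifier (one possible construction, an assumption here):
// an HMAC over the user id keyed with a per-user secret kept server-side.
// Another site cannot guess it, so it still stops forged logout requests,
// but it does not change when the client IP does.
function make_logout_key(int $uid, string $user_secret): string
{
    return hash_hmac('sha256', 'logout:' . $uid, $user_secret);
}

// Constant-time comparison of the supplied key against the expected one.
function logout_allowed_by_key(int $uid, string $user_secret, string $supplied): bool
{
    return hash_equals(make_logout_key($uid, $user_secret), $supplied);
}

// Constructed sample data (documentation IP ranges, made-up sid and secret).
$sessions = ['3f2a9c' => ['uid' => 7, 'ip' => '198.51.100.10']];
$secret   = 'constructed-per-user-secret';
$key      = make_logout_key(7, $secret);

// Case 1: sid check, same client IP as when the session was created.
var_dump(logout_allowed_by_sid($sessions, '3f2a9c', '198.51.100.10'));
// Case 2: sid check, proxy now presents a different client IP.
var_dump(logout_allowed_by_sid($sessions, '3f2a9c', '203.0.113.5'));
// Case 3: key check, key taken from the page the user actually loaded.
var_dump(logout_allowed_by_key(7, $secret, $key));
// Case 4: key check, cross-site request that cannot know the key.
var_dump(logout_allowed_by_key(7, $secret, ''));
```
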
sacharja Wrote:
Tikitiki Wrote:Incorrect, phpBB uses sessions in ALL their URLs.
As it should be, so what's incorrect?

sacharja Wrote:AFAIK MyBB is the only BB that uses such a behavior.

I'll let you answer your own question.
Chris Boulton Wrote:No - 1.2.10 passes a different identifier to the script which is not based on your IP address.

We need to pass an identifier to the script to prevent CSRF attacks (Cross Site Request Forgery).

As for the user having the session ID, in MyBB, there is nothing that a malicious user can not do to it. Due to the way sessions work, they cannot be hijacked in MyBB.
Thanks, that'll be a good reason to upgrade then.

@Tikitiki
I feared that you didn't apply this statement to the sentence before it.
I am having this problem too and have read through the posts but still can't figure out a solution for this. If anyone is able to help please let me know. My forums link is http://www.cland2.com/forums
Have you read this post?

http://community.mybboard.net/showthread...#pid140142

Sorry this thread is a little confusing.