MyBB Community Forums

Full Version: What if two users have the same login key?
Getting people to join a new forum isn't easy, so I want to make a pretty large number of accounts for family, friends, etc. (in advance, saved as a .csv file). Fields like 'password' and 'email', for example, can easily be changed by the user.

What about duplicate login keys? Will they be a big problem (with function and / or security)?

Thanks again.
Login keys? I'm sorry what is that? Like a username or user id?
In the user table right next to password and salt.
I'll experiment and check back.

Thanks

EDIT:
Two users with the same login key can both log in and out.
Would it be a big security risk to have multiple users with the same login key?
Why not just make the accounts through the admin cp since then you don't have to worry about it?

I don't even know where the login key is used (by the user I mean, it's used to log in of course).
Why not just make the accounts through the admin cp...?


I'm wanting to make several hundred accounts (pre-registering potential users), on a spreadsheet, then use a csv file to import.
The basic idea should work, but I'm looking to avoid unexpected problems.
Duplicate login keys work fine with MyBB, however, I'd suggest just leaving it blank. MyBB will automatically generate a login key that way.

Login keys are used to authenticate users without a password (i.e., when you choose to be "remembered"), thus if everyone has the same login key, yes, that is a security problem.
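An added example, not part of the original thread and not MyBB's own code: a check to run over the import spreadsheet before loading it, which finds non-blank login keys shared by more than one account and replaces them with unpredictable per-user values, leaving blank keys blank as the answer above suggests. The column names `username` and `loginkey`, the 50-character key length and the sample rows are assumptions made for illustration.

```python
import csv
import io
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits
KEY_LEN = 50  # assumption: match the width of the key column in your install
# Constructed sample of a spreadsheet export; alice and bob share a key.
SAMPLE_CSV = """username,email,loginkey
alice,alice@example.test,AAAA1111
bob,bob@example.test,AAAA1111
carol,carol@example.test,
dave,dave@example.test,k3Jq8ZpW
"""

def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def shared_keys(rows, key_col="loginkey"):
    """Map each non-blank key used by more than one row to its usernames."""
    owners = defaultdict(list)
    for row in rows:
        if row[key_col]:
            owners[row[key_col]].append(row["username"])
    return {k: v for k, v in owners.items() if len(v) > 1}

def new_loginkey():
    """Unpredictable key from the OS CSPRNG (not the random module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(KEY_LEN))

def assign_unique_keys(rows, key_col="loginkey"):
    """Replace every shared key in place; return the usernames changed."""
    dupes = shared_keys(rows, key_col)
    in_use = {row[key_col] for row in rows if row[key_col]}
    changed = []
    for row in rows:
        if row[key_col] in dupes:
            key = new_loginkey()
            while key in in_use:
                key = new_loginkey()
            in_use.add(key)
            row[key_col] = key
            changed.append(row["username"])
    return changed

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print(shared_keys(rows), assign_unique_keys(rows), shared_keys(rows))
```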
I believe you can also use a Login Key to logout as well. If you get the Logout URL and switch your Key to somebody else's, they'll be forced to logout/end their session.

So if there are two users logged in with the same Key and one of them logs out, both of them would end up logging out. I'm not too sure about logging in though, unless the login key isn't actually used with logging in.. O.O
(2008-10-21, 07:29 PM)Infernolized Wrote: [ -> ]I believe you can also use a Login Key to logout as well. If you get the Logout URL and switch your Key to somebody else's, they'll be forced to logout/end their session.

So if there are two users logged in with the same Key and one of them logs out, both of them would end up logging out. I'm not too sure about logging in though, unless the login key isn't actually used with logging in.. O.O

That's not true.

The login key is placed in your user cookie once you have logged in. MyBB identifies you with this cookie. Each time you visit a page, MyBB checks that your user ID and login key match.

The logout key is used so that malicious links cannot log you out without knowing your logout key (say a logout link hidden in an image). Even if you know another user's logout key, you cannot log somebody else out -- you have to be logged in as that user to be logged out with the corresponding particular logout key.
Ohh! Well I was basing my guess from the way IPB seems to work. All you'd need to know is the user's LoginKey and you can log them out by replacing their Key with your own in the Logout link (has been tested by a bad friend >.>). I was also basing this off of the Admin Hijack plugin:

{$mybb->settings[\'bburl\']}/member.php?action=logout&do=regenkey&uid={$uid}&my_post_key={$mybb->post_code}

Well thanks for clearing that up for the both of us ^^.
(2008-10-21, 11:55 PM)Infernolized Wrote: [ -> ]Ohh! Well I was basing my guess from the way IPB seems to work. All you'd need to know is the user's LoginKey and you can log them out by replacing their Key with your own in the Logout link (has been tested by a bad friend >.>).
We're not IPB, SMF, vBulletin, or anything else for that matter.
(2008-10-21, 11:55 PM)Infernolized Wrote: [ -> ]I was also basing this off of the Admin Hijack plugin:

{$mybb->settings[\'bburl\']}/member.php?action=logout&do=regenkey&uid={$uid}&my_post_key={$mybb->post_code}

Well thanks for clearing that up for the both of us ^^.
That is a third party modification/plugin. It has no bearing on how the logout works on a vanilla installation of MyBB.