Can we extend the auto-logout timeout at least 1 hour more?

Group Leader
Joined
Jan 18, 2018
Messages
2,461
It's getting kind of annoying. I stop reading manga, go play a few games of CR, then come back and I have to log in again.
 
Miku best girl
Admin
Joined
May 29, 2012
Messages
1,441
If you click "remember me", it'll remember for a long time?
 
Dex-chan lover
Joined
Aug 18, 2018
Messages
3,542
Anything that increases the auto-logout timeout.

If you click "remember me", it'll remember for a long time?
For one whole year, that is. I'm sorry, but this looks just shady. Like that sort of Amazon cookie that can be read by all kinds of Amazon-related sites to create a profile. Sometimes I use Tor and sometimes a VPN. I know I should switch browsers in those cases, but... This cookie just gives me the wrong vibes. I know I'm a privacy nutjob and I'm sure the auto-logout session cookies may do the exact same thing in their lifetime, but they rub me in the better places. Not sure if this was a correct figure of speech.

They had been 24h session cookies and got reduced to 1h?-ish, I guess. An extension of 1h would be pretty cool, so pretty please? <3
 
Staff
Admin
Joined
May 29, 2012
Messages
594
You said it, you're a nut job.

The cookie is there so people don't have to log in every hour/every time they visit - it's annoying.

I'd suggest just deleting the cookie after every visit. I'm against making logging in more annoying for the masses to alleviate one person's tinfoil hat.
 
is a Reindeer
VIP
Joined
Jan 24, 2018
Messages
3,231
If your goal is to avoid your data being collected, using Tor while you have an account kind of seems pointless?

We don't sell it anyways :x
 
Dex-chan lover
Joined
Aug 18, 2018
Messages
3,542
->"tinfoil hat" Wow. Ehmm... Thanks, I guess? I'll try to wear it proudly.
I'm against making logging in more annoying for the masses
I frankly don't get your point here. Just guessing now: I never suggested to get rid of the 1 year cookie, just because I don't want to use it, if you thought that's what I wanted.
I'd suggest just deleting the cookie after every visit.
Now, this would be annoying. I, for my part, would really prefer if you simply increase the logout time a little bit, as it has been much longer some time ago any ways. But this was just a little request. I'm sorry, if the implications in my previous post might have offended you or the mangadex staff in general.
If your goal is to avoid your data being collected, using Tor while you have an account kind of seems pointless?
That's just me being sloppy. I try to not be logged in, clear all my data or simply use a different browser profile while using tor, but sometimes...you get the idea. A short logout time of the session cookie actually helps there, but...it's so short it's inconvenient. It's just an attempt to minimize traces on my side of the internet.
We don't sell it anyways :x
Ah. Good to know. :D

I hope my reply doesn't sound too crazy, this time around. XP

Sincerely,

Qelix
 
Joined
Apr 23, 2018
Messages
1,071
@Qelix Some browsers have an option along the lines 'delete cookies when browser closes'. I believe this was what they were suggesting.

In regards to your use of Tor (now spoilered to reduced derailing)
The option above is often recommended for Tor browsers anyways. If this is a problem for other websites you're logging into... honestly, I think you're on your own. If you're just trying to get around a firewall, a VPN would be better.
If you need anonymity (which it sounds like you do), then Tor is fine, but stop trying to log in to your public accounts with it. This site may not sell or share your data, but if you log in to a site that does, you would effectively break the anonymity. It's just a bad practice, terrible idea, not recommended by anyone anywhere, and a horrible habit that you will screw yourself over with. For your own sake, either stop logging into public accounts, or stop needing anonymity. If you don't need anonymity, stop using Tor.
I don't see what issue you would have with a login cookie. If it's a personal account on the computer, the cookie should be secured by your login info (and encrypted Tor folder). If you're worried about the cookie being intercepted, it's HTTPS. If you're worried about HTTPS being broken, or accidentally using HTTP... you're already screwed, since the login POST request would be intercepted. Still don't recommend logging into any public account via Tor, but if you do, I can't think of a reason not to use the "remember me" button on whatever site that is.

In regards to actual length: I can't imagine many people not using the remember option, but the places it shouldn't be used are public locations such as libraries, school computer rooms, and friends' homes. IMHO 1hr is suitable in any of these cases.
 
Miku best girl
Admin
Joined
May 29, 2012
Messages
1,441
Standard PHP session cookies are actually 30 minutes long. They are short by design because they are meant to be a temporary storage of data. We have it set at 1 hour, which is already double the standard time.

On a separate note, a "remember me" cookie simply consists of a random string of 32 characters. It does not contain any identifying information like your username or ip address. If someone did manage to intercept your mangadex cookie, you have more important things to worry about, like your online bank logins/cookies also being intercepted.
 
Custom title
Staff
Developer
Joined
Jan 19, 2018
Messages
2,453
@Qelix posted:

Like that sort of amazonian cookie, that can be read by all kind of amazon related sites to create a profile.
The web would be wide open security-wise if 3rd parties could just arbitrarily read other sites' cookies, that's just not real. The only 3rd party script that gets run on this site is Google Analytics and you can pretty easily just block it if you want.

Also, just like @firefish5000 said, logging in to a service completely negates the point of using Tor. If anything, you're making it worse for yourself by effectively broadcasting to a whole bunch of Tor nodes exactly who you are.
 
Joined
Apr 23, 2018
Messages
1,071
@Holo I'm sure that it's more than secure enough, but since I have run into cookies that actually were nothing but "random" strings on a college site, and managed to obtain a teacher account because of that, I would like to voice my concern. Unorganized rambling in
Please have the user id encoded into the cookie as well. For instance, a cookie containing "userid_randomstring", optionally encrypted or signed. Encrypting/signing would only be there to ensure attackers can't generate their own cookies for a brute force attack or a replay attack using previously used cookies with a different userid. The cookie should be encrypted via HTTPS transport anyways, so no risk of revealing your identity.

Reason being, if cookies are just random and server-unique strings, it is possible for the random string to eventually be reused. If a browser fails to delete the expired cookie, the server forgets about an active cookie (due to power loss or unexpected restart) and reuses the random string, or an attacker extends the life of existing cookies or sends random cookies, it is possible to gain access to arbitrary accounts.

Even if you skip securing the cookie with a signature, just prepending a userid at least limits the attack scope and completely prevents purely accidental authorization as another user. Without that, the attacker can gain access to arbitrary accounts if they are lucky. With it, they can only gain access to the one account they are targeting, and the accident case can only occur on their own account (barely a problem at all); both of these are numberofusers * less likely to occur than with a purely random string.

Just increasing the random string length does not add the same level of protection, since that depends entirely on the randomness of the RNG and the methods used to prevent duplicates. The likelihood of a repeat is probably significantly low already (how low depends on the length of the string and the randomness of the RNG), but these off cases do occur. Especially if the RNG isn't seeded, is just a list of unique values which loops once it hits the end, the generated string length isn't sufficiently large to prevent repeats within the duration of the session, or it is just the session id hashed. What's worse, some algorithms may allow a repeat to change existing sessions rather than automatically regenerating until a unique string is found.

These issues can also be largely negated with a nonce to tie it to a session, or a timestamp/just about anything that absolutely could never be reused with another session from a different user. The main risk is that the random string is used alone for authorization, and thus is very loosely tied to the user who was authenticated.
I would not expect anyone to ever report this issue in practice, but if the server ever did suddenly forget all active cookies, that would be the time when reuse would most likely occur and (probably only after several thousand other users re-authenticate) a few people refreshing their page would find themselves suddenly authorized as other users, and possibly as moderators and administrators.

Of course, so long as whatever database holding the cookies doesn't hiccup, the random string isn't allowed to be repeated for a good while (preferably longer than the cookie's lifetime), and the random string is sufficiently long, it works great. Problems can only arise once reuse occurs, and with normal users and no db hiccups, it shouldn't occur at all.
The data available on this site is not nearly as valuable as that on a college's website. So you could say you're at least as secure as a college web server, which I guess should be good enough for a site hosting manga. Not to mention this is still a pretty common practice and still recommended in some tutorials, so it's not like you would be alone. Extremely low probability after all, but high risk (includes admin accounts unless their cookie is crafted differently).
 
Custom title
Staff
Developer
Joined
Jan 19, 2018
Messages
2,453
@firefish5000 posted:

@Holo I'm sure that it's more than secure enough, but since I have run into cookies that actually were nothing but "random" strings on a college site
???

That's essentially what login cookies are everywhere

You don't say how you managed to obtain the teacher's cookies when that's the actual important part here. Did you copypaste them from their browser? Did you phish the login details? Did you exploit an XSS vulnerability on the website? There's a world of difference with these.
 
Joined
Apr 23, 2018
Messages
1,071
@Teasday I questioned myself after posting it, but there's no undo for that, and deleting everything wouldn't undo the notification, probably. Please consider it as shoddy programming of the community college. As for what happened:
The server itself reused the cookie before it was set to expire. 3 to 4 errors occurred that enabled this:
1) server failed to remember an active session cookie
2) server regenerated an active session cookie for a different account
3) server didn't clear active but invalid (logout/timeout; cookies lasted 1 month, but the server rejected any session that didn't have activity within the last 30 minutes) session cookies from the browser (it redirected you to a 'your session has expired' page, but the cookies remained set)
4) (possibly) server permitted session cookies it had invalidated (logout/timeout), but which were still not expired, to be reused

Number 3 I suppose was the biggest issue. I hadn't logged in in 2 weeks; the only reason I even noticed was because it was set to open in its own window. Every day when I opened Firefox, that page would load the 'Your session has expired' pure white page. Then, after 2 weeks, it loaded a colorful page with options to send emails, view and change grades, view the roster, and request tech support (which I attempted to use to report the error, but gave up and sent an email instead since I couldn't figure out their system; email was one of the few items students and teachers shared). Had it cleared the cookie or properly remembered it, there would be no issue.


On an unrelated note that doesn't matter at all. Mangadex does clear the browser's cookies on logout, and successfully remembers the cookie as well. However, it does not seem to invalidate the old cookie.
This means if I click the "keep me logged in for 1 year" button on a less-than-admirable friend's computer, and they recorded the cookies, even if I log out the cookie could be reused to log back in and make troll posts as me. Furthermore, this cookie could be used on other computers/devices to log me in after logout.

Doesn't really matter since, in that case, they could just as easily record keystrokes and get the password. Perhaps if they went to your house and stole the cookie as you suggested. Maybe one day the ability to log out all other sessions would be nice. But who is crazy enough to go that far to troll someone anyways?
While I expect no fix, when you log in via stolen/copied session cookies, the logout button does not work. Must delete/clear the cookie.

I was confused because it seems to linger for a few minutes, less than 30 but longer than 3. Pretty sure it lingers since I tested across browsers with private windows, but it vanishes soon enough not to matter.
 
Miku best girl
Admin
Joined
May 29, 2012
Messages
1,441
Actually, when you log out, your cookie identifier is reset. So if you logged on at a dodgy friend's computer, and they recorded your cookie string, provided that you log off, they can't use the same cookie string to impersonate you, because your cookie string is now different.
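The two designs discussed in this thread, firefish5000's "userid + random string, signed" cookie layout and Holo's point that the identifier is reset on logout, can be shown together in a few lines. The block below is an added illustration, not MangaDex's code (the site is PHP according to the thread; Python is used here only so the logic is runnable as-is). The server key, the in-memory session table, the timeouts and the function names are all assumptions for the example.

```python
# Added example: signed "userid.token.signature" login cookie with a
# server-side session table, idle/absolute expiry and logout invalidation.
# Not the site's own implementation; all names and constants are assumed.
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (assumed; kept in memory here)
IDLE_TIMEOUT = 60 * 60                 # 1 hour without activity, as the thread says the site uses
MAX_LIFETIME = 365 * 24 * 60 * 60      # "remember me" absolute cap of one year

# token -> session record; a database in practice (assumed in-memory table)
SESSIONS: Dict[str, dict] = {}


def _sign(payload: str) -> str:
    """HMAC-SHA256 over 'userid.token' so a client cannot forge or edit a cookie."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user_id: int, now: Optional[float] = None) -> str:
    """Create a session and return the cookie value 'userid.token.signature'."""
    now = time.time() if now is None else now
    # 32 random bytes -> 43 url-safe chars. On the (practically impossible)
    # collision, regenerate instead of overwriting an existing session, which
    # is the "server regenerated an active cookie for a different account" case.
    token = secrets.token_urlsafe(32)
    while token in SESSIONS:
        token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user_id": user_id, "created": now, "last_seen": now}
    payload = f"{user_id}.{token}"
    return f"{payload}.{_sign(payload)}"


def validate_cookie(cookie: str, now: Optional[float] = None) -> Optional[int]:
    """Return the authenticated user_id, or None if the cookie must be rejected."""
    now = time.time() if now is None else now
    try:
        uid_str, token, sig = cookie.split(".")
        user_id = int(uid_str)
    except ValueError:
        return None                                  # malformed cookie
    # Check the signature before touching the session table, in constant time,
    # so an edited user id or a guessed token never reaches a lookup.
    if not hmac.compare_digest(sig, _sign(f"{uid_str}.{token}")):
        return None
    record = SESSIONS.get(token)
    if record is None:
        return None                                  # unknown, logged out, or forgotten by the server
    if record["user_id"] != user_id:
        return None                                  # token is bound to a different account
    if now - record["last_seen"] > IDLE_TIMEOUT or now - record["created"] > MAX_LIFETIME:
        SESSIONS.pop(token, None)                    # expire server-side, not just by redirecting
        return None
    record["last_seen"] = now
    return user_id


def logout(cookie: str) -> None:
    """Drop the session server-side so a copied cookie cannot be replayed later."""
    parts = cookie.split(".")
    if len(parts) == 3:
        SESSIONS.pop(parts[1], None)


if __name__ == "__main__":
    c = issue_cookie(42)
    print("valid:", validate_cookie(c))               # 42
    logout(c)
    print("after logout:", validate_cookie(c))        # None
```

Because the user id is inside the signed payload, a reused or guessed token can only ever match the one account it was issued for, and because logout deletes the server-side record, a cookie recorded on someone else's machine stops working as soon as the owner logs out, which is the behaviour Holo describes.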
 
Contributor
Joined
Jan 21, 2018
Messages
5,212
Taking an idea from libraries and such, what if you had a system where if you're still on the site and there's like 5 minutes or less left in your session, a box pops up asking "Would you like to extend your session by one hour?"
 
