
Logging in will log out all other devices


Colonel_mortis


I just came here looking for an update on this issue. Look at the sort of scenario some of my members are stuck with:

Quote

I've just checked and it's happening every time I log in anywhere. I logged in on my phone this morning. Accessed the forum on my work PC at lunch time and I had been logged out since yesterday, so I logged back in there. Then checking my phone, I've been logged out there - and logging back in on the phone has logged out the PC.

He claims no cache/cookie clearing, etc. It seems pretty unreasonable.

Anyway, we'll try this plugin.


12 minutes ago, Simon Woods said:

Ah, OK. I misunderstood -- people are being logged out instantly.

I thought the software was supposed to only log you out once you pass the 6 month mark. I have not experienced being logged out instantly in several months.

It works in a very peculiar way, that is a bit difficult to explain. 

There's no logic in it. I've simply given up trying to be logged in on numerous devices on the communities I frequent. "Yay"

That this topic is tagged "Completed" is beyond me; they completely misunderstood the problem when they decided to "fix it".


I think the current issues may have to do with the software setting the login key expiration to 3 months in the future, and then checking if that value is greater than 90 days, except that "3 months in the future" is often greater than 90 days. More here:


  • Management

The plugin posted in this topic simply ignores the 90-day login key. While it may be annoying to have to log in again now and then, we all do many things that may be a touch annoying to ensure security on the web.

That key is there for very good reasons and simply ignoring it is a bit of a scary change to me in terms of security. I would personally not suggest you install the plugin but of course it's up to you. It is very easy to look at things from the outside and declare something "silly" and make a quick plugin to change functions, but when you look at it from our side and have the responsibility to secure thousands of communities it is anything but "silly" to be cautious when making such core changes to security mechanisms.

Version 4.2 will introduce a proper and modern approach to multi-device authentication. Until then, I advise being wary of quick fixes to anything having to do with authenticating logins.


5 minutes ago, Charles said:

The plugin posted in this topic simply ignores the 90-day login key. While it may be annoying to have to log in again now and then, we all do many things that may be a touch annoying to ensure security on the web.

That key is there for very good reasons and simply ignoring it is a bit of a scary change to me in terms of security. I would personally not suggest you install the plugin but of course it's up to you. It is very easy to look at things from the outside and declare something "silly" and make a quick plugin to change functions, but when you look at it from our side and have the responsibility to secure thousands of communities it is anything but "silly" to be cautious when making such core changes to security mechanisms.

Version 4.2 will introduce a proper and modern approach to multi-device authentication. Until then, I advise being wary of quick fixes to anything having to do with authenticating logins.

Is there anything to this? 


6 hours ago, Charles said:

The plugin posted in this topic simply ignores the 90-day login key. While it may be annoying to have to log in again now and then, we all do many things that may be a touch annoying to ensure security on the web.

That key is there for very good reasons and simply ignoring it is a bit of a scary change to me in terms of security. I would personally not suggest you install the plugin but of course it's up to you. It is very easy to look at things from the outside and declare something "silly" and make a quick plugin to change functions, but when you look at it from our side and have the responsibility to secure thousands of communities it is anything but "silly" to be cautious when making such core changes to security mechanisms.

Version 4.2 will introduce a proper and modern approach to multi-device authentication. Until then, I advise being wary of quick fixes to anything having to do with authenticating logins.


Quote

Security at the expense of usability comes at the expense of security

The problem with this feature is that it doesn't actually offer any significant security benefit to balance the considerable loss of usability (and yes, it is considerable, because before I patched it, it was one of the most common complaints that I received). I know you disagree with that sentiment, but please hear me out.

  • I am all for being automatically logged out of a device that you last used 90 days ago.
  • I can understand being logged out of a device 90 days after you last authenticated with it, though that will frustrate users and drive them away, so I don't think it's a good idea.
  • I cannot accept being logged out of a device the day after you logged into it, just because you logged into some other device 90 days ago, and happened to log into something else today.

I am curious though, what do you actually think this timer protects against? The ways that I can think a session could be hijacked are:

  • A malicious intermediary intercepting your ips4_pass_hash cookie, and setting it in their own browser to be logged in as you (this doesn't protect against that at all - you must have been logged in when it was intercepted, so the attacker will also be logged in for plenty long enough to do whatever damage you are afraid of)
  • A stolen device (this doesn't protect you against that, because you were logged in before and will therefore remain logged in to the stolen device, at least until you log in somewhere else and the 90 day check is run to invalidate the session, giving the attacker plenty of time to do whatever damage it is that they want to do to your forum account).
  • You log in to your account on a public/shared/friend's machine (this doesn't help because you will remain logged in until the 90 days is up and you log into a new device).
  • You're logged into some old device that you forgot about, and give it away to someone else (it is pretty stupid not to at a minimum clear cookies before doing that, and the cookie will expire in the browser after 90 days anyway, but in principle the timeout would protect against this (if it was still within the lifetime of the cookie but the 90 days on the server have passed), provided that you have logged into a different device since (all the other websites that you logged into are screwed though)).

So basically all it does is limit the amount of time that an attacker has access to your account, but not by enough to stop them from being able to do pretty much anything, and not in a way that is predictable to the user (being logged out of other devices when you log into a new one is not at all intuitive), and potentially protect against a particular edge case when you have given away a device that is less than 90 days since you last used the site but you forgot to clear your browsing data.

That doesn't sound like a reasonable tradeoff to me.

I'm assuming there must be some reasons that I have missed, which are why you are so insistent that this is important. Please do tell me so that I can assess whether I should remove the plugin from my site.


I understand the reticence to suggest anything at all related to login security - IPS is a real actual company and telling users it's a good idea to muck around in the security components of their software is just asking for some sort of liability.

That said, the attitude of "we all have to do annoying things sometimes" is a little frustrating. Facebook has their own security practices and security mechanisms that might sometimes forcibly log you out / make you prove your identity again, but it's Facebook with a capital F. Most people running IPS don't have a billion users who rely on it as one of their primary forms of media consumption, and telling underwaterbasketweavingforums.com that "whatever, your users will deal with it" underestimates just how important convenience is to a lot of people - if a minor website they occasionally visit forcibly logs them out, they might just say, well, hell with it, and never come back. I know on my own forum there are a *LOT* of people who literally do not know their password and were entirely reliant on their login cookie.

Furthermore, the "3 months != 90 days" thing IS a legitimate bug, and one that is not only infuriating to people logging in on multiple devices, but actually completely counterintuitive - if you log in on device 1, wait a day, and then log in on device 2, you'll be logged out of device 1. On the other hand, if you log into device 1, wait *three* days, and then log into device 2, you'll still be logged into device 1.

Hopefully in 4.2, login keys will be promoted from a field in the members table to their own dedicated table, so you can have a unique login key per device with a unique expiration time.

Also @Colonel_mortis I see you're a moderator for the LTT forums - that was one of the primary "big site" examples I looked at in deciding to buy IPS in the first place :)
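A small model of the behaviour the posts above describe (a stored expiry "3 months" ahead while the rotation check compares against 90 days), added here as an illustration for this thread; it is not IPS's code, and the class and function names and the exact rotation rule are assumptions reconstructed from the posts:

```python
from datetime import date, timedelta
import secrets

def add_months(d: date, months: int) -> date:
    """'+N months' as most date libraries compute it: same day-of-month,
    with overflow spilling into the next month (31 Jan + 1 month -> 3 Mar)."""
    idx = d.month - 1 + months
    first_of_target = date(d.year + idx // 12, idx % 12 + 1, 1)
    return first_of_target + timedelta(days=d.day - 1)

def three_months_expiry(today: date) -> date:   # what the thread suspects is stored
    return add_months(today, 3)

def ninety_days_expiry(today: date) -> date:    # what the 90-day check assumes
    return today + timedelta(days=90)

class Member:
    """Hypothetical model: one shared login key per member, as in a members-table field."""
    ROTATE_ABOVE = timedelta(days=90)

    def __init__(self, expiry_fn):
        self.expiry_fn = expiry_fn
        self.login_key = None
        self.login_key_expire = None

    def login(self, today: date) -> str:
        """Reuse the stored key unless it is missing, expired, or still valid for
        more than 90 days; otherwise mint a new one, which silently logs out every
        other device still holding the old key in its cookie."""
        if self.login_key is not None:
            remaining = self.login_key_expire - today
            if timedelta(0) <= remaining <= self.ROTATE_ABOVE:
                return self.login_key
        self.login_key = secrets.token_hex(16)
        self.login_key_expire = self.expiry_fn(today)
        return self.login_key

def first_device_survives(first: date, second: date, expiry_fn) -> bool:
    """Log in on device A on `first`, then on device B on `second`; is A still in?"""
    m = Member(expiry_fn)
    key_a = m.login(first)
    m.login(second)
    return m.login_key == key_a

if __name__ == "__main__":
    a, b = date(2017, 3, 8), date(2017, 3, 9)   # constructed dates: log in, then again next day
    print("expiry 3 months ahead:", first_device_survives(a, b, three_months_expiry))  # False
    print("expiry 90 days ahead: ", first_device_survives(a, b, ninety_days_expiry))   # True
```

With "3 months" stored, 8 March to 8 June is 92 days, so a second login on day 1 still sees more than 90 days remaining and rotates the key, while a login on day 3 does not; with a December login, "3 months" happens to be exactly 90 days and the first device survives.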


  • 1 month later...
On 08/03/2017 at 2:11 PM, Colonel_mortis said:

The plugin to fix this absurdity has been published on the marketplace (actually it was published a while ago, but I've had several requests for it so I figured I should probably post it in here too).


Will this work with 4.1.19.4?

For some reason my site has been fine and managed to avoid this mess until recently, I was able to stay logged in on 3 devices, MacBook, iPhone and iPad. Great.

Now if I go from MacBook to iPhone I have to login there, return to MacBook and login again, enter a topic, click the logo to go back to the homepage and get signed out; it takes a few attempts to stay signed in. Apparently this isn't "normal behaviour" but won't be fixed until 4.2, so 4.1 feels like it's EOL already.

Don't want to risk my site's security but at the same time it's annoying members and myself already; the alternative of jumping on a beta of a major update that will bring its own bugs and issues isn't tempting at all, I was an early adopter from 3 to 4, not making that mistake again.

1 hour ago, daveoh said:

Will this work with 4.1.19.4?

For some reason my site has been fine and managed to avoid this mess until recently, I was able to stay logged in on 3 devices, MacBook, iPhone and iPad. Great.

Now if I go from MacBook to iPhone I have to login there, return to MacBook and login again, enter a topic, click the logo to go back to the homepage and get signed out; it takes a few attempts to stay signed in. Apparently this isn't "normal behaviour" but won't be fixed until 4.2, so 4.1 feels like it's EOL already.

Don't want to risk my site's security but at the same time it's annoying members and myself already; the alternative of jumping on a beta of a major update that will bring its own bugs and issues isn't tempting at all, I was an early adopter from 3 to 4, not making that mistake again.

Yes, it works with 4.1.19.4 (but most likely not with 4.2, and may cause issues, so I would advise disabling before updating).

I maintain that it doesn't actually reduce security, because the thing that it fixes doesn't actually provide any security, but clearly IPS disagree.


I stay logged in on multiple devices just fine, as long as I don't try and log in to those multiple devices within the same 24 hour window. After 24 hours, you can log into a second device, and the 1st will remain.

Archived

This topic is now archived and is closed to further replies.
