[Dshield] A few issues at the DShield site…

Johannes B. Ullrich jullrich at sans.org
Thu Aug 10 16:47:35 GMT 2006


I worked on the 'remember me' function this morning and I think I found
a stupid error with the cookie. See if it's better now.


Peter Stendahl-Juvonen wrote:
> 
> Valdis et al.
> 
> Thanks for prompt reply.
> 
> Please find elaboration (on one of the DShield challenges) below your post.
> 
> 
> 8.8.2006 17:32 (UTC+3), Valdis.Kletnieks at vt.edu kirjoitti/wrote:
>>> On Tue, 08 Aug 2006 00:25:11 +0300, Peter Stendahl-Juvonen said:
>>>> *The 'Remember me' option does not function* .  :-(
>>>>
>>>> Only once, when leaving the DShield site and returning before closing
>>>> Firefox (1.5.0.6 FI), did I manage to avoid the redundant re-login
>>>> procedure.
>>> This is quite often the result of a cookie blocker.  Are you accepting
>>> cookies from the DShield site?
>>>
> 
> 
> 1) Yes, am accepting cookies from the DShield site.   :-D
> 
> 2) I have also turned in the browser's settings the wiping of the
> cookies off at close of browser (exit, un-launch).
> 
> 3) For the purpose, use instead a browser extension doing the erase of
> *unprotected* cookies at start-up (launch) of the browser.
> 
> Please, however note, that I have set the DShield auto-login cookie as a
> 'Protect[ed] cookie', which means the DShield auto-login cookie will
> stay as it is in the browser cache, until the respective (DShield in
> this case) site alters the content of the cookie.
> 
> 4) Also have classified the auto-login cookie (set by the DShield site
> into my browser's cache) as 'Protect cookie' in the privacy tool I use.
> 
> Therefore, the privacy tool does *not* erase, i.e. wipe its contents
> beyond recovery, scramble its name and dates and finally remove it from
> disk.
> 
> Thanks anyway for checking.  :-)
> 
> 5) Please, also accept apology for the disinformation regarding the "one
> time automatic successful re-login" as it was unluckily clearly just
> disinformation and factually never happened, as I clarified in another
> post [8.8.2006 19:37 (UTC+3)] to this list:
> 
> (START QUOTE)
> Being able to get back into the authenticated http connection was due to
> using the Internet browser's 'return to previous page' function.
> 
> If and when attempting to return to the DShield site by targeting for,
> e.g. URL https://secure.dshield.org/myreports.php does not invoke an
> authenticated http connection (with the help of the auto-login cookie in
> browser cache). The DShield server changes the previously valid content
> of the cookie to contain the text string "invalid" (without the quotes)
> as soon as attempting authentication by means of the auto-login cookie.
> 
> Unluckily, the malfunction of the 'Remember me' feature causes multiple,
> redundant logins.   :-(
> 
> Nevertheless, please consider removing the 'Remember me' feature, if it
> cannot be fixed (by obtainable means).
> 
> Not having the malfunctioning 'Remember me' feature available would save
> one hand movement as well as a tick in the box (in the 'Remember me'
> fill in form).   :-)
> 
> Thanks in advance for fixing the bug (or removing of the broken feature).
> (END OF CITATION)
> 
> 
> BTW, *the DShield site is the one and only site*, where I experience
> *issues with automated login*.
> 
> 
> Therefore, the question remains;
> *does the DShield auto-login feature work properly for someone*?
> 
> What Internet browser do you use?
> 
> 
> Does the DShield auto-login feature work *frequently* properly
> for someone?
> 
> 
> Thanks in advance for any pointers.
> 
> - Pete
> 
> 
>       "Absence of proof is not proof of absence."
>         Carl Sagan (1934-1996); US astronomer.
> 
> 
> 
-- 
---------
Johannes Ullrich                        jullrich at sans.org
Chief Research Officer                     (617) 639 5000
http://isc.sans.org
PGP Key: https://secure.dshield.org/PGPKEYS

"We use [isc.sans.org] every day to keep on top of
 security at our bank" Matt, Network Administrator.

