[Dshield] A few issues at the DShield site…

Peter Stendahl-Juvonen peter.stendahl-juvonen at welho.com
Thu Aug 10 18:57:42 GMT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


10.8.2006 19:47 (UTC+3), Johannes B. Ullrich kirjoitti/wrote:
> I worked on the 'remember me' function this morning and I think I found
> a stupid error with the cookie. See if it's better now.
> 

Thanks for prompt response.

*It is better now*.

*However, not fixed, though*.

Will send you a detailed progress report off-list, as it contains possibly
sensitive information (from DShield's viewpoint).

(It's a quick and dirty written report but hope it will support solving
the issue.)


> 
> Peter Stendahl-Juvonen wrote:
>> Valdis et al.
>>
>> Thanks for prompt reply.
>>
>> Please find elaboration (on one of the DShield challenges) below your post.
>>
>>
>> 8.8.2006 17:32 (UTC+3), Valdis.Kletnieks at vt.edu kirjoitti/wrote:
>>>> On Tue, 08 Aug 2006 00:25:11 +0300, Peter Stendahl-Juvonen said:
>>>>> *The 'Remember me' option does not function* .  :-(
>>>>>
>>>>> Only once, when leaving the DShield site and returning before closing
>>>>> Firefox (1.5.0.6 FI), did I manage to avoid the redundant re-login
>>>>> procedure.
>>>> This is quite often the result of a cookie blocker.  Are you accepting
>>>> cookies from the DShield site?
>>>>
>>
>> 1) Yes, am accepting cookies from the DShield site.   :-D
>>
>> 2) I have also turned in the browser's settings the wiping of the
>> cookies off at close of browser (exit, un-launch).
>>
>> 3) For the purpose, use instead a browser extension doing the erase of
>> *unprotected* cookies at start-up (launch) of the browser.
>>
>> Please, however note, that I have set the DShield auto-login cookie as a
>> 'Protect[ed] cookie', which means the DShield auto-login cookie will
>> stay as it is in the browser cache, until the respective (DShield in
>> this case) site alters the content of the cookie.
>>
>> 4) Also have classified the auto-login cookie (set by the DShield site
>> into my browser's cache) as 'Protect cookie' in the privacy tool I use.
>>
>> Therefore, the privacy tool does *not* erase, i.e. wipe its contents
>> beyond recovery, scramble its name and dates and finally remove it from
>> disk.
>>
>> Thanks anyway for checking.  :-)
>>
>> 5) Please, also accept apology for the disinformation regarding the "one
>> time automatic successful re-login" as it was unluckily clearly just
>> disinformation and factually never happened, as I clarified in another
>> post [8.8.2006 19:37 (UTC+3)] to this list:
>>
>> (START QUOTE)
>> Being able to get back into the authenticated http connection was due to
>> using the Internet browser's 'return to previous page' function.
>>
>> If and when attempting to return to the DShield site by targeting for,
>> e.g. URL https://secure.dshield.org/myreports.php does not invoke an
>> authenticated http connection (with the help of the auto-login cookie in
>> browser cache). The DShield server changes the previously valid content
>> of the cookie to contain the text string "invalid" (without the quotes)
>> as soon as attempting authentication by means of the auto-login cookie.
>>
>> Unluckily, the malfunction of the 'Remember me' feature causes multiple,
>> redundant logins.   :-(
>>
>> Nevertheless, please consider removing the 'Remember me' feature, if it
>> cannot be fixed (by obtainable means).
>>
>> Not having the malfunctioning 'Remember me' feature available would save
>> one hand movement as well as a tick in the box (in the 'Remember me'
>> fill in form).   :-)
>>
>> Thanks in advance for fixing the bug (or removing of the broken feature).
>> (END OF CITATION)
>>
>>
>> BTW, *the DShield site is the one and only site*, where I experience
>> *issues with automated login*.
>>
>>
>> Therefore, the question remains;
>> *does the DShield auto-login feature work properly for someone*?
>>
>> What Internet browser do you use?
>>
>>
>> Does the DShield auto-login feature work *frequently* properly
>> for someone?
>>
>>
>> Thanks in advance for any pointers.
>>
>> - Pete
>>
>>
>>       "Absence of proof is not proof of absence."
>>         Carl Sagan (1934-1996); US astronomer.
>>
>>
>>
> _________________________________________
> Learn from the founder of DShield how to secure your Internet presence
> with Linux, Apache, MySQL, PHP.
> 
> Las Vegas, Oct. 2nd-6th 2006
> 
> Details: http://www.sans.org/ns2006/description.php?tid=433
> (Brochure Code: ISC)
> 
> 
> 
> 
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see:
> http://lists.dshield.org/mailman/listinfo/list
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE24GmQ21KCihDnSQRAgdBAJ9lIwiTBG0vcHK7o2c/jiRjqz7uuwCfcHI5
PNhnBrt6oxsPYF9wqba2GEQ=
=utzg
-----END PGP SIGNATURE-----

