26

Re: feeds to all forum content

quaker wrote:

feeds as in rss feeds?

Yup.

Re: feeds to all forum content

MattF wrote:
Smartys wrote:

As opposed to cookie authentication for logins, which is what we use? wink
The idea is simply to use the login cookie as the authentication mechanism. That means nothing changes for regular RSS readers, but those which are integrated with a browser can view the RSS feed with the permission of the logged in user.

That cookie authentication part is a bit of a misnomer though. The cookie, in essence, doesn't mean diddley when the user isn't logged in. Plus, what's the point of a feed that you can only access once you're logged in? And if the auth mechanism contains some form of system whereby you don't have to be logged in to view it, then again, that comes back around to my original point. Security.

I'm quite willing to be corrected on my viewpoint if I've grabbed the totally wrong end of the cluestick, btw. big_smile

lol tongue
The idea is fairly simple. Instead of having the code force guest permissions, it just uses the permissions of the logged in user. No security issues there, since the authentication is done via the same cookie that PunBB uses. Now, only RSS readers that are integrated into the browser would be able to take advantage of this.

Re: feeds to all forum content

I wouldn't say totally wrong, but not quite on the spot.

There is no security issue as no new system would be implemented.

What I am suggesting is to extend the user authentication check to the feeds instead of simply not having feeds if they are not world readable.

If for example you receive a topic notification by email and click the link it might also be a link that requires authentication. I see no difference between both situations.

The cookies are not stored on a machine basis, they're stored in a browser's (or other sort of HTTP client) runtime environment context. Like, I use a computer that is used by other people but I have my own account. No cookies of mine are accessible to other people's browsing environment, therefore I usually stay logged in continuously on some sites. For example, I don't log in each time I pass by punbb.org/forums... nor to the forums I run.. do you?
If you don't, there you go, you would be able to subscribe to feeds of all your forums.
The only limitation is feed readers without cookie support.

Re: feeds to all forum content

Smartys wrote:

SuperMAG: It will not be the only feature in 1.4. There is no roadmap at this point for what will be in 1.4, just a few ideas that we've pushed there. When it is released, it will be just as big a change as 1.3: hence bumping to 1.4 instead of 1.3.1.

Yeah, as I thought ... that will be good ...

MyFootballCafe.com  is Now Online!

30

Re: feeds to all forum content

pedrotuga wrote:

For example, I don't log in each time I pass by punbb.org/forums... nor to the forums I run.. do you?

Always. big_smile

31

Re: feeds to all forum content

Smartys wrote:

lol tongue
The idea is fairly simple. Instead of having the code force guest permissions, it just uses the permissions of the logged in user. No security issues there, since the authentication is done via the same cookie that PunBB uses. Now, only RSS readers that are integrated into the browser would be able to take advantage of this.

Are you working on the basis of the feed only being available to the user when they are actually logged onto the forum, rather than extracting cookie info from the browser when the in-browser feed client updates the feed?

Re: feeds to all forum content

No cookie info is extracted. If the RSS reader uses the browser cookies, then the authenticated user's cookie is sent and their information is used. Otherwise, no cookie is sent and the user is treated as not logged in. Tell me if I misunderstood what you were trying to say.

33

Re: feeds to all forum content

I think we may have crossed our wires then. big_smile If I understand correctly, your method would only allow access to those non-guest feeds when the user is actually logged in, regardless of whether it uses the cookie or not?

From what I understood of pedrotuga's initial post, however (and I hope they will correct me if I'm wrong), it would use and extract info from the cookie to find the user's g_id, if the user was not logged in, and decide on the feed contents accordingly.

Re: feeds to all forum content

Urgh. Read very carefully.

PunBB uses cookie authentication. Since extern.php includes common.php, which populates $pun_user, and reads from the PunBB cookie, it'd be just like any other page on the forums.

35

Re: feeds to all forum content

elbekko wrote:

Urgh. Read very carefully.

PunBB uses cookie authentication. Since extern.php includes common.php, which populates $pun_user, and reads from the PunBB cookie, it'd be just like any other page on the forums.

Simple question then. If PunBB uses cookie authentication, why the need to log in?

Re: feeds to all forum content

To set the cookie? hmm

37

Re: feeds to all forum content

elbekko wrote:

To set the cookie? hmm

My simple point is that if the cookie alone is not enough for general usage, why should it be an exception for an alternative connection method?

Re: feeds to all forum content

...I'm not understanding you hmm

39 (edited by pedrotuga 2008-04-10 21:43)

Re: feeds to all forum content

MattF, I think you are mixed up with the way cookies work.
If you navigate from page to page on a website (a PunBB forum for example) while being logged in, you have to have a cookie stored on your computer. That's how PHP sessions work. If you don't have cookie support, PHP will add a parameter to all the links in your website so the session id is passed via the query string.
In other words, PunBB already uses cookies in its authentication system. Each time you request a page and are logged in, your browser will fetch some information from the cookie and send it along with your HTTP request so the server knows that it can trust the request source.

Try this experiment: deactivate your browser's cookies, log in to punbb.org and notice the URLs. They will have a long random alphanumeric string passed by the query string.

To be honest I never went and checked how cookies really work in detail. I'll take the chance to ask a general side question:
How is cookie-stored information sent to the server?
Through the headers?

40

Re: feeds to all forum content

Smartys wrote:

...I'm not understanding you hmm

I have that effect on occasion. big_smile The presumption I'm working upon is that the cookie stores, under normal conditions, the user id, password hash, etc. Upon login, the information is checked, verified against the login details, and any necessary cookie alterations/updates are then made. Is that correct?

41

Re: feeds to all forum content

pedrotuga wrote:

MattF, I think you are mixed up with the way cookies work.
If you navigate from page to page on a website (a PunBB forum for example) while being logged in, you have to have a cookie stored on your computer. That's how PHP sessions work. If you don't have cookie support, PHP will add a parameter to all the links in your website so the session id is passed via the query string.

PunBB doesn't use sessions, does it?

Re: feeds to all forum content

"The presumption I'm working upon is that the cookie stores, under normal conditions, the user id, password hash, etc. Upon login, the information is checked, verified against the login details, and any necessary cookie alterations/updates are then made. Is that correct?"
Upon login a cookie is set with the proper details. That cookie is then used to authenticate the user on each page.

"PunBB doesn't use sessions, does it?"
No, but it works the same except without the URL part. And without a session ID.

43

Re: feeds to all forum content

Smartys wrote:

Upon login a cookie is set with the proper details. That cookie is then used to authenticate the user on each page.

Right. That's the part I'm referring to then. big_smile The login is literally used to check and update the cookie. The cookie is then the roving authorisation, so to speak. However, if the cookie was to be trusted as is and used at all times, what's the point of the login timeout and re-login mechanism? The cookie could easily be updated without it. So why, if that's the case, should the cookie be trusted/used as an auth mechanism, (when the user hasn't logged in for a period of time), to authenticate their entitlement and access to the feed categories/forums? Normally, if the user has timed out, they need to login again to update the cookie as required, and the details are again checked against the db? However, if it was used as the auth key against the feeds, one part of the system is being removed, i.e: the login process. By virtue, that also removes one layer of security.

Btw, this all does make perfect sense in my head, but I've a feeling it's different when it's posted. big_smile If I'm still confusing everyone now, I'll concede the point. big_smile

Re: feeds to all forum content

You're missing something very important. The cookie would be authenticated IN THE EXACT SAME WAY. Right now, we do so anyway and then ignore the results and treat the user as a guest. Instead, we would just use the data that we already have.
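The mechanism Smartys and elbekko describe (extern.php includes common.php, which checks the PunBB cookie and populates $pun_user; the feed then either throws that result away and forces guest permissions, or keeps using it), together with pedrotuga's question about how the cookie reaches the server, modelled as a small Python script. This is an added example, not PunBB's code: the cookie name, the HMAC-signed cookie layout, the secret key, the users, groups, forums and topics are all constructed fixtures, and PunBB's real cookie format is not reproduced.

```python
import hashlib
import hmac

# Constructed fixtures standing in for a forum's config and database tables.
# None of this is PunBB's code, cookie format, or data.
SECRET_KEY = b"constructed-demo-secret"   # assumption: server-side only, never sent to clients
COOKIE_NAME = "forum_cookie"              # assumed cookie name
GUEST_ID = 1

USERS = {
    1: {"id": 1, "username": "Guest", "g_id": 3},   # group 3: guests
    2: {"id": 2, "username": "alice", "g_id": 4},   # group 4: members
    3: {"id": 3, "username": "root",  "g_id": 1},   # group 1: admins
}
# forum id -> group ids allowed to read it; None means world-readable
FORUM_READ_GROUPS = {1: None, 2: {1, 4}, 3: {1}}
TOPICS = [
    {"forum_id": 1, "subject": "Public announcement"},
    {"forum_id": 2, "subject": "Members-only discussion"},
    {"forum_id": 3, "subject": "Admin notes"},
]


def make_login_cookie(user_id, expires_at):
    """What a successful login sends in Set-Cookie: user id, expiry and an HMAC over both.
    The browser stores it and returns it verbatim in the Cookie request header."""
    payload = f"{user_id}|{expires_at}".encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return f"{COOKIE_NAME}={user_id}|{expires_at}|{sig}"


def parse_cookie_header(raw):
    """Split a 'Cookie: a=1; b=2' request header (the answer to 'through the headers?')."""
    jar = {}
    for part in raw.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name] = value
    return jar


def user_from_request(headers, now):
    """Authenticate the request exactly as any forum page would (the common.php step).
    A missing, forged or expired cookie degrades to the guest account."""
    guest = USERS[GUEST_ID]
    raw = headers.get("Cookie")
    if raw is None:
        return guest
    value = parse_cookie_header(raw).get(COOKIE_NAME)
    if value is None or value.count("|") != 2:
        return guest
    uid_s, exp_s, sig = value.split("|")
    expected = hmac.new(SECRET_KEY, f"{uid_s}|{exp_s}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return guest                       # forged or tampered cookie
    if not exp_s.isdigit() or int(exp_s) < now:
        return guest                       # timed out: user must log in again, as on any page
    return USERS.get(int(uid_s), guest) if uid_s.isdigit() else guest


def can_read(user, forum_id):
    """Forum read permission by group id, the check a feed must apply per topic."""
    groups = FORUM_READ_GROUPS[forum_id]
    return groups is None or user["g_id"] in groups


def build_feed(headers, now, use_login=True):
    """Return (username, subjects visible in the feed).
    use_login=False is the behaviour the thread calls current: the cookie is still
    checked, but the result is discarded and guest permissions are forced.
    use_login=True is the proposal: keep the already-authenticated user's permissions."""
    user = user_from_request(headers, now)
    if not use_login:
        user = USERS[GUEST_ID]
    subjects = [t["subject"] for t in TOPICS if can_read(user, t["forum_id"])]
    return user["username"], subjects


if __name__ == "__main__":
    now = 1_000_000
    cookie = make_login_cookie(2, now + 3600)    # alice logged in, valid for an hour
    print(build_feed({}, now))                                          # guest: public forum only
    print(build_feed({"Cookie": "theme=dark; " + cookie}, now))         # alice: public + members
    print(build_feed({"Cookie": cookie}, now, use_login=False))         # forced guest
    print(build_feed({"Cookie": cookie.replace("=2|", "=3|")}, now))    # tampered uid: guest
```

A browser-integrated feed reader shares the browser's cookie jar, so its request carries the same Cookie header and gets the same view as a normal page; a standalone reader sends no cookie and gets the guest view. The expiry check is what keeps the "login timeout" MattF asked about in force: a stale cookie fails the feed exactly as it fails any other page.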

45

Re: feeds to all forum content

That's different then. smile I had thought you meant to just extract the information and use it straight off. (I ought to apologise for making that assumption. One should have known you, (the devs), would make sure there were proper checks first). smile I'll go quietly into the corner now. big_smile

46

Re: feeds to all forum content

Bugger. It's amazing how one can get side-tracked through the course of a single thread. big_smile Just remembered that this wasn't specifically the original point I was making. big_smile Although it's now obvious that stringent checking will be done upon the cookie credentials, it still leaves the situation that it is in fact only down to the cookie, and that login isn't required, i.e: a stored cookie on the machine means that anyone who uses that machine has the potential to access restricted feeds quite easily.

Re: feeds to all forum content

If they can access the restricted feeds, they can equally easily just open up the forums. I don't see your point.

48

Re: feeds to all forum content

In both scenarios, the cookie is present upon the machine.

To view the forums: Cookie info is used once login is successful.

To view the feeds: Cookie authentication alone would be used.

Re: feeds to all forum content

I give up. You just don't want to understand.

50

Re: feeds to all forum content

elbekko wrote:

I give up. You just don't want to understand.

Understand what? What does the following actually mean. No offense, but it makes no sense. I've probably just missed your point completely, but missed it I have.

If they can access the restricted feeds, they can equally easily just open up the forums.