Admin Security - How Does It Work and How Long For

Docwyatt2001 (Developer) - Posts: 87, Version: 3.7.5, Country: Australia
Date: 19/05/2008 14:56 - Admin Security - How Does It Work and How Long For (#post7223)

I've been tweaking some of the addons for some security/visibility changes and have come across something.

I have installed the User Mod from this site - the more detailed block. One of the things I didn't like about it was the fact that it showed things like IP and last 5 users regardless of user level - guest, etc. So I added a simple isRank check in a few places to hide certain parts unless they were at least a user.

I logged out of the site, but forgot to log out as admin - I just closed the page. When I revisited the front page, the admin was still effectively logged in, although I hadn't, so details were being shown.

Is the admin login based on a cookie, or a database table entry? And if so, does this entry age - like a cookie expiry?

"Where is my damn coffee!!!"
freaky (Crazy Member) - Posts: 437, Contributes: 262, Version: 3.8.5, Country: Swiss, Languages: English, French, German
Date: 20/05/2008 09:43 - Re: Admin Security - How Does It Work and How Long For (#post7234)

Hi Docwyatt2001

I guess it works with cookies and yes they expire (see image below).
Hope it will help you.
Peace
Freakyyy

Edited: 20/05/2008 09:46

"Don't Talk about It, Be about it! PEACE" - Mos Def
Mem is a winner so making him win go and vote -- here and here. Help mem and the whole Memht community.
Docwyatt2001 (Developer) - Posts: 87, Version: 3.7.5, Country: Australia
Date: 20/05/2008 10:22 - Re: Admin Security - How Does It Work and How Long For (#post7236)

Hopefully yeah... I will need to look a bit further now that I know what I'm looking for....

Does that cookie have an expiry date and time?

EDIT: I should look closer at the image next time...

Edited: 20/05/2008 10:47
freaky (Crazy Member) - Posts: 437, Contributes: 262, Version: 3.8.5, Country: Swiss, Languages: English, French, German
Date: 20/05/2008 10:39 - Re: Admin Security - How Does It Work and How Long For (#post7237)

I just think 7 days is maybe a lot!! I would have set this to 24 hours or 12 hours! Would it actually be useful to set the expiry date to 48 hours or 24 hours??

Edited: 20/05/2008 10:41
Docwyatt2001 (Developer) - Posts: 87, Version: 3.7.5, Country: Australia
Date: 20/05/2008 10:46 - Re: Admin Security - How Does It Work and How Long For (#post7240)

I was thinking less... 1 hour tops... But I was thinking the logic should change a bit. Every time the admin accesses a page, the cookie should be updated for T+1hr. But that doesn't help with the original issue. You can log into the admin site without having to log in to the normal user end. The admin stuff will still show up when you're not logged in... That's the bit I was concerned with.
freaky (Crazy Member) - Posts: 437, Contributes: 262, Version: 3.8.5, Country: Swiss, Languages: English, French, German
Date: 20/05/2008 11:05 - Re: Admin Security - How Does It Work and How Long For (#post7242)

Mmm, that thing with 1 hour is maybe too much, because if an admin is editing a new post and maybe he takes more than 1 hour, then what happens?? He will have to log back in when he's finished and presses OK or Submit. I think you should set the cookie expiration at 10 hours or 12 hours. I mean an admin has a big responsibility like changing his password frequently, making a hard password etc., and another big responsibility is logging himself out when he's finished doing his thing. Or am I totally wrong! And the admin and user interfaces work totally differently and don't depend on each other! That is then a good solution against session injection and all different types of attack!! Correct me if I am totally wrong.

Edited: 20/05/2008 11:07
Docwyatt2001 (Developer) - Posts: 87, Version: 3.7.5, Country: Australia
Date: 20/05/2008 11:25 - Re: Admin Security - How Does It Work and How Long For (#post7244)

If you "touch" the cookie on each page load... so that the time is always reset to an hour later than the current time, he will never have that issue. If it takes more than an hour to make a change for a single thing, that's a bit worrying. You could make that a site setting for the admin... 1 hour, 2 hours, 8 hours, 1 day, never...

You could add an onClose to the page that checks if they are admin, and if so, delete the cookie. Removes the onus of logging out - lazy I know, but a safety thing. Some of these things may be implemented, I didn't look at the code.

I understand the two are separate, and one would hope so. I guess I could be paranoid. I just don't think admin details should be seen on the normal pages unless the admin is logged into both the admin console and the actual website.
freaky (Crazy Member) - Posts: 437, Contributes: 262, Version: 3.8.5, Country: Swiss, Languages: English, French, German
Date: 20/05/2008 11:44 - Re: Admin Security - How Does It Work and How Long For (#post7245)

OK, that isn't a bad idea, with the admin setting. Mm, just one thing: the admin details are only gonna be shown on your computer. For example: you go on the site, log yourself on to the admin panel, and then it will compare your IP with all the users on your site; if it matches it will display the box with the special details!! Maybe you could solve the problem by comparing IPs, I hope my way of thinking isn't stupid, but maybe if you would save your current IP (admin logged in) in your DB you could compare like every 5 min if the IP is still logged on the site, or simply on the site, and if not disable the cookie :S... Correct me if something's impossible or stupid.

Edited: 20/05/2008 11:55
Docwyatt2001 (Developer) - Posts: 87, Version: 3.7.5, Country: Australia
Date: 20/05/2008 11:57 - Re: Admin Security - How Does It Work and How Long For (#post7246)

I was thinking of a shared machine.... If I logged in as admin, and forgot to log out and left the machine, and then someone else uses that machine, they will have access to the admin functions on the user side for the duration of the cookie.

Something for me to ponder more over I think... Thanks for the feedback though.
freaky (Crazy Member) - Posts: 437, Contributes: 262, Version: 3.8.5, Country: Swiss, Languages: English, French, German
Date: 20/05/2008 12:06 - Re: Admin Security - How Does It Work and How Long For (#post7247)

Yes, you are right, but maybe you could solve this problem by saving IPs and comparing if he's online or not!
Because when you log in as admin you will have for example the following IP: 874.231.66.2;
user IP: 874.231.66.2;
Like you see, the user and admin IP match, and then it will show the admin box on the user with the same IP. And you could extend this by maybe saving the admin's IP and comparing with all the IPs logged on the site; if you find an IP that matches you could update the cookie and it will set itself back to one hour, and if the IP wasn't found you could disable the last cookie, or just let it be and after an hour it will disable itself.
I don't know if it's logical, but it's the way I would try to do this.
Or is this a stupid idea?

Edited: 20/05/2008 12:08 Reason: Correction
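The thread converges on three ideas: a sliding admin timeout that is "touched" on every page load and configurable as a site setting (#post7244), showing admin details on the front end only when the visitor is logged into both the admin console and the normal site (#post7240, #post7244), and using the visitor's IP address as an extra signal (#post7245, #post7247). The following is an added example, not MemHT's code and not code posted by either participant, that puts those ideas into a small server-side session store so the trade-offs can be seen on realistic input. All class and function names, the `TIMEOUT_OPTIONS` values and the sample address `203.0.113.7` are assumptions chosen for illustration; the shared-machine scenario at the end is constructed from Docwyatt2001's description in #post7246.

```python
import secrets
import time
from dataclasses import dataclass

# The admin-configurable idle timeout proposed in the thread ("1 hour, 2 hours,
# 8 hours, 1 day, never"). None means no idle expiry at all. Values are assumed.
TIMEOUT_OPTIONS = {"1 hour": 3600, "2 hours": 7200, "8 hours": 28800,
                   "1 day": 86400, "never": None}


@dataclass
class Session:
    user: str
    is_admin: bool
    ip: str           # client address recorded at login
    last_seen: float  # unix time of the most recent page load


class SessionStore:
    """Server-side session table keyed by an opaque random token.

    The browser cookie carries only the token; the lifetime is enforced here,
    so editing the cookie's own Expires attribute gains the holder nothing.
    The timeout slides: every successful page load resets last_seen, so an
    admin who keeps working is never logged out mid-edit, while an abandoned
    session dies idle_timeout seconds after the last request.
    """

    def __init__(self, idle_timeout, clock=time.time):
        self.idle_timeout = idle_timeout   # seconds, or None for "never"
        self.clock = clock                 # injectable so the scenario is deterministic
        self._sessions = {}

    def login(self, user, is_admin, ip):
        token = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        self._sessions[token] = Session(user, is_admin, ip, self.clock())
        return token

    def logout(self, token):
        """Explicit logout revokes server-side, not merely deleting the cookie."""
        self._sessions.pop(token, None)

    def touch(self, token, ip):
        """Validate a token on a page load and slide its expiry forward.

        Returns the Session if still valid, else None (expired sessions are
        deleted on the spot). An IP mismatch also yields None, but note that
        this cannot tell two people on one shared machine apart: they present
        the same address, so only the idle timeout helps in that case.
        """
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self.clock()
        if self.idle_timeout is not None and now - sess.last_seen > self.idle_timeout:
            del self._sessions[token]
            return None
        if sess.ip != ip:
            return None
        sess.last_seen = now
        return sess


def show_admin_details(store, admin_token, user_token, ip):
    """Front-end gate: admin-only details appear only when the visitor holds a
    live admin session AND a live ordinary-user session, rather than whenever
    an admin cookie happens to exist."""
    admin = store.touch(admin_token, ip) if admin_token else None
    user = store.touch(user_token, ip) if user_token else None
    return bool(admin and admin.is_admin and user)


class FakeClock:
    """Constructed clock so the scenario below is reproducible offline."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def shared_machine_scenario(timeout_name="1 hour"):
    """Replays the shared-machine case from the thread and records, per step,
    whether the admin details would be shown to whoever sits at the machine."""
    clock = FakeClock()
    store = SessionStore(TIMEOUT_OPTIONS[timeout_name], clock)
    ip = "203.0.113.7"  # constructed sample address (documentation range)
    admin_tok = store.login("docwyatt", True, ip)
    user_tok = store.login("docwyatt", False, ip)
    results = {"at_login": show_admin_details(store, admin_tok, user_tok, ip)}
    clock.advance(50 * 60)   # admin keeps working; each load slides the window
    results["working_50min"] = show_admin_details(store, admin_tok, user_tok, ip)
    clock.advance(50 * 60)   # 100 min since login, still inside the sliding window
    results["working_100min"] = show_admin_details(store, admin_tok, user_tok, ip)
    clock.advance(61 * 60)   # tab closed without logout; next person arrives 61 min later
    results["next_person_61min_later"] = show_admin_details(store, admin_tok, user_tok, ip)
    tok2 = store.login("docwyatt", True, ip)  # admin console login only, no user-side login
    results["admin_only_no_user_login"] = show_admin_details(store, tok2, None, ip)
    return results
```

Running `shared_machine_scenario("1 hour")` shows the admin box present at login and through two further page loads 100 minutes apart, then absent for the next person 61 minutes after the last load; with `"never"` the box is still shown to the next person, which is the exposure the thread is worried about. The IP recorded in the session is compared on every load, but in the shared-machine case both people have the same address, so that comparison passes and the idle timeout is what actually closes the window.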