#24 XOOPS reports why people can't login

XOOPS_2.2
closed
Jan Pedersen
5
2012-09-25
2004-03-20
Herko Coomans
No

http://www.xoops.org/modules/xoopsfaq/index.php?cat_id=13#25

http://www.xoops.org/modules/newbb/viewtopic.php?topic_id=3257&forum=7#forumpost74611

Many people cannot log in or register at Xoops sites
without first disabling the default cookie settings on
e.g. Zone Alarm ("Block third party cookies" and
"Remove private header information"), or Norton Firewall.

When Xoops tests the $HTTP_REFERER var and finds it
empty (function myRefererCheck) connection is not allowed.
I had the same problems when I released my
http://dreambox.sjerom.com made with Xoops.
I had the first week 1700 assignment BUT also 150
people inactive because of this.... and all 150 did
send me an email how this could happen and what to do
about it!!!! So much work to send all an email to
explain that it was their own settings fault at their PC!

To avoid this all, Trollix has written this little hack:
http://www.xoops.org/modules/newbb/viewtopic.php?topic_id=2685&forum=14jump=1

But with this you make so a security hole for your
MySQL and xoops, function myRefererCheck prevents that
nobody can make link from his site to your site with
xoops ...

Though we want to keep up our security level...
So I think the solution named by Spiff in the above
article is a good one, just to tell people why they
cannot login or register!!!


"Hello everyone,

We just ran into this problem this week, although it's
likely a number of users simply didn't bother to
contact us about a failed registration earlier on, and
gave up.

It's nice to know that Xoops is secure, and that the
problem comes from improperly set up firewalls.
However, as previously mentioned, not all users have
the patience to set up a rule in their firewalls, or
even know how to enable cookies for a specific site.

For the sake of security and user-friendliness, I think
it would be nice if the error message that comes up
after a failed registration actually explained what the
problem is, in replacement for the blunt "Cannot
register new user."

This could take the form of a special xoops page that
could be linked to whenever a failed referrer-checking
occurs, which would encourage the user to tackle
his/her firewall installation.

Quote:

Your last request failed because it seems your computer
is set up behind a firewall, which blocks sending
information to {SITE_NAME}.

Our site uses Referrer-checking to secure contents
being posted; this method prevents improperly
identifiable users from placing undue content on the site.

When you click a Web page, your browser notes the
current page that you are on and sends that information
to the server before accessing a new page. This way,
the server knows the last Web page that you viewed.

Some firewalls block this information by default. It
appears this is the case for your connection, which
means we were unable to ascertain that the data you
submitted before accessing this page was typed on a
page belonging to this website. That's a security issue
for us.

If you are using a firewall such as Norton Internet
Security (NIS), ZoneAlarm Pro, etc., please modify your
settings accordingly. (For an example of firewall
setup, see
http://www.xoops.org/modules/xoopsfaq/index.php?cat_id=13#25)

Additionally, your browser must be set up to accept
cookies from {SITE_NAME}.

These simple steps are necessary for us to keep this
site secure; it prevents untrustworthy users from
accessing it. Please check your firewall and cookie
settings, then try again.

Is this complete enough? Anything missing? Let's try
and work on a page that would address all the basic
issues, until the Core team fixes the problem in a more
elegant way.

A comprehensive response would address Xoops users'
questions and not deter them (and webmasters) from
using the Xoops CMS.

Eric


Quote:
I like this idea...but is there an easy way to hack
XOOPS to make such a message display ?

I thought the easiest way to do it would be to replace
the error message's variable with a complete message
similar to the one I've posted.

_US_REGISTERNG variable is defined around line 37 in
/language/english/user.php:

define('_US_REGISTERNG','Your last request failed
because it seems your computer is set up behind a
firewall, which blocks sending information to
{SITE_NAME}.

Our site uses Referrer-checking
to secure contents being posted; this method
prevents improperly identifiable users from placing
undue content on the site.

When you click a
Web page, your browser notes the current page that you
are on and sends that information to the server before
accessing a new page. This way, the server knows the
address of the last Web page you viewed.

Some
firewalls block this information by default. It appears
this is the case for your connection, which means we
were unable to ascertain that the data you submitted
before accessing this page was typed on a page
belonging to this website. That\'s a security issue for
us.

If you are using a firewall such as
Norton Internet Security (NIS), ZoneAlarm Pro, etc.,
please modify your settings accordingly. (For an
example of firewall setup, see
<a href="http://www.xoops.org/modules/xoopsfaq/index.php?cat_id=13#25" target="_blank">http://www.xoops.org/modules/xoopsfaq/index.php?cat_id=13#25</a>).

Additionally, your browser must be set up to accept
cookies from {SITE_NAME}.

These simple steps
are necessary for us to keep this site secure; it
prevents untrustworthy users from accessing it. Please
check your firewall and cookie settings, then try again.');

I'm not sure whether the SITE_NAME variable requires
the brackets to be rendered, or whether it needs to be
specified as "$SITE_NAME". From the looks, register.php
doesn't do any templating on the variable, so SITE_NAME
and the http link may need to be handled differently.

Some other variables may need to be modified as well
(upon failed login, failed post, etc.)

Another possibility is to leave the message alone, and
modify register.php (login.php, post.php?) to redirect
to another page, like so:

Lines 206 & 212:
CHANGE: echo _US_REGISTERNG;
TO: redirect_header('firewall.php', 4, _US_REGISTERNG);

I'll try setting myself behind a firewall to test this
if I have the time.

Eric

Quote:
When you click a Web page, your browser notes the
current page that you are on and sends that information
to the server before accessing a new page. This way,
the server knows the last Web page that you viewed.

I would change that to:

Quote:
When you click a link or button on a web page, your
browser notes the current page that you are on and
sends that information to the server before accessing a
new page. This way, the server knows the last web page
that you viewed.

I would also mention the actual header tag HTTP_REFERER
somewhere, for the benefit of people who understand that.

I think the expanded message is a good idea, as long as
it's easy to customize. On sites that tend to be
targeted by abusers, detailed information could be of
value to the abuser, and a terse, less informative
message may be preferred.

Hope you can insert this into the new version of Xoops
or bring a Notification Patch concerning this login and
register problem (Referrer- and Cookies checking), due
to the articles it is already there since 2002!!!
(First topic about this is Posted on: 2002/9/6 0:56)

Regards, Hemertje

hemertje@sjerom.com
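
An added example, not part of the original ticket and not XOOPS code: one way to tell a missing HTTP_REFERER apart from a foreign one, so that the explanatory text proposed above is shown only when the header was stripped, and a site-level switch can fall back to the terse message. The function names, constants, message wording and sample hosts are assumptions made for this illustration.

```php
<?php
// Added illustration, not XOOPS code. All names here are hypothetical.

const REFERER_OK      = 'ok';
const REFERER_MISSING = 'missing';  // header stripped, e.g. by a personal firewall
const REFERER_FOREIGN = 'foreign';  // request came from a page on another host

// Classify the Referer header against the host this site is served from.
function classify_referer(?string $referer, string $siteHost): string
{
    if ($referer === null || trim($referer) === '') {
        return REFERER_MISSING;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    // Compare whole host names, case-insensitively; a prefix or substring
    // match would accept hosts such as "www.example.org.other.test".
    if (is_string($host) && strcasecmp($host, $siteHost) === 0) {
        return REFERER_OK;
    }
    return REFERER_FOREIGN;
}

// Pick the text shown to the user. $verbose is the site-level switch for
// the longer explanation; with it off, every failure gets the terse text.
function referer_failure_message(string $result, bool $verbose, string $siteName): string
{
    $terse = 'Cannot register new user.';
    if (!$verbose || $result !== REFERER_MISSING) {
        return $terse;
    }
    $msg = 'Your request did not include the HTTP_REFERER header, so '
         . $siteName . ' could not confirm that the form was submitted from '
         . 'one of its own pages. Check your firewall and cookie settings, '
         . 'then try again.';
    return htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
}

// Constructed sample Referer values, classified for the host www.example.org.
$samples = [
    null,                                            // header absent
    'http://www.example.org/register.php',           // same host
    'http://www.example.org.other.test/form.html',   // look-alike foreign host
];
foreach ($samples as $referer) {
    $result = classify_referer($referer, 'www.example.org');
    echo $result, ': ', referer_failure_message($result, true, 'Example Site'), "\n";
}
```

Only the missing-header case gets the long explanation; a request carrying a foreign Referer still receives the terse text, which keeps the detail away from the case the check exists to stop.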
