View Full Version : Log out?
Skeletor
02-19-2005, 04:40 AM
Hi, I just tried logging out and had a vB error message appear. :)
This is due to the lack of &u=$bbuserinfo[userid] in the "navbar" template.
In admin CP click on
Style Manager --> Edit Templates --> NavBar/Breadcrumb Template/ Navbar
Scroll down until you see this:
<if condition="$bbuserinfo['userid']">
<td class="vbmenu_control"><a href="login.php?$session[sessionurl]do=logout&u=$bbuserinfo[userid]" onclick="return log_out()">$vbphrase[log_out]</a></td>
</if>
Make sure you have that bold bit ;)
I have always wondered why there is a log out button. Isn't it easier to just go to another site when you are finished?
Does anyone know?
When you go to another site you aren't necessarily logged out. And here I get to use the nice little phrase
cookies, cookies everywhere but not a bite to eat
I love doing that. Right, time to explain. When you login one of 3 things is done:
a) you are sent a cookie with some encrypted information about your username/password/userid etc.
b) you are sent a cookie with a session name in [this session name relates to a server stored file with the userid/encrypted data and is unique]
c) you are given a session id. This generally happens if the above 2 won't work due to your security settings. If this happens your URL will always have an &s=randomhash where randomhash is some random numbers and letters. This is a similar hash to the one I was talking about in part b, except this one is carried around in the URL which isn't the nicest of things sometimes.
So, if we use #a we have COOKIES!! [Chocolate Chip, Oat, whatever you want :p] Now because the cookie is stored on your computer and is set to expire in a few months time, it just sits there.
So when you open randomgames again, the forum notices that you have this cookie, checks all the information inside the cookie (the login information) and if they are OK [tasty], it says, "well..Hey..you're logged in!". So, anyone using your computer could just pop open randomgames and they would be logged in with your account!
But that's great, it means I don't have to type in that stupid password all the bloody time!
Yes, if your computer is yours and only yours. But what if you're on a public computer? So the person after you gets super mod rights on RG? O_o That could be a little...reckless ;)
So what about #b and #c ? Well they rely on sessions. Sessions are a little more complicated because they can be set to expire in a number of ways. They could be set to expire when the window closes, or after 15 minutes of inactivity etc. So that's a little harder to explain what happens. The weakness in #b is if your session hasn't yet expired and you have a cookie with the session's ID. What's the problem then? Well, the next person on your computer uses that cookie and they have practically then stolen your session.
#c, well anyone looking over your shoulder can see the session id from the URL. So potentially they could take that computer after you, retype it..and..they might well be in.
Note: All this is simplified, a lot. A large proportion of security for this board depends on server settings [which obviously I haven't seen] and I haven't read the login code for vbulletin 3 so I can't detail specifics.
Although account theft could potentially happen with multiple users on one computer it doesn't happen that often if you are careful and very rarely happens if you have a computer all to yourself.
To give some examples:
Me :D As an administrator on Oldgames.NU there are a lot of functions which can cause some considerable damage. If I'm on a public computer I would ALWAYS logout and make sure all cookies are cleared and my internet history was cleared. Usually however I am on my computer which only I have access to so, I keep the cookies and remain permanently logged in.
Arkacia + Bloodnok [hubby] - When they shared one computer, Prideth would have to logout [hence clearing her cookies] so that Bloodnok could login and he would have his cookies set.
What exactly happens when I logout?
Well, a few things. Your session is deleted from the server. So Randomgames no longer recognises that session. However, you still have your cookies. So, Randomgames then deletes all the cookies on your computer which IT has set [it won't delete any of your other cookies - it can't]. Then you are redirected to the index and you are no longer logged in.
Questions? Fire Away.
For any enthusiasts out there, sorry for the rather extreme simplification.
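The session-cookie case (#b) and the logout steps described in the post above, as an added Python sketch that is not part of the original thread and not vBulletin's code. The cookie name `sid`, the `SessionStore` class and the in-memory store are assumptions for illustration; it shows why a leftover cookie stops working once the server has deleted the session.

```python
import secrets
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60  # seconds: the "15 minutes of inactivity" case

class SessionStore:
    """Case (b): the cookie holds only a random id; the data stays server-side."""
    def __init__(self):
        self._sessions = {}  # session id -> {"userid", "last_seen"}

    @staticmethod
    def _sid(cookie_header):
        jar = SimpleCookie(cookie_header)
        return jar["sid"].value if "sid" in jar else None

    def login(self, userid, now):
        sid = secrets.token_urlsafe(32)  # unguessable id
        self._sessions[sid] = {"userid": userid, "last_seen": now}
        cookie = SimpleCookie()
        cookie["sid"] = sid              # hypothetical cookie name
        cookie["sid"]["httponly"] = True
        return cookie                    # sent as a Set-Cookie header

    def current_user(self, cookie_header, now):
        """Return the userid for a request's Cookie header, or None."""
        sid = self._sid(cookie_header)
        session = self._sessions.get(sid)
        if session is None:
            return None                  # unknown or already logged out
        if now - session["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]      # idle too long: expire server-side
            return None
        session["last_seen"] = now
        return session["userid"]

    def logout(self, cookie_header):
        # Step 1: delete the session on the server.
        self._sessions.pop(self._sid(cookie_header), None)
        # Step 2: tell the browser to drop the cookie this site set.
        expired = SimpleCookie()
        expired["sid"] = ""
        expired["sid"]["max-age"] = 0
        return expired

def public_computer_demo():
    """The next person at the keyboard replays the leftover cookie value."""
    store = SessionStore()
    header = "sid=" + store.login(userid=1, now=0.0)["sid"].value
    before = store.current_user(header, now=60.0)   # still logged in
    store.logout(header)
    after = store.current_user(header, now=120.0)   # same cookie, rejected
    return before, after
```

The server-side delete is the step that matters: even if the browser never removes the cookie, the id it carries no longer maps to an account.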
That is simplification??? I would hate to see a detailed explanation :D J/K
Thanks for the explanation Lex, having never used a public computer on the net I didn't think of that aspect, now it makes sense...
Are you a teacher by any chance :D .... I know you're not but you should be :)
Well, simplification in the sense that if there are any techies on this forum they'll probably shoot me :p
Nah, Med Student. I've done some little bits of teaching before, but nothing truly major :)
Skeletor
02-20-2005, 05:00 PM
Glad that's sorted then :| Hope everyone was paying attention :D :rolleyes: