GMG Classical Music Forum

Announcements => GMG News => Topic started by: Dungeon Master on February 14, 2011, 09:50:37 PM

Title: Logging out problem
Post by: Dungeon Master on February 14, 2011, 09:50:37 PM
Dear members


This topic has been discussed on the "Bug Report" thread, but deserves a thread of its own.


Some members are experiencing a problem where, although they choose the "Always Logged In" option, seem to get logged out at random times, requiring a new log-in each time. Especially frustrating when it happens frequently, and during making a post.


I have been looking into this problem. It seems that the cause is spambots accessing member usernames (but not passwords) and trying to gain access by guessing passwords. If they fail to guess (currently 3 times), the member gets logged out. If you are not familiar with what a spambot is, read this (http://en.wikipedia.org/wiki/Spambot#Forum_spambots). Note that these are automated programs, that focus on particular log-in systems, in this case SMF forum. There aim is to get access to a members account, and then post Spam on the forum.


What I am doing to address this:   

It will takes a few days or weeks to collect the IP addresses, and add them to the list of banned addresses


What you can do in the meantime:
   
Note that once the Spambots have your username, even if you change your Display Name, they will keep trying to access your account by repeated guessing of your password. If this is becoming a big problem for you, wend me a  PM and I can change your actual Username (the one you use to log-in). If you want me to change it, send me your preferred new Username, and don't forget to make sure your Displayed Name is different. Changing your log-in username requries a password reset which is emailed to you, so please ensure you have a valid email address on file with GMG (in your profile). Changing your username does not delete your account - your account remains intact, but with a new username for log-in purposes.

cheers
Rob (now Dungeon Master)

Title: Re: Logging out problem
Post by: Opus106 on February 14, 2011, 11:13:53 PM
Hi, Rob. Here's something I was thinking about a couple of days ago: when you provide a pair of non-existent username and password to the forum, you'll get a message back saying that "that username does not exist." This is unlike other sites, e.g. GMail, which would say something along the lines of that one or both of the entered values is/are incorrect. Now, I don't know how the forum software is coded, but if somehow the bot is given the information that the username is correct (as in the case when it attempts to login with the display name), then would it not have a foothold, so to speak, on the user's account? It then just has to run through a list of possible passwords without 'worrying' about the usename. I realise that a solution to this problem, if it exists, may not solve the issue faced by existing members, but perhaps will, at the least, decrease the chances of new members being logged out frequently. Just thinking out loud.... :)
Title: Re: Logging out problem
Post by: Dungeon Master on February 14, 2011, 11:56:05 PM
That's a good thought - I will put that to the developers, as it is beyond my programming abilities.


However, I think the current problem is that the bots have harvested existing usernames. All members reporting problems had their Username the same as the Displayed Name, and so the Username was visible to all (members, guests and bots). I did too, but luckily have not had the log-out problems. Having harvested visible usernames, all it has to do is try to guess passwords. After a set number of failed guesses, the forum logs the member out as a security measure.
Title: Re: Logging out problem
Post by: mc ukrneal on February 15, 2011, 12:29:04 AM
   
  • Increased the failed login threshold so that members don't get logged out after 3 spambot attempts
Rob (now Dungeon Master)
I am out of depths here, but is it possible to set things up so that anyone who tries to login when someone is not logged out cannot even get in? That would get rid of the probllem. Of course, I have no idea if what I am suggesting is a major programming task -I guess you'll let us know.   :) After that... :-X
Title: Re: Logging out problem
Post by: George on February 15, 2011, 03:58:00 AM
Note that once the Spambots have your username, even if you change your Display Name, they will keep trying to access your account by repeated guessing of your password. If this is becoming a big problem for you, wend me a  PM and I can change your actual Username (the one you use to log-in). If you want me to change it, send me your preferred new Username, and don't forget to make sure your Displayed Name is different.

PM sent.

Title: Re: Logging out problem
Post by: The new erato on February 15, 2011, 04:11:29 AM
PM sent.
Me too.
Title: Re: Logging out problem
Post by: Harry on February 15, 2011, 07:23:28 AM
PM sent
Title: Re: Logging out problem
Post by: mc ukrneal on February 15, 2011, 07:42:45 AM
Do you think it is safe to assume that the username is still ok if the logging out has only occurred a few times? Or would you suggest changing the username with even that small number? I have upped the security of my password to include numbers, symbols, and capital letters, so they are highly unlikely to hit upon the combination, but still. Better to be safe than sorry.
Title: Re: Logging out problem
Post by: DavidRoss on February 15, 2011, 09:39:18 AM
Well, I tried the name change but I'm still getting logged out by the system.  Just a minor irritant, no big deal.
Title: Re: Logging out problem
Post by: Gurn Blanston on February 15, 2011, 11:05:46 AM
Do you think it is safe to assume that the username is still ok if the logging out has only occurred a few times? Or would you suggest changing the username with even that small number? I have upped the security of my password to include numbers, symbols, and capital letters, so they are highly unlikely to hit upon the combination, but still. Better to be safe than sorry.

Neal,
Well, I can only speak from my dim understanding, but they already know your and my user names, having gleaned them earlier, so they will keep hacking away at those. They are welcome to some good luck with my combination 12 character password though, according to the Business Week password guide, a mixed 9 character password takes about 44,000 years to crack. 12 should be exponentially better. Shit, I hope I don't forget it! :o :o   :D

8)
Title: Re: Logging out problem
Post by: Gurn Blanston on February 15, 2011, 11:07:06 AM
Well, I tried the name change but I'm still getting logged out by the system.  Just a minor irritant, no big deal.

You should feel loved, they are still hacking away at you. If your password is decent, you shouldn't have a problem. I have the same issue. it gives me a warm and fuzzy.... :)

8)
Title: Re: Logging out problem
Post by: DavidRoss on February 15, 2011, 11:26:23 AM
You should feel loved, they are still hacking away at you. If your password is decent, you shouldn't have a problem. I have the same issue. it gives me a warm and fuzzy.... :)

(http://t0.gstatic.com/images?q=tbn:ANd9GcRzqSkQIwPuCZ_uQqmC2994QZ8rrozmK_tuafhPyTG4z9CmBga9XQ)

Uh, "password" is a good password, right?
Title: Re: Logging out problem
Post by: Gurn Blanston on February 15, 2011, 11:35:59 AM
(http://t0.gstatic.com/images?q=tbn:ANd9GcRzqSkQIwPuCZ_uQqmC2994QZ8rrozmK_tuafhPyTG4z9CmBga9XQ)

Uh, "password" is a good password, right?

I prefer 'default' but 'password' should work. Who would guess that?

:D

8)
Title: Re: Logging out problem
Post by: Scarpia on February 15, 2011, 12:15:25 PM
Neal,
Well, I can only speak from my dim understanding, but they already know your and my user names, having gleaned them earlier, so they will keep hacking away at those. They are welcome to some good luck with my combination 12 character password though, according to the Business Week password guide, a mixed 9 character password takes about 44,000 years to crack. 12 should be exponentially better. Shit, I hope I don't forget it! :o :o   :D

8)

By telling them your password is 12 characters you have made it dramatically easier for them to guess.   :P
Title: Re: Logging out problem
Post by: Gurn Blanston on February 15, 2011, 12:38:45 PM
By telling them your password is 12 characters you have made it dramatically easier for them to guess.   :P

Not if I was lying...  $:)

8)
Title: Re: Logging out problem
Post by: Dungeon Master on February 18, 2011, 04:58:40 PM
Those of you for whom I have changed your log-in username, can you tell me if the log-out problem is now solved?


cheers
Rob
Title: Re: Logging out problem
Post by: George on February 18, 2011, 05:09:40 PM
Those of you for whom I have changed your log-in username, can you tell me if the log-out problem is now solved?


cheers
Rob

Indeed, it is, I am happy to report. Much thanks, Rob!  :)
Title: Re: Logging out problem
Post by: Gurn Blanston on February 18, 2011, 06:06:29 PM
Those of you for whom I have changed your log-in username, can you tell me if the log-out problem is now solved?


cheers
Rob

Oddly enough, I now have the problem, when I didn't have it previously. I have to re-log in 3 or 4 times a day now. :)

8)

----------------
Now playing:
Christine Schornsheim - Schulz Op 1 #6 Larghetto con Variazioni for Keyboard
Title: Re: Logging out problem
Post by: Willoughby earl of Itacarius on February 18, 2011, 11:22:28 PM
The problem is solved Rob. :)
Title: Re: Logging out problem
Post by: Holden on February 18, 2011, 11:59:13 PM
The problem is solved Rob. :)
.....but not for me.

adsI use the 'go to unread topics' option and while I can read all threads on page one, when I click on page two I get asked for my logon and password and then get nothing on page two. Is it possible to resolve this? It's annoying  me to the point where I just want to walk away from the forum.
Title: Re: Logging out problem
Post by: The new erato on February 19, 2011, 01:05:20 AM
Those of you for whom I have changed your log-in username, can you tell me if the log-out problem is now solved?


cheers
Rob
Yep so it seems. But the spambots doesn't try every day, so it will be some time until I can say for sure.
Title: Re: Logging out problem
Post by: Dungeon Master on February 19, 2011, 03:00:11 AM
.....but not for me.

adsI use the 'go to unread topics' option and while I can read all threads on page one, when I click on page two I get asked for my logon and password and then get nothing on page two. Is it possible to resolve this? It's annoying  me to the point where I just want to walk away from the forum.


Hi Holden


Did you read the first post in this thread? Especially the last paragraph re changing your username.


Let me know if you want it changed.


cheers
Rob
Title: Re: Logging out problem
Post by: Dungeon Master on February 19, 2011, 03:03:31 AM
Oddly enough, I now have the problem, when I didn't have it previously. I have to re-log in 3 or 4 times a day now. :)

 8)

----------------
Now playing:
Christine Schornsheim - Schulz Op 1 #6 Larghetto con Variazioni for Keyboard


Hi Gurn


I was referring to those members who requested I change their actual Username (not their Displayed Name).


Even if you change your Display name, the bits already have your Username, and will keep trying to guess the password. The only solution for existing members is for me to change their Username (only and Admin can do it). Send me a PM if your want your Username changed.


cheers
Rob
Title: Re: Logging out problem
Post by: petrarch on February 19, 2011, 04:40:11 AM
Those of you for whom I have changed your log-in username, can you tell me if the log-out problem is now solved?

It appears to have solved it for me.
Title: Re: Logging out problem
Post by: Marc on February 19, 2011, 04:53:54 AM
[....]
What you can do in the meantime:
   
  • Make your Displayed Name different to your actual Username. You can do this in your Profile --> Account Settings. Your displayed name is shown on every post you make, but if that is not the same as your actual username (which is not displayed), the bots won't be able to try to log in with your real username. All members currently reporting problems have their displayed name the same as their username.

But many members got quoted by their actual usernames for almost four years, and these quotes remain displayed. Wouldn't that be a problem?
Just asking, I'm a digit dumbie. :-[
Title: Re: Logging out problem
Post by: Gurn Blanston on February 19, 2011, 06:44:36 AM

Hi Gurn


I was referring to those members who requested I change their actual Username (not their Displayed Name).


Even if you change your Display name, the bits already have your Username, and will keep trying to guess the password. The only solution for existing members is for me to change their Username (only and Admin can do it). Send me a PM if your want your Username changed.


cheers
Rob

Oh, sorry, Rob. I went all cranio-rectal on myself there, hope I didn't get any on you. Yes, well I will conjure up a brilliant UN and give you a note shortly. Thanks!

8)

----------------
Now playing:
Orchestra of the Mariinsky Theater / Gergiev  Gautier Capu├žon  (Cello) - Prokofiev Op 125 Sinfonia Concertante in e for Cello & Orchestra 1st mvmt - Andante
Title: Re: Logging out problem
Post by: DavidRoss on February 20, 2011, 09:08:12 AM
Well, even with a screen name change, a user name change, and a password change I'm still getting logged out every hour.  No big deal and may be a good thing, as I often forget to log off and leave the window open for days!  :o

Addendum: Hmmm--this time it's kept me logged in for the past 3 hours.  Maybe the fix worked after all--thanks, Rob!
Title: Re: Logging out problem
Post by: Sergeant Rock on February 20, 2011, 04:33:20 PM
Changing my username has apparently worked. I haven't been logged out for more than 24 hours.

Sarge
Title: Re: Logging out problem
Post by: George on February 20, 2011, 04:51:23 PM
Changing my username has apparently worked. I haven't been logged out for more than 24 hours.

Sarge

I haven't been logged out in three days or so since changing my username.
Title: Re: Logging out problem
Post by: Dungeon Master on February 21, 2011, 04:27:49 PM
For those that are interested, this bot attack is affecting many forums across the internet, not just ours.
 
The good news is that the developers of SMF arwe working on a permanent fix - they are testing now and hopefully should be released in the next few days.
 
Stay tuned.
 
||Rob
Title: Re: Logging out problem
Post by: Dungeon Master on February 21, 2011, 05:11:48 PM
Update:
 
SMF has released a security patch to prevent bot hack attempts from loggin users out.
 
I have installed this patch, and there should be no further problems with people being logged out.
 
Please report any issues re logging in/out here.
 
cheers
Rob
Title: Re: Logging out problem
Post by: Gurn Blanston on February 21, 2011, 05:25:09 PM
Excellent! I really didn't want to change my user name after 10 years with it (8 here). Thanks, Rob. :)

8)

----------------
Now playing:
Costantino Mastroprimiano - Clementi WoO 03 Sonata in F 2nd mvmt - Rondeau: Spiritoso
Title: Re: Logging out problem
Post by: Luke, honestly! on February 22, 2011, 04:08:12 AM

Please report any issues re logging in/out here.
 

Maybe because I am at my work computer (though I've never had problems before) but I was logged out when I got here and can't log in again, as Luke or as my recently-changed-to-because-of-login-problems new name sul G (again). Hence the new account I've had to set up, hopefully temporarily. Would this be to do with your new patch, Rob?
Title: Re: Logging out problem
Post by: Gurn Blanston on February 22, 2011, 05:31:02 AM
Maybe because I am at my work computer (though I've never had problems before) but I was logged out when I got here and can't log in again, as Luke or as my recently-changed-to-because-of-login-problems new name sul G (again). Hence the new account I've had to set up, hopefully temporarily. Would this be to do with your new patch, Rob?

Sorry to hold you up, Luke, I just got online and found your sad, sad plea for help... :'( 

:D

8)
Title: Re: Logging out problem
Post by: DavidRoss on February 22, 2011, 06:26:01 AM
Maybe because I am at my work computer (though I've never had problems before) but I was logged out when I got here and can't log in again, as Luke or as my recently-changed-to-because-of-login-problems new name sul G (again). Hence the new account I've had to set up, hopefully temporarily. Would this be to do with your new patch, Rob?
Ack!  Does this mean we've lost the ability to search and access all of Luke's old posts?  Drat!
Title: Re: Logging out problem
Post by: Opus106 on February 22, 2011, 06:32:00 AM
can't log in again, as Luke or as my recently-changed-to-because-of-login-problems new name sul G (again).

Those were your just your display names, right?
Title: Re: Logging out problem
Post by: DavidRoss on February 22, 2011, 10:05:40 AM
Those were your just your display names, right?
No -- look at his post count!
Title: Re: Logging out problem
Post by: Opus106 on February 22, 2011, 10:09:31 AM
No -- look at his post count!

I was referring to the affected account (display name: sul G (again)), which, I checked, has over one thousand posts.
Title: Re: Logging out problem
Post by: DavidRoss on February 22, 2011, 10:12:04 AM
I was referring to the affected account (display name: sul G (again)), which, I checked, has over one thousand posts.
Oh, good--so he didn't close the old account, just started a new one (didn't know you could do that...duh?  diff email address, prob?)
Title: Re: Logging out problem
Post by: Scarpia on February 22, 2011, 10:16:59 AM
Oh, good--so he didn't close the old account, just started a new one (didn't know you could do that...duh?  diff email address, prob?)

He reported being unable to log in, so wouldn't have been able to delete his account even if he wanted to.   :)

Luke, did you try the "forget your password?" function on the login page?
Title: Re: Logging out problem
Post by: Brewski on February 22, 2011, 12:49:19 PM
Thanks, Karl--I'll send this to Rob, as well.

--Bruce
Title: Re: Logging out problem
Post by: Scarpia on February 22, 2011, 01:01:15 PM
Posting on behalf of Luke:

For what it's worth, Luke and Luke, Honestly are still listed as users (not sul G).  You are remembering to use your internal username and not your displayed username for logging in?  (We have been encouraged to make them different these days.)
Title: Re: Logging out problem
Post by: karlhenning on February 22, 2011, 01:58:37 PM
Posting (emended) on behalf of Luke:

Quote
I still can't login, using either my old account or the one I opened this morning. Nothing I try works, from the moment I logged in at work this morning till now. It isn't the work computer, because I am now on my home one and that is having the same problems. For Rob's information, the following happened:

Got to work, turned on computer and went to GMG, and found that I was logged out, as has been happening recently. Since I was on holiday from work last week, which was when I changed my screen name and my password, as suggested, the details that were saved in the login boxes were not correct, so I entered the correct password. I was told it was incorrect, so I rechecked and also tried the old password, and all combinations I could think of.

Then I opened the new account just for the purpose of sending the above post

When I got home I tried again, but couldn't log in using either my proper account, NOR the one I'd made this morning. In the case of the 'Luke'/'sul G again' account I was told the password was wrong. In the case of the 'Luke, honestly' one from this morning, I was told the user name doesn't exist.

Scarpia, I've also tried having a password reminder sent to my email; I'm told one has sent, but it hasn't arrived

I've also tried changing my password by answering my secret reminder question, but am told I got the answer wrong. Needless to say, I didn't, and I am quite spooked by that!

Makes me think that either a) my account has been hacked and all details changed or, more likely, since my new account won't work either, b) the new patch Rob talked about has buggered things up, for me at least. It's the only thing that has changed on the site since last time I logged in successfully that I know of.

BTW I also note that when I look at the site my posts appear as 'Luke', which was my screen name until a few days ago, not as 'sul G again' which is what it was changed to - is it the same for others? I stress that can't log in using the previous password either, or any other combination of passwords, user names and screen names I can think of!
Title: Re: Logging out problem
Post by: Luke, honestly! on February 22, 2011, 02:50:13 PM
Curiouser and curiouser - was unable to log in as ANYTHING at all, using any username or password I've ever had. So, as 'Luke', I asked for a password reminder to be sent to my hotmail account, which is the one associated with that username. Did it twice, but nothing came. Then, tried to log in again as 'Luke, honestly', but was told that username doesn't exist. Then, as 'Luke' once more, tried getting reminder sent to my googlemail account, which is really the one associated with 'Luke, honestly', and when I checked there had received a password reminder for the 'Luke, honestly' account despite having not asked for that one.) (and also despite the fact that GMG has just told me that 'Luke, honestly' doesn't exist!)

At least it means I'm able to post here for now anyway, until next time I am logout and can't get back in again. But I'd rather be here in my comfy, worn in account! This one feels all itchy...
Title: Re: Logging out problem
Post by: karlhenning on February 22, 2011, 03:01:53 PM
A sighting!
Title: Re: Logging out problem
Post by: DavidRoss on February 22, 2011, 03:02:42 PM
This one feels all itchy...
;D
Title: Re: Logging out problem
Post by: Scarpia on February 22, 2011, 03:03:51 PM
At least it means I'm able to post here for now anyway, until next time I am logout and can't get back in again. But I'd rather be here in my comfy, worn in account! This one feels all itchy...

If you want to make an impression, try registering as M forever.   ;D
Title: Re: Logging out problem
Post by: petrarch on February 22, 2011, 05:03:36 PM
Curiouser and curiouser - was unable to log in as ANYTHING at all, using any username or password I've ever had. So, as 'Luke', I asked for a password reminder to be sent to my hotmail account, which is the one associated with that username. Did it twice, but nothing came. Then, tried to log in again as 'Luke, honestly', but was told that username doesn't exist. Then, as 'Luke' once more, tried getting reminder sent to my googlemail account, which is really the one associated with 'Luke, honestly', and when I checked there had received a password reminder for the 'Luke, honestly' account despite having not asked for that one.) (and also despite the fact that GMG has just told me that 'Luke, honestly' doesn't exist!)

At least it means I'm able to post here for now anyway, until next time I am logout and can't get back in again. But I'd rather be here in my comfy, worn in account! This one feels all itchy...

Might be your browser(s) getting confused with the cookies associated with GMG. I would delete those cookies and then try to log in again, on all computers you use to access the forum. I got some similarly weird behavior when I asked for my username to be changed. I had to explicitly log out, then delete the cookies, then log back in. Haven't had any problems since.
Title: Re: Logging out problem
Post by: Luke, honestly! on February 22, 2011, 05:07:34 PM
Might be your browser(s) getting confused with the cookies associated with GMG. I would delete those cookies and then try to log in again, on all computers you use to access the forum. I got some similarly weird behavior when I asked for my username to be changed. I had to explicitly log out, then delete the cookies, then log back in. Haven't had any problems since.

I'll try that, thanks - but it's odd because it happened on the work computer which I haven't used for about 10 days too, and which was fine last time. the behaviour there was identical to on my own machine. It's the bizarre messages that don't make sense that are confusing me most - the fact that the answer to my personal question is not recognised, for instance, or the fact that this new account I am (hopefully temporarily using) would also not log in for a while, and indeed I was told it 'did not exist'!

Thanks, though - will try that option too.
Title: Re: Logging out problem
Post by: Luke on February 22, 2011, 05:25:03 PM
Huge thanks to Rob, who's got me all sorted. The fundamental problem - that my passwords and security questions were all lost - remains unsolved, but the fact that I wasn't receiving the password reminder emails is something that must be a fault with my hotmail account, as I realised: for years now I haven't received emails from GMG as eg PM notifications, though I used to and never turned off that option; nor do they go to junk. I'd never thought about why I don't get PM notification anymore, assumed it must be some setting I'd changed without knowing it, , but it must be the reason I wasn't getting the password email either, nothing more simlar - my email simply doesn't like GMG! So Rob sent it to my googlemail instead, and voila!

Happy now!  :)  :)  :)  :)

Thanks Rob