Freewebspace.net WWW sessions.



DarkBlood
May 21st, 2007, 07:46
For those of you that have logged into the http://freewebspace.net/forums URL, you'll look like you're logged out if you navigate to a link that has www. at the front of the top-level domain (unless you logged into both). Keep this in mind when posting links as well. However, you'll be logged in still (unless you set the session to expire) if you come back to the other URL.

This is a known bug in vBulletin 3 (Because gzevolution.net fixed it by changing all of the links in the shoutbox.) Also, this was triggered when I clicked a http://www.freewebspace.net/forums link in the threads to remember topic.

Jan
May 21st, 2007, 07:54
Say what? :S Care to clarify?

DarkBlood
May 21st, 2007, 07:57
Say what? :S Care to clarify?

http://www.freewebspace.net/forums/showthread.php?t=21313

Click that when only logged into http://freewebspace.net/forums (It'll show you as logged out if you are. If it shows you as logged in... ...you've got two cookies for this site sister!)

Peo
May 21st, 2007, 07:58
I get it. :) If you go to freewebspace.net/forums normally but then click on a link to www.freewebspace.net/forums you need to log in again or remove the www part.

I'm not sure what you suggest we do about it though?

Jan
May 21st, 2007, 08:12
I am always logged into www, but changing to /FWS I am still logged in.

DarkBlood
May 21st, 2007, 09:44
I am always logged into www, but changing to /FWS I am still logged in.

Then you have two cookies as I said.

Jun Luzon
May 21st, 2007, 10:22
Pardon?
Forgive me, Sire... but what's cookies in Chingrish?

themoose
May 21st, 2007, 10:27
It's not really a problem. Might even be different with different browsers. Nothing to worry about here!

Richard
May 21st, 2007, 11:25
It's working as intended. It could be resolved, but why bother?

It's not a bug, most sites act like that.

DarkBlood
May 21st, 2007, 14:16
It's working as intended. It could be resolved, but why bother?

It's not a bug, most sites act like that.

I haven't experienced it with IPB, SMF or OvBB for that matter. (However, on IPB 2.x, I noticed it happens.) I haven't run into it on exocrew.com, t35.com, acnova.com, zero-outpost.com, markforums.com nor my current host however.

Richard
May 21st, 2007, 16:04
It's a setting in the cookie, it would allow for all or just a single subdomain to be set, it can be enabled in vBulletin, but it would be a security risk, as any subdomain could call out the data of that cookie.

Example:

User logs into Forum A on domain: http://examplehost.com the cookie is wildcarded to the domain ("*.examplehost.com", rather than "www.examplehost.com" or "examplehost.com")

A user with a subdomain (http://example.examplehost.com) can create a script that reads the cookies from the user, it would read all the cookies that meet the rule: "*.examplehost.com" or "example.examplehost.com".

The user that logged into Forum A visits http://example.examplehost.com.

Voilà, the script catches their cookie data, if it's an unsecure forum, the user can see the password, if it's not, the user can spoof the cookies in his cookies.txt file and is logged into your account making posts on your behalf.

I always disable wildcard cookies, for that very reason.

alley
May 21st, 2007, 20:18
That's some scary poop there bro! :nervous:


It's a setting in the cookie, it would allow for all or just a single subdomain to be set, it can be enabled in vBulletin, but it would be a security risk, as any subdomain could call out the data of that cookie.

Example:

User logs into Forum A on domain: http://examplehost.com the cookie is wildcarded to the domain ("*.examplehost.com", rather than "www.examplehost.com" or "examplehost.com")

A user with a subdomain (http://example.examplehost.com) can create a script that reads the cookies from the user, it would read all the cookies that meet the rule: "*.examplehost.com" or "example.examplehost.com".

The user that logged into Forum A visits http://example.examplehost.com.

Voilà, the script catches their cookie data, if it's an unsecure forum, the user can see the password, if it's not, the user can spoof the cookies in his cookies.txt file and is logged into your account making posts on your behalf.

I always disable wildcard cookies, for that very reason.

Richard
May 22nd, 2007, 03:04
That's some scary poop there bro! :nervous:

My point exactly.

Kwek
May 22nd, 2007, 04:57
My point exactly.
Woah, I never knew that.

TSO
May 22nd, 2007, 08:26
I've never had this problem, with any vBulletin forum. What browser are you using?

Kwek
May 22nd, 2007, 08:57
I've never had this problem, with any vBulletin forum. What browser are you using?
I thought it isn't a bug?

If you never had that, maybe you logged into both. I believe that this is the default setting.

Richard
May 22nd, 2007, 09:06
vBulletin:


Cookie Domain

This option sets the domain on which the cookie is active. The most common reason to change this setting is that you have two different urls to your forum, i.e. example.com and forums.example.com. To allow users to stay logged into the forum if they visit via either url, you would set this to .example.com (note the domain begins with a dot.)

It's the same as http://www.example.com and http://example.com
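
Added example (not part of the thread, and not vBulletin code): a small model of how a browser scopes a cookie by its Domain attribute under RFC 6265, covering both the logged-out-on-www behaviour and the subdomain exposure Richard describes for a ".example.com" style Cookie Domain. The hostnames are the ones used in the thread; the cookie name `session` is constructed, and the public suffix checks real browsers also apply are left out.

```javascript
// Added example: RFC 6265 cookie scoping, reduced to the Domain attribute.
// Hostnames come from the thread; the cookie name "session" is constructed.

// RFC 6265 section 5.1.3: does `host` domain-match `domain`?
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Model what a browser stores for a Set-Cookie received from `originHost`.
// `domainAttr` is the Domain attribute value, or null when it is absent.
function storeCookie(name, originHost, domainAttr) {
  if (domainAttr === null || domainAttr === "") {
    // No Domain attribute: host-only cookie, tied to the exact host.
    return { name, domain: originHost.toLowerCase(), hostOnly: true };
  }
  // A leading dot in the attribute value is ignored.
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  // A server may only set a cookie for a domain its own host matches.
  if (!domainMatch(originHost, domain)) return null;
  return { name, domain, hostOnly: false };
}

// Would the browser attach `cookie` to a request for `requestHost`?
function sentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

// Which of the given hosts receive the cookie.
function exposure(cookie, hosts) {
  return hosts.filter((h) => sentTo(cookie, h));
}

const hosts = ["examplehost.com", "www.examplehost.com", "example.examplehost.com"];

// Default (no Domain): logging in on the bare domain does not log you in on www.
const hostOnly = storeCookie("session", "examplehost.com", null);
// Cookie Domain ".examplehost.com": every subdomain receives the cookie.
const wide = storeCookie("session", "examplehost.com", ".examplehost.com");

console.log("host-only  :", exposure(hostOnly, hosts));
console.log("domain-wide:", exposure(wide, hosts));
```

The host-only case is symmetric: a cookie set from `www.examplehost.com` without a Domain attribute is not sent to `examplehost.com` either, which is the logged-out effect reported at the top of the thread.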