ClassCreator.com | Blockbuster sites, amazing reunions

Share Tips

New Topic Reply Subscription Options  

security test failed

Forums: Suggestions and Feedback
Created on: 12/18/08 10:57 PM Views: 2059 Replies: 9
Thursday, December 18, 2008 at 10:57 PM

Hi, oh great, creator! I have just started building my site and I am testing the security protections to see what I can get to with out logging in. Password protection seems to be failing. I have Classmate Profiles protected yet when I open the homepage from a google search (homepage is not password protected) remain unlogged in, and click on Classmate Profiles I can get to the list of names intermitently. Click and I'm in, click and I get the log in page. It also happens when I click on the Log In box that is on my Home page. This is a problem cause it makes it useless to have a secret password if anyone can pose as a classmate. It works then it doesn't a second later. Any insight?

Reply
Friday, December 19, 2008 at 12:03 AM - Response #1

The security is working fine. One of two things is happening to you:

1) When you access the Classmate Profiles page you're pulling a cached version of the page prior to the time you password protected it.

2) You aren't truly logged out. Either you didn't click log out, or for whatever reason clicking logout didn't remove your login cookie.

There's only one way you can really give this a real test, and that's the following:

1) Clear your browser's cache AND cookies
2) Shut down your browser and open it back up
3) Go to your site either via Google, or directly -- doesn't matter.
4) Now try to access any password protected area of your web site, or any restricted Classmate Profile.

You'll see that the security is working fine. Trust me, if this wasn't working correctly we'd get about a gazillion complaints in 2 seconds.


Reply
Edited 12/19/08 12:05 AM
Friday, December 19, 2008 at 4:47 AM - Response #2

No. Not if you click the "Log Out" link before leaving the public computer, anyway. And even then, you'd only have to click that if you selected the "keep me logged in" option when you first logged in from the home page login box.

Some individual computer settings (security settings and otherwise) COULD make clicking the Logout link NOT reset the login cookie. Although rare, if you want to be extra cautious, also clear cookies after logging out. That'll do the trick every time. Even better still though, don't select the "stay logged in" option from a public computer in the first place, and just shut down your browser when done.


Reply
Sunday, December 28, 2008 at 1:27 AM - Response #3

Is it at all possible if a classmate is logged in for someone not logged in to visit their profile? I just did it and I am very concerned now. I tried to visit a profile of someone not online and I was stopped, but was able to go to the person online. I made sure I was completely logged out.

Reply
Sunday, December 28, 2008 at 2:02 AM - Response #4

No, somebody being logged in or not would be completely irrelevant. When you were not logged in and you got into a Classmate's Profile, was this Profile open to the public, or restricted? If it was not restricted, then this would be normal.

If it was restricted, then go do it again after following these steps:

1) Clear your browser's cache AND cookies
2) Shut down your browser and open it back up
3) Go back to your web site
4) Now try to access the Profile

If the Profile is restricted, and you've run the test above, you'll be denied.


Reply
Edited 12/28/08 2:04 AM
Sunday, December 28, 2008 at 2:34 AM - Response #5

Can you clarify for me "is this profile restricted?" The person did not have her address or information checked. Is that your question?

I thought I had made the profiles restricted globally, unless they specifically checked the box to show their info. I will need to wait for people to be online, in order to test the above (logout, clear cache and cookies, close browser, reopen browser, then try to access an online person ?correct?)

Reply
Sunday, December 28, 2008 at 11:49 AM - Response #6

Well, you certainly can if you want to, but because somebody being online or not has nothing to do with anything, it really won't matter.

What you need to do is look at the Classmate's Profile and specifically look at the little checkbox where the Classmate chooses whether or not to make their information publicaly viewable, or restricted to only logged in fellow Classmates. This security feature is located near the bottom of each Classmate's Profile. I'm nearly 100% certain that the Profile you're getting into while somebody happens to be online is publicy viewable and not set to be restricted. Thus you or any other non logged in individual is going to get into that Profile 100% of the time regardless of whether or not that particular user is logged in or not.


Reply
Edited 12/28/08 11:51 AM
Sunday, December 28, 2008 at 2:07 PM - Response #7

I did the clean and check this morning. 2 people were online. One person I could get to profile and one I could not. I checked their profiles, and as you suggested the person I could get into had not checked that box. I checked the person I mentioned yesterday, and hers is checked. So, maybe that was my cache. I will check hers when I see her online again.

How is that box defaulting. Can we have the preference to default to have that box clicked and at the end in () Recommended? This scares me that someone on the net can get to personal info. I doubt any of my classmates understands the outcome of not clicking this box.

Reply
Edited 12/28/08 2:08 PM
Monday, December 29, 2008 at 2:10 AM - Response #8

Bear in mind that email address, telephone number, and street adddress are never shown to the public even if somebody doesn't check this box. Nearly half of Classmates choose to not restrict their Profiles because they like to share them with others, such as family, friends, colleagues, etc.

I made the assumption when creating that feature that people would actually read as they join the site. But you know what they say about assuming... Am I safe in assuming most of you would prefer that checkbox be preselected by default, thus restricting Profile access for those Classmates who don't read carefully (or at all) while signing up?


Reply
Monday, December 29, 2008 at 2:23 AM - Response #9

I would like it checked by default and I think it would be helpful to put (Recommended) at the end of the line. I know for me when I am unsure, I look for what the site recommends and choose that.

I sent out an email tonight to all the registered classmates, asking them to check the box. (I will forward you a copy of the email.) I combined Welcome, Happy New Year, please keep your profile updated and security/privacy in one email. Within minutes of sending it, people starting logging in...

Reply
New Topic Reply  
Subscription Options: Have all new forum posts sent directly to your email.
Subscription options are available after you log in.