UBB.Developers Forums UBB.classic V5 Mod Questions LOGIN.CGI Version 3.0 public available for download 1/6/01

OK I have installed this hack now and have these comments.

It's very good code in general. Thanks!

1 - Be great if the last login date was stored in the member profile (in a spare field), then I could identify inactive users and remove them (also a hack to automate that would be handy).

2 - It would be nice if the "processing.." forwarding pages picked up the local UBB color settings (as most sites have different color schemes). I had to edit the CGI here.

3 - If you could supply a sample login form inside a table to align the fields neatly (I know you supply your HTML but that contains a lot of other stuff). Most people probably just want to include a login box on their existing home page (a bit like the Email login box on UBBDEV).

4 - Need to remind people to adjust other hyperlinks that they mave have to the UBB scripts for "registration" and "lost password" to use your CGI instead - or these UBB links will just bounce users out.

I'm not using SSI, as I don't need total security - just trying to get normal users to register first, before viewing.

Cheers

This message has been edited by Pilot on January 13, 2001 at 12:59 PM

>1 - Be great if the last login date was >stored in the member profile (in a spare >field), then I could identify inactive >users and remove them (also a hack to >automate that would be handy).

Pilot, that's a request for the UBB folks, not me.

>2 - It would be nice if the "processing.." >forwarding pages picked up the local UBB >color settings (as most sites have >different color schemes). I had to edit the >CGI here.

Sure, but others told me it should remain as is because the screens, being different, draw attention to the them and also they only display briefly. But I see your point and shall consider it for next release.

>3 - If you could supply a sample login form > inside a table to align the fields neatly

HTML is up to the user. Do as you see fit and the example is more for the forms tags and not the layout. You missed the point of the example page if this bothers you, the example page is to remind folks to create a login page, what to include on it, and also how to call the script in the HTML. The rest is window dressing. So if you're bugged by this minor problem, send me a file you feel should be included in the docs. My time is better spent on improving the script.

>4 - Need to remind people to adjust other >hyperlinks that they mave have to the UBB >scripts for "registration" and "lost >password" to use your CGI instead - or >these UBB links will just bounce users out.

You couldn't be more wrong. Don't take offense at this, please. The login script means ALL users login from a central starting point so the authorized cookie gets created so no bouncing. This is emphasized in the documentation as is this concept. I even went so far in the docs to stress folks should promot the login page URL, inform users to bookmark the new page, and that the login page is THE most important part. Obviously in your mind you completely missed this basic and crucial concept of my hack.

Pilot, I've listened to you, and addressed your concerns. If you have any other issues, please send them privately. I tremendously appreciate your feedback, as I do from all UBB webmasters, and appreciate you using the hack and saying nice things about it. Thanks so very much, and now I will move on to other folks issues.

Take care, Pilot. :-)



------------------
From: Jim Goldbloom
UBB Code Hacker
http://www.accessdeniedbbs.net/downloads for latest hacks

Anyway to clarify one point. I had links to register and lost password on the SAME page as the login fields (my home page) - so they didn't work until they were changed. Maybe I did something wrong - but that is what happened to me and may happen to others.

I post here, on this public UBBDEV site to share my experiences with the other members and don't expect a personal reply from the author of the hacks. Free feel to concentrate on the more important tasks that you have.

I have updated the docs and perl-cookie.lib for Windows users to assist them in setup.

For latest version:
http://www.accessdeniedbbs.net/downloads

Thanks to all the UBB users who helped me work out the kinks for Windows users in 3.0!

------------------
From: Jim Goldbloom
UBB Code Hacker
http://www.accessdeniedbbs.net/downloads for latest hacks

This message has been edited by hate98 on January 14, 2001 at 10:16 AM

wanted: beta testers for 4.x

email [email protected]

This message has been edited by hate98 on January 14, 2001 at 10:26 AM

hate98,

I'm running the UBB on Unix btw...

AgentX

H, I've tested the changes you made re: Win32 servers and I'll have to go back on what I said about changing the cookiepath.

Only '/'; works for me, anything else 'c:/'; or 'c:\'; DOES NOT WORK. I'd got this a bit wrong recently, sorry about that, but I'm now quite sure.

BTW I do have a c: drive.

Thanks spiffy, I've had others help out with this and I've updated my docs for Windows folks. Issue is now resolved. Take care.

------------------
From: Jim Goldbloom
UBB Code Hacker
http://www.accessdeniedbbs.net/downloads for latest hacks

Can you explain how to make the cookie expire after a certain time period instead of after the browser session? I would like to make it so a person would have to login every 24 hours, but in your documentation of the cookie script you only show how to make a fixed expiration date/time.

Thanks for the great script.

------------------
Mike
------------------
Visit STCC: stcchat.com

In the next beta I am going to add an option for the cookie expiration and some traps that will force a logout. This will be a new config option in login.cgi and I'll allow you to decide how users are to be forced logged out in terms of cookie expiration.

However, with that said, can you please explain why you want to ensure users cannot remain online to your web site for >24hrs? I'd just like to hear what you have to say as this will help me construct the beta options accordingly.

-jim

------------------
From: Jim Goldbloom
UBB Code Hacker
http://www.accessdeniedbbs.net/downloads for latest hacks

This message has been edited by hate98 on January 15, 2001 at 02:19 PM

Mainly because I have installed the little line of script checking for their cookie, so as long as they have logged in, in the last day, they will be able to post and stuff without re-entering data, but the board should not be viewable to those that haven't.

A lot of my board's members are really pissed that they have to spend 10 seconds typing in data every time they come to the page.

------------------
Mike
------------------
Visit STCC: stcchat.com

I know they get pissed, but I want everyone reading this thread to think about something...

The login concept is to ensure ONLY authorized users can gain access, in addition to solving UBB missing cookie problems with UserName and Password.

With the current concept, a user logs in once, can leave their browser open for all eternity and they will not have to login. Unless, of course, they either logout or close browser session.

I could add in a javascript cookie detect routine in the login page which would allow users have either their username and password already filled out so all they need to do is click on the submit button. Or, if cookies detected, simply take them to your $welcome page defined in the config.

BUT --- and folks, pay attention to this --- what if someone else comes by and uses the computer? Or what if a child gets into an adult UBB because the cookies still exist? Or some folks in a work environment where everyone shares a lan and PC's are all over the room with Internet access? One employee could "use the login" of another employee who stepped away from his desk more easily than before.

You see, a login being required is a GOOD thing, and my original concept of additional security does mean users will and should type in their username/password at each visit.

This is how the old dialup BBS's worked, and how high end secured web sites work. The "convenience" features such as bypassing login to avoid "pissed off users having to type in something which takes 10 seconds" are really dangerous at their core.

I'd like to get some opinions on this, what do you think is the best strategy? I personally think those extra 10 seconds provides you, the webmaster, and unknowingly the user, with some peace of mind that only they are using their account.

So, bells and whistles can be a bad thing.

Thoughts, comments?




------------------
From: Jim Goldbloom
UBB Code Hacker
http://www.accessdeniedbbs.net/downloads for latest hacks

I realize doing something like this would undermine the security aspect of the login somewhat, however, people with IE5 already have their usernames filled in most of the time and sometimes passwords. I installed this hack primarily because a good chunk of our userbase doesn't show up in the Who's online hack, which this remedies.

Adding an optional javascript code to add to the login page to remember username/password would be good. Or to simply have it bypass the welcome screen entirely. I still think my idea of having the login expire after a set ammount of time provides improved UBB security, while being more convienient for users that are against having to login at all. That way, for a limited time their login info would be "insecure" but it would be secure after the set ammount of time.

------------------
Mike
------------------
Visit STCC: stcchat.com

Yes, that's my thinking also. The reason your who's online script works better (and also why username/password are filled in properly each time when posting) is because the login page sets cookies. It's pretty easy to retreive when you know they've just been set!

For now I think the best plan of attack for the upcoming beta is to allow the option of a UBB webmaster to set a time limit on the life of the "authorized" cookie. So your request will be granted and expect it in the next public release in one form or another. Thanks for the excellent suggestion.

I strongly feel the login fields should be blank upon each visit to the login page for the obvious security implications. You seem to agree and thank you for your opinions.

Other opinions encouraged, please speak up, I will check this thread occasionally.

On a side note: If I was designing UBB, I would have used cookies to store certain things, but other things such as list visit time, last post, preferences and private forum access are better stored in the member database. I had folks ask me to design that into the UBB and my script, but such integration would make my hack no longer an "Addon" hack, but instead a new UBB which would undoubtedly BREAK any other UBB hack which accesses the member files. Plus, I'd have to maintain any files if I opted to store such data externally. Bottom line? It's easier for us to suggest this type of behavior to the UBB folks and not me!

-Jim



------------------
From: Jim Goldbloom
UBB Code Hacker
http://www.accessdeniedbbs.net/downloads for latest hacks

The HTML code attribute you need to add to thetag is just:that way, no matter what a person's autocomplete settings are, they can't use autocomplete on it.

------------------
Mike
------------------
Visit STCC: stcchat.com

This message has been edited by mmnatas on January 15, 2001 at 03:21 PM

Not necessary. I prefer to allow UBB webmasters to design their own login page and add whatever bells and whistles they want, as that's external to my script. Besides, nothing wrong with autocomplete because the password field is still **** and that's a time saving feature which I feel is nice to have and offers benefits. In other words, I'm all for security, but I'm not saying logging into a UBB should be like breaking into a bank's ATM machine either! heheh

------------------
From: Jim Goldbloom
UBB Code Hacker
http://www.accessdeniedbbs.net/downloads for latest hacks

This message has been edited by hate98 on January 15, 2001 at 03:22 PM

Another thing that could be improved on is the logging. Instead of just deleting the log, could you either delete off the oldest entries, or have it save back so many hours/days?

------------------
Mike
------------------
Visit STCC: stcchat.com

I've decided againt making a super fancy log which reads/writes and does archiving and more intelligent decision making. Why? The script needs to run very fast behind the scenes and it's called quite often. I opted to use a simple append write function (with file locking) to speed up things and it really, really makes a difference.

You'll need to manage the logs on your own via server side scripting (i.e. cron jobs which move the logs to an archive directory every Xth day of the month for example) to avoid nasty server performance hits. That's why I put in the logging disable commands also.

Less is more in my opinon.

-Jim


------------------
From: Jim Goldbloom
UBB Code Hacker
http://www.accessdeniedbbs.net/downloads for latest hacks

Jim I do find the suggestion by mmnatas very usefull. I wanted to install this hack but didn't in anticipation of what he is seeing.
The security concept should be that it is upto the user whether they want to take the extra 10 seconds and type the password or whether they want it pre-filled.
This is a very neat hack specially for those who have Who's online installed.

Jim if you are working on a newer verion with these bells and whistles it wouldn't be a bad idea to wait few more days and make it UBB6 compatible

I'm all for that! :-)

------------------
From: Jim Goldbloom
UBB Code Hacker
http://www.accessdeniedbbs.net/downloads for latest hacks

Hi! i made a little change to this hack to make it look like your board when processing missing login, invalid login, etc...

find:

require "UltBB.setup";
require "ubb_library.pl";
require "Date.pl";
require "perl-cookie.lib"; # special cookie library for perl - IMPORTANT
};

and add after:

#adjust bgcolor variables
if ($BGColor ne ""){
$BGColor = qq(bgcolor="$BGColor");
}
if ($AltColumnColor1 ne ""){
$AltColumnColor1 = qq(bgcolor="$AltColumnColor1");
}
if ($AltColumnColor2 ne ""){
$AltColumnColor2 = qq(bgcolor="$AltColumnColor2");
}
if ($CategoryStripColor ne ""){
$CategoryStripColor = qq(bgcolor="$CategoryStripColor");
}
if ($TableColorStrip ne ""){
$TableColorStrip = qq(bgcolor="$TableColorStrip");
}
if ($PageBackground ne ""){
$PageBackground = qq(background="$NonCGIURL/$PageBackground");
}

find:



and replace with:



find and remove: (right under the )

color="#ffffce"

do it twice

that's all...

what do you think?

this is my first "hack" in a hack...

------------------
TyRaN = tyranausaure



This message has been edited by TyRaN on January 18, 2001 at 02:34 AM

Excellent. I will implement a form of that in the next release. I am waiting for UBB6 to come out and will release mine after that.

-Jim

------------------
From: Jim Goldbloom
UBB Code Hacker
http://www.accessdeniedbbs.net/downloads for latest hacks

thanks... i apraciate the compliment...

------------------
TyRaN = tyranausaure

Any new developments with beta 4?

------------------
Mike
------------------
Visit STCC: stcchat.com

No beta 4 until UBB6 out which is end of this month according to the InfoPOP site. I am on hold until then.

------------------
From: Jim Goldbloom
UBB Code Hacker
http://www.accessdeniedbbs.net/downloads for latest hacks

why your going to make me cry

------------------

First, nice hack.... great instructions!!! A++++[br]but how can I stop the pages from breaking out of my frames... I have tried multiple attempts at editing the login.cgi but to no avail... Please anyone help...

------------------

Are you referring to the SSI frames hack?

If not, the script does not set any targets so by default pages will load in _SELF which means the same page from which the script was called. I run frames on my page and everything works great. It's a fatal mistake to use crazy target names and not keep track of 'em. That has nothing to do with the script. Or, maybe you use a javascript routine which forces a breakout of the frames? Remove it, if so, but that's not performed in login.cgi, rather that's in your login page HTML (i.e. the demo login page included in the docs).

If you are referring to the SSI hack where a user visits a forum topic and gets redirected back in a frames setup, then you simply did not cut/paste the correct URL into the config of login.cgi. I use it on my site, and trust me, it works fine. No bug reports from anyone on this aspect of the script.

Hope this reply addresses your issue. If not, I need the URL of your site and an explanation of what I need to do to create the problem when I visit.

------------------
From: Jim Goldbloom
UBB Code Hacker
http://www.accessdeniedbbs.net/downloads for latest hacks

thanks for replying so quickly... The base target in the sample was set to _top, when it should of been to main_scrren.... thanks for kicking the cob webs out... now I know it's time to get to bed...

------------------

I use basic authentication on my site, is there any way to get the username and password from an NT session and pass it to the login script, thus bypassing the need to enter details twice?

Sorry, the script was not designed to be used in conjunction with other auth methods, but rather to replace any existing method.

I suggest you do not use the script.


------------------
From: Jim Goldbloom
UBB Code Hacker
http://www.accessdeniedbbs.net/downloads for latest hacks

Thanks, Jim. I'll use the script because it's really impressive, I'll just implement the SSI part.

Another query please: I have a chat room on my site, is there a way I could use the cookie information from your login script to integrate into the chat script which requires a username/password to be inputtd before accessing, i.e. getting u/p from the cookie and filling in the appropriate text boxes?

Thanks, again.

On my web site I have user chat in the form of an applet. Instead of using HTML to display the applet and so forth, I made a perl script instead. If you know Perl, then I do not have to explain, you'll know what I mean and how to integrated variables into HTML (that's for advanced users only.)

The other way to do this is to write a javascript routine which loads cookies and fills in the username field automatically.

None of this has anything to do specifically with the login script, please note.

Visit my BBS http://www.accessdeniedbbs.net and go to my chat function and you'll see how I did it. I used the Perl method.

-jim

------------------
From: Jim Goldbloom
UBB Code Hacker
http://www.accessdeniedbbs.net/downloads for latest hacks

LOGIN.CGI - Version 3.5 [Public Release]
Supports versions 5.xx of UBB Licensed ONLY
By Jim Goldbloom [email protected]

Release date: 02/02/01 3pm

This is my final release for 5.xx series of UBB.
A new beta for UBB6 users will be available in a few weeks.

What is LOGIN.CGI?

So you're thinking why not just use .htaccess and be done with it? HA! I say, HA HA HA! ;-)

This version supports support for UBB styles (colors/fonts/etc.) plus a nifty new option to ban users who do not have posting enabled in their profile, if you wish. Other cosmetic fixes and it's an EXTREMELY stable version. I also updated the docs and perl-cookie.lib to help Windows users. This is a complete front end to tighten security on your UBB and allow a customized login screen complete with guest login support (optional), SSI redirects of forum topic pages requiring login first, IP ban checking, invalid/missing/illegal logins, and fixes problems with a few cookies. This is a powerful front end and I am sure you'll enjoy, it's highly customized and even includes custom redirect option you can use as you see fit.

Full features listing in this version:

* authenticates username/pass with UBB member files
* catches/logs ALL invalid/missing/illegal logins
* full support for IP ban list in CP
* Optionally force logout users who do NOT have
posting capability enabled but are registered.
* login username displayed in UBB; logout prompt hack
* full support for guest login mode
* support for registration screen (new members)
* support for lost password function in UBB
* when posting, username/pass fields *always*
filled in automatically even if other cookies expire
* guests are restricted from posting - full control
* custom entry point login screen integration for
unique online experience for your users
* automated logging (creates browser viewable HTML)
including date/time/user/IP/hostname lookup
and ability to disable events as you wish
* optional SSI support for max. data protection
(such as accessing UBB HTML topics/forums) with
registered user auto-redirect after login
* forced/manual login/logout, integrated into UBB
* allow custom private forum/screen redirect to
expand functionality of your UBB
* demo screens included in release archive
* full documentation and examples in archive
for UBB hacks, login screen demo, SSI setup
* friendly login-setup.txt - new and improved
* very streamlined UBB hacks, easy to install
* redirects have sensible timing delays
* colors and fonts are pulled from UBB styles
settings so clean, integrated interface for
any HTML generated by the script.

See it in action: http://www.accessdeniedbbs.net
(support forum in place on the BBS) - UBB6 with beta login script

Download the latest files/zip from: http://www.accessdeniedbbs.net/downloads

Enjoy, and feedback always appreciated.
If you wish to become a beta tester, send me email please! I need beta testers for 4.x run on the UBB6 platform!

DO NOT RESPOND TO THIS EMAIL
SEE THE NEW THREAD I POSTED.
THANK YOU.

Moderator - please kill this thread.