Strange Happenings

[Enough!Participant @enough]

This evening (Canada) I got an email telling me I had received a PM in response to an earlier PM of mine. When I went to the site to read it, I first found that I had been logged out (I hadn't used another computer in the interim). Then I discovered that my login wouldn't work.

I finally had to request a new password which then worked. Then, when I went to read the PM, it didn't exist. Earlier replies were there as well as the messages that I'd sent.

All this was happening around 1 am (UK time). Was there any site maintenance being done then?

[Enough!Participant @enough]

[Danny M2ZParticipant @dannym2z]

Three days ago I found that I was 'logged out' so re-logged in.

The next day I was 'logged out' again but having nothing to contribute, I just read the messages without logging in as this seemed a bit unusual.

The next time that I connected, I was logged in as usual without updating my details. I have noticed that the site is a bit paranoid about re-logging members, but usually one has a week or so before being prompted and as it's for our own protection I don't mind it too much.

Strange! It appears that something is going on.

* Danny M *

[Paul LousickParticipant @paullousick59116]

I now find that I have to log in each time, even though I have ticked the "remember me" button when logging on. Previously did not have to do this all of the time.

Paul.

[JasonBModerator @jasonb]

I too have found myself logged out more often that usual in the last week or so, maybe Neil can shed some light on it.

I have put the thread on te report list so he should see it.

J

Edited By JasonB on 10/02/2017 07:35:29

[Martin King 2Participant @martinking2]

+1 for repeated log in requests

martin

[John Stevenson 1Participant @johnstevenson1]

Had the same happen a while ago.

A while ago I had trouble accessing the Yahoo newsgroups, two of which I run. Did a google and I wasn't the only one.

Tried a variety of options suggested and finished up with an ad-aware type program [ wasn't Ad-aware ] that cure the Yahoo problem but then I started seeing problems on other sites like this one having to log in etc.

What brought it to a head was a lot on inline logins where you had to enter numbers I had to do it twice, first time I entered the number in a box and then moved on it disappeared. When it stared acting up with the on line banking that really raised flags and I got rid of it.

This is W7 on Firefox.

Still having problems with Yahoo but virtually given up on these ijits now but this site works fine IF I don't have ad blockers running.

[Ian PParticipant @ianp]

This logging out problem has been on this site for years as far as I can see.

I can go for weeks staying logged in and then one day find I am logged out, I then find I have to log in every time I visit the forum regardless of the remember me box. After a few days the site get fed up with me logging in each time and gives me easy access until the same thing happens again.

Ian P

[Mick HenshallParticipant @mickhenshall99321]

Yep same for me I have logged in gone to another site returned shortly to find out I am logged out , only a problem if I want to post which isn't that often and its no problem to log in again

Mick n

[Neil WyattModerator @neilwyatt]

There are an awful lot of things that can log you out:

• There's a time limit.
• If your ISP changes your IP address
• You clear your cookies
• Your security settings stop you staying logged in
• If the webserver resets or there's a significant change to the database (not sure of the details but when they do work on the server I know that it logs everyone out, sometimes several times).
• You log on to one of the related MTM websites at the bottom of this page.
• You log on using a different device.
• You or someone else logs on using a different account on the same machine.
• The phase of the moon is wrong.

Neil

[Ian PParticipant @ianp]

Neil

I agree totally with you on the items you listed, but…..

I never ever see the same erratic logging out behavior that this site has, on any other forum I visit. One I visit every 12 months has remembered me for at least the last 5 years.

I do get odd things happening with Yahoo but I don't count them as setting a good standard.

Ian P

[Neil WyattModerator @neilwyatt]

I happily believe you Ian

I'm sure the way the website verifies whether or not people are logged in is part of the issue – I suspect the system was designed to be as secure as possible and is probably too cautious.

Neil

[Ian PParticipant @ianp]

My last post was only intended as an observation but I am glad I made you happy!

I think its best not to make any changes to this site, it might not be perfect but it works and we are all used to it.

Ian P

[Enough!Participant @enough]

Posted by Neil Wyatt on 10/02/2017 11:41:17:

 

• There's a time limit …. previous session was ~2hrs earlier
• If your ISP changes your IP address ….. I have a static IP
• You clear your cookies …. nope
• Your security settings stop you staying logged in …. nope, and nothing changed anyway
• If the webserver resets or there's a significant change to the database …. the reason for my question in part
• You log on to one of the related MTM websites at the bottom of this page ….. nope
• You log on using a different device …. nope
• You or someone else logs on using a different account on the same machine ….. nope
• The phase of the moon is wrong … it's coming up for a full moon (Saturday, I think). Would that do it? The wife has started howling.

  Actually, the "logging out" bit that the thread seems to have focussed on is the least concern for me. I don't recall it happening before except when, on reflection, I realised I used another machine previously but I can pass it off with a shrug.

  What is of more concern is that my password would no longer work. And apparently it wasn't a widespread problem (such as if a file got trashed during site maintenance) or I'm sure there would have been uproar. If my login has been breached by a third party, they don't seem to have done anything with it other than change the password (but not the email address). No malicious postings in my name for example.

  Does this site send an email if the user changes his password as many sites do? if so, I didn't get one which would seem to suggest it wasn't changed by a third party (I know an email is – necessarily – sent if you request a password change at login due to forgetting).

Edited By Bandersnatch on 10/02/2017 15:08:58

[SillyOldDufferModerator @sillyoldduffer]

Posted by Neil Wyatt on 10/02/2017 11:41:17:

There are an awful lot of things that can log you out:

…

Neil

At last we've touched on a problem where a superannuated Software Engineer might be able to offer something!

Just as a boiler can only take so much pressure, there is a limit to the number of logged in users that a website can manage. It might be a very large number, or it might be a low one. The existence of a limit could explain some of the symptoms reported.

When people 'log in' to a website, the software adds them to a list held in computer memory. The list contains much more than usernames; for each logged on user there will be a record containing timestamps, cookies, IP addresses, browser type, permissions, and whatever else is needed to provide the user with a 'login necessary' service. All this takes space and there will be a limit somewhere.

What happens when you try to login when a web server doesn't have the capacity to take you on? I've seen all these reactions in the real world, and there are probably more:

• web server falls over in a mumbling heap and has to be restarted to empty the login list. (Such installations usually go down for regular maintenance.)
• web server sends a series of alerts to the system administrator as the login list approaches maximum, but still crashes if nothing is done.
• web server declines new logins until someone logs out.
• web server operates a ring list, where new users overwrite old ones on a first in first out basis. People who've been logged in for a while suddenly get knocked on the head and don't know why.
• web server scans the list trying to find a login to delete to create space. Some software does this one at a time, but more usually a 'garbage collector' scans the whole list and prunes people out wholesale according to some design criteria. Whether or not you are considered 'garbage' is implementation specific, for example, ordinary users are much more likely to be dumped than moderators. Garbage collection is often so intensive that the entire site slows to a crawl whilst it's in progress.

Those of you with criminal minds will have realised that flooding a website with fake login requests might be a good way of hurting it. These types of attack are rather common, and most web servers have some means of recognising and containing assaults without shutting down completely. Self protection may be the reason that a website suddenly becomes slow and inaccessable; it may be fending off an intruder.

Web services are exceptionally efficient if you don't log in. Maintaining lists of users and their privileges adds a heavy overhead compared with servicing anonymous page requests. For that reason, I don't login to the forum unless I intend to post, and I try to log out when I've finished. Back in the day, this was encouraged as 'good neighbour' policy. Nowadays, me worrying about overloading the internet probably means I'm old fashioned! Even so, the forum might have more zip if large numbers of members didn't stay logged in for long periods.

Or there might be a fault…

Dave

[Neil WyattModerator @neilwyatt]

@Dave, We do seem to have picked up a lot of new members recently and the overall list of verified members is a bit huge… so it may well be sheer weight of numbers logging people out.

@Bandersnatch, no one else has reported a password issue, it may just be a file going bad? We send password reset emails when asked for but don't send a confirmation email on a change.

Also, time limit applies from when you last logged in, not teh last time you accessed the site.

Neil

[brickyParticipant @bricky]

I am logged out nearly every time so I just thought this was normal.

Frank

[Enough!Participant @enough]

Posted by Neil Wyatt on 10/02/2017 17:30:39:

@Bandersnatch, ….. We send password reset emails when asked for but don't send a confirmation email on a change.

 

That's a pity actually. The confirmation email to the existing email address when the password and/or email address is changed is a useful security feature in the event that an account is hacked.

(Even if the email is simply for information and doesn't require a return confirmation, it's a warning for the user).

Edited By Bandersnatch on 11/02/2017 01:37:38

[Enough!Participant @enough]

Just to wrap this up.

I checked with the sender of the PM that I was notified of but wasn't there when I looked. He confirmed that at his end, it was marked as read 09/02/2017 23:46:27. That's 6:46 pm my local time and it certainly wasn't me. It would appear that it was read and then deleted.

It would also appear that, in the same time frame, my password was changed and my machine was logged out (as it would be if someone had accessed the account from another machine).

Since it seems unlikely that all of these things together were the result of a system glitch, I have to conclude that my account was accessed by a third party. Luckily, they only changed the password and not the email address which enabled me to get a password reset. If they had changed the email address too I'd have been unable to access the account at all and they would have been free to pose as me and do whatever these people jerks do.

As Neil has pointed out, there is no safety net in the sense of having to approve password/email changes from the existing email address to preclude a complete hijack.

[Author]

Posts