Subject: Re: Postmill thread
From: anonymous@def2.anon (anonymous)
Newsgroups: rocksolid.nodes
Organization: def2org
Date: Mon, 9 Sep 2019 17:57 UTC
My idea on ff was to require a password to post every time (like rslight). If you want to save that at your browser, that's the user's decision, but I figured if that was required even if someone gets your session, they can't post as you. I guess this can be broken down to these steps:

-create a custom theme
-take out all the login forms and links to them from the start page and forum views
-patch index.php so that the post form can be accessed without login
-insert a login form into the post form
-patch index.php so that the login is performed with the data provided in the post form, the article is posted and the user is logged out again.

Sounds plain and simple. I will get started on it. Might be that some patching has to be done to login.php and forum_login.php as well.

cheers

trw
Posted on def2




Subject: Re: Postmill thread
From: anonymous@def2.anon (anonymous)
Newsgroups: rocksolid.nodes
Organization: def2org
Date: Mon, 9 Sep 2019 19:03 UTC
more precisely, I believe that the key is in the three functions in index.php (lines 278 to 417):

ses_make_sysid
ses_get
ses_anon_make

the second could be used to make all sessions anonymous. i cannot shake the feeling that the root cause for the issue is also in these.
Posted on def2




Subject: Re: Postmill thread
From: anonymous@def2.anon (anonymous)
Newsgroups: rocksolid.nodes
Organization: def2org
Date: Mon, 9 Sep 2019 19:10 UTC
maybe it is enough to add some random number to the sys_id generated in ses_make_sysid. this is how it is done in ses_make_anon.
Posted on def2




Subject: Re: Postmill thread
From: anonymous@def2.anon (anonymous)
Newsgroups: rocksolid.nodes
Organization: def2org
Date: Mon, 9 Sep 2019 19:25 UTC
uncommenting line 350 in index.php might do the job. it looks like in case of unknown users there is a comparison for criteria which tend to be the same in the darknets (ip, user agent,...). also, it looks like this is a quick hack that is not from the author.
i checked and at least it did not break anything if you uncomment this line. i will check later if it fixes the problem on tor.

cheers

trw
Posted on def2




Subject: Re: Postmill thread
From: Retro Guy@rslight.i2p (Retro Guy)
Newsgroups: rocksolid.nodes
Organization: Rocksolid Light
Date: Wed, 11 Sep 2019 09:29 UTC
anonymous wrote:

> uncommenting line 350 in index.php might do the job. it looks like in case of unknown users there is a comparison for criteria which tend to be the same in the darknets (ip, user agent,...). also, it looks like this is a quick hack that is not from the author.
> i checked and at least it did not break anything if you uncomment this line. i will check later if it fixes the problem on tor.

Nice work tracking stuff down!

One thing to consider is that Tor Browser intentionally looks the same (all users) to a web server. I've thought about entirely removing sessions from ff (removing the actual session_start lines), but I have not tried this yet.

Retro Guy

--
Posted on Rocksolid Light



Subject: Re: Postmill thread
From: anonymous@def2.anon (anonymous)
Newsgroups: rocksolid.nodes
Organization: def2org
Date: Thu, 12 Sep 2019 21:13 UTC
> Nice work tracking stuff down!

Thanks, I am not sure if I have it yet

> One thing to consider is that Tor Browser intentionally looks the same (all users) to a web server.

Yes, that is the point. The session token for a user session is an md5 generated from stuff like:
-ip-address
-user-agent
-(other stuff which is meaningless when working with the torbrowser)
In contrast to this, the anonymous session is simply a random value. This should work for the user session too.
I guess when ff was written, tor or other darknets were simply not considered as a use case.

> I've thought about entirely removing sessions from ff (removing the actual session_start lines), but I have not tried this yet.

If you remove sessions completely, I believe you have to rewrite the post function, too.

cheers

trw

btw, the newsserver on def4 is missing some messages, I guess I have to reactivate the old pullnews...
Posted on def2
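
The collision described in the post above, as an added example that is not part of the thread and not FUDforum's code. It is a simplified model: the function names, the fields hashed and the sample address and browser string are assumptions based on the thread's description.

```php
<?php
// Added illustration, not FUDforum code. Function names and the exact fields
// hashed are assumptions based on the thread's description.

// Deterministic ID: a pure function of what the server sees of the client.
function fingerprint_session_id(string $ip, string $userAgent): string
{
    return md5($ip . '|' . $userAgent);
}

// Random ID: 128 bits from the OS CSPRNG, independent of client attributes.
function random_session_id(): string
{
    return bin2hex(random_bytes(16));
}

// Find the session for a visitor who arrives without a cookie.
// $makeId decides which ID the server derives for that visitor.
function attach_session(array &$store, string $user, callable $makeId): string
{
    $sid = $makeId();
    if (isset($store[$sid])) {
        return "{$user} lands in the session of {$store[$sid]}";
    }
    $store[$sid] = $user;
    return "{$user} gets a new session";
}

// Constructed sample: two visitors to a hidden service. Both connections come
// from the local proxy address and carry the same uniform browser string.
$ip = '127.0.0.1';
$ua = 'Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0';

foreach (['fingerprint', 'random'] as $mode) {
    $store = [];
    $makeId = $mode === 'fingerprint'
        ? function () use ($ip, $ua) { return fingerprint_session_id($ip, $ua); }
        : 'random_session_id';
    foreach (['alice', 'bob'] as $user) {
        echo "[{$mode}] ", attach_session($store, $user, $makeId), "\n";
    }
}
```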




Subject: Re: Postmill thread
From: trw@anon.com (trw)
Newsgroups: rocksolid.nodes
Organization: def5
Date: Thu, 12 Sep 2019 21:21 UTC

testing something, can't use /test

Posted on def4


Subject: Re: Postmill thread
From: retro_guy@retrobbs.rocksolidbbs.com (Retro Guy)
Newsgroups: rocksolid.nodes
Organization: RetroBBS
Date: Thu, 12 Sep 2019 23:08 UTC
On Thu, 12 Sep 2019 21:13:25 -0000 (UTC)
anonymous@def2.anon (anonymous) wrote:

>> Nice work tracking stuff down!
>
> Thanks, I am not sure if I have it yet
>
>> One thing to consider is that Tor Browser intentionally looks the
>> same (all users) to a web server.
>
> Yes, that is the point. The session token for a user session is an
> md5 generated from stuff like:
> -ip-address
> -user-agent
> -(other stuff which is meaningless when working with the torbrowser)
> In contrast to this, the anonymous session is simply a random value.
> This should work for the user session too.
> I guess when ff was written, tor or other darknets were simply not
> considered as a use case.

Interesting, I see now what you're saying, use the opposite of trying
to find differences and use a random for everyone.

>> I've thought about entirely removing sessions from ff (removing the
>> actual session_start lines), but I have not tried this yet.
>
> If you remove sessions completely, I believe you have to rewrite the
> post function, too.

I need to take a look also into this when I can. (Which won't be for a
few days, this is the end of my 'weekend').

> btw, the newsserver on def4 is missing some messages, I guess I have
> to reactivate the old pullnews...
> Posted on def2

Do you sync between your two inn servers?

Retro Guy



Subject: Re: Postmill thread
From: anonymous@def2.anon (anonymous)
Newsgroups: rocksolid.nodes
Organization: def2org
Date: Fri, 13 Sep 2019 14:16 UTC
uncommenting line 350 in index.php seems to do the trick, at least I don't land in my own sessions anymore when connecting from i2p and tor.
for further testing i think i need to set up another instance of the forum, to get the address right. i don't remember how i used to do that (i mean run the forum on i2p and tor).
btw, this bug was reported by a forum admin on the fudforum in 2014, for multiple users all connecting from one vpn and with the same browser (ie). exactly the same issue. the response from the dev was that he would like to wait until this behaviour was confirmed by others ("could be a huge issue", well, no shit sherlock). that is the last message in the thread. i wanted to necrothread, but fudforum effectively blocks tor users from registration, using some ip based blacklist in which tor exit nodes would be, of course.

i do sync my news servers with each other, but the one from def4 seems to have frozen or something, a restart fixed it.

cheers

trw
Posted on def2




Subject: Re: Postmill thread
From: anonymous@def2.anon (anonymous)
Newsgroups: rocksolid.nodes
Organization: def2org
Date: Sat, 14 Sep 2019 16:28 UTC
btw, there is some useful ff documentation here:

http://cvs.prohost.org/index.php?title=Fud30_ses

and a ff hack for sso here:

https://github.com/phoxicle/FUDForum-SSO-Adapter/blob/master/index_sso.php


cheers

trw
Posted on def2



