
[RESOLVED]Timeouts and lost messages (split from NS Support)

Posted: Fri Nov 18, 2011 12:36 am
by Tom T.
(Split as O/T from topic twitter links don't work - escaped_fragment issue -- Tom T.)
sourcejedi wrote:THIS BOARD EATS MY DRAFT MESSAGES ON TIMEOUT AND I HATE IT
For many reasons, I find it best to compose longer messages in a simple text editor (on Windows, Wordpad is my personal choice), or if composed in any web site, such as Yahoo mail, to copy/paste/save frequently to said text document. (Even though Yahoo has a nice auto-save-draft feature.)

Too many times, a connection was dropped, or I hit a wrong key, etc. I too hate losing a long message that is 3/4 complete.

Most TCP connections have a timeout, to handle someone who forgets to disconnect when through with the site, thus tying up server capacity that could be used for others.

"Save draft" *should* refresh the connection timer, because you have interacted with the site. ( @ Giorgio: Am I mistaken here?)
Then you can continue to compose, saving the drafts every 5-10 minutes or so.

But as said above, lots of reasons to compose in, or frequently save to, a document on your desktop or whatever.
Cheers.

Offtopic: venting about PHPBB

Posted: Fri Nov 18, 2011 10:02 am
by sourcejedi
Entire post subject: Offtopic venting about PHPBB

Edit: tone

I didn't hit "save draft" every five minutes, not that that's a sane design. Nor are TCP timeouts relevant (HTTP 1.0 uses a separate TCP connection for each request). Nor is it necessary for the server to save any state or privileges to avoid losing data in this specific situation.

What seems to happen is that there's a ridiculously low timeout somewhere - something like 30 minutes? - after which I'm logged out of the forum.

I was using "draft" imprecisely. When I try to submit my finished post after the timeout (which I have no way of knowing!), I'm redirected to the post-without-a-login version of the page. The entire text of my post, which has just been POSTed, is dropped on the floor. And the back button didn't seem to recover it.

It may be related to the posting-without-a-login feature on this sub-forum, if that's custom code. It might not be; I've had bad experiences with PHPBB on MobileRead as well, but I think I've got used to using the back button there as a recovery method. (You have to go back and copy the message; I think if you log in again when it asks you to, that's when you lose the message. Thinking about it, it's not too surprising if the posting-without-a-login feature breaks that workaround, because it's skipping past the "you don't have a valid session; please log in" page, straight to (a different version of) the posting page.).

Unfortunately, the most natural workaround for me - saving drafts in Thunderbird - also seems to lose data when connectivity is disrupted. Looks like it's time I checked out Lazarus again.

Re: Offtopic: venting about PHPBB

Posted: Sat Nov 19, 2011 1:32 am
by Tom T.
We can move this part to Metaforum if it continues, should you like.
sourcejedi wrote:What seems to happen is that there's a ridiculously low timeout somewhere - something like 30 minutes? - after which I'm logged out of the forum.
IMHO, 30 minutes without interaction is not unreasonable. YMMV
I was using "draft" imprecisely. When I try to submit my finished post after the timeout (which I have no way of knowing!), I'm redirected to the post-without-a-login version of the page. The entire text of my post, which has just been POSTed, is dropped on the floor. And the back button didn't seem to recover it.

It may be related to the posting-without-a-login feature on this sub-forum, if that's custom code. It might not be; I've had bad experiences with PHPBB on MobileRead as well, but I think I've got used to using the back button there as a recovery method.
Yes, that's worked for me at times.
(You have to go back and copy the message; I think if you log in again when it asks you to, that's when you lose the message. Thinking about it, it's not too surprising if the posting-without-a-login feature breaks that workaround, because it's skipping past the "you don't have a valid session; please log in" page, straight to (a different version of) the posting page.).

Unfortunately, the most natural workaround for me - saving drafts in Thunderbird - also seems to lose data when connectivity is disrupted.
Kinda' why I got in the habit of doing long messages on the desktop instead of in the compose box -- *everywhere*. Not just PHPbb, but also SMF and others.
Looks like it's time I checked out Lazarus again.
Didn't know about that one. Interesting! ... Will look into it, but, uh, the only real downside to the compose-in-text-doc is remembering to add your markup from the toolbar. (quote, bold, code, etc.)

btw, speaking of add-ons, there's a freeware called Texter that will let you make up your own hotkeys for anything. Which eliminates the need for the toolbar here when composed in Wordpad or whatever.

E. g., (for me) type the letter q+(enter) produces

    [quote]

qw (next letter on the keyboard to q, and an unlikely combo for a "false trigger") =

    [/quote]

u =

    [url=

ue ("URL End" is my mnemonic) =

    [/url]

Etc. I'm sure you'll find useful ones that suit you. Just a thought.

I think it would be better to split this off now. You can vent/suggest/etc., and I can ask Giorgio to consider your concerns about the timeouts and lost messages. Cheers.

Re: Timeouts and lost messages (split from NS Support)

Posted: Sat Nov 19, 2011 7:32 am
by Giorgio Maone
The session timeout is set to 3600 secs (1 hour).
Maybe your ISP reassigns you a dynamic IP very frequently, and you're experiencing this issue (work around included).

Re: Timeouts and lost messages (split from NS Support)

Posted: Sat Nov 19, 2011 9:06 am
by sourcejedi
Giorgio Maone wrote:The session timeout is set to 3600 secs (1 hour).
Maybe your ISP reassigns you a dynamic IP very frequently, and you're experiencing this issue (work around included).
Thanks for the information. (And to Tom for getting this moved). I suspect I really was that slow to post. It happens sometimes. An hour does sound like a reasonable threshold though.

When I last checked it, my external IP seemed pretty stable. It's currently [redacted by Tom T.] It survives rebooting the router. And AFAIK I'm not behind an ISP transparent proxy. (Feel free to compare the IP if you have mod powers).

I played a bit with the "Delete all board cookies" link, here and in the support forum. That causes a login form as expected, but once you've logged in you get your message back. And the back button also works very nicely for me.

So I'm not sure what my problem was. Unless Lazarus is doing something horribly magic now I've installed it, but it's advertised as an entirely manual process.

Re: Timeouts and lost messages (split from NS Support)

Posted: Sat Nov 19, 2011 9:24 am
by Tom T.
sourcejedi wrote:... When I last checked it, my external IP seemed pretty stable. It's currently [redacted by Tom T.] It survives rebooting the router. And AFAIK I'm not behind an ISP transparent proxy. (Feel free to compare the IP if you have mod powers).
Yes, all of your posts here show that IP. (We'd never disclose the actual IP publicly, but since you already did... )
I played a bit with the "Delete all board cookies" link, here and in the support forum. That causes a login form as expected, but once you've logged in you get your message back. And the back button also works very nicely for me.
If you're still curious, try deleting your cookies manually. In Firefox Tools > Options > Privacy > Show Cookies, delete the entire folder
forums.informaction.com
and see if that changes anything.
So I'm not sure what my problem was. Unless Lazarus is doing something horribly magic now I've installed it, but it's advertised as an entirely manual process.
I'm curious and will give it a brief look.
Glad the issue is resolved for you, and will mark this thread accordingly.

ETA: I thought it might be better for you not to have your IP displayed to the world. Feel free to PM it if it ever comes up again.

Re: [RESOLVED]Timeouts and lost messages (split from NS Supp

Posted: Sat Nov 19, 2011 9:28 am
by sourcejedi
Deleting the cookies from forums.informaction.com doesn't seem to have any effect. Ok, it does show I'm logged out if I open a new tab at "forums.informaction.com". But it doesn't interrupt the process of posting in an existing tab. I can hit "submit" & the post goes through without having to log in again.

Probably because there's a session ID in the URL as well?

sid=178a72a57681522fe0d65ffbf25196c3

Re: [RESOLVED]Timeouts and lost messages (split from NS Supp

Posted: Sat Nov 19, 2011 9:51 am
by Tom T.
Lazarus seems similar to the auto-save in Open Office, which saves a backup copy of your documents as you work on them. If you accidentally delete, or the program crashes, it will recover them. However, I think it's only at certain intervals -- every 5 minutes or so, perhaps user-configurable -- and only for docs in that program.

Very clever idea to save comments, etc. as you type (although my tinfoil-hat side sees it as a keylogger :o ).

I was a bit concerned about saving form entries that could include passwords, credit card #s, etc. They say RSA + AES, which is good, *if* correctly implemented. I'm not enough of a cryptogeek to know, but I know one or two people who are. I might ask them whether they care to look at it.

And where is the encryption key stored, and how? How often is it changed? My wireless router changes keys every X minutes, from 10 to 120 per user choice IIRC, even though the password never changes unless I change it manually. Not an issue unless others gain physical access to your machine (untrustworthy guest? Burglar?). Or remote access, but then you're hosed anyway.

And the top review:
This is easily the greatest Addon for Firefox, next to NoScript and AdBlockPlus.
Nice plug! :D

Overall: Interesting. IMHO, I'll stick with composing in text editors like Wordpad and saving those frequently, but I can certainly see this saving a lot of people's (fill in the blank). Thanks for pointing to it.

Re: [RESOLVED]Timeouts and lost messages (split from NS Supp

Posted: Sat Nov 19, 2011 9:54 am
by Tom T.
sourcejedi wrote:Probably because there's a session ID in the URL as well?
I think you nailed it.

Re: [RESOLVED]Timeouts and lost messages (split from NS Supp

Posted: Sat Nov 19, 2011 12:04 pm
by sourcejedi
Tom T. wrote: I was a bit concerned about saving form entries that could include passwords, credit card #s, etc.
That did make me a bit queasy. Those specific concerns have been considered. Password fields are blacklisted. Numbers long enough to be credit card numbers are replaced with a placeholder.

The encryption option is at least security by obscurity. It makes any identity-fraud data much less discoverable for a small-time laptop thief etc. The problem is the average user looking at the advertising will assume a bit more than that. It mentions encryption: that means it must be secure... well, it doesn't work like that. And then you've got another password to deal with... I bet Lazarus can't use mlock()... so if you reuse one of your existing passwords, you're leaking that password to the swap file.

Timeouts and lost messages (split from NS Support)

Posted: Sat Nov 19, 2011 7:24 pm
by sourcejedi
Happened again to my last message. I did leave it for about an hour, with my laptop sleeping over dinner. Again, PHPBB dropped the message on the floor & I wasn't able to recover it using the back button. Lazarus saved me though.

So I don't think it's hard to demonstrate; you just need to leave a post window open for an hour (in one of the subforums that permits posting without logging in), and avoid interacting with the forums for that period. (You could perhaps do that in a separate Firefox profile). And I don't think it's good behaviour. You can certainly accuse me of not being sufficiently paranoid though.

Re: Timeouts and lost messages (split from NS Support)

Posted: Sun Nov 20, 2011 1:17 am
by Tom T.
sourcejedi wrote:Happened again to my last message. I did leave it for about an hour, with my laptop sleeping over dinner.
I like to think and review my replies too, but an hour for two paragraphs? ;)
So I don't think it's hard to demonstrate; you just need to leave a post window open for an hour ... and avoid interacting with the forums for that period.
No need to demonstrate; Giorgio already said that the forum timeout was one hour (without interaction).
And I don't think it's good behaviour.
I do. The purpose, again, is to avoid using server capacity for those long gone who forget to logout. Imagine if everyone did that. You have a DoS attack, even if by accident.

Yes, I've stayed logged in, put the laptop on standby, been gone longer than expected, and had to re-login. No big deal, especially with Password Safe doing auto-logins with a click or two. (Crypto by world-class cryptographer Bruce Schneier; pw file is always encrypted, decrypted only on-the-fly in RAM; browser can receive its inputs but can't read it or write to it.)
You can certainly accuse me of not being sufficiently paranoid though..... The encryption option is at least security by obscurity.
"Security by obscurity" is something, but not much, depending again on where and how the master pw is stored.
so if you reuse one of your existing passwords, you're leaking that password to the swap file.
FWIW, I added enough physical RAM to this machine to be able to disable swap-to-disk, or as Windows, in Their Infinite Wisdom, calls it, the pagefile.
Not only more secure, but faster. No pagefile.sys lookups, HD head searches and reads, etc., -- it's all in RAM, of which more than about 1/3 is never needed.
Cheers.

Re: Timeouts and lost messages (split from NS Support)

Posted: Sun Nov 20, 2011 9:23 am
by sourcejedi
Tom T. wrote: I like to think and review my replies too, but an hour for two paragraphs? ;)
Ah, not that one. Back in the twitter thread.
No need to demonstrate; Giorgio already said that the forum timeout was one hour (without interaction).

The purpose, again, is to avoid using server capacity for those long gone who forget to logout. Imagine if everyone did that. You have a DoS attack, even if by accident.
You're missing the point :p. I don't mind re-entering login details after an inactivity timeout. I'd be happy to do so for every single post.

On this sub-forum, the timeout is fine. You have to log in again, and the POST'd message reappears.

On the support sub-forum, it's possible to post without a login. Instead of prompting to re-enter your login, you get a blank posting form, which assumes you want to post without a login. Your existing message is discarded. You can't get it back using the back button.

That second case is bad behaviour, an unnecessary trap for the unwary. It's doubly bad behaviour because it's inconsistent across sub-forums. And there's no fundamental reason for it; it's "just" an implementation issue.
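
As an added example, not part of this thread and not phpBB's own code: a small Python model of the session behaviour the posts above describe. The store accepts a session ID from the cookie or from a ?sid= query parameter (which is why a post still goes through after "Delete all board cookies"), expires sessions after the 3600 s Giorgio quotes, and binds each session to a prefix of the client IP (phpBB's session IP validation does this; the three-octet prefix, the cookie name phpbb3_sid and all addresses and timestamps are constructed assumptions). The two POST handlers contrast the guest sub-forum behaviour sourcejedi reports, which discards the message, with the login-required behaviour, and show a version that preserves the message in both cases.

```python
"""Model of forum session handling as described in this thread.

Added example, not phpBB code.  All values are constructed.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

SESSION_TIMEOUT = 3600          # seconds; the value Giorgio quotes above
COOKIE_NAME = "phpbb3_sid"      # assumption: the cookie that carries the session ID


@dataclass
class Session:
    user: Optional[str]         # None means a guest session
    ip_prefix: str              # session is bound to this prefix of the client IP
    last_seen: float


class SessionStore:
    """In-memory session table; 'now' is passed in so expiry is testable."""

    def __init__(self, ip_octets: int = 3):
        # Assumption: bind to the first three octets, as phpBB's
        # session IP validation does by default.
        self.ip_octets = ip_octets
        self.sessions: Dict[str, Session] = {}

    def _prefix(self, ip: str) -> str:
        return ".".join(ip.split(".")[: self.ip_octets])

    def create(self, user: Optional[str], ip: str, now: float) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user, self._prefix(ip), now)
        return sid

    def resolve(self, cookies: Dict[str, str], url: str, ip: str,
                now: float) -> Tuple[Optional[Session], str]:
        """Look the session up from the cookie, else from ?sid= in the URL.

        Accepting the URL form is what lets a post go through after the
        board cookies are deleted; it also means the sid ends up in
        Referer headers, proxy logs and bookmarks, so a cookie-only
        lookup is the safer design.
        """
        sid = cookies.get(COOKIE_NAME)
        if sid is None:
            sid = parse_qs(urlsplit(url).query).get("sid", [None])[0]
        session = self.sessions.get(sid)
        if session is None:
            return None, "no session"
        if now - session.last_seen > SESSION_TIMEOUT:
            del self.sessions[sid]
            return None, "expired"
        if session.ip_prefix != self._prefix(ip):
            return None, "ip mismatch"        # e.g. ISP reassigned the address
        session.last_seen = now               # any interaction refreshes the timer
        return session, "ok"


def handle_post_as_observed(store, cookies, url, ip, now, body, guest_posting):
    """Behaviour the thread describes.  Returns (action, payload)."""
    session, reason = store.resolve(cookies, url, ip, now)
    if session is not None and session.user is not None:
        return "posted", {"user": session.user, "message": body["message"]}
    if guest_posting:
        # Support sub-forum: fall through to a blank guest form; message gone.
        return "guest_form", {"message": "", "reason": reason}
    # Login-required sub-forum: login prompt, and the POSTed message survives.
    return "login_form", {"message": body["message"], "reason": reason}


def handle_post_preserving(store, cookies, url, ip, now, body, guest_posting):
    """Same flow, but an invalid session never discards the submitted text."""
    session, reason = store.resolve(cookies, url, ip, now)
    if session is not None and session.user is not None:
        return "posted", {"user": session.user, "message": body["message"]}
    action = "login_or_guest_form" if guest_posting else "login_form"
    return action, {"message": body["message"], "reason": reason}
```

The preserving handler is the "just an implementation issue" fix: the server already has the POST body in hand when it discovers the session is stale, so re-rendering the form with that body costs nothing and needs no server-side state. Whether to keep honouring ?sid= at all is a separate decision; the model accepts it only to reproduce what the thread observed.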

Re: [RESOLVED]Timeouts and lost messages (split from NS Supp

Posted: Sun Nov 20, 2011 5:04 pm
by NickP
I took a look at their website. I'll share a few of my thoughts on it.

"Lazarus securely saves forms as you type, allowing you to safely recover your lost work"

Essentially, a keylogger that builds a list of data before malware gets to the PC. A list of all the important data. Sounds like the risky aspect of the Single-Sign-On problem reimagined.

"Lazarus now comes with RSA and AES hybrid encryption, so your form history is more private and secure than ever!"

RSA and AES hybrid encryption? For local form saves? This is disconcerting as it sounds quite complex & the specifics aren't revealed. The algorithm matters less than how the crypto is applied. At least one USB storage device with "FIPS certified AES-256" was broken b/c the password was checked in software & an unlock code was sent to the device. Attackers just had to send the unlock code to bypass the encryption. (Worse, I think the unlock code was the same for all the devices.)

"A lot of my efforts over the last 6 months have been in doing a complete rewrite of Lazarus from the ground up (Lazarus 3.x). This is to solve the "Unresponsive Script Error" that many users have suffered from and to make Lazarus cross browser compatible (Yes, we now have versions for Chrome and Safari)."

Indicates to me the implementation isn't quite robust. If this thing is secure, it's only because hackers aren't targeting it yet. The code is a script in the browser, that I'm aware of. It's running with the browser's privileges. Anything that can compromise the browser can compromise its database. A targeted attack with a browser sploit should work now. Essentially, it's like running Mac OS X to be safe from malware: it works unless some hackers think your data's worth the extra effort. ;)

Re: Timeouts and lost messages (split from NS Support)

Posted: Sun Nov 20, 2011 11:29 pm
by Tom T.
sourcejedi wrote:
Tom T. wrote: I like to think and review my replies too, but an hour for two paragraphs? ;)
Ah, not that one. Back in the twitter thread.
Oops, my bad. :oops:
sourcejedi wrote:You're missing the point <snip, both for length and for discourteous icon ;) >On this sub-forum, the timeout is fine. You have to log in again, and the POST'd message reappears.

On the support sub-forum, it's possible to post without a login. Instead of prompting to re-enter your login, you get a blank posting form, which assumes you want to post without a login. Your existing message is discarded. You can't get it back using the back button.

That second case is bad behaviour, an unnecessary trap for the unwary. It's doubly bad behaviour because it's inconsistent across sub-forums. And there's no fundamental reason for it; it's "just" an implementation issue.
Thanks for elaborating. Yes, NoScript Support allows guest posting, so as not to discourage casual users who encounter a problem from posting, because they don't want to take the two minutes to register, or more likely, yet another set of user/pass. The other sub-forums tend to be geared to those who are a bit more committed and don't mind registering.

I'll ask Giorgio whether there's any easy way to fix the lost-message issue on guest posting. Thanks for pointing it out.
Nick P. wrote:The algorithm matters less than how the crypto is applied.
TUVM, supporting this writer's comment,
Tom T. wrote:good, *if* correctly implemented.
... and the comments about the "secure" USB drive having insecure pw mgmt mirror my own questions about how/where the pw was stored and implemented.
Nick P. wrote:The code is a script in the browser, that I'm aware of. It's running with the browser's privileges. Anything that can compromise the browser can compromise its database.
Eek. :o I'd assumed it was a hook to the keyboard (perhaps with a discriminatory function that activates only when the cursor is inside a browser window), which is dangerous enough if not robustly secured. Running it as a browser script is kind of like this writer's comments on browsers sandboxing themselves. (It's a long post. Find "sandboxing".)

I'll stick with composing long messages in a text editor, or saving there frequently.
Thanks for the post, NickP.