
moderated Re: Update login expiration on site visit #suggestion

Bruce Bowman
 

On Wed, Nov 7, 2018 at 03:35 PM, Mark Fletcher wrote:
I did some tests with Facebook. They apparently expire their login cookie after 3 months. I would be fine extending our expiration to that as well. Anyone have an objection?
Mark -- It seems to me that no one has been very clear about defining what the problem is. 

  • Users are becoming disoriented whenever the logon cookie expires.
Extending the cookie to expire at 90 days or (30 days of inactivity) only delays the inevitable. Even setting the cookie to NEVER expire doesn't really help. As soon as these subscribers delete cookies on their own, or attempt to open the site with another browser/device, they will become disoriented all over again.

The only way to "fix" this is with some clear indication that the subscriber is not logged in. Personally, I feel that a collapsed left-side menu and the "login" button at top right is adequate. Others seem to disagree. Perhaps a red banner or simply a different-colored menu bar/login button at the top of the page could serve to capture the attention of the inattentive.

Regards,
Bruce


moderated Re: Update login expiration on site visit #suggestion

 

Hi All,

Caveat: I know enough about computer security to know that I don't know much about computer security.

I think the general reason that sites use expiring cookies (i.e. log you out after N days) is to prevent attacks where a cookie is stolen and then is used to impersonate the user. With HTTPS, the chance of cookies being stolen is pretty low these days.

I agree that being 'silently logged out' can present a confusing situation. I can add another cookie that never expires that indicates that you've been logged in. That way, I will know when your cookie has expired. The question is, what should I do in that situation? Should I take you to the login screen with a notice that you've been automatically logged out? Or should I just show a banner on whatever page you're visiting? If I do that, should I only show the banner on the first page you visit after your login cookie expires, or something else?

I did some tests with Facebook. They apparently expire their login cookie after 3 months. I would be fine extending our expiration to that as well. Anyone have an objection?

Thanks,
Mark


moderated Re: Update login expiration on site visit #suggestion

Jeremy H
 

On Mon, Nov 5, 2018 at 09:19 PM, Shal Farley wrote:
Bob,
 
What should be done to assuage those who freak out when they can't simply access groups.io but are sent to a page clearly informing them about what they must do and with all choices visible on the page?
 
You're missing the other case, the case where they are not taken to the login page. That's the case that motivated my suggestion.
 
Shal
Getting back to the original issue, the root of the problem is that, after 30 days of just going in to a page and doing whatever, a user is presented with essentially the same page (with only an inconspicuous change that I would suggest few people notice) but where you can't do whatever, in other words - from the user perspective - it's broken. (In a sense the '30 day' feature is its own enemy - if people always had to logon, they'd be used to doing so, and so it wouldn't be a real problem).

If handling cookies differently to solve this is going to fall into the 'undesirable' category, the alternative is to make the page more obviously different - something probably most simply done by some sort of banner or popup, saying you need to login for full functionality (with appropriate buttons).

Possibly modifying the standard groups.io banner to be different colours for logged in or not is the way to go.

Jeremy


moderated Re: Group Setting to Enable From Address via groups.io #suggestion

Panagiotis Georgopoulos <panagiotis.georgopoulos@...>
 

I would certainly agree with that as I am facing bouncing problems with my corporate mailing service and I, and other colleagues, don't receive any messages to groups.io that we sent.  


moderated Marking members with Advanced Preferences for email delivery #suggestion

Frances
 

The list of members in Membership, Admin doesn't give me full information. Under Delivery, it shows Single for those who receive every post by email as well as those who receive only first posts in a thread plus following. They have the same status - Single.

It would be useful if there was a flag - even an asterisk or AP - for members who have chosen Advanced Preferences.

Frances


moderated Re: Update login expiration on site visit #suggestion

Chris Jones
 

On Tue, Nov 6, 2018 at 10:11 PM, Shal Farley wrote:
Otherwise the perp has time to change the password.
I've never had occasion to change my Groups.io password, but on other sites where I have changed my password the process involved entering the existing password first, presumably as an assurance that it is me doing the change and not someone else. A quick check on my account points towards Groups.io not requiring any such security measure, so a "device" in the wrong hands could all too easily be used to change someone else's password. On the face of it, this is something of a vulnerability.

I have not used 2FA, but I am now beginning to think it might be a good idea.

Chris
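The check Chris describes above (re-entering the current password before it can be changed), written out as an added example. This is not groups.io code and says nothing about how the site actually implements password changes; the PBKDF2 parameters, the 12-character minimum and the "revoke every other session" step are assumptions chosen for the illustration. The point it demonstrates is that a live session only proves "someone holding this browser", while the current password proves "the account holder", and that a password change is the natural moment to cut off any other session a thief may be sitting in.

```python
"""Added example, not groups.io code: password change that requires the
current password and revokes all other sessions for the account."""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000  # assumption for the example, not a site setting
MIN_PASSWORD_LEN = 12        # hypothetical policy, not groups.io's


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    # Salted, slow hash; never store the password itself.
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password, record):
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(candidate, record["digest"])


class Accounts:
    def __init__(self):
        self.users = {}     # user_id -> password record
        self.sessions = {}  # session token -> user_id (several per user: phone, laptop, ...)

    def create(self, user_id, password):
        self.users[user_id] = hash_password(password)

    def login(self, user_id, password):
        record = self.users.get(user_id)
        if record is None or not verify_password(password, record):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user_id
        return token

    def change_password(self, token, current_password, new_password):
        """Require the current password even though the caller is logged in.

        The session cookie says only that this browser was logged in some time
        ago; a stolen or borrowed device has that. Knowing the current password
        is the thing the thief is missing, so it is what we insist on here."""
        user_id = self.sessions.get(token)
        if user_id is None:
            raise PermissionError("not logged in")
        if not verify_password(current_password, self.users[user_id]):
            raise PermissionError("current password incorrect")
        if len(new_password) < MIN_PASSWORD_LEN:
            raise ValueError("new password too short")
        self.users[user_id] = hash_password(new_password)
        # Every other session for this account is dropped, so whoever else was
        # logged in (the "perp" in this thread) is thrown out by the change.
        self.sessions = {t: u for t, u in self.sessions.items()
                         if u != user_id or t == token}
        return True
```

The same gate belongs on changing the account's email address, since that is the other route Shal mentions for making a take-over permanent.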


moderated Re: Update login expiration on site visit #suggestion

 

Toby,


You mean the two-factor authentication that would never be invoked because the auto renewing cookie would prevent the password prompt from ever displaying????

The expired cookie doesn't control two-factor authentication. It uses a non-expiring cookie to know whether you need to present a second form of authentication in addition to the password.

But you have a point. Two factor protects against stolen passwords and stolen cookies, but not against access to the member's device. So I shouldn't have mentioned it for "this kind" of intrusion. The only thing that would protect against access to the member's device would be very prompt logout (minutes of inactivity). Otherwise the perp has time to change the password.

Shal


moderated Re: Update login expiration on site visit #suggestion

Toby Kraft
 

Shal,
You mean the two-factor authentication that would never be invoked because the auto renewing cookie would prevent the password prompt from ever displaying????

That's exactly why the cookie expires. So that at some point in time the user proves he/she is who he/she says they are, by entering a password or via the 2 factor auth.  The time that Mark has implemented is 30 days which is generous and not onerous.

I agree it is not a big risk but I think we're beating a dead horse here and should let this discussion fade away....

Toby


moderated Re: Update login expiration on site visit #suggestion

 

Toby,

Circumventing the 30 day re-authentication requirement (which is what
the auto-renew cookie change would allow) would reduce the site
security and, in my opinion, would be ill-advised.
I don't believe it would have a substantive effect on site security.

Once the supposed intruder is in they can change the member's password (and email address), rendering the take-over permanent regardless of any pending cookie expiration.

Groups.io already offers a defense against this kind of intrusion: two-factor authentication.

Shal


moderated Re: Update login expiration on site visit #suggestion

Toby Kraft
 

Yet another thread that should be put to bed with no changes to the site....

The groups.io Terms of Service, Cookie Policy states (emphasis added):
Essential Cookies

These cookies are strictly necessary to provide you with services available through our Site and to secure our Site:

Domain     Cookie Name           Expiration  Description
groups.io  groupsio              30 days     Authentication
groups.io  flash                 30 days     Flash messages
groups.io  cookieconsent_status  365 days    For cookie consent
Circumventing the 30 day re-authentication requirement (which is what the auto-renew cookie change would allow) would reduce the site security and, in my opinion, would be ill-advised.
We're talking only 12 logins a year.  And the auto-renew wouldn't help infrequent users as they would not have been on recently enough to refresh the expiration anyway.  
I do support changes to provide a better user experience when links from an email are clicked.  Adding a term to the URLs in the email could accomplish that (page logic could be something like - URL says this came from a subscriber email but the authentication cookie is missing, so we should display an appropriate message, perhaps "Please login to view this message in your group.").  Improving the communication to users when this happens would aid the inexperienced users.
Toby


moderated Re: Update login expiration on site visit #suggestion

Jim Higgins
 

Received from Jim Fisher at 11/5/2018 08:05 PM UTC:

The normal way for a cookie to be used for login purposes is to simply set it when a person logs in and subsequently check for its existence whenever they visit a page requiring a login.
That's not quite how LOGIN cookies are handled. You can't just check for EXISTENCE of the cookie because they aren't all the same. You must also check the specific cookie CONTENT against the subscriber database so that the specific user is authenticated and the areas he may visit and privileges he has are known before granting access. It's not enough to say a cookie EXISTS so it's OK to give the person privileges in whatever area of the site he happened to land on. You have to authenticate the cookie contents.

The cookie is simply deleted when they log out or when it expires (in the latter case by the browser). No record is maintained anywhere of why it was deleted or even if it ever existed.
Yes... in the case of a deletion by the browser. Not necessarily in the case of an explicit log-out. In that latter case some sites may want to replace the log-in credentials stored in the cookie with something else. The point being that what MIGHT be put in that cookie isn't as important as understanding that deletion isn't the only option.

To do anything more than that standard process would involve Mark in a whole lot of work using permanent special purpose cookies, if it's possible at all.
Having some experience in this area, unless the implementation of lasting log-in cookies is made as complicated and with as many interacting options as hashtags are, it should be almost trivial to implement. If the cookie authenticates, update the cookie's expiration date. It's as easy as that.

Jim H


moderated Re: Update login expiration on site visit #suggestion

 

On Mon, Nov 5, 2018 at 01:36 PM, Don Clark wrote:
Believe me when most of your members are seniors they don't even have "just a smidgeon" of computer literacy. I really have to hold the hands of most members.
I'm getting really tired of these ageist remarks. I'm over 50, and I'm betting that the majority of my group members are over 50, and it's only once in a blue moon that I have to hold anybody's hand. So please, tell us that your group members are computer illiterate. Tell us that you have to hold their hands. But please stop justifying that on the basis of their ages.
 
--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Update login expiration on site visit #suggestion

Don Clark
 

Believe me when most of your members are seniors they don't even have "just a smidgeon" of computer literacy.
I really have to hold the hands of most members.


moderated Re: Update login expiration on site visit #suggestion

 

Bob,

What should be done to assuage those who freak out when they can't simply access groups.io but are sent to a page clearly informing them about what they must do and with all choices visible on the page?

You're missing the other case, the case where they are not taken to the login page. That's the case that motivated my suggestion.
Shal


moderated Re: Update login expiration on site visit #suggestion

Bob Bellizzi
 

My gosh, The great majority of websites that require one to log in, terminate that login either:
   When the browser window is closed
   When the user logs off
If the user wishes to again utilize the website, they must log in again.
Even yahoo would log one out after some period of time and we would have to log in again.  I think it was much more arcane and obtuse.

What's different about groups.io in this regard?
   Mark decided to make things much more easy for the untrained user by providing a cookie with a 30 day expiration date.

What should be done to assuage those who freak out when they can't simply access groups.io but are sent to a page clearly informing them about what they must do and with all choices visible on the page?
  In my opinion, Owners and Moderators have the responsibility to educate their members.
   We have almost 3500 members in our late onset rare disease group.  It's a fairly even mix of email and online users.  About 60 new members join per month.  Our long term average age is about 55.
  They receive instructions in their Welcome email. 
  A weekly calendar note on "Where to find Help" is sent out. 
  Moderators have experience handling questions online.
But considering the number of members, questions about being "dropped" are few and far between and are usually handled easily by the Moderators.
--

Bob Bellizzi

Founder, Fuchs Friends ®
Founder & Executive Director, The Corneal Dystrophy Foundation


moderated Re: Update login expiration on site visit #suggestion

 

Jim,


So how is the web site (i.e. Mark when coding it) supposed to know that?

Not being a web developer I don't really know, but I'm confident Mark can easily work it out.

The cookie is simply deleted when they log out or when it expires (in the
latter case by the browser). No record is maintained anywhere of why it
was deleted or even if it ever existed.

I'm aware of that much about cookies, and have suspected that that is exactly how Groups.io's login mechanism currently works. Simple, effective and consistent with observation. A naive suggestion would be to use a second cookie that has a (much) longer expiration as a marker for "has been logged in". That one would also be deleted by explicitly logging out.
That said, I've come around to the point of view that refreshing the logon at visit would be the better user experience. But maybe something like this should be done in that case as well, if the user has stayed away "too long".

Shal
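The mechanism discussed in Mark's, Jim H's and Shal's posts above, as one added example: a session cookie whose value is an opaque token looked up server-side (so, as Jim H says, the cookie's contents rather than its existence decide who the visitor is), an absolute 30-day expiry that can optionally be refreshed on every authenticated visit (the "auto-renew" change), and a long-lived non-secret marker cookie that lets the page tell "your login expired" apart from "you were never logged in here" and from an explicit logout. This is illustration code, not groups.io's implementation: only the cookie name `groupsio` and the 30-day lifetime come from the thread's cookie table; the marker cookie name, its one-year lifetime and the hashing of stored tokens are assumptions.

```python
"""Added example (not groups.io code): server-side session store plus a
long-lived marker cookie for the 'silently logged out' problem."""
import hashlib
import secrets
import time

SESSION_COOKIE = "groupsio"      # authentication cookie named in the thread's cookie table
MARKER_COOKIE = "was_logged_in"  # hypothetical: non-secret flag that outlives the session
SESSION_TTL = 30 * 24 * 3600     # 30 days, the expiry discussed in the thread
MARKER_TTL = 365 * 24 * 3600     # assumption: a year, like cookieconsent_status


def _key(token):
    # Store only a hash of the token so a leaked session table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def set_cookie_header(name, value, max_age):
    # Secure keeps the cookie off plain HTTP; HttpOnly keeps it away from page
    # scripts. These attributes, not the expiry alone, are what limit theft.
    return (f"Set-Cookie: {name}={value}; Max-Age={max_age}; Path=/; "
            f"Secure; HttpOnly; SameSite=Lax")


def login_headers(cookies):
    return [set_cookie_header(SESSION_COOKIE, cookies[SESSION_COOKIE], SESSION_TTL),
            set_cookie_header(MARKER_COOKIE, cookies[MARKER_COOKIE], MARKER_TTL)]


class SessionStore:
    def __init__(self, sliding=False, now=time.time):
        self._sessions = {}     # sha256(token) -> (user_id, expires_at)
        self.sliding = sliding  # True: each authenticated visit pushes the expiry out again
        self.now = now          # injectable clock so expiry can be exercised offline

    def login(self, user_id):
        token = secrets.token_urlsafe(32)  # 256 random bits; not guessable
        self._sessions[_key(token)] = (user_id, self.now() + SESSION_TTL)
        return {SESSION_COOKIE: token, MARKER_COOKIE: "1"}

    def logout(self, cookies):
        # Invalidate server-side: a browser that keeps the old token gets nothing from it.
        self._sessions.pop(_key(cookies.get(SESSION_COOKIE, "")), None)
        # Clear the marker too, so an explicit logout is not later read as an expiry.
        return {SESSION_COOKIE: "", MARKER_COOKIE: ""}

    def authenticate(self, cookies):
        """Return the user_id the cookie's contents map to, or None.

        A cookie merely existing proves nothing; the token must match a live
        record, and that record says who the visitor is."""
        token = cookies.get(SESSION_COOKIE)
        if not token:
            return None
        entry = self._sessions.get(_key(token))
        if entry is None:
            return None  # never issued, forged, or already logged out
        user_id, expires_at = entry
        if self.now() >= expires_at:
            del self._sessions[_key(token)]
            return None
        if self.sliding:
            self._sessions[_key(token)] = (user_id, self.now() + SESSION_TTL)
        return user_id


def classify_visit(store, cookies):
    """What the page should show: the marker cookie tells 'your login expired'
    apart from 'never logged in here' and from an explicit logout."""
    if store.authenticate(cookies) is not None:
        return "logged_in"
    if cookies.get(MARKER_COOKIE):
        return "session_expired"  # banner or login notice, as Mark asked about
    return "anonymous"            # first visit, or the user logged out on purpose
```

With `sliding=False` the store behaves like the 30-day cookie in the thread's table; with `sliding=True` it behaves like the auto-renew proposal, where an active visitor is never asked to log in again, which is exactly the trade-off Toby and Shal argue over above.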


moderated Re: Update login expiration on site visit #suggestion

 

On 4 Nov 2018 at 12:00, Shal Farley wrote:

That's the key. The page or banner obviously should not appear for
someone who explicitly logged out, nor for someone who visits the site
having not been (recently) logged in.

Shal
So how is the web site (i.e. Mark when coding it) supposed to know that? The
normal way for a cookie to be used for login purposes is to simply set it when
a person logs in and subsequently check for its existence whenever they visit a
page requiring a login. The cookie is simply deleted when they log out or when
it expires (in the latter case by the browser). No record is maintained
anywhere of why it was deleted or even if it ever existed. To do anything more
than that standard process would involve Mark in a whole lot of work using
permanent special purpose cookies, if it's possible at all.

Jim Fisher

--
http://jimellame.tumblr.com - My thoughts on freedom (needs updating)
http://jimella.wordpress.com - political snippets, especially economic policy
http://jimella.livejournal.com - misc. snippets, some political, some not
Forget Google! I search with https://duckduckgo.com which doesn't spy on you


moderated Re: Give group owners control over how subscriptions are processed #suggestion

M Parker
 

Beth

I own a group that works in similar way to yours. It is restricted and is not listed in the Groups.io directory. As a result I get very few direct requests to join. My group has a public website where instructions on how to join, with an application form, are given. Links to the public website are given in other topic related websites and publications.

Maybe it is possible for you to opt to be not listed in the Groups.io directory? (See Settings, Privacy, Visibility <Group not listed in directory, private messages>)

Margaret


On Sun, Nov 4, 2018 at 09:21 AM, Beth Weld wrote:
We have received numerous join requests for my group this weekend, I really would like to strongly suggest that for restricted groups, we have the option to remove both the Apply button as well as the subscribe email address on the group main page.  I'm trying to redirect people to our website where they need to fill out an application (and pay money), but it hasn't worked for the dedicated folks who won't read.


moderated Re: Update login expiration on site visit #suggestion

 

On Sun, Nov 4, 2018 at 06:40 PM, Don Clark wrote:
Too many of my members are computer illiterate and panic.
Do they panic when, I don't know, craigslist forums, for example, logs them out? Who do they turn to then? etc. One does need a modicum of computer literacy, just a smidgeon, to participate in any online forum.
 
--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Update login expiration on site visit #suggestion

Don Clark
 

I agree with Shal. Too many of my members are computer illiterate and panic. 
