
moderated Re: Update login expiration on site visit #suggestion

Jim Higgins
 

Received from Dave Sergeant at 11/8/2018 06:43 AM UTC:

I fail to see what the problem is. After all, Yahoogroups, where many of the current users have come from, has a 14 day time out. Nobody ever had issues with this. Why is groups.io any different?

I NEVER encountered any 14-day time out in my 16 years of managing groups on Yahoo!

Unless I accidentally deleted cookies or manually logged out I NEVER had to enter Username and Password to access Y! or Y!Groups.

I currently have no Y! cookies that expire in 14 days (or less); most are at least a year and some expire in 2038.


But the fact that you are logged out needs making more obvious. If you visit anything other than the groups.io homepage, such as a private group that requires login or parts of a group that need login to access, you should get a prominent login box, just like any other forum on the internet does. Taking you to the groups.io homepage with a fairly well hidden login link in the corner is NOT the way to do it.

What you say should happen already does happen, EXCEPT when the group visited is readable by non-subscribers. Is it possible that you've formed an opinion based on incorrect information?


I am not in favour of extending the timeout.

Why not? Why can't those of us who would like to manage our own security have the convenience of a longer expiration (and preferably one that renews upon each visit)? Why can't the folks who want cookies to expire in 14 days simply log themselves out on the 1st and 15th of the month and log back in? Would that be annoying? Yep... about as annoying as finding yourself unexpectedly logged out. And that's precisely why some would like a longer expiration period (and preferably renewable on each visit).

Jim H


moderated Re: Update login expiration on site visit #suggestion

 

Say a login cookie is stolen somehow, never mind how. If the legitimate user logs out and logs back in, getting a new login cookie, does that invalidate the stolen cookie? If so, then a 90-day expiration is likely OK, as any user suspecting cookie theft has an easy way to fix it.

I would recommend adding a second cookie that lasts a year, indicating the user is logged on, but doesn't provide any authorization. If the user logs out, that cookie also gets deleted. If the user has that cookie but not the authorization cookie, a "pop-up" (not a real pop-up, as those tend to get blocked these days) message should be displayed: "Your login session has expired. Click here to log back in, or here to continue without being logged in." Either click deletes the year-long cookie, so the message won't keep re-appearing.

If the user hasn't logged in in a year, or if the user deletes cookies, it's not your responsibility to remind the user to log in.

JohnF


moderated #cal-notices/page refreshing

 

I have a few suggestions that would make handling in groups.io easier:

- In the Message Policies section there should be a way to prevent the automatic appearance of #cal-notice on the "Top Hashtags" display of the home page every time a cal notice is generated. I find it quite bothersome to have to check on the homepage regularly, then click and delete each notice individually. Clarification: I send regular notices via calendar, each member gets them anyway, so reminders on the "Top Hashtags" display are bothersome since they must be deleted individually.

- Even better would be an option in the files (like yahoo-groups has) for documents to be sent to the group in regular intervals. In that case they would not have to be sent via #cal-notices.

- Another issue is that pages do not refresh automatically. For example, each time I delete one of the #cal-notices the page is changed to the messages page. Another example: members trying to join a certain group are sent to the groups.io starting page instead of remaining on the one they wanted to join.

Victoria


moderated Re: Update login expiration on site visit #suggestion

Dave Sergeant
 

I fail to see what the problem is. After all, Yahoogroups, where many of
the current users have come from, has a 14 day time out. Nobody ever
had issues with this. Why is groups.io any different?

But the fact that you are logged out needs making more obvious. If you
visit anything other than the groups.io homepage, such as a private group
that requires login or parts of a group that need login to access, you
should get a prominent login box, just like any other forum on the
internet does. Taking you to the groups.io homepage with a fairly well
hidden login link in the corner is NOT the way to do it.

I am not in favour of extending the timeout.

Dave

On 7 Nov 2018 at 13:47, Bruce Bowman wrote:

The only way to "fix" this is with some clear indication that the
subscriber is not logged in.

http://davesergeant.com


moderated Re: Update login expiration on site visit #suggestion

 

I don’t do FB any more either. But of course you can log yourself out any time, just like every other site. The issue for me is the long length of time they keep you logged in. Logging out of anything and then back in is a PITA. So you’re generally not going to do it. OTOH you want to feel that a site takes even the smallest measure to protect your security. Three months doesn’t cut it for me personally.

On Nov 7, 2018, at 5:12 PM, Jim Higgins <HigginsJ@sc.rr.com> wrote:

Received from J_Catlady at 11/7/2018 11:41 PM UTC:

It's not a big deal to me, but I have really always disliked Facebook's policy. It seems like they never log you out (although you're saying it's three months), and frankly it's always made me nervous.

I don't do Facebook, so I have to ask... isn't there something to click to log yourself out?

Jim H



--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Update login expiration on site visit #suggestion

Jim Higgins
 

Received from J_Catlady at 11/7/2018 11:41 PM UTC:

It's not a big deal to me, but I have really always disliked Facebook's policy. It seems like they never log you out (although you're saying it's three months), and frankly it's always made me nervous.

I don't do Facebook, so I have to ask... isn't there something to click to log yourself out?

Jim H


moderated Re: Update login expiration on site visit #suggestion

Jim Higgins
 

Received from Bruce Bowman at 11/7/2018 09:47 PM UTC:

Extending the cookie to expire at 90 days or (30 days or inactivity) only delays the inevitable.

Exactly, but it's a step toward the ***OPTION*** of a cookie that doesn't expire.


Even setting the cookie to NEVER expire doesn't really help. As soon as these subscribers delete cookies on their own, or attempt to open the site with another browser/device, they will become disoriented all over again.

There are certain things you can't fix... but at least then it's their own fault... while the ones who are savvy benefit from a cookie that doesn't expire.

Jim H


moderated Re: Update login expiration on site visit #suggestion

Jim Higgins
 

Received from Mark Fletcher at 11/7/2018 08:35 PM UTC:

I did some tests with Facebook. They apparently expire their login cookie after 3 months. I would be fine extending our expiration to that as well. Anyone have an objection?

Strongly in favor of extending the expiration to 3 months, but...

...in addition to that, could you also offer the option of a cookie that never expires, effectively letting each of us decide how to manage our own security. Since Groups.io uses secure connections, the likelihood that anyone would try to steal my login data is remote.

Jim H


moderated Re: Update login expiration on site visit #suggestion

 

It's not a big deal to me, but I have really always disliked Facebook's policy. It seems like they never log you out (although you're saying it's three months), and frankly it's always made me nervous.
--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Update login expiration on site visit #suggestion

Bruce Bowman
 

On Wed, Nov 7, 2018 at 03:35 PM, Mark Fletcher wrote:

I did some tests with Facebook. They apparently expire their login cookie after 3 months. I would be fine extending our expiration to that as well. Anyone have an objection?

Mark -- It seems to me that no one has been very clear about defining what the problem is.

  • Users are becoming disoriented whenever the logon cookie expires.
Extending the cookie to expire at 90 days or (30 days or inactivity) only delays the inevitable. Even setting the cookie to NEVER expire doesn't really help. As soon as these subscribers delete cookies on their own, or attempt to open the site with another browser/device, they will become disoriented all over again.

The only way to "fix" this is with some clear indication that the subscriber is not logged in. Personally, I feel that a collapsed left-side menu and the "login" button at top right is adequate. Others seem to disagree. Perhaps a red banner or simply a different-colored menu bar/login button at the top of the page could serve to capture the attention of the inattentive.

Regards,
Bruce


moderated Re: Update login expiration on site visit #suggestion

 

Hi All,

Caveat: I know enough about computer security to know that I don't know much about computer security.

I think the general reason that sites use expiring cookies (ie log you out after N days) is to prevent attacks where a cookie is stolen and then is used to impersonate the user. With HTTPS, the chance of cookies being stolen is pretty low these days.

I agree that being 'silently logged out' can present a confusing situation. I can add another cookie that never expires that indicates that you've been logged in. That way, I will know when your cookie has expired. The question is, what should I do in that situation? Should I take you to the login screen with a notice that you've been automatically logged out? Or should I just show a banner on whatever page you're visiting? If I do that, should I only show the banner on the first page you visit after your login cookie expires, or something else?

I did some tests with Facebook. They apparently expire their login cookie after 3 months. I would be fine extending our expiration to that as well. Anyone have an objection?

Thanks,
Mark


moderated Re: Update login expiration on site visit #suggestion

Jeremy H
 

On Mon, Nov 5, 2018 at 09:19 PM, Shal Farley wrote:
Bob,
 
What should be done to assuage those who freak out when they can't simply access groups.io but are sent to a page clearly informing them about what they must do and with all choices visible on the page?
 
You're missing the other case, the case where they are not taken to the login page. That's the case that motivated my suggestion.
 
Shal
Getting back to the original issue, the root of the problem is that, after 30 days of just going in to a page and doing whatever, a user is presented with essentially the same page (with only an inconspicuous change that I would suggest few people notice) but where you can't do whatever, in other words - from the user perspective - it's broken. (In a sense the '30 day' feature is its own enemy - if people always had to logon, they'd be used to doing so, and so it wouldn't be a real problem).

If handling cookies differently to solve this is going to fall into the 'undesirable' category, the alternative is to make the page more obviously different - something probably most simply done by some sort of banner or popup, saying you need to login for full functionality (with appropriate buttons).

Possibly modifying the standard groups.io banner to be different colours for logged in or not is the way to go.

Jeremy


moderated Re: Group Setting to Enable From Address via groups.io #suggestion

Panagiotis Georgopoulos <panagiotis.georgopoulos@...>
 

I would certainly agree with that as I am facing bouncing problems with my corporate mailing service and I, and other colleagues, don't receive any messages to groups.io that we sent.  


moderated Marking members with Advanced Preferences for email delivery #suggestion

Frances
 

The list of members in Membership, Admin doesn't give me full information. Under Delivery, it shows Single for those who receive every post by email as well as those who receive only first posts in a thread plus following. They have the same status - Single.

It would be useful if there was a flag - even an asterisk or AP - for members who have chosen Advanced Preferences.

Frances


moderated Re: Update login expiration on site visit #suggestion

Chris Jones
 

On Tue, Nov 6, 2018 at 10:11 PM, Shal Farley wrote:

Otherwise the perp has time to change the password.

I've never had occasion to change my Groups.io password, but on other sites where I have changed my password the process involved entering the existing password first, presumably as an assurance that it is me doing the change and not someone else. A quick check on my account points towards Groups.io not requiring any such security measure, so a "device" in the wrong hands could all too easily be used to change someone else's password. On the face of it, this is something of a vulnerability.

I have not used 2FA, but I am now beginning to think it might be a good idea.

Chris


moderated Re: Update login expiration on site visit #suggestion

 

Toby,


You mean the two-factor authentication that would never be invoked because the auto renewing cookie would prevent the password prompt from ever displaying????

The expired cookie doesn't control two-factor authentication. It uses a non-expiring cookie to know whether you need to present a second form of authentication in addition to the password.

But you have a point. Two factor protects against stolen passwords and stolen cookies, but not against access to the member's device. So I shouldn't have mentioned it for "this kind" of intrusion. The only thing that would protect against access to the member's device would be very prompt logout (minutes of inactivity). Otherwise the perp has time to change the password.

Shal


moderated Re: Update login expiration on site visit #suggestion

Toby Kraft
 

Shal,
You mean the two-factor authentication that would never be invoked because the auto renewing cookie would prevent the password prompt from ever displaying????

That's exactly why the cookie expires. So that at some point in time the user proves he/she is who he/she says they are, by entering a password or via the 2 factor auth.  The time that Mark has implemented is 30 days which is generous and not onerous.

I agree it is not a big risk but I think we're beating a dead horse here and should let this discussion fade away....

Toby


moderated Re: Update login expiration on site visit #suggestion

 

Toby,

Circumventing the 30 day re-authentication requirement (which is what
the auto-renew cookie change would allow) would reduce the site
security and, in my opinion, would be ill-advised.

I don't believe it would have a substantive effect on site security.

Once the supposed intruder is in they can change the member's password (and email address), rendering the take-over permanent regardless of any pending cookie expiration.

Groups.io already offers a defense against this kind of intrusion: two-factor authentication.

Shal


moderated Re: Update login expiration on site visit #suggestion

Toby Kraft
 

Yet another thread that should be put to bed with no changes to the site....

The groups.io Terms of Service, Cookie Policy states (emphasis added):

Essential Cookies

These cookies are strictly necessary to provide you with services available through our Site and to secure our Site:

Domain     Cookie Name           Expiration   Description
groups.io  groupsio              30 days      Authentication
groups.io  flash                 30 days      Flash messages
groups.io  cookieconsent_status  365 days     For cookie consent

Circumventing the 30 day re-authentication requirement (which is what the auto-renew cookie change would allow) would reduce the site security and, in my opinion, would be ill-advised.

We're talking only 12 logins a year. And the auto-renew wouldn't help infrequent users as they would not have been on recently enough to refresh the expiration anyway.

I do support changes to provide a better user experience when links from an email are clicked. Adding a term to the URLs in the email could accomplish that (page logic could be something like - URL says this came from a subscriber email but the authentication cookie is missing so let's display an appropriate message perhaps "Please login to view this message in your group."). Improving the communication to users when this happens would aid the inexperienced users.

Toby


moderated Re: Update login expiration on site visit #suggestion

Jim Higgins
 

Received from Jim Fisher at 11/5/2018 08:05 PM UTC:

The normal way for a cookie to be used for login purposes is to simply set it when a person logs in and subsequently check for its existence whenever they visit a page requiring a login.
That's not quite how LOGIN cookies are handled. You can't just check for EXISTENCE of the cookie because they aren't all the same. You must also check the specific cookie CONTENT against the subscriber database so that the specific user is authenticated and the areas he may visit and privileges he has are known before granting access. It's not enough to say a cookie EXISTS so it's OK to give the person privileges in whatever area of the site he happened to land on. You have to authenticate the cookie contents.

The cookie is simply deleted when they log out or when it expires (in the latter case by the browser). No record is maintained anywhere of why it was deleted or even if it ever existed.
Yes... in the case of a deletion by the browser. Not necessarily in the case of an explicit log-out. In that latter case some sites may want to replace the log-in credentials stored in the cookie with something else. The point being that what MIGHT be put in that cookie isn't as important as understanding that deletion isn't the only option.

To do anything more than that standard process would involve Mark in a whole lot of work using permanent special purpose cookies, if it's possible at all.
Having some experience in this area, unless the implementation of lasting log-in cookies is made as complicated and with as many interacting options as hashtags are, it should be almost trivial to implement. If the cookie authenticates, update the cookie's expiration date. It's as easy as that.

Jim H
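The mechanics debated across this thread fit in one small model: JohnF's year-long marker cookie that carries no authority but lets the site show a "session expired" notice once, Mark's question of what to do when that marker is present but the login cookie is gone, and Jim Higgins's points that a login cookie's content must be checked against the user database before it grants anything and that a cookie which authenticates can simply have its expiration pushed forward on each visit. The Python below is an added example written for this page, not groups.io's own code; the cookie names, the 90-day and 365-day lifetimes and the in-memory session table are assumptions. It also answers the question JohnF raises about a stolen cookie: because the cookie value is an opaque token looked up server-side, logging out deletes the record and every copy of that token, stolen or not, stops working.

```python
"""Login cookie with server-side lookup, sliding renewal and an 'expired' marker.

Added example for this thread, not groups.io code. Cookie names, lifetimes
and the in-memory session table are assumptions chosen for illustration.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

AUTH_COOKIE = "session"          # assumed name; holds an opaque random token
MARKER_COOKIE = "was_logged_in"  # assumed name; JohnF's long-lived marker, no authority
DAY = 24 * 3600
AUTH_TTL = 90 * DAY              # the 3-month figure Mark measured on Facebook
MARKER_TTL = 365 * DAY           # the year-long lifetime JohnF proposed

# A Set-Cookie instruction: value and max-age in seconds (0 means delete).
SetCookie = Tuple[str, int]


@dataclass
class Session:
    user: str
    expires_at: int   # unix time


@dataclass
class Response:
    state: str                                  # "authenticated" | "expired" | "anonymous"
    user: Optional[str] = None
    set_cookies: Dict[str, SetCookie] = field(default_factory=dict)


class SessionStore:
    """Server-side table mapping cookie tokens to sessions."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, now: int) -> Response:
        # The cookie carries a random token, not the user's identity; the
        # token only means something after a lookup in this table.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now + AUTH_TTL)
        return Response("authenticated", user, {
            AUTH_COOKIE: (token, AUTH_TTL),
            MARKER_COOKIE: ("1", MARKER_TTL),
        })

    def logout(self, cookies: Dict[str, str]) -> Response:
        # Removing the server-side record invalidates every copy of the
        # token, including a stolen one, not just the browser's own copy.
        self._sessions.pop(cookies.get(AUTH_COOKIE, ""), None)
        return Response("anonymous", None, {
            AUTH_COOKIE: ("", 0),
            MARKER_COOKIE: ("", 0),
        })

    def handle_request(self, cookies: Dict[str, str], now: int) -> Response:
        token = cookies.get(AUTH_COOKIE)
        session = self._sessions.get(token) if token else None
        if session is not None and session.expires_at > now:
            # Cookie authenticates: slide its expiration forward on this visit.
            session.expires_at = now + AUTH_TTL
            return Response("authenticated", session.user,
                            {AUTH_COOKIE: (token, AUTH_TTL)})
        if session is not None:
            del self._sessions[token]            # expired: drop the stale record
        if cookies.get(MARKER_COOKIE):
            # Marker present but no live session: the user *was* logged in, so
            # show the "session expired" notice once and clear the marker so
            # it does not keep reappearing.
            return Response("expired", None, {
                AUTH_COOKIE: ("", 0),
                MARKER_COOKIE: ("", 0),
            })
        return Response("anonymous")


def apply_cookies(jar: Dict[str, str], response: Response) -> Dict[str, str]:
    """Mimic a browser applying Set-Cookie headers to its cookie jar."""
    for name, (value, max_age) in response.set_cookies.items():
        if max_age == 0:
            jar.pop(name, None)
        else:
            jar[name] = value
    return jar


if __name__ == "__main__":
    store, jar = SessionStore(), {}
    apply_cookies(jar, store.login("alice", 0))
    print(store.handle_request(jar, 80 * DAY).state)     # authenticated, renewed
    stolen = dict(jar)
    apply_cookies(jar, store.logout(jar))
    print(store.handle_request(stolen, 81 * DAY).state)  # expired: stolen copy is dead
```

In a real deployment the table would live in a database, the cookies would be set with the Secure, HttpOnly and SameSite attributes, and the trade-off Toby and Shal argue about is visible in handle_request: with sliding renewal an actively used cookie never expires, so the only thing that ends a session is an explicit logout or a long absence.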
