  #1  
Old 03-12-2008, 12:41 PM
SteveCoppin
 
Join Date: Feb 2008
Posts: 24
Single sign on for administrators and moderators?

Is there any way to bypass the adminCP/modCP login pages if a user is already logged in? I've had a flick through the mods and forums and can't find anything..
  #2  
Old 03-12-2008, 12:52 PM
Marco van Herwaarden
 
Join Date: Jul 2004
Posts: 25,415

I hope not, that would be a serious security risk.
  #3  
Old 03-12-2008, 01:02 PM
SteveCoppin
 
Join Date: Feb 2008
Posts: 24

Can you expand on that please Marco?

A user has already supplied their credentials to log in, and they're also a moderator. Why shouldn't they be one click away from seeing their moderator control panel?

I'm not disagreeing, something tells me it's a risk too, but I can't put my finger on why when they have already authenticated themselves.
  #4  
Old 03-12-2008, 01:23 PM
Marco van Herwaarden
 
Join Date: Jul 2004
Posts: 25,415

One of the reasons would be that a regular login would allow the "Remember Me" to be ticked. Imagine a staff member, maybe on holiday, using a public computer to check the forum and forgetting to log out. The next visitor would have all Mod/Admin options open without login.
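The scenario from post #4, as a small model added here (it is not vBulletin code and not part of anyone's post): it compares a control panel that trusts the forum login with one that keeps its own login. The `Session` fields, the function names and the 15-minute control-panel idle timeout are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

CP_IDLE_TIMEOUT = 15 * 60   # assumed: control-panel login expires after 15 idle minutes
FORUM_IDLE_TIMEOUT = 15 * 60  # assumed: forum login without "Remember Me" expires the same way

@dataclass
class Session:
    """Browser state left on one machine (constructed model, not vBulletin's schema)."""
    user: str
    is_staff: bool
    remember_me: bool                     # persistent forum cookie
    forum_last_seen: float                # seconds since the start of the scenario
    cp_last_seen: Optional[float] = None  # set only by a control-panel password entry

def forum_logged_in(s: Session, now: float) -> bool:
    # With "Remember Me" ticked the forum login never idles out.
    return s.remember_me or now - s.forum_last_seen <= FORUM_IDLE_TIMEOUT

def cp_login(s: Session, password_ok: bool, now: float) -> bool:
    """Separate control-panel login: the password must be typed again."""
    if password_ok:
        s.cp_last_seen = now
    return password_ok

def cp_allowed_sso(s: Session, now: float) -> bool:
    """Policy asked for in the thread: the control panel trusts the forum login."""
    return s.is_staff and forum_logged_in(s, now)

def cp_allowed_reauth(s: Session, now: float) -> bool:
    """Policy with a separate login: needs a recent control-panel password entry."""
    if not (s.is_staff and forum_logged_in(s, now)) or s.cp_last_seen is None:
        return False
    if now - s.cp_last_seen > CP_IDLE_TIMEOUT:
        return False
    s.cp_last_seen = now  # sliding idle window while the panel is in use
    return True

def walk_away_scenario() -> dict:
    """Staff member ticks Remember Me on a shared PC, uses the modcp, leaves without logging out."""
    s = Session("moderator", is_staff=True, remember_me=True, forum_last_seen=0)
    cp_login(s, password_ok=True, now=60)
    owner = cp_allowed_reauth(s, now=120)   # the moderator, two minutes in
    later = 2 * 3600                        # the next visitor, two hours later
    return {
        "owner_cp_reauth": owner,
        "visitor_forum": forum_logged_in(s, later),
        "visitor_cp_sso": cp_allowed_sso(s, later),
        "visitor_cp_reauth": cp_allowed_reauth(s, later),
    }

if __name__ == "__main__":
    print(walk_away_scenario())
```

The visitor still inherits the moderator's forum login through the persistent cookie in both cases; only the separate control-panel login keeps the moderator tools closed.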
  #5  
Old 03-12-2008, 01:29 PM
SteveCoppin
 
Join Date: Feb 2008
Posts: 24

Point taken, but is there not just as much risk of the browser remembering the credentials? I could do without the remember me feature. If I were to strip that, could it be possible?

--------------- Added [DATE]1205332301[/DATE] at [TIME]1205332301[/TIME] ---------------

Plus from here on in, if you don't mind, let's only refer to the modcp. If a moderator does act as above, the worst that can happen to my knowledge is that their individual forum is corrupted.

--------------- Added [DATE]1205332414[/DATE] at [TIME]1205332414[/TIME] ---------------

And I should also, also add that this instance is behind a company firewall. So hopefully, there would be an element of trust involved if someone were to stumble across a machine in the above state.

--------------- Added [DATE]1205405412[/DATE] at [TIME]1205405412[/TIME] ---------------

Does anyone else have any thoughts on why we shouldn't have SSO between the main forum and the modcp if we're behind a firewall?