devshb
Senior Member
United Kingdom
1904 Posts
Posted - August 24 2007 : 05:49:58
I was just wondering if anyone would want to use an addon that'd allow you to stay permanently "logged in" to admin? ie using cookies to automatically log you back into admin when the page loads if you have a cookie in place for admin, and logout from admin would clear the cookie. As long as you're not using a public pc then I don't really see any issues with that security-wise.
We're doing a similar thing on a site that we're about to release in a week or so, and while doing that I thought that vpasp admin could use pretty much the same logic as the site we're working on. For that other site, the fact that you can leave the window/tab open for days on end without the sessions needing to be there (either on the database or on the server) has made the system generally much easier to use and doesn't make you panic as much (ie it's a much more relaxing site to use because you're not forced into keeping it active).
Anyone got any thoughts on that kind of stuff?
Simon Barnaby Developer [email protected] www.BigYellowZone.com Web Design, Online Marketing and VPASP addons
carfin
VP-CART Expert
United Kingdom
948 Posts
Posted - August 24 2007 : 06:36:14
Hi Simon,
Even for people who are not using a computer with public access I think that being permanently connected to your admin site is not a good idea. I have always been very security conscious and have often been told that permanent open internet connections can be a risk even if we all have the most up to date firewalls and anti-virus software installed on the local and host machines. I don't mind logging in to our admin pages many times during the day. It only takes a couple of seconds and I think we all try to do things too fast these days (or maybe I just think that because I'm getting older)
Anyway that's my halfpenny's worth.
Carrol www.deanston-electrical.co.uk
devshb
Senior Member
United Kingdom
1904 Posts
Posted - August 24 2007 : 07:53:01
yep; with my developer's hat on, I'd agree and say that it's best to have a timeout, and that if a timeout isn't in place then, having warned the merchant of the security aspects, as a developer I'm not responsible if they choose not to use one and then get hacked.
but, with my merchant hat on I'd say that it's just too annoying to lose the context of where you are (and anything that you've just typed in) purely because you haven't pressed a button for the last 20 minutes.
both sides are true/valid, and it's a tricky decision.
whether or not a timeout is relevant/advised probably depends on a combination of lots of things, including the physical setup/location of where the admin users are, how awkward it is to login again, how annoying/time-wasting it is to lose context/content of what was being done at the time of the timeout forcing a login redirect, and the nature of the system/business.
from what I can remember, timeouts are pretty much just a web invention, and were never in place before for non-web-based internal/admin systems apart from on critical systems like banks etc.
in my old job (working for insurers in an internal IT department), we never used timeouts because we needed to have about 10 different systems running/open on our pc's to be able to do our job, and having all that lot timing out whenever you're not active was just a non-starter. so, instead we just had explicit logouts that we used when we went for lunch or finished for the day, and people kept an eye out for anyone who was trying to sit down at a desk that wasn't theirs. security-wise it wasn't perfect, but in a practical sense it was really the only way that we could work.
another alternative is to just use a screen saver pwd as your timeout aspect, and then have all your actual admin systems stay logged in forever.
Another alternative is to have a timeout, but that when you login back in again the system remembers what you were doing at the time of the timeout (ie so you don't lose context/content).
I work from home and nobody else shares my pc, so as far as I'm concerned I'd rather that nothing timed out on me ever.
Outlook doesn't time-out, neither does msn/yahoo/skype/ftp etc, and they're potentially more dangerous than something like a vpasp admin account; I don't see why any system should use timeouts to be honest, apart from something like online banking. If a user leaves themselves logged in then they've only got themselves to blame if someone else then comes along and uses the same pc. It's a bit like leaving the house without locking your door.
Anyway; I'm sure the subject will generate some debate, and that's always a healthy thing!
Simon Barnaby Developer [email protected] www.BigYellowZone.com Web Design, Online Marketing and VPASP addons
Edited by - devshb on August 24 2007 08:43:06
elammers
VP-CART Super User
USA
256 Posts
Posted - August 29 2007 : 09:54:14
I would be interested in this as would many of my clients. How often do you get distracted by a phone call while in the admin and when you return, click save or something and you get that annoying "unauthorized user" message, UGH!
Please, add it to the BYZ catalog.
Regards, Eric in Maine
devshb
Senior Member
United Kingdom
1904 Posts
Posted - August 29 2007 : 17:06:20
excellent; I'm glad I'm not the only one who gets annoyed by it (it's not just a vpasp thing; it's all over the place on the web and it drives me nuts).
I'll definitely put it in the pending pile then and try and get it out there asap. Even if it doesn't sell many copies it'll still be worth it from my point of view even if it's only so that our own admin area doesn't keep timing out on me every time I try to update a product.
Anyone else got any thoughts on this?
Simon Barnaby Developer [email protected] www.BigYellowZone.com Web Design, Online Marketing and VPASP addons
Lori Titus
VP-CART New User
144 Posts
Posted - September 17 2007 : 15:07:56
As the data entry gal, I like the idea of no timeouts. My timeout seems to be set at 2 minutes, not 20 - I need to figure out where to change that. Was frustrating just now, when I got kicked off 3 times in a row while trying to make changes to a content page!
More importantly, though, forget about hacks. My laptop was stolen while on a business trip, and I did not have ready access to go and change passwords. If I had a permanent login, they could have grabbed whatever they wanted off the site... (If they were that smart! They probably traded the laptop for drugs. But you get the point.)
The Internet's #1 supplier of honey and beeswax.
devshb
Senior Member
United Kingdom
1904 Posts
Posted - September 18 2007 : 04:22:28
ah; yes; the stolen laptop/pc is a good point; the logic that we're using for the no-timeout on our other system (the non-vpasp one) is that when it does an auto-login-on-load-if-no-session, it'll check the password in the database against the password in the cookie (ie the cookie should hold the id *and* the pwd), so if your laptop/pc did get stolen and your cookie was still active on it, then you could/would/should (hopefully before the thief works it out) change your pwd (via another pc obviously), and then the cookie on the stolen pc will effectively be invalid/unused.
on this other system, it does destroy the cookie when you explicitly logout, so there is still that option too if you don't want to keep the cookie.
very good point though; any more points like that then do let us know.
Simon Barnaby Developer [email protected] www.BigYellowZone.com Web Design, Online Marketing and VPASP addons
Edited by - devshb on September 18 2007 04:23:25
seeker1
VP-CART New User
Australia
114 Posts
Posted - September 25 2007 : 23:03:31
We are releasing a new VP-ASP enhancement as a productivity aid to merchants. It will have these new facilities.
1. Once merchant has successfully logged on, the session timeout will be ignored and they can walk away from screen and come back and still be logged on as administrator.
2. Future admin sessions will not require a logon unless the administrator has logged off in a previous session.
3. Merchant can go directly to admin page without the need to logon and use the navigation.
Security Features include:
4. Merchant can set a timeout period after which the admin session is permanently logged off.
5. Changing the admin password will disable any existing auto logon (if the laptop is stolen, for example).
We are looking for a few beta testers to comment on the design and suitability.
Howard Kadetz [email protected] www.hkprog.com
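An added example, not code from this thread or from either product, of the remember-me scheme described in the two posts above: the cookie carries a random selector and validator instead of the password itself (a deliberate swap from the cookie-holds-the-pwd design Simon describes), the server keeps only a hash of the validator, an explicit logout deletes the server record, a password change revokes every token for that user (Howard's point 5), and an absolute cut-off plays the role of Howard's point 4. The user and token tables are assumed to be in-memory dictionaries here.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory tables standing in for the admin user table and a
# remember-me token table (assumption: the real shop keeps these in its DB).
USERS = {}   # username -> {"pw_hash": bytes, "salt": bytes}
TOKENS = {}  # selector -> {"user": str, "validator_hash": bytes, "expires": float}
MAX_LIFETIME = 30 * 24 * 3600  # absolute cut-off after which the cookie is refused

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_user(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = {"pw_hash": _hash_password(password, salt), "salt": salt}

def login(username, password, now=None):
    """Interactive login; on success returns the value to put in the cookie."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(
            _hash_password(password, user["salt"]), user["pw_hash"]):
        return None
    selector = secrets.token_urlsafe(12)   # lookup key, stored in clear
    validator = secrets.token_urlsafe(32)  # secret; only its hash is stored
    TOKENS[selector] = {
        "user": username,
        "validator_hash": hashlib.sha256(validator.encode()).digest(),
        "expires": (now if now is not None else time.time()) + MAX_LIFETIME,
    }
    return f"{selector}:{validator}"

def auto_login(cookie, now=None):
    """Auto-login-on-load when no session exists; returns the username or None."""
    try:
        selector, validator = cookie.split(":", 1)
    except (AttributeError, ValueError):
        return None
    rec = TOKENS.get(selector)
    if rec is None or (now if now is not None else time.time()) > rec["expires"]:
        TOKENS.pop(selector, None)  # unknown or past the cut-off: permanently logged off
        return None
    presented = hashlib.sha256(validator.encode()).digest()
    if not hmac.compare_digest(presented, rec["validator_hash"]):
        del TOKENS[selector]  # right selector, wrong secret: revoke, never retry
        return None
    return rec["user"]

def logout(cookie):
    """Explicit logout deletes the server-side half, which kills the cookie too."""
    TOKENS.pop(cookie.split(":", 1)[0], None)

def change_password(username, new_password):
    """Store the new hash and revoke every remember-me token for the user."""
    create_user(username, new_password)
    for selector in [s for s, r in TOKENS.items() if r["user"] == username]:
        del TOKENS[selector]
```

Because the password never leaves the server, a stolen laptop yields only a revocable token, and changing the password from another machine invalidates it exactly as the posts intend.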
FCS-Webmaster
VP-CART New User
Canada
120 Posts
Posted - May 21 2008 : 13:40:33
I'm having the problem with simply shopping, constantly adding products to the cart (within 60 seconds of each other) then the products disappearing from the cart. I'm getting emails from my customers about this so I'm sure this problem is costing money.
FCS-Webmaster
VP-CART New User
Canada
120 Posts
Posted - June 25 2008 : 10:12:21
I have got another 3 emails this week about customers having items in their cart then having the cart just go empty on them. Does anyone know if this has something to do with whether or not you have a compact privacy policy or is there something programmatically wrong?
support
Administrator
4679 Posts
Posted - June 25 2008 : 10:16:21
Hi there
You need to ensure that the xshopid setting and xssl setting match, except that the xssl one has an extra "s" in the domain.
That way it always ensures that when customers switch from normal to SSL mode no sessions are dropped.
This is the biggest cause of dropped carts.
The other is the default timeout setting for IIS, which is 5 minutes. You may need to ask your host to extend this in IIS to 15 or 20 minutes.
Hope this helps.
Thanks Cam
VP-ASP Support
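Added here as an example, not VP-ASP's own code, is a small check of the xshopid/xssl pairing Cam describes, assuming both settings hold full URLs. A session cookie is tied to the host it was set on (and is host-only when no Domain attribute is set), so any difference beyond http versus https means the cart cookie is not sent after the switch to SSL.

```python
from urllib.parse import urlsplit

# Constructed sample settings in the shape the support reply describes:
# xshopid is the plain-HTTP shop URL, xssl the same URL served over HTTPS.
GOOD_CONFIG = {
    "xshopid": "http://www.example-shop.com/vpasp",
    "xssl": "https://www.example-shop.com/vpasp",
}
BAD_CONFIG = {
    "xshopid": "http://example-shop.com/vpasp",     # missing "www."
    "xssl": "https://www.example-shop.com/vpasp/",  # "www." plus trailing slash
}

def session_url_problems(xshopid, xssl):
    """Return the reasons the two URLs would not share one session cookie.

    Browsers key cookies on host and path, never on scheme, so the two
    settings must differ only in http vs https for the cart to survive
    the switch into checkout. A trailing slash alone is tolerated.
    """
    plain, secure = urlsplit(xshopid), urlsplit(xssl)
    problems = []
    if plain.scheme != "http":
        problems.append(f"xshopid scheme is {plain.scheme!r}, expected 'http'")
    if secure.scheme != "https":
        problems.append(f"xssl scheme is {secure.scheme!r}, expected 'https'")
    if plain.hostname != secure.hostname:
        problems.append(f"host mismatch: {plain.hostname!r} vs {secure.hostname!r} "
                        "(a cookie set on one host is not sent to the other)")
    if plain.path.rstrip("/") != secure.path.rstrip("/"):
        problems.append(f"path mismatch: {plain.path!r} vs {secure.path!r}")
    return problems

def check_config(config):
    """Validate a dict holding the xshopid and xssl values from shop$config.asp."""
    return session_url_problems(config["xshopid"], config["xssl"])

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_config(cfg) or "ok")
```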
SDCPieter
VP-CART New User
United Arab Emirates
57 Posts
Posted - July 03 2008 : 09:48:14
Where in IIS do you set this?
FCS-Webmaster
VP-CART New User
Canada
120 Posts
Posted - July 29 2008 : 09:56:05
I have fewer complaints about customer carts going missing, but I'm still having the problem. 2 complaints from this weekend alone. One had to place 2 orders because after several attempts they couldn't get 3 items in the same shopping cart. The other tried to put 5 items in the cart and even used the save cart option and still had problems.
I talked to my hosting company and they informed me that they have their servers' IIS timeout setting set to 20 minutes.
SDCPieter
VP-CART New User
United Arab Emirates
57 Posts
Posted - July 30 2008 : 01:34:32
quote: Originally posted by FCS-Webmaster
I have fewer complaints about customer carts going missing, but I'm still having the problem. 2 complaints from this weekend alone. One had to place 2 orders because after several attempts they couldn't get 3 items in the same shopping cart. The other tried to put 5 items in the cart and even used the save cart option and still had problems.
I talked to my hosting company and they informed me that they have their servers' IIS timeout setting set to 20 minutes.
I suspect the timeout settings referred to in these posts are Session timeouts on classic ASP applications and have nothing to do with IIS or where to set it (at least, off the bat that I can think of).
To set the session timeout in your ASP pages to something higher than 20 minutes (which is the default) use Session.Timeout.
You can set it for a maximum of 24 hours. I would recommend perhaps an average of 3 hours (as I have noticed users on average have between 10-90 minute shopping "sprees"; as most browse from an office environment, it happens that they get interrupted with work and only come back later).
Anyway, post if this helped you.
I think shop$db.asp is the right place to set such a timeout because it gets included in almost every single file (if not all) in VPASP
FCS-Webmaster
VP-CART New User
Canada
120 Posts
Posted - July 31 2008 : 12:54:54
Thanks SDCPieter for the advice.
I tried it out and ran into some problems in testing.
In doing my testing (on both with the session.timeout and without) the cart lost products a total of 9 times. I'm amazed I'm getting any orders coming in at all!
Here is the first small test with the session.timeout set to 40 minutes added to shop$db.asp
================================================================
Test with session.timeout set to 40 minutes inside shop$db.asp
================================================================
10:27 start time - added paintball vest
10:29 - added winch to cart
10:31 - added dental pick and dental mirror to cart
10:33 - added USB 2.0 Expansion Card by A-Byte® to cart
10:37 - increased quantity of winch to 2 - winch, dental pick, dental mirror and usb card in cart
10:38 - went to audio/video section - speaker wire - added Ultralink® Challenger Series 12 Gauge In Wall Speaker Cable to cart - CART ONLY CONTAINED SPEAKER CABLE
10:39 - did search and old cart with old products (winch, dental pick, dental mirror and usb card) appeared without the speaker wire
10:43 - went into audio video category page and ONLY SPEAKER WIRE WAS LISTED IN CART
10:46 - performed search and OLD CART (WINCH, DENTAL PICK, DENTAL MIRROR AND USB CARD) APPEARED
10:47 - removed session.timeout from shop$db.asp
10:47 - cleared carts, restarted browser
================================================
New Test with shop$db.asp reset to old version
================================================
10:51 - added winch to cart
10:52 - added large mash t-shirt to cart
11:01 - Went to backpack page - NO SIGN OF PRODUCTS IN MINI CART
11:02 - added luminum Accessory Carabiners -- 7mm - only item in cart is luminum Accessory Carabiners -- 7mm - no sign of mash t-shirt or winch in cart
11:04 - performed search for paintball
11:05 - clicked on Extreme Rage® Xray version 2.0 Paintball Goggles
11:06 - added Extreme Rage® Xray version 2.0 Paintball Goggles to cart - WINCH, MASH T-SHIRT AND PAINTBALL GOGGLES IN CART - NO SIGN OF CARABINER IN CART
11:07 - clicked on camping gear section - mini bar only shows carabiner in cart
11:08 - performed search for clock - WINCH, MASH T-SHIRT AND PAINTBALL GOGGLES SHOWN AS IN CART
11:09 - clicked on Aluminum Video Surveillance Warning Signs page - added Aluminum Video Surveillance Warning Signs to cart
11:13 - clicked on lab tool category - Winch, MASH T-shirt, paintball goggles and warning signs in cart - no sign of carabiner in cart
11:15 - Clicked on magnet sub category - clicked on Ceramic Disc Magnets
11:16 - added Ceramic Disc Magnets to cart - Winch, MASH T-shirt, paintball goggles, warning signs and magnet in cart - no sign of carabiner in cart
11:17 - clicked on rainwear section - Winch, MASH T-shirt, paintball goggles, warning signs and magnet in cart - no sign of carabiner in cart
11:18 - performed search for waterproof paper - added Waterproof Notebooks to cart - Winch, MASH T-shirt, paintball goggles, warning signs, magnet and Waterproof Notebooks in cart
11:21 - changed winch quantity to 3 - Winch, MASH T-shirt, paintball goggles, warning signs, magnet and Waterproof Notebooks in cart
11:24 - clicked on insect protection - added bug bomb - large to cart - Winch, MASH T-shirt, paintball goggles, warning signs, magnet, Waterproof Notebooks and bug bombs in cart
11:28 - performed search for padlocks
11:30 - clicked on Laminated steel padlocks
11:31 - added laminated steel padlocks to cart - Winch, MASH T-shirt, paintball goggles, warning signs, magnet, Waterproof Notebooks, bug bombs and laminated steel padlocks in cart
11:37 - Clicked on Airsoft and paintball section - ONLY CARABINERS SHOW UP IN CART
11:38 - click on Airsoft Guns and Accessories sub category - only carabiners show up in cart
11:39 - click on Firepower® Airsoft® Sticky Targets - add Firepower® Airsoft® Sticky Targets to cart - carabiners and Firepower® Airsoft® Sticky Targets in cart
11:41 - performed search for baton - WINCH, MASH T-SHIRT, PAINTBALL GOGGLES, WARNING SIGNS, MAGNET, WATERPROOF NOTEBOOKS, BUG BOMBS AND LAMINATED STEEL PADLOCKS IN CART - click on Telescopic Security Baton - 21 inch Solid Steel with Sheath
11:42 - added Telescopic Security Baton - 21 inch Solid Steel with Sheath to cart - Winch, MASH T-shirt, paintball goggles, warning signs, magnet, Waterproof Notebooks, bug bombs, laminated steel padlocks and baton in cart
11:46 - removed Ceramic Disc Magnets from cart - Winch, MASH T-shirt, paintball goggles, warning signs, Waterproof Notebooks, bug bombs, laminated steel padlocks and baton in cart - clicked on fishing & hunting section
11:47 - clicked on camouflage face paints - No change to Winch, MASH T-shirt, paintball goggles, warning signs, Waterproof Notebooks, bug bombs, laminated steel padlocks and baton in cart
11:48 - clicked on the product "Camouflage Face Paints" (with mirror)
11:50 - added Camouflage Face Paints - Winch, MASH T-shirt, paintball goggles, warning signs, Waterproof Notebooks, bug bombs, laminated steel padlocks, baton and Camouflage Face Paints in cart
11:55 - performed search for calipers - No change to Winch, MASH T-shirt, paintball goggles, warning signs, Waterproof Notebooks, bug bombs, laminated steel padlocks, baton and Camouflage Face Paints in cart
11:58 - clicked on 6 inch digital calipers - added quantity 2 digital calipers to cart - Winch, MASH T-shirt, paintball goggles, warning signs, Waterproof Notebooks, bug bombs, laminated steel padlocks, baton, Camouflage Face Paints and digital calipers in cart
12:03 - performed search for security cameras - No change to Winch, MASH T-shirt, paintball goggles, warning signs, Waterproof Notebooks, bug bombs, laminated steel padlocks, baton, Camouflage Face Paints and digital calipers in cart
12:06 - clicked on Hidden Cameras - Screw
12:07 - added Hidden Cameras - Screw to cart - Winch, MASH T-shirt, paintball goggles, warning signs, Waterproof Notebooks, bug bombs, laminated steel padlocks, baton, Camouflage Face Paints, digital calipers and Hidden Cameras - Screw in cart
12:10 - removed Laminated Steel Padlocks, Extreme Rage® Xray version 2.0 Paintball Goggles, Aluminum Video Surveillance Warning Signs and Speedway® 4 Ton Cable Puller/Hand Winch - CART NOW COMPLETELY EMPTY (DESPITE REMOVING ONLY 4 OF THE 10 PRODUCTS)
12:12 - performed search for tape
12:14 - clicked on duct tape - only duct tape in cart - clicked on car & marine audio
12:16 - clicked on car audio amplifiers sub category - NO ITEMS SEEN IN CART
12:17 - clicked on PB136GX - Pyramid® 240 Watt Royal Blue Amplifiers
12:18 - added PB136GX - Pyramid® 240 Watt Royal Blue Amplifiers to cart - only PB136GX - Pyramid® 240 Watt Royal Blue Amplifiers in cart (no sign of the duct tape or other products)
12:21 - performed search for hat - clicked on Misty Mountain® Aussie Style Bush Hats
12:22 - added Misty Mountain® Aussie Style Bush Hats tan-XL to cart - car amplifier and bush hat in cart
I'm not sure what else to do. It appears to be quite a random problem.
support
Administrator
4679 Posts
Posted - July 31 2008 : 19:58:34
Did you check the xshopid setting in the shop$config.asp file?
If you have and this has not fixed the problem I would suggest posting a ticket in our helpdesk and having our support team look into this for you.
Thanks Cam
VP-ASP Support