 Getting rid of Admin timeouts

devshb
Senior Member

United Kingdom
1904 Posts

Posted - August 24 2007 : 05:49:58
I was just wondering if anyone would want to use an addon that'd allow you to stay permanently "logged in" to admin?
ie using cookies to automatically log you back into admin when the page loads if you have a cookie in place for admin, and logout from admin would clear the cookie.
As long as you're not using a public pc then I don't really see any issues with that security-wise.

We're doing a similar thing on a site that we're about to release in a week or so, and while doing that I thought that vpasp admin could use pretty much the same logic as the site we're working on. For that other site, the fact that you can leave the window/tab open for days on end without the sessions needing to be there (either on the database or on the server) has made the system generally much easier to use and doesn't make you panic as much (ie it's a much more relaxing site to use because you're not forced into keeping it active).

Anyone got any thoughts on that kind of stuff?

Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons

carfin
VP-CART Expert

United Kingdom
948 Posts

Posted - August 24 2007 : 06:36:14
Hi Simon,

Even for people who are not using a computer with public access I think that being permanently connected to your admin site is not a good idea. I have always been very security conscious and have often been told that permanent open internet connections can be a risk even if we all have the most up to date firewalls and anti-virus software installed on the local and host machines. I don't mind logging in to our admin pages many times during the day. It only takes a couple of seconds and I think we all try to do things too fast these days (or maybe I just think that because I'm getting older)

Anyway that's my halfpenny's worth.

Carrol
www.deanston-electrical.co.uk

devshb
Senior Member

United Kingdom
1904 Posts

Posted - August 24 2007 : 07:53:01
yep; with my developer's hat on, I'd agree and say that it's best to have a timeout, and that if a timeout isn't in place then having warned the merchant of security aspects then as a developer I'm not responsible if they choose not to use one and then get hacked.

but, with my merchant hat on I'd say that it's just too annoying to lose the context of where you are (and anything that you've just typed in) purely because you haven't pressed a button for the last 20 minutes.

both sides are true/valid, and it's a tricky decision.

whether or not a timeout is relevant/advised probably depends on a combination of lots of things, including the physical setup/location of where the admin users are, how awkward it is to login again, how annoying/time-wasting it is to lose context/content of what was being done at the time of the timeout forcing a login redirect, and the nature of the system/business.

from what I can remember, timeouts are pretty much just a web invention, and were never in place before for non-web-based internal/admin systems apart from on critical systems like banks etc.

in my old job (working for insurers in an internal IT department), we never used timeouts because we needed to have about 10 different systems running/open on our pc's to be able to do our job, and having all that lot timing out whenever you're not active was just a non-starter. so, instead we just had explicit logouts that we used when we went for lunch or finished for the day, and people kept an eye out for anyone who was trying to sit down at a desk that wasn't theirs. security-wise it wasn't perfect, but in a practical sense it was really the only way that we could work.

another alternative is to just use a screen saver pwd as your timeout aspect, and then have all your actual admin systems stay logged in forever

Another alternative is to have a timeout, but that when you log back in again the system remembers what you were doing at the time of the timeout (ie so you don't lose context/content)

I work from home and nobody else shares my pc, so as far as I'm concerned I'd rather that nothing timed out on me ever.

Outlook doesn't time-out, neither does msn/yahoo/skype/ftp etc, and they're potentially more dangerous than something like a vpasp admin account; I don't see why any system should use timeouts to be honest, apart from something like online banking. If a user leaves themselves logged in then they've only got themselves to blame if someone else then comes along and uses the same pc. It's a bit like leaving the house without locking your door.

Anyway; I'm sure the subject will generate some debate, and that's always a healthy thing!

Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons

Edited by - devshb on August 24 2007 08:43:06

elammers
VP-CART Super User

USA
256 Posts

Posted - August 29 2007 : 09:54:14
I would be interested in this as would many of my clients. How often do you get distracted by a phone call while in the admin and when you return, click save or something and you get that annoying "unauthorized user" message, UGH!

Please, add it to the BYZ catalog.

Regards,
Eric in Maine

devshb
Senior Member

United Kingdom
1904 Posts

Posted - August 29 2007 : 17:06:20
excellent; I'm glad I'm not the only one who gets annoyed by it (it's not just a vpasp thing; it's all over the place on the web and it drives me nuts)

I'll definitely put it in the pending pile then and try and get it out there asap. Even if it doesn't sell many copies it'll still be worth it from my point of view even if it's only so that our own admin area doesn't keep timing out on me every time I try to update a product.

Anyone else got any thoughts on this?

Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons

Lori Titus
VP-CART New User

144 Posts

Posted - September 17 2007 : 15:07:56
As the data entry gal, I like the idea of no timeouts. My timeout seems to be set at 2 minutes, not 20 - I need to figure out where to change that. Was frustrating just now, when I got kicked off 3 times in a row while trying to make changes to a content page!

More importantly, though, forget about hacks. My laptop was stolen while on a business trip, and I did not have ready access to go and change passwords. If I had a permanent login, they could have grabbed whatever they wanted off the site.....(If they were that smart! They probably traded the laptop for drugs. But you get the point.)

The Internet's #1 supplier of honey and beeswax.

devshb
Senior Member

United Kingdom
1904 Posts

Posted - September 18 2007 : 04:22:28
ah; yes; the stolen laptop/pc is a good point; the logic that we're using for the no-timeout on our other system (the non-vpasp one) is that when it does an auto-login-on-load-if-no-session, it'll check the password in the database against the password in the cookie (ie the cookie should hold the id *and* the pwd), so if your laptop/pc did get stolen and your cookie was still active on it, then you could/would/should (hopefully before the thief works it out) change your pwd (via another pc obviously), and then the cookie on the stolen pc will effectively be invalid/unused.

on this other system, it does destroy the cookie when you explicitly logout, so there is still that option too if you don't want to keep the cookie.

very good point though; any more points like that then do let us know.

Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons

Edited by - devshb on September 18 2007 04:23:25

seeker1
VP-CART New User

Australia
114 Posts

Posted - September 25 2007 : 23:03:31
We are releasing a new VP-ASP enhancement as a productivity aid to merchants. It will have these new facilities.

1. Once merchant has successfully logged on, the session timeout will be ignored and they can walk away from screen and come back and still be logged on as administrator.

2. Future admin sessions will not require a logon unless the administrator has logged off in a previous session.

3. Merchant can go directly to admin page without the need to logon and use the navigation.

Security Features include:
4. Merchant can set a timeout period when the admin session is permanently logged off.

5. Changing admin password will disable any existing auto logon (if laptop is stolen for example)


We are looking for a few beta testers to comment on the design and suitability.


Howard Kadetz
[email protected]
www.hkprog.com
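
Added example, not code from the thread or from either add-on: a Python sketch of the auto-login cookie discussed in the two posts above (devshb's cookie that stops working after a password change, and the timeout period and password-change features seeker1 lists), with the cookie carrying a random token rather than the password. The class and function names, the in-memory tables and the password version counter are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class RememberMeStore:
    """In-memory stand-in for the admin user table and an auto-login token table."""

    def __init__(self, max_age_seconds):
        self.max_age = max_age_seconds  # merchant-set lifetime of an auto logon
        self.pw_version = {}            # user id -> counter bumped on password change
        self.tokens = {}                # selector -> (user, sha256(validator), version, expiry)

    def add_user(self, user):
        self.pw_version[user] = 1

    def issue(self, user, now=None):
        """Call after a successful password login; returns the cookie value."""
        now = time.time() if now is None else now
        selector = secrets.token_urlsafe(12)   # lookup key, not secret
        validator = secrets.token_urlsafe(32)  # secret; only its hash is stored
        digest = hashlib.sha256(validator.encode()).hexdigest()
        self.tokens[selector] = (user, digest, self.pw_version[user], now + self.max_age)
        return f"{selector}.{validator}"

    def auto_login(self, cookie, now=None):
        """Return the user id if the cookie is still valid, else None."""
        now = time.time() if now is None else now
        selector, sep, validator = (cookie or "").partition(".")
        record = self.tokens.get(selector) if sep else None
        if record is None:
            return None
        user, digest, version, expiry = record
        presented = hashlib.sha256(validator.encode()).hexdigest()
        if not hmac.compare_digest(presented, digest):  # constant-time comparison
            return None
        if now >= expiry or version != self.pw_version.get(user):
            del self.tokens[selector]  # expired, or password changed since issue
            return None
        return user

    def logout(self, cookie):
        """Explicit logout removes the server-side record, not just the cookie."""
        self.tokens.pop((cookie or "").partition(".")[0], None)

    def change_password(self, user):
        """Bumping the version invalidates every auto logon issued earlier."""
        self.pw_version[user] += 1


def demo():
    """Constructed scenario: cookie left on a stolen laptop, password changed elsewhere."""
    store = RememberMeStore(max_age_seconds=7 * 24 * 3600)
    store.add_user("admin")
    stolen = store.issue("admin", now=0)
    before = store.auto_login(stolen, now=3600)
    store.change_password("admin")  # done from another PC
    after = store.auto_login(stolen, now=7200)
    return before, after
```

Because the server stores only a hash of the validator and the cookie never contains the password, a copied cookie or a leaked token table does not reveal the admin credentials.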

FCS-Webmaster
VP-CART New User

Canada
120 Posts

Posted - May 21 2008 : 13:40:33
I'm having the problem with simply shopping, constantly adding products to the cart (within 60 seconds of each other) then the products disappearing from the cart. I'm getting emails from my customers about this so I'm sure this problem is costing money.

FCS-Webmaster
VP-CART New User

Canada
120 Posts

Posted - June 25 2008 : 10:12:21
I have got another 3 emails this week about customers having items in their cart then having the cart just go empty on them. Does anyone know if this has something to do about whether or not you have a compact privacy policy or is there something programmatically wrong?

support
Administrator

4679 Posts

Posted - June 25 2008 : 10:16:21
Hi there

You need to ensure that the xshopid setting and xssl setting match except the xssl has an extra "s" in the domain.

That way it always ensures that when customers switch from normal to SSL mode no sessions are dropped.

This is the biggest cause of dropped carts.

The other is that the default time out setting for IIS is 5 minutes. You may need to ask your host to extend this in IIS to 15 or 20 minutes.

Hope this helps.

Thanks
Cam

VP-ASP Support

SDCPieter
VP-CART New User

United Arab Emirates
57 Posts

Posted - July 03 2008 : 09:48:14
Where in IIS do you set this?

-

FCS-Webmaster
VP-CART New User

Canada
120 Posts

Posted - July 29 2008 : 09:56:05
I have less complaints about customer carts going missing, but I'm still having the problem. 2 Complaints from this weekend alone. One had to place 2 orders because after several attempts they couldn't get 3 items in the same shopping cart. The other tried to put 5 items in the cart and even used the save cart option and still had problems.

I talked to my hosting company and they informed me that they have their servers IIS timeout setting set to 20 minutes.

SDCPieter
VP-CART New User

United Arab Emirates
57 Posts

Posted - July 30 2008 : 01:34:32
quote:
Originally posted by FCS-Webmaster

I have less complaints about customer carts going missing, but I'm still having the problem. 2 Complaints from this weekend alone. One had to place 2 orders because after several attempts they couldn't get 3 items in the same shopping cart. The other tried to put 5 items in the cart and even used the save cart option and still had problems.

I talked to my hosting company and they informed me that they have their servers IIS timeout setting set to 20 minutes.



I suspect the timeout settings referred to in these posts are Session timeouts on classic ASP applications and have nothing to do with IIS or where to set it (at least, off the bat that I can think of).

To set the session timeout in your ASP pages to something higher than 20 minutes (which is the default) use Session.Timeout

You can set it for a maximum of 24 hours. I would recommend perhaps average 3 hours (as I have noticed users on average have between 10-90 minute shopping "sprees", as most browse from an office environment, it happens that they get interrupted with work and only come back later)

Anyway, post if this helped you.

I think shop$db.asp is the right place to set such a timeout because it gets included in almost every single file (if not all) in VPASP

-

FCS-Webmaster
VP-CART New User

Canada
120 Posts

Posted - July 31 2008 : 12:54:54
Thanks SDCPieter for the advice.

I tried it out and ran into some problems in testing.

In doing my testing (on both with the session.timeout and without) the cart lost products a total of 9 times. I'm amazed I'm getting any orders coming in at all!

Here is the first small test with the session.timeout set to 40 minutes added to shop$db.asp

================================================================
Test with session.timeout set to 40 minutes inside shop$db.asp
================================================================

10:27 start time
- added paintball vest
10:29
- added winch to cart
10:31
- added dental pick and dental mirror to cart
10:33
- added USB 2.0 Expansion Card by A-Byte® to cart
10:37
- increased quantity of winch to 2
- winch, dental pick, dental mirror and usb card in cart
10:38
- went to audio/video section
- speaker wire
- added Ultralink® Challenger Series 12 Gauge In Wall Speaker Cable to cart
- CART ONLY CONTAINED SPEAKER CABLE
10:39
- did search and old cart with old products (winch, dental pick, dental mirror and usb card) appeared without the speaker wire
10:43
- went into audio video category page and ONLY SPEAKER WIRE WAS LISTED IN CART
10:46
- performed search and OLD CART (WINCH, DENTAL PICK, DENTAL MIRROR AND USB CARD) APPEARED
10:47
- removed session.timeout from shop$db.asp

10:47
- cleared carts, restarted browser

================================================
New Test with shop$db.asp reset to old version
================================================

10:51
- added winch to cart
10:52
- added large mash t-shirt to cart
11:01
- Went to backpack page
- NO SIGN OF PRODUCTS IN MINI CART
11:02
- added luminum Accessory Carabiners -- 7mm
- only item in cart is luminum Accessory Carabiners -- 7mm.
- no sign of mash t-shirt or winch in cart
11:04
- performed search for paintball
11:05
- clicked on Extreme Rage® Xray version 2.0 Paintball Goggles
11:06
- added Extreme Rage® Xray version 2.0 Paintball Goggles to cart
- WINCH, MASH T-SHIRT AND PAINTBALL GOGGLES IN CART
- NO SIGN OF CARABINER IN CART
11:07
- clicked on camping gear section
- mini bar only shows carabiner in cart
11:08
- performed search for clock
- WINCH, MASH T-SHIRT AND PAINTBALL GOGGLES SHOWN AS IN CART
11:09
- clicked on Aluminum Video Surveillance Warning Signs page
- added Aluminum Video Surveillance Warning Signs to cart
11:13
- clicked on lab tool category
- Winch, MASH T-shirt, paintball goggles and warning signs in cart
- no sign of carabiner in cart
11:15
- Clicked on magnet sub category
- clicked on Ceramic Disc Magnets
11:16
- added Ceramic Disc Magnets to cart
- Winch, MASH T-shirt, paintball goggles, warning signs and magnet in cart
- no sign of carabiner in cart
11:17
- clicked on rainwear section
- Winch, MASH T-shirt, paintball goggles, warning signs and magnet in cart
- no sign of carabiner in cart
11:18
- performed search for waterproof paper
- added Waterproof Notebooks to cart
- Winch, MASH T-shirt, paintball goggles, warning signs, magnet and Waterproof Notebooks in cart
11:21
- changed winch quantity to 3
- Winch, MASH T-shirt, paintball goggles, warning signs magnet and Waterproof Notebooks in cart
11:24
- clicked on insect protection
- added bug bomb - large to cart
- Winch, MASH T-shirt, paintball goggles, warning signs magnet, Waterproof Notebooks and bug bombs in cart
11:28
- performed search for padlocks
11:30
- clicked on Laminated steel padlocks
11:31
- added laminated steel padlocks to cart
- Winch, MASH T-shirt, paintball goggles, warning signs magnet, Waterproof Notebooks, bug bombs and laminated steel padlocks in cart
11:37
- Clicked on Airsoft and paintball section
- ONLY CARABINERS SHOW UP IN CART
11:38
- click on Airsoft Guns and Accessories sub category
- only carabiners show up in cart
11:39
- click on Firepower® Airsoft® Sticky Targets
- add Firepower® Airsoft® Sticky Targets to cart
- carabiners and Firepower® Airsoft® Sticky Targets in cart
11:41
- performed search for baton
- WINCH, MASH T-SHIRT, PAINTBALL GOGGLES, WARNING SIGNS MAGNET, WATERPROOF NOTEBOOKS, BUG BOMBS AND LAMINATED STEEL PADLOCKS IN CART
- click on Telescopic Security Baton - 21 inch Solid Steel with Sheath
11:42
- added Telescopic Security Baton - 21 inch Solid Steel with Sheath to cart
- Winch, MASH T-shirt, paintball goggles, warning signs, magnet, Waterproof Notebooks, bug bombs, laminated steel padlocks and baton in cart
11:46
- removed Ceramic Disc Magnets from cart
- Winch, MASH T-shirt, paintball goggles, warning signs, Waterproof Notebooks, bug bombs, laminated steel padlocks and baton in cart
- clicked on fishing & hunting section
11:47
- clicked on camouflage face paints
- No change to Winch, MASH T-shirt, paintball goggles, warning signs, Waterproof Notebooks, bug bombs, laminated steel padlocks and baton in cart
11:48
- clicked on the product "Camouflage Face Paints" (with mirror)
11:50
- added Camouflage Face Paints
- Winch, MASH T-shirt, paintball goggles, warning signs, Waterproof Notebooks, bug bombs, laminated steel padlocks, baton and Camouflage Face Paints in cart
11:55
- performed search for calipers
- No change to Winch, MASH T-shirt, paintball goggles, warning signs, Waterproof Notebooks, bug bombs, laminated steel padlocks, baton and Camouflage Face Paints in cart
11:58
- clicked on 6 inch digital calipers
- added quantity 2 digital calipers to cart
- Winch, MASH T-shirt, paintball goggles, warning signs, Waterproof Notebooks, bug bombs, laminated steel padlocks, baton, Camouflage Face Paints and digital calipers in cart
12:03
- performed search for security cameras
- No change to Winch, MASH T-shirt, paintball goggles, warning signs, Waterproof Notebooks, bug bombs, laminated steel padlocks, baton, Camouflage Face Paints and digital calipers in cart
12:06
- clicked on Hidden Cameras - Screw
12:07
- added Hidden Cameras - Screw to cart
- Winch, MASH T-shirt, paintball goggles, warning signs, Waterproof Notebooks, bug bombs, laminated steel padlocks, baton, Camouflage Face Paints, digital calipers and Hidden Cameras - Screw in cart
12:10
- removed Laminated Steel Padlocks, Extreme Rage® Xray version 2.0 Paintball Goggles, Aluminum Video Surveillance Warning Signs and Speedway® 4 Ton Cable Puller/Hand Winch
- CART NOW COMPLETELY EMPTY (DESPITE REMOVING ONLY 4 OF THE 10 PRODUCTS)
12:12
- performed search for tape
12:14
- clicked on duct tape
- only duct tape in cart
- clicked on car & marine audio
12:16
- clicked on car audio amplifiers sub category
- NO ITEMS SEEN IN CART
12:17
- clicked on PB136GX - Pyramid® 240 Watt Royal Blue Amplifiers
12:18
- added PB136GX - Pyramid® 240 Watt Royal Blue Amplifiers to cart
- only PB136GX - Pyramid® 240 Watt Royal Blue Amplifiers in cart (no sign of the duct tape or other products)
12:21
- performed search for hat
- clicked on Misty Mountain® Aussie Style Bush Hats
12:22
- added Misty Mountain® Aussie Style Bush Hats tan-XL to cart
- car amplifier and bush hat in cart


I'm not sure what else to do. It appears to be quite random problems.

support
Administrator

4679 Posts

Posted - July 31 2008 : 19:58:34
Did you check the xshopid setting in the shop$config.asp file?

If you have and this has not fixed the problem I would suggest posting a ticket in our helpdesk and having our support team look into this for you.

Thanks
Cam

VP-ASP Support