Question Guests can view private forums!

13 years 8 months ago #132168 by greenMachine01
Hello
I have a private forum with just about 12 members who are all 'registered' members with access level controls specifically set up for their accounts. I selected what appears to be all the correct options in the Kunena security settings in the configuration to prevent guests seeing the forum. Yet sometimes when I log in I can see in the 'Who's Online' panel several 'Guests Online'. For me the forum is unusable if guests can see private content.
Would anyone have any ideas where I can look to resolve this?
I have attached a screenshot of the Who's Online panel below.

13 years 8 months ago #132169 by greenMachine01
I am not sure this is a security issue at all. It appears to be more about how Kunena registers statistics for forum usage.

Within the last hour I did a test from 3 separate PCs using 3 different browsers on each machine. I stayed logged in on one PC and on the other machines attempted to jump directly to the forum by typing the URL in the browser. I was immediately asked for login details. Before doing this I refreshed the browser where I was already logged in and a Guest was then declared in the 'Who's Online' panel. Each time I attempted to reload the forum URL without logging in another Guest appeared to be online.

Could someone confirm this is about how Kunena gathers statistics on visitors? If so, that is fine. I can see how that would be good for marketing; it may also, however, undermine private users' confidence in Kunena.

13 years 8 months ago #132188 by sozzled
Kunena does not "gather" statistics like you suggest. The Who Is Online function is not 100% reliable - we understand that and that's why we don't use it here on this website. It is better to disable this feature completely. Please search the forum for "who is online" in the subject.
The following user(s) said Thank You: TwoHoot

13 years 8 months ago #132199 by greenMachine01

sozzled wrote: Kunena does not "gather" statistics like you suggest. The Who Is Online function is not 100% reliable - we understand that and that's why we don't use it here on this website. It is better to disable this feature completely. Please search the forum for "who is online" in the subject.


Sorry, no implication intended about Kunena gathering data or accumulating information on unsuspecting users, though I can see how I communicated that. What I was suggesting instead is that there is not necessarily a security issue, that is, an unauthorized guest actually seeing private posts, because of the Guests online information represented in the 'Who is Online' panel. If there are, for example, 4 guests mentioned on the panel, that does not mean they can see into the forum, which in fact is private.

I will search the forum for "who is online" in the subject.

Cheers

13 years 6 months ago #136655 by cherryboy
I have a similar issue with statistics - guest access is prohibited but my stats show over 50 guests accessing the forum. This sounds high for just bots.

Looking on this support forum the numbers currently show 31 Members and 20775 Guests Online.

Now I know Kunena is popular but this sounds a little high :unsure:

Dave

13 years 6 months ago - 13 years 6 months ago #136657 by sozzled
Yes. The "statistics" do seem unrealistically and absurdly high, don't they? To repeat a famous saying of the 20th century, there are "lies, damned lies and statistics". I never bother myself with believing statistics (particularly in connection with an internet-based discussion forum); however, I understand that many people in the world-wide community are extremely concerned about such matters.

The term "guests" (in the Kunena statistics) is misleading especially in comparing the number of guests vs. the number of members. It would therefore assist to understand what the term "guests" really means and where the information comes from.

The number of members (who are online) is probably correct. When you log in to a Joomla website, you create one record in the session table and all activity after that is related to that single session record. The count of the number of members online is the count of the number of session records of logged-in users. It's not really a count of the number of people who are actually doing anything; it's only a count of the number of session records that have been created. Session records are destroyed when a user logs out or if the session time limit expires. So, it's possible to log in, view one or two pages and then exit the browser (without logging out) but the session record is still there and the statistics show you as being logged in.

The count of guests is different. If someone or something (e.g. a bot) accesses a page, a Joomla session is established for that page view. This means that if there's a bot spidering a site, several hundred (or potentially several thousand) page views are created and, because of the way that Joomla is designed, each page view constitutes a separate Joomla session. Basically, this is an issue of the way that Joomla is designed.

So what we're trying to say here is that the number of guests is not the number of unique people and it's not, necessarily, the number of unique page hits, either. The number of guests is not even a number relating to people. The number of guests is a number of session records. Session records cannot be destroyed by "logging out" (because you didn't log in to begin with); they can only be destroyed after the expiration of the session time limit defined in your site configuration. The longer the session time, the greater the number of session records and, correspondingly, the higher the number of "guests" viewing the forum.

How to fix it? Hmmm ... that's a good question.

Kunena uses Joomla session information to display these counts. The debate about the accuracy of the information has been ongoing at this site for the past 4 years. In that time we have had dozens of different topics on the question of statistical reliability. I tend to leave such debates to those who are fascinated with statistics.
Last edit: 13 years 6 months ago by sozzled.
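
The session-record counting described in the post above, as an added example that is not part of the original thread and is not Kunena or Joomla code. It uses a simplified, hypothetical session table in SQLite and constructed traffic, and assumes the crawler never returns its session cookie, so each of its requests creates a new row.

```python
import itertools
import sqlite3

_ids = itertools.count(1)

def new_db():
    db = sqlite3.connect(":memory:")
    # Simplified, hypothetical model: one row per session, not per person.
    db.execute("CREATE TABLE session (session_id TEXT PRIMARY KEY,"
               " guest INTEGER, userid INTEGER, time INTEGER)")
    return db

def request(db, now, cookie=None, userid=0):
    """Handle one page request; return the session id the client is given."""
    if cookie is not None:
        cur = db.execute("UPDATE session SET time = ? WHERE session_id = ?",
                         (now, cookie))
        if cur.rowcount:
            return cookie               # known session: refresh its timestamp
    sid = f"sess-{next(_ids)}"          # no valid cookie: a new row is created
    db.execute("INSERT INTO session VALUES (?, ?, ?, ?)",
               (sid, 0 if userid else 1, userid, now))
    return sid

def whos_online(db, now, lifetime):
    """(members, guests): unexpired session rows split by the guest flag."""
    row = db.execute(
        "SELECT COALESCE(SUM(guest = 0), 0), COALESCE(SUM(guest = 1), 0)"
        " FROM session WHERE time >= ?", (now - lifetime,)).fetchone()
    return tuple(row)

def simulate():
    """Constructed traffic for one hour; times are seconds from the start."""
    db = new_db()
    request(db, 50 * 60, userid=42)     # member closes the browser, no logout
    active = request(db, 10 * 60, userid=43)
    request(db, 58 * 60, cookie=active) # second member is still browsing
    guest = None
    for minute in (55, 56, 57):         # one browser sent to the login prompt
        guest = request(db, minute * 60, cookie=guest)
    for minute in range(60):            # one crawler, one request per minute
        request(db, minute * 60)
    return db

if __name__ == "__main__":
    db = simulate()
    for lifetime in (15 * 60, 60 * 60):
        print(lifetime // 60, "min lifetime:", whos_online(db, 3600, lifetime))
```

Two unauthenticated clients produce 16 "guests" with a 15-minute session lifetime and 61 with a 60-minute one, and the member who left without logging out is still counted in both cases.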
