Question E-mail Subscription Link & Spoof Guest Users

10 years 9 months ago #1 by ozzie1989
Hello all,

I have several of my users who check the 'remember me' box when logging into the website. If they click the link in a subscription e-mail generated from Kunena it takes them into the forum but the forum then displays the Access Denied, "You do not have permissions to access this page." error message. If they hit the refresh button, the thread loads fine, but always goes back to the first page. Any thoughts?

Other users are fine as when they click the link in the e-mail it prompts them to login, and when they do it takes them to the last post correctly.

Also, I have another issue whereby in my statistics section I am showing several guest users even though all permissions in Joomla and Kunena are set to 'Registered'. Whilst I don't doubt that guests are unable to access my forum, it is disconcerting for my users who think guests are being allowed access. Any thoughts?


---

This message contains confidential information

Database collation check: The collation of your table fields are correct

Joomla! SEF: Enabled | Joomla! SEF rewrite: Enabled | FTP layer: Disabled |

This message contains confidential information
htaccess: Exists | PHP environment: Max execution time: 60 seconds | Max execution memory: 128M | Max file upload: 100M

Kunena menu details:

Warning: Spoiler!

Joomla default template details : beez5 | author: Angie Radtke | version: 2.5.0 | creationdate: Unknown

Kunena default template details : Blue Eagle 2.0 | author: Kunena Team | version: 3.0.0 | creationdate: 2013-05-15

Kunena version detailed: Kunena 3.0.0 | 2013-05-15 [ Wanga ]
| Kunena detailed configuration:

Warning: Spoiler!
| Kunena integration settings:
Warning: Spoiler!
| Joomla! detailed language files installed:
Warning: Spoiler!

Third-party components: UddeIM 3.0

Third-party SEF components: None

Plugins: None

Modules: Kunena Latest 3.0.0

10 years 9 months ago #2 by sozzled
Can we try to break down these issues into smaller, more manageable parts?

Let's look first at the question about the Remember Me checkbox. As far as I know, this checkbox exists for those people who use a web browser and do not have some kind of "remember what form fields I used last time I visited this website" feature. On submitting the form, the Remember Me checkbox causes Kunena to write a cookie on the user's PC and the cookie is used to populate the form fields (at least, that's my understanding of what it's used for and maybe I'm wrong).

But checking the Remember Me checkbox does not automatically login the user to the site ... and I think that's where the difference lies in understanding what this issue is all about. Just because the Username and Password fields are filled in with the details of the account that was used the last time the person accessed your website from that particular PC - remember that cookies only exist on the PC where you accessed a website from - this does not mean that a user is logged-in simply by visiting a web page. The user still has to press the Login button.

Further, the ability to "remember" the contents of form fields depends on the platform and the browser that you used. When I access the Kunena website from my iPad, the form fields are never populated with the information that I used between when I last accessed the site and when I turned off my iPad. Safari for iPad does not seem to have any "store cookies" or "store form field" information (at least, not that I have been able to discover).

So can we first eliminate the factors that I have described above?
The following user(s) said Thank You: ozzie1989

10 years 9 months ago - 10 years 9 months ago #3 by ozzie1989
Thanks for that information.

The 'Remember Me' function in Joomla, on my website at least, definitely keeps the user logged in until they log out on that particular device. You are right it uses a Cookie to do this.

This is how my members use the function and they report that even if they don't visit the website for a week or more they are still logged in when they return?

I have tested it myself and can easily re-create the issue by checking the 'Remember Me' box - I can go directly to any link on the website that's only accessible to registered users and it works fine, but if the first page I go to is a Kunena page I get the access denied error I mention above. This only applies to external links opening up the website, if you are already on the website and use the menu etc to access the forum it all works fine.

Any help appreciated :) thanks!
Last edit: 10 years 9 months ago by ozzie1989.

10 years 9 months ago #4 by sozzled

ozzie1989 wrote: The 'Remember Me' function in Joomla, on my website at least, definItely keeps the user logged in until they log out on that particular device. You are right it uses a Cookie to do this.

I do not think that's how Joomla works at all. Perhaps if you asked the Joomla forum for this information, and post the considered reply from one of the members of the Joomla development team here, there might be a dissenting view.

A user remains logged-in for as long as the session cookie is "alive"; when the session cookie expires the user is logged out. The expiry time for a user's Joomla session is defined by the value (in minutes) of

Joomla Global Configuration » Server » Session Settings » Session Lifetime

Kunena also has a session setting (a value in seconds), defined by

Kunena Forum » Configuration » General » Basic Settings » Session Lifetime

When people have problems with users being "logged-out" unexpectedly, we have discussed the suggested arrangement where you should define these two values the same. That is, if you have a Joomla Session Lifetime of 15 minutes (which is the default) then you should, likewise, set the Kunena Session Lifetime to 1200 seconds (which is not the default). The Kunena Session Lifetime is important for

... access rights recalculation, whoisonline display and NEW indicator. Once a session expires beyond that timeout, access rights and the NEW indicator are reset.


As far as the possibility that a user can login, close a web browser page and revisit the site a week later and expect to pick up from where they left off before, that's not only unusual, I have never heard of such a possibility occurring. This, to me, would pose a risk to security by allowing anyone to use someone else's PC and do all manner of things without the former user being aware of them.

10 years 9 months ago #5 by robinwave
This is great information. Thanks ozzie1989

10 years 9 months ago #6 by ozzie1989

sozzled wrote: As far as the possibility that a user can login, close a web browser page and revisit the site a week later and expect to pick up from where they left off before, that's not only unusual, I have never heard of such a possibility occurring. This, to me, would pose a risk to security by allowing anyone to use someone else's PC and do all manner of things without the former user being aware of them.


This is a feature on most websites, the biggest one I can think of is Google. If I check the 'remember me' box when logging into Google, when I go back on my PC later that day, the day after or even a week after I can still access all my Google features (e-mail, drive etc.) without being prompted for a login.

After all, I am the only one who uses my PC and I have a password on it so why not?

Before I take this any further I will speak to the Joomla guys to confirm if this feature is working correctly on my site and I'll check the session timers (although I don't actually have an issue with users being logged out of either Joomla or Kunena, as Kunena even displays their name when it denies them access).
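
Added example, not part of any post in this thread and not Joomla's or Kunena's code: a generic sketch of a persistent "remember me" login running beside a short session lifetime, with the shared-PC concern raised above handled by token expiry, single-use rotation and revocation on logout. The `Auth` class, both lifetimes and the `selector:validator` cookie format are assumptions made for illustration.

```python
import hashlib, hmac, secrets

SESSION_LIFETIME = 15 * 60          # seconds; assumed short idle timeout
REMEMBER_LIFETIME = 14 * 24 * 3600  # seconds; assumed remember-me validity

class Auth:  # hypothetical in-memory store, for illustration only
    def __init__(self):
        self.sessions = {}   # session id -> (user, last_seen)
        self.tokens = {}     # selector -> (user, sha256(validator), expires)

    def login(self, user, now, remember=False):
        sid = secrets.token_hex(16)
        self.sessions[sid] = (user, now)
        return sid, (self._issue(user, now) if remember else None)

    def _issue(self, user, now):
        selector, validator = secrets.token_hex(8), secrets.token_hex(32)
        digest = hashlib.sha256(validator.encode()).hexdigest()
        self.tokens[selector] = (user, digest, now + REMEMBER_LIFETIME)
        return f"{selector}:{validator}"   # cookie value; server keeps only the hash

    def session_user(self, sid, now):
        entry = self.sessions.get(sid)
        if entry is None or now - entry[1] > SESSION_LIFETIME:
            self.sessions.pop(sid, None)   # idle timeout reached
            return None
        self.sessions[sid] = (entry[0], now)   # activity extends the session
        return entry[0]

    def resume(self, cookie, now):
        """Exchange a remember-me cookie for a new session and a rotated cookie."""
        selector, _, validator = (cookie or "").partition(":")
        entry = self.tokens.pop(selector, None)    # single use: always consumed
        if entry is None:
            return None
        user, digest, expires = entry
        presented = hashlib.sha256(validator.encode()).hexdigest()
        if now > expires or not hmac.compare_digest(presented, digest):
            return None
        sid, new_cookie = self.login(user, now, remember=True)
        return user, sid, new_cookie

    def logout(self, user):
        """Explicit logout revokes every session and remember-me token of the user."""
        self.sessions = {k: v for k, v in self.sessions.items() if v[0] != user}
        self.tokens = {k: v for k, v in self.tokens.items() if v[0] != user}
```

In this model any component that makes an access decision has to call `resume` before it checks permissions on the first request after the session has expired.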
