password incorrect errors

MajikImaje · February 14, 2011, 08:37:45 PM

I am faced with the same problem sort of. I run a new install; eveyrthing is fine. I log in as admin - everything is fine. Now to access the admin section, I have to log in again.. this always fails I get this message : Session verification failed. Please try logging out and back in again, and then try again. I can't even log out. I can't log in ? I destroy the files and upload a new copy and create a new data base.. This happens every time with a new install. It doesn'tmatter if I am installing V2 or 1.12

I can't get in to change or do anything. Session verification failed. Please try logging out and back in again, and then try again.

Cal O'Shaw · February 14, 2011, 08:42:33 PM

What MODs do you have? Do you have the Forum Firewall MOD installed? We had to pull the firewall MOD because we got the same problem. Delete your forum cookie and you should be able to get in.

Cal

MajikImaje · February 14, 2011, 09:31:53 PM

Excuse me for sounding totally stupid DOH ? where do I go to delete the forum cookie.

Bigguy · February 14, 2011, 09:46:31 PM

In your browsers options. It's different in IE and FF or whatever you are using.

MajikImaje · February 14, 2011, 09:48:41 PM

THANKS FOR THE INFO: I will report back shortly!!! (fingers crossed) I hope I can resolve this issue. Again - thanks for taking the time to respond

Bigguy · February 14, 2011, 09:49:50 PM

Also you may want to change the name of your forums cookie. You can do that in the admin panel under server settings I do believe.

Cal O'Shaw · February 14, 2011, 10:00:12 PM

@PLAYBOY, but I do not want the names shown to guests. Especially if that gives attackers a way to break in.

@laetabi, that's fine for you, but did you roll that in at the start, or after you had a couple of thousand members? What kind of time did you have to spend educating your members to the change? Did you lose members from the change?

I don't see having the ability to DECIDE to hide membernames from guests as a big technical problem. The decision logic is extremely simple: If Guest, show XXX else show membername

Could we please get some indication from SMF Support that they are even READING this topic? Maybe give some sign it's being addressed? And if not SMF Support, some SMF Wizard who might take pity on us 1.1.x sites and write something we can use to plug this hole?

Cal

Bigguy · February 14, 2011, 10:04:18 PM

SMF support will be reading this you can be assured of that.

Cal O'Shaw · February 14, 2011, 10:06:23 PM

Thanks, Bigguy!

Just knowing that helps quite a bit out here in the trenches!

Cal

Bigguy · February 14, 2011, 10:07:46 PM

We are all here in the trenches. Sometimes things might seem a bit slow but there is a lot going on. Someone from the Support team or one of the other teams should be around soon.

MajikImaje · February 14, 2011, 10:09:41 PM

Ok BigGuy: I was able to access the board; finally; BUT I can't make a post; it says session timed out. I can access admin (good). but I cannot change anything. AND..I still can't log out ??

MajikImaje · February 14, 2011, 10:13:25 PM

I tried to change my password that got me in there. but it will not accept the changes

Session verification failed. Please try logging out and back in again, and then try again.
can't log out!

Bigguy · February 14, 2011, 10:15:42 PM

Do you have sessions on in the admin panel. Have you tried turning them off.

You'll probably get a session timeout error when doing that but they should still turn off. I do not know if that will solve the problem or not but it's worth a shot.

Cal O'Shaw · February 14, 2011, 10:18:59 PM

Majik, if you have another browser that you have NOT used to log into your forum, log on using that. It should break it open. That's how we got through when it happened to us (in our case, turned out to be the Forum Firewall MOD; after we uninstalled it we were able to log in properly).

Cal

MajikImaje · February 14, 2011, 10:39:28 PM

I am in - making changes - I turned off caching - I am using safari !!!

catfished · February 15, 2011, 12:45:18 AM

Quote from: MajikImaje on February 14, 2011, 08:37:45 PM
I am faced with the same problem sort of. I run a new install; eveyrthing is fine. I log in as admin - everything is fine. Now to access the admin section, I have to log in again.. this always fails I get this message : Session verification failed. Please try logging out and back in again, and then try again. I can't even log out. I can't log in ? I destroy the files and upload a new copy and create a new data base.. This happens every time with a new install. It doesn'tmatter if I am installing V2 or 1.12

I can't get in to change or do anything. Session verification failed. Please try logging out and back in again, and then try again.

You have started a completely different topic starting with this post. While I sympathize with your problems, perhaps a moderator could create a new topic starting with this thread and including all the relevant posts below.

This would leave the original topic's posts in order so we can get our problem solved. Thanks in advance to any mod who does this.
Edit 2/15/11 10:40 am: I guess no one gives a s***!

willerby · February 15, 2011, 02:38:58 AM

Quote@laetabi, that's fine for you, but did you roll that in at the start, or after you had a couple of thousand members? What kind of time did you have to spend educating your members to the change? Did you lose members from the change?

Good questions but actually it was no hassle for 3,000 active members on a 2+ year old site.

I put a post up 24 hours in advance announcing the change, put a news item that guests could see and then launched the email log-in mod.

One or two members had not updated their email addresses to new ones and one or two had forgotten which email address they had originally registered with but they dropped the forum admin email address a note and were sorted quickly.

It really isn't a big issue although, like you, I thought it might be. The forum is as active as ever and if I've lost one or two that would be nothing compared to how many I would have lost if this bot had kept logging people out or worse, had damaged members faith in the forum security.

Personally, I think its the way to go. Denying IP addresses will go on forever as this thing seems to have infected genuine users and is probably continuing to do so at an increasing rate.

The suggestion that it is now affecting facebook makes upgrading to the latest fix and installing antispam software and increased security on your forum a must do. Email log-in makes sense as its part of the security measures you can take.

Personally, I think you can, and should, sell that to members. Its their personal info that you are trying to protect.

Cal O'Shaw · February 15, 2011, 02:46:26 AM

I'm discussing with the site owner and already started looking at how to implement it if I get concurrence. At the same time I'm contacting the accounts that are being used for the attack and changing their login id so the bot hits "invalid username". And as more and more sites use email addresses as userids it won't seem that different. Probably tell the users to log in via email address for a few days and then install the MOD.

Still would like to hide membernames from guests, even if they won't be usable for log in attacks...

Cal

PLAYBOY · February 15, 2011, 03:09:52 AM

cb|Emailogin mod took care of the situation for now. I actually liked it a lot. I mean i would probably use it even before this problem.

butchs · February 15, 2011, 05:25:53 AM

Quote from: Cal O'Shaw on February 14, 2011, 08:42:33 PM
What MODs do you have? Do you have the Forum Firewall MOD installed?

Forum Firewall has nothing to do with sessions. In RC1x it uses it's own disk cache. Try accepting the browser cookies for your site when you log in as admin.

News:

password incorrect errors