Posted on: 02/23/03 08:51am
By: etegration
I don't know if this is a bug with IP Plot or Geeklog or my broadband connection itself. My site is @ http://www.itcow.com. Whenever I log in as Admin and click on a few admin links, like going to add a static page, then create a poll, etc. This only happens when I use a Singnet broadband connection (ADSL connection) here in Singapore. While using a Maxonline connection (cable connection), it has no such problems.
I have IP Plot installed and it shows that each Admin account is with a different IP address with a difference of just 1, as in 202.166.126.229, 202.166.126.230, 202.166.126.231, 202.166.126.232 and so on... Also, please see http://www.itcow.com/temp/ma.gif for a screenshot.
I don't know if there is any security flaw around, with this problem. Anyone can enlighten me?
Multiple Admin
Posted on: 02/23/03 12:11pm
By: isol8
Sounds like a proxy issue, not really a bug or a security issue.
Multiple Admin
Posted on: 02/23/03 02:48pm
By: Anonymous (Anonymous)
I think it's some sort of bug. He shouldn't be showing up eight times with the same login.
Multiple Admin
Posted on: 02/23/03 02:54pm
By: Dirk
I agree with isol8 - this looks like a proxy issue or something like that.
What's probably happening is that the original poster is assigned a new IP every time he clicks on a link on his site. So Geeklog will start a new session for this supposedly "new" visitor (identified as the Admin by the cookies). The old sessions are now useless and will stay around until they expire.
Since no one can pick up those "dangling" sessions it shouldn't pose a security problem either.
bye, Dirk
Multiple Admin
Posted on: 02/23/03 03:26pm
By: Anonymous (Anonymous)
That may be the cause, but it's still a software bug. The block shouldn't be showing multiple log ins for the same alias. In his particular case, I agree it's probably not a security problem. However, if someone obtained another person's password, he could easily log in and pose as that person at the exact same time because there doesn't seem to be any checking for this.
Multiple Admin
Posted on: 02/23/03 04:14pm
By: Dirk
Well, if someone gets hold of your Admin password, then you're lost, obviously. Blocking someone when he tries to log in with a stolen password while the real Admin is still online won't really help here - he can always come back later.
Actually, it's not a good idea to block a second log-in attempt from another IP. Consider being disconnected by your ISP and trying to log into the site again (usually from a different IP) - now you have two legitimate(!) sessions from two different IPs. You certainly don't want to wait until the old session expires.
All in all, this is nothing more than a cosmetic issue.
bye, Dirk
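The behaviour discussed in the thread (a new session each time the proxy hands out a new IP, with the old sessions lingering until they expire), modelled as an added example that is not part of the thread and is not Geeklog's code. The `SessionStore` class, its method names and the `SESSION_TTL` value are hypothetical; the IP addresses are the ones quoted in the first post.

```python
import secrets

SESSION_TTL = 7200  # seconds; assumed value, not taken from Geeklog


class SessionStore:
    """Toy model of IP-bound sessions (hypothetical, not Geeklog's code)."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user", "ip", "last_seen"}

    def request(self, user, ip, now):
        """One request from `user` (known from the login cookie) arriving from `ip`."""
        for sid, s in self.sessions.items():
            if s["user"] == user and s["ip"] == ip:
                s["last_seen"] = now  # same IP: keep using the session
                return sid
        sid = secrets.token_hex(8)  # new IP: treated as a new visitor
        self.sessions[sid] = {"user": user, "ip": ip, "last_seen": now}
        return sid

    def expire(self, now):
        """Drop sessions idle for SESSION_TTL or longer."""
        self.sessions = {sid: s for sid, s in self.sessions.items()
                         if now - s["last_seen"] < SESSION_TTL}

    def online_per_session(self):
        """One row per session: the duplicated listing reported in the thread."""
        return sorted(s["user"] for s in self.sessions.values())

    def online_per_user(self):
        """One row per user, keeping the IPs so an admin can still review them."""
        users = {}
        for s in self.sessions.values():
            users.setdefault(s["user"], set()).add(s["ip"])
        return {u: sorted(ips) for u, ips in users.items()}


def simulate():
    """Four clicks through a proxy pool (IPs from the first post), 30 s apart."""
    store = SessionStore()
    ips = ["202.166.126.229", "202.166.126.230",
           "202.166.126.231", "202.166.126.232"]
    for i, ip in enumerate(ips):
        store.request("Admin", ip, now=i * 30)
    return store


if __name__ == "__main__":
    store = simulate()
    print(store.online_per_session())
    print(store.online_per_user())
```

Listing per user removes the duplicate entries without refusing a second session from a different IP, so a user who reconnects from a new address is not locked out.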