Discourse default or a setting? Login Security

discourse
login

#1

This may be a Discourse thing and therefore not fixable - but even in an incognito window/tab if you log in, and then log out, then want to log in again with a different address it just logs you back in as the previous person!

That means any sort of public computer is not safe to use - which might not be a big deal, but security-wise it’s a huge flaw.

I even tried opening up a completely separate incognito window - the only way that works is if you have no incognito windows/tabs open anywhere, which is just frustrating as I use incognito for most things on computers that aren’t mine (e.g. my work computer).

I have 2 logins cuz the 'Forge was originally bought under a different one and if I need to add users or similar I have to log in using the old one.

Chrome Version 69.0.3497.100 (64-bit) running on a Win 10 desktop (though I doubt that matters)


#2

Discourse does not save any session info on their servers. It’s all done with cookies on the client (user) side.

If the login dialog is being pre-populated, the most likely candidate is your browser settings. Incognito mode in Chrome will continue to pull saved credentials associated with your google account (this is different than your browsing history). You may view and delete any credentials by opening Chrome to chrome://settings/ and opening the Passwords section. You may also want to review your settings “Sync” (directly above the Password section). It’s also a good idea to review your privacy settings at chrome://settings/privacy

Standard disclaimer: I’m not a GF employee. However, I administer a totally unrelated Discourse site as part of my day job. Hope this helps.


#3

Cool. I’ll check into that tomorrow. I’m hesitant cuz it’s not a problem I’m having on any other site, but I remain hopeful!


#4

Nope. Sadly it looks like Discourse stores the PWs in cookies - and if you turn off cookies entirely you cannot log in at all (you end up at the attached image) and if you set them to delete upon leaving you have to once again close every instance of Chrome before they’ll delete.

Definitely a security issue. Also interesting since per: https://meta.discourse.org/t/login-support-for-browser-password-managers/4738 the co-founder said “Chrome incognito mode no logins are saved, intentionally.” - but that was back in 2013…


#5

Usually a session ID is stored and not actual passwords, for security reasons. You can check in Chrome pretty easily by going to chrome://settings/siteData and looking for your password.


#6

Nice and all, but it works out to be the same thing as far as application security goes.


#7

This is how browsers work. You have to shut down every instance before it considers the browser closed.


#8

Yeah, which is why full login info shouldn’t be saved in the session ID… hence the security issue.


#9

This is pretty off topic for a Glowforge forum, so I’m pretty much going to drop it on the public forum after this. I’m not a security expert, but feel free to wait for Glowforge to respond on this thread or follow up via direct message.

My session and yours, I suspect, is stored as a unique string in a cookie “owned” by community.glowforge.com named _forum_session. The browser should only provide this back to community.glowforge.com, as that website and no other websites “own” that cookie. Should you take the contents of my cookie and replace your cookie with them, you might be set to impersonate me. It might take more cookies; I can see 3. None of my login credentials seem to be in there.

This is how most of the internet works, including Facebook, Amazon, Twitter etc. This is also why you shouldn’t log into sites on a public computer. In theory your session ID is supposed to be long enough and random enough that blind guessing won’t let you take someone else’s easily. It looks to only be 20 bytes, hex encoded to 40 text characters. This is insufficient to store my login or password in an easily recognizable form. There will be information in a database available to the website tying these cookies to my identity as they have established it.

Incognito windows should not maintain these cookies once closed, nor have access to your cookies from a non-incognito window, or otherwise. The main screen of Chrome’s incognito window should tell you the behavior you can expect. If it’s not what you are seeing, this may be a reason not to trust incognito mode in Chrome, or potentially a bug in Chrome. Incognito mode should also not be running extensions such as password managers and privacy tools.
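The opaque-session-cookie model described in #5 and #9, as an added example that is not part of the original thread and not Discourse's own code. It assumes a generic server-side session table (an in-memory dict standing in for a database; whether Discourse's real implementation keeps such a table is not established by the thread), reuses the `_forum_session` cookie name and the 20-byte/40-hex-character size observed above, and shows three things the posts argue over: the cookie value is random and carries no username or password, its entropy is 160 bits, and logging out invalidates the id on the server so a stale cookie left behind in a browser no longer authenticates anyone.

```python
"""Constructed illustration of opaque session ids (not Discourse's implementation).

Server keeps {sha256(session_id): user_id}; the browser keeps only the random id
in a cookie. No credential is ever placed in the cookie, and logout deletes the
server-side row, so replaying an old cookie fails.
"""
import hashlib
import secrets
from typing import Dict, Optional

SESSION_ID_BYTES = 20            # thread observation: 40 hex chars == 20 raw bytes
COOKIE_NAME = "_forum_session"   # cookie name quoted in the thread


def _fingerprint(session_id: str) -> str:
    """Store a hash of the id so a leaked session table is not a list of live cookies."""
    return hashlib.sha256(session_id.encode("ascii")).hexdigest()


class SessionStore:
    """Hypothetical server-side session table (assumption: dict stands in for a DB)."""

    def __init__(self) -> None:
        self._by_fingerprint: Dict[str, str] = {}

    def login(self, user_id: str) -> str:
        """Issue a fresh unguessable id. Password checking happens elsewhere and is never stored here."""
        session_id = secrets.token_hex(SESSION_ID_BYTES)  # CSPRNG, 160 bits of entropy
        self._by_fingerprint[_fingerprint(session_id)] = user_id
        return session_id

    def resolve(self, session_id: str) -> Optional[str]:
        """Map a presented cookie value back to a user, or None if unknown or revoked."""
        return self._by_fingerprint.get(_fingerprint(session_id))

    def logout(self, session_id: str) -> bool:
        """Invalidate server-side; a browser that still holds the cookie cannot use it."""
        return self._by_fingerprint.pop(_fingerprint(session_id), None) is not None


def set_cookie_header(session_id: str) -> str:
    """Set-Cookie value: Secure keeps it off clear-text HTTP, HttpOnly keeps it away from scripts."""
    return f"{COOKIE_NAME}={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Parse a request 'Cookie:' header of the form 'a=1; b=2' into a dict."""
    pairs: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            name, _, value = part.partition("=")
            pairs[name.strip()] = value.strip()
    return pairs


def entropy_bits(n_bytes: int = SESSION_ID_BYTES) -> int:
    """Bits of entropy in a session id of n random bytes (hex encoding adds none)."""
    return n_bytes * 8


def leaks_credentials(session_id: str, username: str, password: str) -> bool:
    """True if either credential appears verbatim in the cookie value (it never should)."""
    return username in session_id or password in session_id


def demo() -> Optional[str]:
    """Login, use the cookie, log out, then replay the stale cookie."""
    store = SessionStore()
    sid = store.login("alice")
    # Constructed request header: the session cookie alongside an unrelated one.
    cookie = parse_cookie_header(f"{COOKIE_NAME}={sid}; theme=dark")
    assert store.resolve(cookie[COOKIE_NAME]) == "alice"
    store.logout(sid)
    # The browser may still hold the cookie, but the server no longer recognises it.
    return store.resolve(sid)


if __name__ == "__main__":
    print("replayed cookie after logout resolves to:", demo())
```

The point of hashing the id before storing it is that a dump of the session table does not hand out usable cookies; the point of the `logout` row deletion is that the original complaint (log out, then get logged back in as the previous person) cannot happen on the server side if the id is revoked, so whatever re-logs the user in must be coming from something the browser still holds, not from the session id itself.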