login should always redirect to the microfocus login

**Feathers_McGraw** · 27-Dec-2015, 05:22

Hi,

On other linux forums that use vbulletin ( http://www.kubuntuforums.net ) I bookmark the control panel ( https://forums.opensuse.org/usercp.php ) to quickly see if any of the threads I am subscribed to have changed.

The problem I'm having is that I quite often get logged out of this forum, and the login form shown on the control panel page when I'm logged out doesn't work for me.

If I click the login link at the top of the page, I get taken to the microfocus login, which works fine.

Does the login page on usercp work for anyone else?

Is there a way to show the microfocus login instead of the one on the control panel, or redirect users who are not logged in to that page instead?

Thanks

**hcvv** · 28-Dec-2015, 02:25

I understand what you mean (I can recreate the siruation), but taking the time of the year into account, it could be that it takes some time for technical staff here to answer you.

In the mean time, I take the liberty to suggest something for the underlying problem: the frequuent logout.

Due to the way login on these forums function, killing your last window/tab on the forums in your browser will log you out. Thus, as you are looking at the forums more often per day, it might be usefull to leave at least one page of the forums open in yout browser (maybe minimised). Personaly I use the main page for it, but in your case, the page you mention in your post should be OK. Just reloading it when you want to look at it's most recent version should work then without a new login needed.

**nrickert** · 28-Dec-2015, 06:26

Originally Posted by hcvv

Due to the way login on these forums function, killing your last window/tab on the forums in your browser will log you out.

That's not my experience.

When I use firefox for the forums, after a visit I close that tab. When I come back an hour or three later, I am still logged in (usually). But after half a day, I find myself logged out. And even if I keep a tab open to the forums all the time, I am logged out after around half a day.

If I heavily use the forum, that does extend the time that I am logged in. But I don't have a good handle on what counts as "heavily used".

If I close the browser entirely, that logs me out because all session cookies are deleted.

More recently, I have been using konqueror. I also run "akregator" which shares cookies with konqueror. So I have been keeping a tab open to the forums in "akregator". Again, it doesn't help. Typically, after around half a day, I find myself logged out (in both akregator and konqueror).

**hcvv** · 28-Dec-2015, 06:52

Hm, It is the eternal "what happens when ...."

In any case, I am mostly loged out, even with a window open, around 17.00 MET each day. I assume that is done centraly. It could be that it is also happening at 5.00 MET (but then I am asleep) and that could explain your "half day" experience.

I use Akregator also, but no login is needed for that. Like everybody not loged in, it can "see" new threads in all the forums. Except those specialy for staff, but I assume that is not applicable to you.

When I close the Bvrowser totaly, the session cookies are lost and thus you are loged out. As you explained above.

But I realy have the idea that closing the last forums window also logs out, but I admit that II can not explian that because session cookies might still be there? I will take more care looking into this, it might enlighten me.

In all it is a bit bewildering and everybody probably settles down with a habit that fits him/her best.

The OP's remark that the forums software links to an unusable (because not used internaly) login page on many places except when clicking on the "login" top-right is valid IMO.

**nrickert** · 28-Dec-2015, 07:04

Originally Posted by hcvv

I use Akregator also, but no login is needed for that. Like everybody not loged in, it can "see" new threads in all the forums. Except those specialy for staff, but I assume that is not applicable to you.

If you login with konqueror, you will find that you are also logged in with akregator. Or vice versa. That's because konqueror, akregator (and rekonq) share cookies including the login cookies. And you have to close all three to have session cookies deleted. One of them remaining open seems to be enough for the session cookies to be retained.

Yes, I agree that the OP seems to have a valid point.

**hendersj** · 28-Dec-2015, 09:14

On Sun, 27 Dec 2015 12:26:01 +0000, Feathers McGraw wrote:

> Does the login page on usercp work for anyone else?

It shouldn't, if it's not the Microfocus login.

We use an SSO solution across all openSUSE project sites, and the
integration with vBulletin isn't as clean as we would like it.

On the plus side - because passwords aren't stored in the vBulletin
database at all, when there's an exploit against vBulletin passwords, our
forums are not affected.

But that does mean that there are some points where vBulletin will not
properly redirect to the correct login page. Integrating more tightly
would mean custom code, which would prevent us from applying software
updates to the forums in a timely manner.

Jim
--
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

**Feathers_McGraw** · 02-Jan-2016, 13:38

Thanks everyone for your replies.

Would it be possible to use a rewrite in Apache to work around this for the control panel specifically? There's nothing useful you can do on the control panel if you're not logged in, so anyone who isn't logged in on that page surely wants to go to the microfocus login. Also, a solution in the virtualhost config wouldn't prevent you from installing updates to vBulletin itself.

A while back I was experimenting with my Drupal site and mod_rewrite, and I managed to rewrite users to HTTP unless they were requesting the login page, or they already had a secure session cookie (I was using a self-signed certificate at the time and didn't want the HTTPS stuff indexed, but wanted to use the site on HTTPS myself - that's another story though).

Anyway, this was the config:

Code:

# rewrite HTTPS to HTTP unless request is to login page (/user/login) or secure session cookie is present
# works in FF and Rekonq on Linux, AOSP browser but not FF for Android.
RewriteCond %{HTTP_COOKIE} !^.*SSESS612cb529d2dfaadfff38b8731a3a4c8a.*$ [NC]
RewriteCond %{THE_REQUEST}      !user [NC]
RewriteRule ^/(.*)          http://www.example.com/$1 [R=302,L]

So in theory I can't see a reason why we couldn't rewrite based on whether a secure cookie is present and the request is to /usercp.php. Then again, I'm sure this forum is a lot more complicated than my site!

(I also noticed that I didn't finish the thread title for some reason, could someone edit it to "login should always redirect to the microfocus login" please? Thanks.)

**deano_ferrari** · 02-Jan-2016, 17:21

(I also noticed that I didn't finish the thread title for some reason, could someone edit it to "login should always redirect to the microfocus login" please? Thanks.)

I just checked. The full title is there in the main thread title - just truncated in the replies for some reason.

**hendersj** · 02-Jan-2016, 20:28

On Sat, 02 Jan 2016 20:46:01 +0000, Feathers McGraw wrote:

> Would it be possible to use a rewrite in Apache to work around this for
> the control panel specifically?

With the setup in use, it's probably not as straightforward as that, but
I've raised the issue with the technical admin for him to look and see
what might be able to be done.

Jim

--
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C