Security Issue...

56Kruiser56Kruiser Registered Users Posts: 116 Major grins
edited November 7, 2011 in SmugMug Support
I just set up two galleries (both can be reached from my Galleries menu), which have passwords. I logged out, but it doesn't ask for a password when I click on them, and it takes me in.

On the Legends Drive one, it worked when I first set it up.

On the Grandchildren one, when I set up the password, I also changed the theme. But as noted above, I can go to it w/o password...and the changed theme did not stick.

Not sure if this is related to the small outages tonight, or something on my site.

Any thoughts appreciated.

Comments

  • AndyAndy Registered Users Posts: 50,016 Major grins
    edited November 6, 2011
    Please fully clear your SmugMug cookies or try from a 2nd browser, we love Firefox, Chrome, and Safari. If you go to those galleries when fully logged out as a visitor, the security works, promise deal.gif
  • AllenAllen Registered Users Posts: 10,008 Major grins
    edited November 7, 2011
    Any gallery you enter a password for will be available without the password for a short period. It is saved in a cookie.
    Al - Just a volunteer here having fun
    My Website index | My Blog
  • 56Kruiser56Kruiser Registered Users Posts: 116 Major grins
    edited November 7, 2011
    Allen wrote: »
    Any gallery you enter a password for will be available without the password for a short period. It is saved in a cookie.

    That is not the issue. As I said above, it DID work on the first one and stopped. And today, after overnight, it still is not working. So something wiped that out.

    That being said, I will go into them and set the passwords again, and give it a while, and see what happens. I'll post back the results.
  • 56Kruiser56Kruiser Registered Users Posts: 116 Major grins
    edited November 7, 2011
    Just went in and checked and the passwords are still there.

    You said it is a cookie. Could it be that is saved on my computer, and even though I am not logged in, it lets me in?

    I'm not sure that is security that can be relied on.
  • AllenAllen Registered Users Posts: 10,008 Major grins
    edited November 7, 2011
    56Kruiser wrote: »
    Just went in and checked and the passwords are still there.

    You said it is a cookie. Could it be that is saved on my computer, and even though I am not logged in, it lets me in?

    I'm not sure that is security that can be relied on.
    It is saved for that browser as a cookie. Some people have their browser set to remove private
    data every time the browser is closed. Logged in you do not have to enter the PW, logged out
    you do. So all your visitors can, once the PW is entered for one gallery, browse all the galleries
    with the same PW without having to reenter it as long as they don't clear their cookies.
    Al - Just a volunteer here having fun
    My Website index | My Blog
  • 56Kruiser56Kruiser Registered Users Posts: 116 Major grins
    edited November 7, 2011
    Andy wrote: »
    Please fully clear your SmugMug cookies or try from a 2nd browser, we love Firefox, Chrome, and Safari. If you go to those galleries when fully logged out as a visitor, the security works, promise deal.gif

    Just had my wife try to login from a different computer. It worked.

    I don't consider this really an issue as I think about it, but it sounds like if a person logs into an account on another computer, that leaves that computer as capabable of bypassing security, because of saving cookies. Is that a correct assessment?
  • AllenAllen Registered Users Posts: 10,008 Major grins
    edited November 7, 2011
    56Kruiser wrote: »
    Just had my wife try to login from a different computer. It worked.

    I don't consider this really an issue as I think about it, but it sounds like if a person logs into an account on another computer, that leaves that computer as capabable of bypassing security, because of saving cookies. Is that a correct assessment?
    Anywhere you log in needs a log out or anyone having access on that computer with that browser
    is logged in. Log ins are also saved in a cookie.
    Al - Just a volunteer here having fun
    My Website index | My Blog
  • 56Kruiser56Kruiser Registered Users Posts: 116 Major grins
    edited November 7, 2011
    Allen wrote: »
    Anywhere you log in needs a log out or anyone having access on that computer with that browser ...

    Sorry...that confuses me a little. It sounds like you are saying if I logout, it will clear the cookie. Is that correct?

    IF so, that is the problem I was concerned about when I opened the thread. I logged out after setting security, but the security didn't work. So I understood the answer was the cookie was the problem.

    So, if that's the case then the quote above is inaccurate...a logout won't help. Otherwise, the cookie being there is not the answer to why security didn't work for me on the computer I was on. (Sounds like one of those crazy confusing riddles :D)

    Just wanting to be sure it is clear and that I understand correctly.

    As always, thanks for the great and quick support.
  • AllenAllen Registered Users Posts: 10,008 Major grins
    edited November 7, 2011
    Logging out clears the log in cookie for that browser. If not logged in and you enter the PW, that
    is a different cookie and stays active for a number of days or until cookie is removed.
    Al - Just a volunteer here having fun
    My Website index | My Blog
  • 56Kruiser56Kruiser Registered Users Posts: 116 Major grins
    edited November 7, 2011
    Allen wrote: »
    Logging out clears the log in cookie for that browser. If not logged in and you enter the PW, that
    is a different cookie and stays active for a number of days or until cookie is removed.

    Thanks! That helps.
Sign In or Register to comment.