Guest password fears

peestandingup Registered Users Posts: 489 Major grins
edited March 24, 2006 in SmugMug Support
I was just tracking some hits to my site using StatCounter. I noticed that someone was nosing around in some of my private galleries. There aren't any links to these galleries anywhere on my site or anywhere else. Now, I have given a guest password to 2 people so far so they could upload some pics to my site. After they were done, I changed the guest password to some random gibberish, like Andy told me to do.

So, my question is, can those 2 people who used my guest password still have access if they never logged out?? I also can't rely on those people who I give a guest password to do the right thing & check the "I'm using a public computer, don't keep me logged in" box.

Please let me know if I can do some sort of reset on my site or something to clear everyone out who never actually logged out, because frankly, this kinda scares me a little. Thanks.

Comments

  • DodgeV83 Registered Users Posts: 379 Major grins
    edited March 23, 2006
    Have you done any tests to see if someone logs in with the guest password, then you change the guest password, if they will stay logged in?
  • DavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
    edited March 23, 2006
    Just change the guest password.
    Moderator Emeritus
    Dgrin FAQ | Me | Workshops
  • Andy Registered Users Posts: 50,016 Major grins
    edited March 23, 2006
    The Guest Password won't work after you change it, Kerry.

    Andy
  • asd Registered Users Posts: 115 Major grins
    edited March 23, 2006
    I think what Kerry's asking is if changing the guest password will remove access from guest users who've logged in but not logged out. Sure, it'll keep them from logging in, but it won't log them out. I just tested this right now (logged in as guest in IE, myself in Firefox, changed guest PW in Firefox and was able to continue clicking around and changing things in IE since I hadn't logged out as guest there).

    My guess is that guests would stay logged in until the appropriate cookie expires (I dunno which one it is or when it expires), regardless of how many times you change the password.

    It'd be nice if changing the guest password could automatically expire/log out any guests currently logged in.

    edit for correctness: Thanks to Andy for elaborating below--the guest login cookie automatically expires when the browser is closed, so they're essentially logged out then.
  • DodgeV83 Registered Users Posts: 379 Major grins
    edited March 23, 2006
    My guess is they won't change this. It's been my impression that they want the Guest Password feature to stay the way it is...so you only give it to people you trust. Giving out your Guest password too much might cost them a sale if someone chooses to piggyback your site instead of paying the $35 or whatever it is a year for their own site.
  • peestandingup Registered Users Posts: 489 Major grins
    edited March 24, 2006
    asd wrote:
    I think what Kerry's asking is if changing the guest password will remove access from guest users who've logged in but not logged out. Sure, it'll keep them from logging in, but it won't log them out. I just tested this right now (logged in as guest in IE, myself in Firefox, changed guest PW in Firefox and was able to continue clicking around and changing things in IE since I hadn't logged out as guest there).

    My guess is that guests would stay logged in until the appropriate cookie expires (I dunno which one it is or when it expires), regardless of how many times you change the password.

    It'd be nice if changing the guest password could automatically expire/log out any guests currently logged in.
    Thank you. Yes, that was exactly what I was asking. I thought my question was pretty clear, but oh well. This IS NOT good news, but thank you for testing. I couldn't add a guest password because of the Joker domain name errors today, so I was unable to test myself as the domain name & guest password fields are both on the same page.

    I must say, I find this to be an extreme lack of security on Smugmug's part. Why can't you guys just set up the guest passwords to automatically log out when the person closes their browser?? I can't see any reason why a guest should stay logged in after they end their browser session. So, what does this mean?? That theoretically, those 2 people I gave a guest password to can stay logged in forever until they actually hit the logout button??? Sorry, but that is total BS.

    Look, I know it's been brought up like a million times here, but the guest password system needs to be re-worked asap! It gives people WAAAY too much access. I just wanna be able for others to occasionally upload pics to my site, not give them access to the whole damn thing. (Yes, I know it's not total access, but it's still too much.) Also, I (we) can't count on the people we set up guest passwords for to always do the right thing & click that "don't keep me logged in" box or to hit the logout button when they're done. It's not that I don't trust the people I gave it to, I just don't like the idea that they can see all my private galleries, can nose around in the settings, edit captions, see html, etc. I don't have anything to hide, it's just a creepy feeling.

    So, here is the deal. Is there any way possible that me or you guys at Smugmug can do some sort of reset on my site to kick those 2 people I gave the guest passwords to off?? After that, I'm never using this feature again until you guys get your act together & fix this, because say what you want, it IS a security risk & I don't dig on those. Sorry, I'm just a little angry about all this. If I had known, I would have NEVER used the guest password feature in the first place.

    I would like a straight, solid answer to this. Thanks a lot...Kerry
  • Andy Registered Users Posts: 50,016 Major grins
    edited March 24, 2006

    I would like a straight, solid answer to this. Thanks a lot...Kerry

    OK - here's your straight, solid answer:

    Kerry, think of the Guest password as an "assistant's password." Be very careful whom you give it to. The cookie has an expiry, and so if you change the pw, the old one will not be valid. We leave it sessioned, so that if a valid guest closes and reopens, they are still logged in (just like you are, as account owner).

    Security risk you say? OK - then don't give out guest access. I'm sorry, but the feature is a tough one - some folks need to have the upload and arrange access etc, but we also need to balance out the business risk of essentially enabling someone to set up mini-smugmugs with one account.

    Kerry - you said that "it's been brought up a zillion times" but then you also said "if I had known...." so it sounds to me like you understand what the feature does and how it acts... if I'm wrong, fire your questions back and I'll be happy to address them.

    I hope this helps.
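The behaviour asd tested a few posts up and Andy describes here, as an added example (constructed for this thread, not SmugMug's code): a session store that checks only the cookie's expiry keeps a guest logged in after the guest password is changed, while a store that also records which password "generation" issued the session rejects it on the very next request, whether or not the guest ever closed the browser or clicked log out. The class and function names, the sample password and the 30-day cookie lifetime are all assumptions.

```python
"""Expiry-only vs. password-bound guest sessions (constructed example)."""
import hmac
import secrets
import time
from dataclasses import dataclass, field

SESSION_TTL = 30 * 24 * 3600  # assumed lifetime of a "keep me logged in" cookie


@dataclass
class GuestSessions:
    guest_password: str
    generation: int = 1                      # bumped on every password change
    sessions: dict = field(default_factory=dict)  # token -> (generation, issued_at)

    def login(self, supplied, now):
        """Issue a session token if the guest password matches, else None."""
        if not hmac.compare_digest(supplied.encode(), self.guest_password.encode()):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (self.generation, now)
        return token

    def change_password(self, new_password):
        """Rotate the guest password; every live session now belongs to an old generation."""
        self.guest_password = new_password
        self.generation += 1

    def valid_expiry_only(self, token, now):
        """What asd observed: the password change does not touch live sessions."""
        entry = self.sessions.get(token)
        return entry is not None and now - entry[1] < SESSION_TTL

    def valid_bound(self, token, now):
        """Hardened check: the session must also come from the current generation."""
        entry = self.sessions.get(token)
        return (entry is not None and now - entry[1] < SESSION_TTL
                and entry[0] == self.generation)


def scenario():
    """Guest logs in and never logs out; owner rotates the password; guest returns an hour later."""
    site = GuestSessions(guest_password="upload-please")  # constructed sample password
    t0 = time.time()
    token = site.login("upload-please", t0)
    site.change_password(secrets.token_hex(8))  # "random gibberish", as in the thread
    later = t0 + 3600
    return site.valid_expiry_only(token, later), site.valid_bound(token, later)
```

`scenario()` returns `(True, False)`: the expiry-only check still admits the guest, the generation-bound check does not.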
  • peestandingup Registered Users Posts: 489 Major grins
    edited March 24, 2006
    Thanks Andy for the straight talk. When I said "I know it's been brought up like a million times here", I meant I knew that many people have been asking to be able to choose exactly what the guest can do/see. Hence me saying that it needs to be re-worked. And, sure it's easy to simply say "don't like it, then don't use it", which is true, but that's kinda harsh & could be said about anything really.

    I do for the most part understand how the guest password works, but I honestly never thought that the user could stay logged in after I changed the password, and even after they close their browser after the fact. That just seems like a no-brainer to me, so I never thought to ask, but I should have. I don't think most people are aware of that fact, but maybe I'm wrong.

    So, how long till the cookies expire & these people who never logged off no longer have access to my site?? Thanks...Kerry
  • Andy Registered Users Posts: 50,016 Major grins
    edited March 24, 2006
    I honestly never thought that the user could stay logged in after I changed the password, and even after they close their browser after the fact.

    But they can't - if you find otherwise - let us know? Thanks.
  • peestandingup Registered Users Posts: 489 Major grins
    edited March 24, 2006
    Andy wrote:
    But they can't - if you find otherwise - let us know? Thanks.
    Really?? I'm going by what asd said in a couple posts up. I can't set up a guest password right now to test it because of the Joker domain name error. Since both those fields are on the same page, it won't let me right now or I would.

    So, just to be sure. Let's say I give someone my guest password so they can upload some pics. When they log in, they do not check the "I'm using a public computer, don't keep me logged in" box. The person logs in, uploads the photos & then just closes their browser without logging out. After that, I change the guest password to something else. When the person who uploaded the photos opens their browser back up & goes to my page, are they still logged in???

    I thought asd said he/she tested this & it was still logged in, even after they closed their browser & changed the password.
  • Andy Registered Users Posts: 50,016 Major grins
    edited March 24, 2006
    Really?? I'm going by what asd said in a couple posts up. I can't set up a guest password right now to test it because of the Joker domain name error. Since both those fields are on the same page, it won't let me right now or I would.

    of course you can :D delete your host name from your control panel (temporarily) and do the password test.
  • peestandingup Registered Users Posts: 489 Major grins
    edited March 24, 2006
    Andy wrote:
    of course you can :D delete your host name from your control panel (temporarily) and do the password test.
    I'm afraid if I delete it, it won't let me add it back & things will get screwed up, because right now it says "That hostname doesn't appear to be valid. It doesn't resolve to a hostname."

    Are you sure I can do that, Andy??
  • Andy Registered Users Posts: 50,016 Major grins
    edited March 24, 2006
    I'm afraid if I delete it, it won't let me add it back & things will get screwed up, because right now it says "That hostname doesn't appear to be valid. It doesn't resolve to a hostname."

    Are you sure I can do that, Andy??

    Yes, remember I told you earlier that the reason it's not resolving is due to the joker problems. Your website can't be hit now anyhow ...
  • peestandingup Registered Users Posts: 489 Major grins
    edited March 24, 2006
    Andy wrote:
    Your website can't be hit now anyhow ...
    Actually, it can. That's what's got me confused. For the most part, everyone who has tried to access my site today via my custom hostname has gotten through. I also just checked it on another computer & it went right through. Yet, the Smugmug custom hostname (professional) area gives me that error message. That's why I was hesitant to delete it. Hmmm
  • Andy Registered Users Posts: 50,016 Major grins
    edited March 24, 2006
    Actually, it can. That's what's got me confused. For the most part, everyone who has tried to access my site today via my custom hostname has gotten through. I also just checked it on another computer & it went right through. Yet, the Smugmug custom hostname (professional) area gives me that error message. That's why I was hesitant to delete it. Hmmm

    Kerry, west coast calif and I can't ping your site www.kerryryanbailey.com
  • peestandingup Registered Users Posts: 489 Major grins
    edited March 24, 2006
    Andy wrote:
    Kerry, west coast calif and I can't ping your site www.kerryryanbailey.com
    This is some weird stuff indeed. I'm looking over my trackers & see that numerous people today & even late tonight have been browsing my site using the custom domain name in the USA. So, it only seems to be affecting certain spots at certain times. Strange.

    Did you ever get a response from Joker? I know someone earlier said they had something up on their main site about an outage. But, it would still be good if they responded. I'm thinking about just moving my hostname to another service. I know outages happen, but the lack of a response from them makes me reconsider.

    What do you think??
  • Andy Registered Users Posts: 50,016 Major grins
    edited March 24, 2006
    What do you think??

    They had a DDOS attack, and responded with an email saying that they were working on the issue. It's not inconceivable that some parts of the internet can't reach your site via joker.com.
  • peestandingup Registered Users Posts: 489 Major grins
    edited March 24, 2006
    That's cool, as long as they are working on it.

    But, back to topic. As far as testing the guest password myself, I will wait until this Joker thing gets resolved just to be safe. I would hate to delete my hostname & be unable to change it back for days, 'cause like I said, a lot of people are hitting me just fine now, and some are better than none. But as soon as it gets fixed, I will do the test myself & we will continue the topic. Thanks for chatting, Andy!

    But, in the meantime, anyone out there who isn't using a custom hostname from Joker can feel free to do the test & report back. To be continued...Kerry
  • asd Registered Users Posts: 115 Major grins
    edited March 24, 2006
    Argh! Kerry, Andy, my bad for not getting the whole picture on this. Andy's totally right - if you change the guest password while a guest is logged in, they will essentially be logged out when they close their browser--the next time they open their browser and come to your page they won't be logged in or have their guest access.

    My bad for not playing around with the feature thoroughly before posting.

    --Andrew, learned something today, before 9 AM even..
  • Andy Registered Users Posts: 50,016 Major grins
    edited March 24, 2006
    asd wrote:
    Argh! Kerry, Andy, my bad for not getting the whole picture on this. Andy's totally right - if you change the guest password while a guest is logged in, they will essentially be logged out when they close their browser--the next time they open their browser and come to your page they won't be logged in or have their guest access.

    My bad for not playing around with the feature thoroughly before posting.

    --Andrew, learned something today, before 9 AM even..

    So I'll grant that it's not a feature that's easy to grok at first. We really need to be careful about how it's used; intentionally, it has lots of power.

    Maybe we should call it "assistant's password" or some such?
  • peestandingup Registered Users Posts: 489 Major grins
    edited March 24, 2006
    asd wrote:
    Argh! Kerry, Andy, my bad for not getting the whole picture on this. Andy's totally right - if you change the guest password while a guest is logged in, they will essentially be logged out when they close their browser--the next time they open their browser and come to your page they won't be logged in or have their guest access.

    My bad for not playing around with the feature thoroughly before posting.

    --Andrew, learned something today, before 9 AM even..
    That sure is good to know. Thanks so much for checking. I was also finally able to confirm this today, as the Joker domain thing seems to be working now & I was able to add a guest password. Yippeee!

    That was really the only part that concerned me & why I made a little fuss about it, so sorry for any misunderstandings. From the other posts, I honestly thought the guests would still be logged in, even after the password was changed.

    I still think the main user (us) should have more control over that feature & be able to choose what the guests can see/do. After all, us smugmugers are control freaks. :D

    Cheers...Kerry
  • cabbey Registered Users Posts: 1,053 Major grins
    edited March 24, 2006
    Andy wrote:
    Maybe we should call it "assistant's password" or some such?

    That actually sounds like a really good idea. Small UI change to get a better idea of the message across.
    SmugMug Sorcerer - Engineering Team Champion for Commerce, Finance, Security, and Data Support
    http://wall-art.smugmug.com/
  • Andy Registered Users Posts: 50,016 Major grins
    edited March 24, 2006
    That sure is good to know.

    Kerry, I *promise* you, I wouldn't steer you wrong