Website login behaviour - A question for the moderators

[Fishmanoz]

After being logged in continuously for at least a couple of weeks, just found myself out again.

[Fishmanoz]

And still doing it 3 days later. Even logged me out in the middle of a session once, first time this has happened to me.

[Fishmanoz]

At last, extended login returns.

[Fishmanoz]

And today, logged out again. I wonder how long this time.

[96RAF]

It seems if Hornby reboots their server for whatever reason (update, periodic restart, weekly rewards flush, etc it dumps everyone, else I have found I can be logged in on several devices for days.

[Brew Man]

That seems to make perfect sense to me.

[RB51]

Ha - that’s a new one. Having gone days not being logged out I have just been asked to accept cookies. Still without being logged out. R-

[Fishmanoz]

So it’s now been logging me out each time I leave for over a week.

[96RAF]

I find it hit and miss, sometimes it logs me out each time I put the iPad down, sometimes only when I change platforms. Irritating because previously I could be logged in for weeks on several platforms when in use.

[Fishmanoz]

It’s now 23 Aug and only just leaving me logged in after nearly 4 weeks not.

[Fishmanoz]

And now after a further 2 weeks, I’m logged out again.

[Augustus Caesar]

I've not replied to this thread prior but as many ideas and reasons for the automatic logging out of members over time, however long or short that may be, has been ongoing I thought it may help to offer a perfectly good hypothesis for this type of thing going on. I do NOT say it IS the reason for these occurrences but it could easily be. Very easily.

Let me offer up some explanation to at least give you an idea of what MIGHT be happening and is more likely than most offered up already, with all due respect.

The code that this forum and website are written in, and at this point it doesn't matter which, could be at a level that different browsers and versions of browsers may have some difficulty understanding the syntax or commands the code is written in. Each browser has an interpreter written into it which translates any downloaded code into the formatting you see on screen. This is true for older languages but not for server side languages like PHP for example where it is decoded by the server where the site lies and is brought to the browser already translated. This makes the site appear to load faster.

So, with all the different versions of browser out there one member's version of Chrome, IE, Edge, Firefox, Safari, Opera or whatever will not load or use the code in the same way as another member's browser version. Thus this renders comparisons pretty useless in effect.

A routine timed to automatically log out users may be interpreted perfectly correctly in Firefox but not Opera... why? Different browser engines. Safari is an Aplle broswer, Chrome is Google and Firefox is Mozilla. The most compliant browsers for web authoring are Mozilla based browsers because they implement web authoring standards far more quickly than anyone else. MS lag behind as usual, which is why IE always broke - and is now no more. To keep incompatible code working in other browsers the author has to write a hack to make, IE for example, work more or less like Firefox would out of the box.While this can be done most of the time it is not always possible so this should be considered.

One other thing to consider, although probably not happening to everyone at the same time or close to each other, is when your router/modem is reset your IP address will change. So a simple page change on the site will instantly drop your cookie or session variable within the code and log you out. How do you check that? Simple...

Go to the following site:

https://whatismyipaddress.com/

Note your IP address (this is your public or Internet IP) and if you are logged out again just go back and check to see if that IP has changed. If it has then the router or your ISP has issued you with a new dynamic IP address. If you, like me, have a static IP from your ISP then this IP will never change. 99% of all public have dynamic IP's.

Hope this offers a little more insight and maybe food for thought.

[Fishmanoz]

So AC, are you suggesting the possibility that the site logs me out when my IP address changes and leaves me logged in while it remains the same?

This seems strange given it goes through periods of weeks when it leaves me logged in, then weeks where I am logged after an hour or two.

Meanwhile, my router stays on for months and rarely plays up or needs to be re-booted.

I have checked my IP address though and will monitor it.

[LTSR_NSE]

The other possibility is cookie corruption, resulting in the pattern you observe:

• cookie is healthy - logon details are stored successfully

• cookie corrupts - logon details are not able to be stored

• corrupt cookie is stored on computer until it expires (time/date set by website)

• cookie expires & is replaced with a healthy one (cycle restarts)

Since the corruption occurrence is random & the expiration time/date can be set to anything (days/weeks/months/years...) that would explain the apparent irregularity in timings (due to varying proximity to expiration).

Plus if Hornby use something in the ‘standard’ 30-90 day expiration range (or less if others, without issues, observe the need to re-enter details once every few weeks?) then that could explain why your ‘cycles’ are repeating fairly frequently!

[Fishmanoz]

Thanks LT, will have a play.

[Augustus Caesar]

Hi Fishy

Apologies for not reading your post sooner and getting back to you.

The router suggestion is only one of many issues that can cause this effect but is seldom thought about or even mentioned. Hence my little inclusion here.

As per your first paragraph I answer yes. The effect is not hugely common but it does happen and is why it is often sprouted by some in help forums other than this where the advisor says turn your router off for around 30 seconds and restart it. This clears the temporary cache inside the router and, as stated, different browsers pass temporary data in different ways and it is easily corrupted. It is also the case that your dynamic IP address will almost certainly change to a different one which is allocated to your ISP via a pool of addresses and yours will be one of a certain pool allocated.

Upon a reset of your IP you may find an IP close to that of your previous IP or one way different from a second pool. You nor your ISP has any control over the pools given to them.

My router rarely gets rebooted except when I alter internal settings as it is an industrial type router and not one given by your ISP. Apart from that it rarely gets a reboot although over the years I have had to do a reboot around 3 or 4 times. So you see how rare it is but it can and does happen.

[Fishmanoz]

Thanks AC.

[Fishmanoz]

Didn’t ever follow up from LT or AC and it’s now taken until yesterday for me to remain logged in again.

[Bulleidboy]

Not a thread I normally read, but I use Chrome and I have been logged-in for weeks - in fact I never log out. As has been suggested it must be different browsers reacting in different ways.

[Augustus Caesar]

Unfortuantely Chrome is just as bad as the others for this effect. Edge has bugs which kick in now and again and you have to effect changes in the settings to allow you to stay logged in, don't clear cache settings etc. by turning these settings to what you would not want then turning them back on or whatever. These bugs are well known and talked about across the web.

Edge doesn't actually use cookies to save your passwords etc. within the cookie. It uses something called 'local data encryption' which is more secure.

**Edge stores passwords encrypted on disk using AES and the encryption key is saved in the operating system storage area. This is the technique local data encryption. Although not all of the browser's data is encrypted, sensitive data such as passwords, credit card numbers, and cookies are encrypted when they are saved.

The Edge password manager encrypts passwords so they can only be accessed when a user is logged on to the operating system. Even if an attacker has admin rights, or offline access, and can get to the locally stored data, the system is designed to prevent the attacker from getting the plain text passwords of a user who isn't logged in.

One thing you should be aware of here is that this forum may or may not even be using cookies. There is an alternative for designers to utilise and I have mentioned them previously. These are session variables. Now, a site can use either or both. I only ever use session variables. Generally speaking a session variable is usually only available while the browser is open to a set of specific windows or data areas where that variable is required to store data for the site visitor. That data can be traversed across the site as the visitor accesses different pages but is usally well organised. Once that area is vacated the session variable dies and is never used again. Well, the variable is but the data is lost where the variable is declared as empty or NULL.

These are not stored in any way by a browser and are purely server side technologies meaning they stay with the website if you will.

Cookies are always stored client side (your computer) and are available while the cookie data is set for it to remain so. They can be killed when a user leaves a site, after a short term or even a long time after. They sit on the user's drives and can be used several times until they are killed. This is done by the site author or done manually by the user when that user deletes cache, browser data or cookies etc. from their computer.

Just in case some don't get the fact there are two types of cookies... first party cookies are those generated by the site and its author/s and are usually genuine and harmless. Third party cookies are generated by those who generally advertise their goods on a site and which could offer some other goodies where you are asked 'why not try this'? kind of stuff. These can contain some harmful stuff but not viruses etc. as the files are far too small. You should turn off third party cookie options in your browsers but leave first party ones switched on as these will contain your saved passwords etc.

I supply this extra information purely as an interest only objective and some may find it useful.

[Fishmanoz]

I remained logged in until Monday night, now out again.

[Fishmanoz]

Well, I’ve been getting logged out after leaving for a short time for 3 months now. But this morning I’m still in and hopefully stay that way until the new platform hits next week.

After that, who knows?

[96RAF]

I have been logged into both iPad and PC for weeks until I cleared the cache and had to login again. The login screen does look a bit sharper on the new platform and hopefully will be stable. Given the ability to change your email address next week they cannot be using that as the key field for accounts as they do now, so something may be different in the login process.