Trouble logging in.

[SG in CR]

I've been trying to log in occasionally for the last couple weeks and it was always first giving me the "Welcome SG in CR" page as usual, but then when the main page popped up it said "(You're NOT logged in)". I tried messaging somebody over the Orchid Board FB account which I'm guessing is abandoned. And I sent a message over the contact us page here as well. Never got any response.
I asked for a new password, and same thing happened. On a hunch I tried clicking the "remember me" box on the log in pop up and now I can remain logged in again.
I normally don't like for my computer to store my passwords. So I'd rather switch back to having to log in manually. Anyone have any idea why the site will kick me back out right after I log in?

[Roberta]

I don't have answers... Others have had similar problems. A couple of years back I had issues when I used the https:// version of the address (which is the default) Since I switched to specifying http://www.orchidboard.com I haven't had any grief. My other suggestion would be to try a different browser. I suspect that some browser update messed things up. Good luck!

[estación seca]

I suspect login information is kept in a cookie. That means the browser needs to accept cookies at least for the session. If the browser is set never to keep cookies you would probably not be able to log in successfully. I have my browser set to accept cookies for the session, but not keep them after closing. I need to log in every time I open a new browser window. I think the "Remember Me" setting creates the permanent cookie.

After logging in, so long as you keep that browser window open you should be able to return to Orchid Board.

Note the login is HTTP and not HTTPS. That means passwords are sent over the Internet unencrypted, in easily readable fashion. Nobody should use the OB password for anything else, especially anything financially important.

[MCD]

Quote:

Originally Posted by estación seca

Note the login is HTTP and not HTTPS. That means passwords are sent over the Internet unencrypted, in easily readable fashion. Nobody should use the OB password for anything else, especially anything financially important.

Just to clarify, the login page can be http or https, depending on what link was followed to get to the page that has a login dialog, and possibly on settings, for instance whether the browser forces the use of https.

Also, I would note that even with plain http, the password, while not encrypted, is not sent as clear text, but as an MD5 hash. Which is not too hard to crack these days if the password is short/weak, so the point about being careful definitely stands.

[estación seca]

Have you looked into OrchidBoard's antique software? My browser warns me login is not secure and the password is easily visible.

[MCD]

Quote:

Originally Posted by estación seca

Have you looked into OrchidBoard's antique software? My browser warns me login is not secure and the password is easily visible.

I don't have access to the software; I have however looked at a network packet trace of an attempt to login to orchidboard over plain http, using a bogus name that doesn't exist ("toto") and password "mypassword".

In the http form POST request we see the following variables being sent (along with a few others):

vb_login_username = "toto"
vb_login_password = ""
vb_login_md5password = "34819d7beeabb9260a5c854bc85b3e44"

So we can see that the clear text username is sent, but not the clear text password. We can verify that the md5 of the password is correct:

$ echo -n mypassword | md5sum
34819d7beeabb9260a5c854bc85b3e44 -

But regardless, it's still a very bad idea to login to anything using insecure http.

[SG in CR]

Thanks for the replies. I think the cookie thing might be what happened. I deleted a bunch of temporary files associated with my browser and I'm guessing that something to do with OB got deleted and for some reason or another it didn't create a new file when I logged back in.
I'm just gonna use the auto-generated password that OB sent me and use the remember me feature. If someone where to hack my OB account it wouldn't be a big deal.