DNForum - Domain Sales, Domain Forum, Domain Appraisals, Domain Registrars
Old 05-27-2008, 08:42 AM   #1 (permalink)
Account Terminated
 
domain newbie's Avatar
 
Last Online: 06-19-2008 12:08 PM
iTrader: (22)
Join Date: Mar 2005
Posts: 2,891
DNF$: 12,748
Location: my home is where my bank account is
Country:


can mods login to your account and spy on you ??

On two occasions I caught myself logged in when I was logged out

the last one was just minutes ago

is somebody spying on me ??


domain newbie is offline  
Old 05-27-2008, 08:46 AM   #2 (permalink)
The Evil Mod
 
draggar's Avatar
 
Name: Ed
Last Online: Today 09:01 PM
iTrader: (36)
Join Date: Dec 2007
Posts: 8,367
DNF$: 183
Location: South Florida
Country:


What do you mean by seeing yourself logged in?

The "who is online" is usually time based. If you log out, you still might see yourself in the "who is online" for a while (I don't know how long but on some of my forums it's over 30 minutes).

If you have DNF up on more than one PC (I know I'm still logged on at home), if you log off one of them you'll still be logged onto the other (I could log off here @ work and still see myself logged in).

Did you log out, clear your cache, then when you went back to DNF you were still logged in? (This would be an issue with your cookies / cache cleaning - I'd run a malware check if this is the case).

As far as I know, moderators cannot log in as other members here but if someone has your password then they could. If it's not too secure or you haven't changed it in a while, I'd advise you to change it (to something completely different) and see if it continues to happen (also log out and back in w/ the new password on any PC you use to check out DNF).
draggar is online now  
Old 05-27-2008, 08:49 AM   #3 (permalink)
Account Terminated
 
domain newbie's Avatar
 
Last Online: 06-19-2008 12:08 PM
iTrader: (22)
Join Date: Mar 2005
Posts: 2,891
DNF$: 12,748
Location: my home is where my bank account is
Country:


hm, okay, maybe it's cache, so mods can't login to your acc, yea?
domain newbie is offline  
Old 05-27-2008, 08:51 AM   #4 (permalink)
The Evil Mod
 
draggar's Avatar
 
Name: Ed
Last Online: Today 09:01 PM
iTrader: (36)
Join Date: Dec 2007
Posts: 8,367
DNF$: 183
Location: South Florida
Country:


Unless you give one of them (well, any member) your password (which would be a violation of many rules and would get both members banned).

Run some good malware checks - SpyBot Search & Destroy, Ad-Aware etc..

Also, the "who's online" features aren't always 100% accurate. I've been on and not seen myself but on other forums I've seen myself online even though I'm logged out.
draggar is online now  
Old 05-27-2008, 08:57 AM   #5 (permalink)
Platinum Lifetime Member
 
denny007's Avatar
 
Last Online: Today 02:06 PM
iTrader: (40)
Join Date: Oct 2004
Posts: 3,445
DNF$: 10,356
Country:


I think even Root on this server can not log into your account because passwords are stored encrypted (?)
__________________
I have PM disabled. You can email me: denny startseek com
ThankYouDHL.com
denny007 is offline  
Old 05-27-2008, 09:19 AM   #6 (permalink)
Account Terminated
 
domain newbie's Avatar
 
Last Online: 06-19-2008 12:08 PM
iTrader: (22)
Join Date: Mar 2005
Posts: 2,891
DNF$: 12,748
Location: my home is where my bank account is
Country:


Quote:
Originally Posted by draggar View Post
Run some good malware checks - SpyBot Search & Destroy, Ad-Aware etc..
cool, thanks, running a boat now- already found some diseases -

"memedia.advantage"
domain newbie is offline  
Old 05-27-2008, 09:21 AM   #7 (permalink)
DNF Addict
 
south's Avatar
 
Name: Scott
Last Online: Today 08:01 PM
iTrader: (138)
Join Date: Dec 2006
Posts: 3,145
DNF$: 2,707
Location: 33143/04930
Country:


Anyone with direct access or shell access to any server can see anything they want, if they want to bad enough.. Just have to go look at the sql db and view the data directly. I seriously doubt mods have that kind of access though..
__________________
All offers valid for 72 hours except running auctions.

SJCParking.com | SFOOffsiteParking.com | LaGuardiaParking.net
south is offline  
Old 05-27-2008, 09:28 AM   #8 (permalink)
Account Terminated
 
domain newbie's Avatar
 
Last Online: 06-19-2008 12:08 PM
iTrader: (22)
Join Date: Mar 2005
Posts: 2,891
DNF$: 12,748
Location: my home is where my bank account is
Country:


here:

http://www.vbulletin.org/forum/showthread.php?t=177947

Last edited by domain newbie; 05-27-2008 at 09:37 AM.. Reason: Automerged Doublepost
domain newbie is offline  
Old 05-27-2008, 09:46 AM   #9 (permalink)
DNF Newbie
No Avatar
 
Last Online: 10-20-2009 07:25 AM
iTrader: (1)
Join Date: Nov 2007
Posts: 54
DNF$: 412
Location: ny


That's only for administrators though, not for mods. It comes in handy when you're starting a forum and want to create posts under multiple usernames to make the forum look busier.
__________________
ethernet ds3 ip pbx phone system
breez is offline  
Old 05-27-2008, 10:21 AM   #10 (permalink)
Platinum Lifetime Member
 
denny007's Avatar
 
Last Online: Today 02:06 PM
iTrader: (40)
Join Date: Oct 2004
Posts: 3,445
DNF$: 10,356
Country:


Quote:
Anyone with direct access or shell access to any server can see anything they want, if they want to bad enough.. Just have to go look at the sql db and view the data directly. I seriously doubt mods have that kind of access though..
Well they can see ENCRYPTED data if the application is programmed correctly.
__________________
I have PM disabled. You can email me: denny startseek com
ThankYouDHL.com
denny007 is offline  
Old 05-27-2008, 10:46 AM   #11 (permalink)
DNF Addict
 
south's Avatar
 
Name: Scott
Last Online: Today 08:01 PM
iTrader: (138)
Join Date: Dec 2006
Posts: 3,145
DNF$: 2,707
Location: 33143/04930
Country:


Quote:
Originally Posted by denny007 View Post
Well they can see ENCRYPTED data if application is programmed correctly.
Perhaps. But again, if they have *direct* access to the server, they also have access to the hash. Or why bother when you could simply clone the database & application, put it on another server & just reset the user's password then go in as them. The important things here are direct access, and how badly someone wants to see something.

Also, think of the server load to encrypt/decrypt *everything* all the time. Most developers just encrypt the passwords.
__________________
All offers valid for 72 hours except running auctions.

SJCParking.com | SFOOffsiteParking.com | LaGuardiaParking.net
south is offline  
Old 05-27-2008, 10:51 AM   #12 (permalink)
Platinum Lifetime Member
 
hina's Avatar
 
Last Online: Today 02:18 PM
iTrader: (21)
Join Date: May 2008
Posts: 315
DNF$: 300
Location: DomainLand


AFAIK the passwords are hashed -- not encrypted.
__________________

hina is offline  
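The distinction argued over in the last few posts, as an added example that is not part of the thread: what a person reading the user table actually sees when passwords are hashed, with an unsalted fast hash (SHA-1) beside a salted, slow one. The function names and the sample password are constructed for illustration, and the salted PBKDF2 form is a hardening the thread itself does not describe.

```python
import hashlib
import hmac
import os


def sha1_unsalted(password):
    """Fast, unsalted hash: the same password always yields the same digest,
    so identical passwords are visible as identical rows in the database."""
    return hashlib.sha1(password.encode()).hexdigest()


def make_record(password, iterations=200_000):
    """Hardened form: per-user random salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(password, record):
    """Login check: recompute from the submitted password and compare in
    constant time. The stored record is never 'decrypted'."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def demo():
    pw = "correct horse battery staple"  # constructed sample password
    a, b = make_record(pw), make_record(pw)  # two users, same password
    return {
        "unsalted_equal": sha1_unsalted(pw) == sha1_unsalted(pw),
        "salted_equal": a["digest"] == b["digest"],
        "good_login": verify(pw, a),
        "bad_login": verify("wrong guess", a),
    }


if __name__ == "__main__":
    print(demo())
```
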
Old 05-27-2008, 01:36 PM   #13 (permalink)
Platinum Lifetime Member
No Avatar
 
Last Online: 03-10-2009 11:58 PM
iTrader: (1)
Join Date: Oct 2003
Posts: 259
DNF$: 0
Location: michigan


HTTP is not a persistent connection - it only knows the CLIENT is still connecting to the SERVER when the CLIENT makes a new request.

The CLIENT sends a request to the SERVER for information (usually a webpage), the SERVER processes the request and replies to the CLIENT, sending whatever is the relevant response (usually a webpage).

That is the end of the communication, and they do not communicate again until another request is sent by the CLIENT. Clicking a hyperlink is the most common type of request on the web.

Thus, the only option the SERVER has for figuring out when a CLIENT has left is to assume that the CLIENT has left the system after a certain amount of time has passed with no new request received. This is generally referred to as a "time to live".

Forums (and most membership systems for HTTP) operate on SESSIONS, which store information about your user account on the server, and are stored on your local computer as a cookie (text file) with a SESSION ID that is your ticket back into your SESSION on the SERVER (your account, basically), without LOGGING IN every time you want to access a page.

So if the "time to live" variable is set to 30 minutes, you will appear in the "logged in users" displays for 30 minutes after your last request on that website.

The only exception to this is if you specifically LOGOUT. With this request, you are specifically telling the server to close your session as you are finished using the system.

Just to add a note about passwords

Passwords are mostly encrypted using what's called a one-way hash - the SHA1 algorithm more recently, earlier the MD5 (Wikipedia for more on that). These hashes will produce every time the same hash of a given password. The one-way is a means by which they are practically impossible (really really really ridiculously tough) to un-hash. So, even if an administrator looks at the database all they see are a bunch of password hashes (ab23jfak3f39fksixiw03, something to that effect). When you submit your password to a user system, it will hash your password and compare it to the hash in the database.

That's not to say an evil administrator couldn't store your unencrypted password somewhere, if they wanted to. However, unless they're hoping you use the same password at every site so they can login elsewhere, it's pointless as they can view everything that gets posted to the site by direct server access anyhow.

Moderators and other users on the other hand, wouldn't have any way to access this information unless the administrator specifically gave them access.

So in short, use different strong passwords for every separate place on the web that's important to you (Paypal, Banking, Registrars, etcetera).


Hope that helps
__________________
If it sounds too good to be true, post it on DNForum and you'll find some suckers!

Last edited by harleyx; 05-27-2008 at 01:49 PM..
harleyx is offline  
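The session behaviour described in this post and in post #2, as an added example that is not part of the thread: a minimal in-memory session store with an idle timeout, showing why an account can still appear in the "who is online" list after logging out on one PC. The class and function names, the user name and the timestamps are constructed for illustration; this is not the forum software's code.

```python
import secrets

SESSION_TTL = 30 * 60  # seconds; the 30-minute "time to live" from the post


class SessionStore:
    """Server-side sessions keyed by an opaque session ID (the cookie value)."""

    def __init__(self, ttl=SESSION_TTL):
        self.ttl = ttl
        self._sessions = {}  # session_id -> {"user": str, "last_seen": float}

    def login(self, user, now):
        session_id = secrets.token_urlsafe(32)  # unguessable ticket
        self._sessions[session_id] = {"user": user, "last_seen": now}
        return session_id

    def request(self, session_id, now):
        """Handle one HTTP request; return the user, or None if not logged in."""
        session = self._sessions.get(session_id)
        if session is None:
            return None
        if now - session["last_seen"] > self.ttl:
            del self._sessions[session_id]  # idle too long: expire server-side
            return None
        session["last_seen"] = now  # every request restarts the idle clock
        return session["user"]

    def logout(self, session_id):
        """Explicit logout ends this session only, not the user's other ones."""
        self._sessions.pop(session_id, None)

    def who_is_online(self, now):
        """Users whose last request falls inside the TTL window."""
        return sorted({s["user"] for s in self._sessions.values()
                       if now - s["last_seen"] <= self.ttl})


def demo():
    store = SessionStore()
    work = store.login("alice", now=0)    # constructed user and timestamps
    home = store.login("alice", now=60)   # same account, second PC
    store.logout(work)                    # log out at work only
    after_logout = store.who_is_online(now=120)        # listed via home PC
    old_cookie = store.request(work, now=120)          # work cookie is dead
    idle = store.who_is_online(now=60 + SESSION_TTL + 1)  # home timed out
    return after_logout, old_cookie, idle
```
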
Old 05-27-2008, 01:46 PM   #14 (permalink)
Account Terminated
 
domain newbie's Avatar
 
Last Online: 06-19-2008 12:08 PM
iTrader: (22)
Join Date: Mar 2005
Posts: 2,891
DNF$: 12,748
Location: my home is where my bank account is
Country:


Quote:
Originally Posted by harleyx View Post
The only exception to this is if you specifically LOGOUT. With this request, you are specifically telling the server to close your session as you are finished using the system.

Hope that helps
yea, i am actually specifically logging out and it would say- all cookies are cleared

so i would think there are spies, but heck, they won't find anything there anyways

i don't mind admins doing that for whatever reasons, but don't want any mods being able to do that
domain newbie is offline  
Old 05-27-2008, 01:50 PM   #15 (permalink)
NameIntell.com
 
Johnn's Avatar
 
Last Online: Today 04:41 PM
iTrader: (326)
Join Date: Apr 2004
Posts: 11,605
DNF$: 41,853
Location: Pennsylvania
Country:



You guys are always famous for being off topic.

The answer is no - Mods can't do that - End of the story.

Thanks,
John
Johnn is offline  
All times are GMT -5. The time now is 09:02 PM.
Copyright @2001-2009 DNForum.com