Session purge

This will contain important announcements about ZAFur as well as the site rules. Check in here from time to time to keep up to speed.
Valerion
Alpha Wolf
Posts: 2803
Joined: Fri Apr 11, 2008 8:50 pm
Gender: Male
Sexual preference: Gay
Species: Werewolf
Region: Gauteng
Location: ::1

Session purge

#1

Post by Valerion »

Cloudflare has reached out to me to inform us of a recently-discovered issue, detailed here, for the technically inclined. They also let me know that a search through search engines has not shown any issues with the domains I am hosting with them, including this one, so no need to worry. I consider any risks this poses to the forum minimal.

However, due to my own paranoia, I have invalidated all stored sessions, in case one got compromised and is used to log into the forum. If this doesn't work for you, you can also manually log out and back in to obtain a new session. Also, I have changed my own password for the forum, and suggest you do the same. In any case, even in the absence of security issues, it is good practice to regularly change your passwords.
Leeward
Recalcitrant Ruminant
Posts: 7036
Joined: Wed Mar 19, 2014 10:23 pm

Re: Session purge

#2

Post by Leeward »

A global forced password reset may have achieved something, but a session purge fixes absolutely nothing that has to do with what went wrong with CloudFlare.

https://www.forbes.com/sites/thomasbrew ... 52b63a3ca3
Valerion
Alpha Wolf
Posts: 2803
Joined: Fri Apr 11, 2008 8:50 pm
Gender: Male
Sexual preference: Gay
Species: Werewolf
Region: Gauteng
Location: ::1

Re: Session purge

#3

Post by Valerion »

Leeward wrote: A global forced password reset may have achieved something, but a session purge fixes absolutely nothing that has to do with what went wrong with CloudFlare.

https://www.forbes.com/sites/thomasbrew ... 52b63a3ca3
A global forced password change will cause havoc with the user community, as there are enough login issues as it is now. In our case a session purge may actually be useful. The forum has sessions with a long validity, and the vulnerable period only covers Sept - early February. If you did not use your password during this period, then the only compromised authentication information could possibly be your session ID (which is now dead). Also, inactive users (since September) are not at risk, and doing a forced password change may very well lock them out of their accounts.

I did consider a forced password change, but instead opted (for the moment) for the notice.

That said, I still strongly recommend that everyone change their passwords, sooner rather than later. Do not take a risk.
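The reasoning in the post above (a login inside the exposure window may have leaked the password itself; an older session that was merely used inside the window could only have leaked its session ID, which a purge kills; an account with no activity in the window is not affected) can be turned into a triage routine over a server-side session store. The following is an added example and not code from this thread or from the forum software; the window dates, the `Session` record layout and the sample sessions are all constructed for illustration, since the thread only says "Sept - early February".

```python
"""Session triage after a disclosure window (constructed example).

Assumptions (not from the thread): the store keeps, per session, the time
the cookie was issued (the login, i.e. the only moment the password crosses
the wire) and the time it was last presented. Window dates are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

UTC = timezone.utc
# Assumed exposure window; the thread gives only "Sept - early February".
WINDOW_START = datetime(2016, 9, 22, tzinfo=UTC)
WINDOW_END = datetime(2017, 2, 18, tzinfo=UTC)


@dataclass
class Session:
    sid: str
    user: str
    issued: datetime      # login time: when the password was submitted
    last_seen: datetime   # most recent request that carried this cookie
    revoked: bool = False


def purge_all(sessions: List[Session]) -> int:
    """Server-side equivalent of "invalidated all stored sessions": every
    stored session is marked revoked, so a leaked cookie value is useless.
    Returns the number of sessions newly revoked."""
    revoked = 0
    for s in sessions:
        if not s.revoked:
            s.revoked = True
            revoked += 1
    return revoked


def classify_users(sessions: List[Session],
                   start: datetime = WINDOW_START,
                   end: datetime = WINDOW_END) -> Dict[str, str]:
    """Per-user exposure label, following the post's argument:

      password_exposed : a login (session issue) fell inside the window, so
                         the password itself may have been exposed; advise
                         a change in addition to the purge.
      session_only     : the session predates the window but was still
                         presented on or after its start, so only the
                         session ID could have leaked; the purge covers it.
                         (A session last seen after the window is treated
                         the same way, conservatively: two timestamps cannot
                         prove it was idle for the whole window.)
      not_at_risk      : no request at all touched the window.

    A user with several sessions gets the most severe label."""
    rank = {"not_at_risk": 0, "session_only": 1, "password_exposed": 2}
    out: Dict[str, str] = {}
    for s in sessions:
        if start <= s.issued <= end:
            label = "password_exposed"
        elif s.issued < start and s.last_seen >= start:
            label = "session_only"
        else:
            label = "not_at_risk"
        current = out.get(s.user)
        if current is None or rank[label] > rank[current]:
            out[s.user] = label
    return out


# Constructed sample store: four sessions across three accounts.
SAMPLE_SESSIONS = [
    Session("s1", "alice", datetime(2016, 11, 3, tzinfo=UTC),
            datetime(2017, 1, 9, tzinfo=UTC)),    # logged in during window
    Session("s2", "bob", datetime(2016, 6, 1, tzinfo=UTC),
            datetime(2016, 12, 25, tzinfo=UTC)),  # old session used in window
    Session("s3", "carol", datetime(2016, 5, 2, tzinfo=UTC),
            datetime(2016, 8, 30, tzinfo=UTC)),   # inactive since before Sept
    Session("s4", "bob", datetime(2017, 3, 1, tzinfo=UTC),
            datetime(2017, 3, 2, tzinfo=UTC)),    # fresh login after the fix
]

if __name__ == "__main__":
    for user, label in sorted(classify_users(SAMPLE_SESSIONS).items()):
        print(f"{user:6s} {label}")
    print("revoked:", purge_all(SAMPLE_SESSIONS))
```

The labels drive two different actions: the purge is applied unconditionally (cheap, and it also covers the `session_only` group outright), while a targeted password-change notice can be limited to the `password_exposed` group rather than forcing a reset on accounts that were inactive for the whole window, which is the lock-out concern raised in the post.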