SID - PB-account - & issues

Vera
Addict
Posts: 858
Joined: Tue Aug 11, 2009 1:56 pm
Location: Essen (Germany)

Post by Vera

Hello all SIDders, :D

I'd like to share what I could find out about the SID (session ID) when using:
A - the official forums URL: http://www.purebasic.fr/
B - the old URL: http://forums.purebasic.com/

Test A + B visiting PB-forums without existing cookie.

==================================
TEST A - using http://www.purebasic.fr/english/
- no cookies
- visiting one forum, a PB-cookie is created
-- and all links on the page will contain a SID
-- but refreshing the page (or visiting one of the links) the SIDs are removed from all links
(same behaviour on the other forums)

-> there's one cookie with 3 entries for each forum
-> on arrival you'll get a SID
-> on login you'll get a new SID
-> on logout you'll get a new SID

Note: after login there's no SID in any link nor Browser-URL, EXCEPT your logout-link.
You can share any copied forum-link as none contains your SID.
You can follow any forum-link you'll find in postings regardless if it contains an 'old-sidded' or a new address.


=======================================
TEST B - using http://forums.purebasic.com/english/
- no cookies
- visiting one forum, NO cookie is created [never]
-- BUT all links contain a SID
-- following one of the links the Browser-URL gets the SID added, all pagelinks contain the same SID
-- But refreshing the first visited page, that doesn't have a SID in the Browser-URL, will apply a new SID for all links
(same behaviour on the other forums)

--------------------------------------
*** after LogIn: ***
- (note: the login-link already contains a SID!)
- still no cookie created
- with login you get a new SID on all links and also added to the Browser-URL
- all links contain: forums.purebasic.com...yourValid AccountSID

Now that brings 2 Big Issues:
1st: whenever you copy&paste a forum's link your validSID is part of it and you'll share it publicly.

2nd: if you come across such a link with a different SID in it and follow it, you'll be logged out on the target page
BUT really you are still logged in under the prior validSID you've gotten first.
In case you still have an open tab with that login-SID you can go on and use it.
In case you don't, your account stays open and everyone knowing your validSID has access to your account.

This SID stays valid for how long ???
- a year according to the cookie-info from the official-pb-url-login?
- or only one week, as I had heard speculated on the German forum?

What about a further re-login when you've lost the tab with the validSID?
- NO chance - it doesn't help - your account is now opened twice under two different validSIDs!
- Logging out from one of those SIDs - the other one will still stay active and valid.

My conclusion:
- better use the official PB-forums-address
- don't follow 'old-sidded' links in case you're logged in via the old-address
- if you can, please don't share those kinds of 'old-sidded' links for your own security and those of others or their confusion about being logged out without obvious reason, while really they are not.

Remaining question:
- How long will a SID stay valid if one doesn't logout from it?
- What's the max-amount of parallel opened logins into the same account?

Please share any further information that should be considered or known that I missed in this small test.

Greetings ~ Vera
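Added example, not part of Vera's post: a small Python helper that removes the session ID from forum links in a draft before it is posted, so a copied link from the old address no longer carries the valid SID. It assumes the SID travels in a query parameter named `sid`; the sample path, parameters and SID value are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumption: the session ID is carried in a query parameter named "sid".
SESSION_PARAMS = {"sid"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
TRAILING = ".,;:!?)"


def strip_sid(url):
    """Return url with session-ID query parameters removed."""
    parts = urlsplit(url)
    # Links copied from page source may use "&amp;" as the separator.
    pairs = parts.query.replace("&amp;", "&").split("&")
    kept = [p for p in pairs
            if p and p.split("=", 1)[0].lower() not in SESSION_PARAMS]
    return urlunsplit(parts._replace(query="&".join(kept)))


def scrub_text(text):
    """Clean every URL in text; return (clean_text, number_of_links_changed)."""
    changed = 0

    def repl(match):
        nonlocal changed
        raw = match.group(0)
        core = raw.rstrip(TRAILING)  # keep sentence punctuation out of the URL
        clean = strip_sid(core)
        if clean != core:
            changed += 1
        return clean + raw[len(core):]

    return URL_RE.sub(repl, text), changed


if __name__ == "__main__":
    # Constructed sample: the path, parameters and SID value are made up.
    draft = ("Look here: http://forums.purebasic.com/english/viewtopic.php"
             "?f=13&t=1&sid=0123456789abcdef0123456789abcdef#p5.")
    print(scrub_text(draft))
```

Removing the SID from a link only keeps it from being shared; it does not invalidate a session that was already exposed.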