[isf-wifidog] Possible problem with Laika

Mina Naguib webmaster at topfx.com
Sun 6 Mar 22:27:22 EST 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


I don't think anything complicated is necessary, just some hacking of
hidden variables and html.

When the user is re-directed to login at:
http://auth.ilesansfil.org/login/

They supply some variables including "url", "ip", "mac", "node_id", et cetera.

If they decide to click on "create a new account" they get re-directed to:
https://auth.ilesansfil.org/signup.php

The problem there is that all the variables are lost, so they need to be
remembered somehow, either through hidden variables in the html sent by
signup.php, or through server-side sessions.

Next comes the part after they sign-up.  Instead of "server.php"
spitting out the "you have 15 minutes" message, I think it should assign
them a session token (as if they logged-in) and re-direct them back to
their wifidog:

Location: http://IP:PORT/wifidog/auth?token=FOO

This will lead to them being properly allowed by wifidog.

The neat part is that when wifidog validates that token and the auth
server tells it its status is AUTH_VALIDATION, wifidog will re-direct
the user to http://auth.ilesansfil.org/gw_message.php?message=activate,
which already tells them they have 15 minutes.

I think the above (simple?) solution would address this problem once and
for all, and make user signup and first access a more natural experience.

Philippe April wrote:
| The behavior of "after sign-up you have to visit any webpage, then you
| get the login page and you just login again", is incredibly sad but
| necessary. It's explained in the message that nobody reads :-|
|
| It's a really problematic UI issue.
|
| I'll try to hack something in. We "might" need an additional column in
| the DB, we'll see. I'll do it on my own auth server, so then you can
| point to it and "experience" :)
|
| On 6-Mar-05, at 9:47 PM, Mina Naguib wrote:
|
|>> -----BEGIN PGP SIGNED MESSAGE-----
|>> Hash: SHA1
|>>
|>>
|>> I just did a similar test too.
|>>
|>> Unless I missed something, here is how it went:
|>>
|>> 1. Entered my homepage's URL in the address box
|>> 2. WiFiDog captured it, re-directed me to auth server
|>> 3. In there I clicked "create new account"
|>> 4. Took me to a page where I got to select a new username/password/email
|>> - clicked "next"
|>> 5. Took me to a page that said I now have 15 minutes to check my email
|>> to validate my account
|>>
|>> IMO this is misleading. At step 3 and onwards I was strictly dealing
|>> with the auth server.  It never forwarded me to my local wifidog to
|>> actually move me to the "Validating" stage.
|>>
|>> After step 5 I thought everything should work, but nothing worked (I was
|>> still anonymous)
|>>
|>> I tried to POP/IMAP my mail but it failed.
|>>
|>> I had to visit a web site again, which got again re-forwarded to the
|>> login screen.  Only when I entered my new username and password did
|>> wifidog get notified I'm now "validating" and open some more ports and
|>> web access.
|
|
|>> Like you've said, we perfected something technically so well that we may
|>> have lost a bit of perspective on the user experience (especially a part
|>> most of us rarely do anymore).
|>>
|>> In my opinion the message shown in step #5 above is highly misleading
|>> and I can think of 2 things to address that:
|>>
|>> 1. The message should read "Your account is created. You now need to log
|>> in with it >>here<<.  After you log in you must check your email within
|>> 15 minutes"
|>>
|>> or I'd prefer:
|>>
|>> 2. Upon account creation, the auth server should automatically re-direct
|>> the user back to their wifidog as if they successfully logged-in with
|>> their new username+password.  Wifidog will then make them "validating"
|>> and can then re-direct them to a screen that says "You now have 15
|>> minutes to check your email, etc."
|>>
|>> Philippe April wrote:
|>> | I just tested the chain, it works well but I have comments:
|>> |
|>> | 1. Port 22 outgoing is blocked so I couldn't do my regular SSH port
|>> | forwarding to check my mail. Perhaps we should accept this for the
|>> | validation period?
|>> |
|>> | 2. I just realized, if I did like a lot of people and double-click on
|>> | links instead of single-clicks, well I'd probably get an error message
|>> | at the login page. Therefore, I would not get the "you get 15 minutes of
|>> | access, please go ahead, thank you" but "Access denied" or something
|>> | like that, because the token would already have been used.
|>> |
|>> | I think we should do something about that. Perhaps we could detect... If
|>> | the token has been used already, but it's only been a few seconds,
|>> | spit out the same message because "it's been double-clicked".
|>> |
|>> | Input? Input? I say we open port 22 and do something for double-clicks
|>> | like I mentioned.
|>> |
|>> | If you want, read the following too, I'm just thinking loud:
|>> |
|>> | It's funny how... We do something pretty challenging technically, and it
|>> | works so well at this moment, we're so glad about stability, it's our
|>> | baby. But still, the issues we have are issues related to user interface
|>> | and double-clicking links! Issues we just wouldn't think about because
|>> | we don't do it...
|>> |
|>> | Perhaps we should be a bit closer to the users. How about just taking
|>> | time to walk into a frequently visited cafe to ask the users "now, how
|>> | was signing-up and all? painful?"
|>> |
|>> | I've heard twice now that the link that says "Sign-up, it's free!"
|>> | highlighted in green.. is not clear! To me, it's perfectly clear!
|>> | </done>
|>> |
|>> | On 6-Mar-05, at 9:20 PM, Philippe April wrote:
|>> |
|>> |>> -----BEGIN PGP SIGNED MESSAGE-----
|>> |>> Hash: SHA1
|>> |>>
|>> |>> Interesting.
|>> |>>
|>> |>> I think we need to create a little document to test the whole chain.
|>> |>> Basically take time to create a new account and follow the whole
|>> |>> chain, including the case where the user doesn't validate his account
|>> |>> and gets 'locked'.
|>> |>>
|>> |>> That should be done both when we have a new version of wifidog out,
|>> |>> AND new auth server changes.
|>> |>>
|>> |>> Let me do a test right now, I'll let you know if everything goes well.
|>> |>>
|>> |>> On 6-Mar-05, at 8:33 PM, Daniel Drouet wrote:
|>> |>>
|>> |>>> I was at Laika today and one of their staff (who happens to be a big
|>> |>>> fan of ISF) told me that people often try to set up new accounts, but
|>> |>>> are unable to go anywhere during their 15 min period of grace. So far
|>> |>>> he gives them Laika's username/password, so that they can log in and
|>> |>>> check their email. After that, they can log in and use their newly
|>> |>>> validated acct without a hitch. Unfortunately, I didn't have a laptop
|>> |>>> with me, so I couldn't try to replicate the bug.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCK8oaeS99pGMif6wRAlZ1AKDUNsJRwkGcRRxKo2ul2ZDVqgJvKACg+0N2
dKWNpSOkpoaiijXsJSli+DI=
=dl9P
-----END PGP SIGNATURE-----
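The flow proposed in the message above, modelled in Python as an added example that is not part of the original message or of WiFiDog's own code. It carries the gateway's variables through signup.php as escaped hidden fields, has the signup step mint a token and answer with the Location: http://IP:PORT/wifidog/auth?token=... redirect, answers AUTH_VALIDATION to the gateway while the 15-minute grace period runs (and refuses once it has lapsed, the 'locked' case), and applies the double-click tolerance Philippe suggests to the e-mail validation link. The status names AUTH_ALLOWED and AUTH_DENIED, the field names gw_address/gw_port, the node registry, the 5-second window and all sample data are my assumptions, not anything on the page. One hardening step is likewise added and not on the page: the gateway's IP:PORT is looked up server-side by node_id instead of being trusted from the hidden fields, since otherwise anyone who edits the form can have their fresh token redirected to a host of their choosing.

```python
# Added example (not WiFiDog's own code): a model of the signup-to-gateway
# hand-off proposed in the message above.  Names marked ASSUMED are not on the
# page; all sample data is constructed.
import html
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_VALIDATION = "AUTH_VALIDATION"  # status named on the page
AUTH_ALLOWED = "AUTH_ALLOWED"        # ASSUMED name: account validated
AUTH_DENIED = "AUTH_DENIED"          # ASSUMED name: unknown, spoofed or locked
AUTH_HOST = "http://auth.ilesansfil.org"
VALIDATION_GRACE = 15 * 60   # the page's "15 minutes", in seconds
DOUBLE_CLICK_WINDOW = 5      # ASSUMED: re-use of a mail link within 5 s is one click
# Variables the gateway adds to the login redirect; url/ip/mac/node_id are on
# the page, gw_address/gw_port are ASSUMED names for the gateway's IP:PORT.
CARRIED_FIELDS = ("url", "ip", "mac", "node_id", "gw_address", "gw_port")
# Constructed registry of gateways the auth server knows.  The redirect target
# is taken from here by node_id, never from the client's hidden fields, or
# anyone could edit the form and have the fresh token sent to their own host.
KNOWN_NODES = {"cafe-laika": ("192.0.2.1", 2060)}   # ASSUMED hardening

def carried_params(login_url):
    """The variables from the /login/ redirect that signup.php must carry."""
    qs = parse_qs(urlsplit(login_url).query)
    return {k: qs[k][0] for k in CARRIED_FIELDS if k in qs}

def hidden_inputs(params):
    """Carry the variables as hidden fields; escaped, as they are client-supplied."""
    return "\n".join('<input type="hidden" name="%s" value="%s">'
                     % (k, html.escape(v, True)) for k, v in params.items())

def create_account(db, username, params, now):
    """Instead of server.php's "you have 15 minutes" page: store the account as
    validating, mint a token as if the user had logged in, and return the
    Location header that sends the browser back to its own gateway."""
    node = KNOWN_NODES.get(params.get("node_id"))
    if node is None:
        return None                       # unknown node: no redirect at all
    db["accounts"][username] = {"validated": False, "created": now,
                                "mail_token": secrets.token_hex(16)}
    token = secrets.token_hex(16)         # 128 bits from the OS CSPRNG
    db["tokens"][token] = {"user": username, "mac": params["mac"], "ip": params["ip"]}
    gw_ip, gw_port = node                 # registered address, not the form's
    return "http://%s:%d/wifidog/auth?%s" % (gw_ip, gw_port, urlencode({"token": token}))

def token_from_location(location):
    """Pull the token back out of the Location header, as wifidog would."""
    return parse_qs(urlsplit(location).query)["token"][0]

def auth_status(db, token, mac, ip, now):
    """The auth server's answer when the gateway validates a token."""
    rec = db["tokens"].get(token)
    if rec is None or rec["mac"] != mac or rec["ip"] != ip:
        return AUTH_DENIED                # unknown token or a different client
    acct = db["accounts"][rec["user"]]
    if acct["validated"]:
        return AUTH_ALLOWED
    if now - acct["created"] <= VALIDATION_GRACE:
        return AUTH_VALIDATION            # grace period: limited access
    return AUTH_DENIED                    # never validated: locked

def gateway_redirect(status, original_url):
    """Where wifidog sends the browser next; only the AUTH_VALIDATION target is on the page."""
    if status == AUTH_VALIDATION:
        return AUTH_HOST + "/gw_message.php?message=activate"
    return original_url if status == AUTH_ALLOWED else AUTH_HOST + "/login/"  # ASSUMED

def validate_mail_link(db, username, mail_token, now):
    """The e-mail validation link, tolerant of a double-click: a second use
    within DOUBLE_CLICK_WINDOW gets the same success answer."""
    acct = db["accounts"].get(username)
    if acct is None or not secrets.compare_digest(acct["mail_token"], mail_token):
        return "Access denied"
    if now - acct["created"] > VALIDATION_GRACE:
        return "Access denied"            # grace period over: account locked
    used = acct.get("mail_used")
    if used is None:
        acct["validated"], acct["mail_used"] = True, now
        return "Account validated"
    return "Account validated" if now - used <= DOUBLE_CLICK_WINDOW else "Access denied"

def demo():
    """Walk the chain once with constructed data; returns each step's result."""
    db, t0 = {"accounts": {}, "tokens": {}}, 1_000_000.0
    login = AUTH_HOST + "/login/?" + urlencode({
        "url": "http://example.invalid/", "ip": "10.0.0.7",
        "mac": "00:11:22:33:44:55", "node_id": "cafe-laika",
        "gw_address": "203.0.113.9", "gw_port": "80"})  # tampered gw_address
    params = carried_params(login)
    location = create_account(db, "newuser", params, t0)
    token = token_from_location(location)
    first = auth_status(db, token, params["mac"], params["ip"], t0 + 1)
    mt = db["accounts"]["newuser"]["mail_token"]
    return {"location": location, "first": first,
            "redirect": gateway_redirect(first, params["url"]),
            "spoof": auth_status(db, token, "66:77:88:99:aa:bb", params["ip"], t0 + 1),
            "click1": validate_mail_link(db, "newuser", mt, t0 + 60),
            "click2": validate_mail_link(db, "newuser", mt, t0 + 61),   # double-click
            "click3": validate_mail_link(db, "newuser", mt, t0 + 600),  # stale replay
            "after": auth_status(db, token, params["mac"], params["ip"], t0 + 600)}

if __name__ == "__main__":
    print(demo())
```

Running it walks one signup: the tampered gw_address in the form is ignored and the Location points at the registered 192.0.2.1:2060, the gateway's first check gets AUTH_VALIDATION and redirects to gw_message.php?message=activate, a check from another MAC with the same token is denied, the double-clicked mail link succeeds twice, a replay ten minutes later is refused, and the next gateway check after validation gets AUTH_ALLOWED.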


More information about the WiFiDog mailing list