[isf-wifidog] Possible problem with Laika

Philippe April isf_lists at philippeapril.com
Sun Mar 6 22:55:38 EST 2005


It's not complicated but still a little hack.

Session cookie, or passing variables in URL.

Now, let's imagine a scenario where the user gets forwarded to the 
login page (with the gw_address and all in the URL), clicks 'here' to 
create an account.

I can either pass the address + port through that URL (GET), or put it 
in a session cookie.

If the user doesn't have cookies enabled, it won't work (ok, I think 
it's required anyway for the whole thing to work).

If the user signs up at ilesansfil.org.

He can be at a hotspot, or not.

If he's not, then he should be given a 'We're sending you a validation 
email, please validate then go to any ISF hotspot, thank you.'

If he is but went through ilesansfil.org (the user is smart, he saw 
www.ilesansfil.org as the SSID, so thought it'd be good to go there), 
we should detect that he's from the IP x, therefore this hotspot.

Only thing (DB change), we'd need to store the gw_port in the DB with 
the address (we do that already). It should be pushed by WiFiDog, 
perhaps in the ping_thread.c.

I think I'd go for session cookie to pass the variables since I tend to 
try to avoid parameters passed in GET method, it's not very pretty.

What do you think?

On 6-Mar-05, at 10:27 PM, Mina Naguib wrote:

>
>
> I don't think anything complicated is necessary, just some hacking of
> hidden variables and html.
>
> When the user is re-directed to login at:
> http://auth.ilesansfil.org/login/
>
> They supply some variables including "url", "ip", "mac", node_id et cetera
>
> If they decide to click on "create a new account" they get re-directed to:
> https://auth.ilesansfil.org/signup.php
>
> The problem there is that all the variables are lost, so they need to be
> remembered somehow, either through hidden variables in the html sent by
> signup.php, or through server-side sessions.
>
> Next comes the part after they sign-up.  Instead of "server.php"
> spitting out the "you have 15 minutes" message, I think it should assign
> them a session token (as if they logged-in) and re-direct them back to
> their wifidog:
>
> Location: http://IP:PORT/wifidog/auth?token=FOO
>
> This will lead to them being properly allowed by wifidog.
>
> The neat part is that when wifidog validates that token and the auth
> server tells it its status is AUTH_VALIDATION, wifidog will re-direct
> the user to http://auth.ilesansfil.org/gw_message.php?message=activate -
> which already tells them they have 15 minutes
>
> I think the above (simple?) solution would address this problem once and
> for-all, and make user signup and first access a more natural experience.
>
> Philippe April wrote:
> | The behavior of "after sign-up you have to visit any webpage, then you
> | get the login page and you just login again", is incredibly sad but
> | necessary. It's explained in the message that nobody reads :-|
> |
> | It's a really problematic UI issue.
> |
> | I'll try to hack something in. We "might" need an additional column in
> | the DB, we'll see. I'll do it on my own auth server, so then you can
> | point to it and "experience" :)
> |
> | On 6-Mar-05, at 9:47 PM, Mina Naguib wrote:
> |
> |>>
> |>>
> |>> I just did a similar test too.
> |>>
> |>> Unless I missed something, here is how it went:
> |>>
> |>> 1. Entered my homepage's URL in the address box
> |>> 2. WiFiDog captured it, re-directed me to auth server
> |>> 3. In there I clicked "create new account"
> |>> 4. Took me to a page where I got to select a new username/password/email
> |>> - clicked "next"
> |>> 5. Took me to a page that said I now have 15 minutes to check my email
> |>> to validate my account
> |>>
> |>> IMO this is misleading. At step 3 and onwards I was strictly dealing
> |>> with the auth server.  It never forwarded me to my local wifidog to
> |>> actually move me to the "Validating" stage.
> |>>
> |>> After step 5 I thought everything should work, but nothing worked (I was
> |>> still anonymous)
> |>>
> |>> I tried to POP/IMAP my mail but it failed.
> |>>
> |>> I had to visit a web site again, which got again re-forwarded to the
> |>> login screen.  Only when I entered my new username and password did
> |>> wifidog get notified I'm now "validating" and open some more ports and
> |>> web access.
> |
> |
> |>> Like you've said, we perfected something technically so well that we may
> |>> have lost a bit of perspective on the user experience (especially a part
> |>> most of us rarely do anymore).
> |>>
> |>> In my opinion the message shown in step #5 above is highly misleading
> |>> and I can think of 2 things to address that:
> |>>
> |>> 1. The message should read "Your account is created. You now need to log
> |>> in with it >>here<<.  After you log in you must check your email within
> |>> 15 minutes"
> |>>
> |>> or I'd prefer:
> |>>
> |>> 2. Upon account creation, the auth server should automatically re-direct
> |>> the user back to their wifidog as if they successfully logged-in with
> |>> their new username+password.  Wifidog will then make them "validating"
> |>> and can then re-direct them to a screen that says "You now have 15
> |>> minutes to check your email etc.."
> |>>
> |>> Philippe April wrote:
> |>> | I just tested the chain, it works well but I have comments:
> |>> |
> |>> | 1. Port 22 outgoing is blocked so I couldn't do my regular SSH port
> |>> | forwarding to check my mail. Perhaps we should accept this for the
> |>> | validation period?
> |>> |
> |>> | 2. I just realized, if I did like a lot of people and double-click on
> |>> | links instead of single-clicks, well I'd probably get an error message
> |>> | at the login page. Therefore, I would not get the "you get 15 minutes of
> |>> | access, please go ahead, thank you" but "Access denied" or something
> |>> | like that, because the token would already have been used.
> |>> |
> |>> | I think we should do something about that. Perhaps we could detect... If
> |>> | the token has been used already, but it's only been a few seconds only,
> |>> | spit out the same message because "it's been double-clicked".
> |>> |
> |>> | Input? Input? I say we open port 22 and do something for double-clicks
> |>> | like I mentioned.
> |>> |
> |>> | If you want, read the following too, I'm just thinking loud:
> |>> |
> |>> | It's funny how... We do something pretty challenging technically, and it
> |>> | works so well at this moment, we're so glad about stability, it's our
> |>> | baby. But still, the issues we have are issues related to user interface
> |>> | and double-clicking links! Issues we just wouldn't think about because
> |>> | we don't do it...
> |>> |
> |>> | Perhaps we should be a bit closer to the users. How about just taking
> |>> | time to walk into a frequently visited cafe to ask the users "now, how
> |>> | was signing-up and all? painful?"
> |>> |
> |>> | I've heard twice now that the link that says "Sign-up, it's free!"
> |>> | highlighted in green.. is not clear! To me, it's perfectly clear!
> |>> | </done>
> |>> |
> |>> | On 6-Mar-05, at 9:20 PM, Philippe April wrote:
> |>> |
> |>> |>>
> |>> |>> Interesting.
> |>> |>>
> |>> |>> I think we need to create a little document to test the whole chain.
> |>> |>> Basically take time to create a new account and follow the whole
> |>> |>> chain, including the case where the user doesn't validate his account
> |>> |>> and gets 'locked'.
> |>> |>>
> |>> |>> That should be done both when we have a new version of wifidog out,
> |>> |>> AND new auth server changes.
> |>> |>>
> |>> |>> Let me do a test right now, I'll let you know if everything goes well.
> |>> |>>
> |>> |>> On 6-Mar-05, at 8:33 PM, Daniel Drouet wrote:
> |>> |>>
> |>> |>>> I was at Laika today and one of their staff (who happens to be a big
> |>> |>>> fan of ISF) told me that people often try to set up new accounts, but
> |>> |>>> are unable to go anywhere during their 15 min period of grace. So far
> |>> |>>> he gives them Laika's username/password, so that they can log in and
> |>> |>>> check their email. After that, they can log in and use their newly
> |>> |>>> validated acct without a hitch. Unfortunately, I didn't have a laptop
> |>> |>>> with me, so I couldn't try to replicate the bug.
>
Philippe April
GnuPG: http://key.philippeapril.com/
Skype ID: mousetrap
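
The flow discussed in this thread (keep the gateway's address and port server-side across the signup page, then redirect to `http://IP:PORT/wifidog/auth?token=FOO`), shown as an added example that is not part of the original message or of the WiFiDog auth server's code. It is written in Python for illustration; the function names, the dict standing in for the session, and the `registered` set standing in for the gateway records kept in the DB are assumptions.

```python
import ipaddress
from urllib.parse import urlencode


def remember_gateway(session, query, registered):
    """At the login page: keep the gateway's address and port in the session.

    `registered` stands in for the (address, port) pairs the gateways have
    pushed to the auth server's database (hypothetical shape).
    """
    try:
        addr = str(ipaddress.ip_address(query.get("gw_address", "")))
        port = int(query.get("gw_port", ""))
    except ValueError:
        return False  # not an IP literal or not a number: ignore it
    if (addr, port) not in registered:
        return False  # not one of our gateways: never redirect there
    session["gw_address"], session["gw_port"] = addr, port
    return True


def post_signup_redirect(session, token):
    """After signup succeeds: URL that sends the user back to the local wifidog."""
    if "gw_address" not in session:
        # Signed up away from a hotspot: show the validation e-mail notice instead.
        return None
    host = session["gw_address"]
    if ":" in host:
        host = "[" + host + "]"  # IPv6 literal inside a URL
    query = urlencode({"token": token})
    return "http://%s:%d/wifidog/auth?%s" % (host, session["gw_port"], query)


# Constructed sample data: one gateway record as it might sit in the DB.
REGISTERED = {("192.168.1.1", 2060)}
```

Because the redirect target is rebuilt from the session and checked against the stored gateway records, a `gw_address` edited in the URL cannot steer the post-signup redirect to an arbitrary host.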
More information about the WiFiDog mailing list
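
The double-click handling suggested in the quoted thread (a token that was already used only a few seconds ago gets the same answer again), shown as an added example that is not part of the original messages or of the auth server's code. The class, the in-memory table, the 5-second window, the `DENIED` label and the binding of the token to the client's MAC address are assumptions; the thread only says "a few seconds".

```python
import secrets
import time

GRACE_SECONDS = 5  # assumed value; the thread only says "a few seconds"


class TokenStore:
    """In-memory stand-in for the auth server's token table (hypothetical)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._tokens = {}  # token -> {"mac", "used_at", "result"}

    def issue(self, mac):
        """Create a single-use token tied to the client that logged in."""
        token = secrets.token_urlsafe(16)
        self._tokens[token] = {"mac": mac, "used_at": None, "result": None}
        return token

    def redeem(self, token, mac):
        """Answer a validation request for `token` coming from client `mac`."""
        rec = self._tokens.get(token)
        if rec is None or rec["mac"] != mac:
            return "DENIED"  # unknown token, or presented by another client
        now = self._clock()
        if rec["used_at"] is None:
            rec["used_at"] = now
            rec["result"] = "AUTH_VALIDATION"  # validation period starts
            return rec["result"]
        if now - rec["used_at"] <= GRACE_SECONDS:
            # Same client, same token, moments later: treat it as a
            # double-click and repeat the first answer instead of an error.
            return rec["result"]
        return "DENIED"  # outside the window the token stays single-use
```

Keeping the window short and tied to the same client is what stops the grace period from turning a single-use token into a reusable one.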