Open ID, Facebook Connect, Twitter Connect, etc.
Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=27971
Printed Date: 02 April 2026 at 4:42am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com
Topic: Open ID, Facebook Connect, Twitter Connect, etc.
Posted By: wistex
Subject: Open ID, Facebook Connect, Twitter Connect, etc.
Date Posted: 24 October 2009 at 5:45am
|
Are there any plans for support for ID services like Open ID, Facebook Connect, Twitter Connect. etc. either natively or as a mod?
|
Replies:
Posted By: MortiOli
Date Posted: 24 October 2009 at 2:18pm
Posted By: WebWiz-Bruce
Date Posted: 26 October 2009 at 11:53am
There are not any plans at the present time as it would be very difficult to implement securely.
-------------
https://www.webwiz.net/web-wiz-forums/forum-hosting.htm" rel="nofollow - Web Wiz Forums Hosting
https://www.webwiz.net/web-hosting/windows-web-hosting.htm" rel="nofollow - ASP.NET Web Hosting
|
Posted By: wistex
Date Posted: 17 December 2009 at 7:09pm
We are thinking about implementing it ourselves and we see some of the
pitfalls ourselves. We have a little different scenario since we have
fully integrated the Web Wiz Forums login and security into the rest of
the website (i.e. logging into the forums, logs you into the entire
site). The Facebook, Google Friend Connect, or Twitter login would not
be solely for the forums, but would be useful in cases of commenting on blog posts & articles on the website, which are not in the forum.
Since there are a variety of services, I will simply call them "Connect" which can refer to Facebook Connect, Google Friend Connect, etc.
As far as we can tell, we have these options:
- Connect as Optional Enhancement Only: Treat Facebook Connect, Google Friend Connect, Twitter Connect as things you can add onto your Forum/Site account, and then use the social media data & API's from each source to enhance the user's experience (i.e. being able to share things easier, or being able to see which forum users are also your friends on Facebook or followers on Twitter, for example.
- Connect Used as Alternative for Entering Password / Require E-mail: When a new user wants to use Connect to login, it asks them to either create a forum account, or associate their Connect account with an existing forum account. They have to fill in required fields such as username and e-mail address, but do not have to specific a password. In the future, logging in with the Connect button logs them in instantly. The forum account operates as normal, and users can even request their forum password to be sent to their registered e-mail address if they later chose to login the old fashioned way. If the Connect service provides their e-mail address to us, then their account is automatically verified.
- Connect Used as Alternative for Entering Password / Do Not Require E-mail: In this scenario, we do not require a user to provide his e-mail address, but all e-mail dependent features would be disabled for the account if they do not provide it (i.e. no subscriptions).
- Connect as Alternate Login Outside Forum / Option 1 or 2 for Forums: In this scenario, the forums have one security model, and some areas outside the forums (such as commenting on blog posts or articles) have a different security model. So users could use Connect to instantly login and post a comment outside the forums, but if they want to use the forums or more sensitive features of the site, they must specify a Forum Username and Verified E-mail Address to post.
Each method above poses its own issues and advantages/disadvantages.
Here are some known examples:
- Meetup.com is a good example of a site that uses Facebook Connect as an optional enhancement (Option1 above).
- I've seen one other forum software that has a third party addon that implements option #3 for Facebook Connect, requiring a user to specify a forum username, but not a password or e-mail address. (Bruce, I'll PM you the link if you want it.)
One question that immediately comes to mind, is: Would option #3 work with Web Wiz Forums or does the forum software assume there is a valid e-mail address entered for a user?
-------------
http://www.wistex.com" rel="nofollow - WisTex Solutions
http://www.caribbeanchoice.com/forums" rel="nofollow - CaribbeanChoice Forums
|
Posted By: WebWiz-Bruce
Date Posted: 18 December 2009 at 10:33am
I like the sounds of option 2 or 3.
Web Wiz Forums does not require an email address. The only time an email address is required is if you have email activation enabled, which is recommend.
However, you could still use Web Wiz Forums with email activation enabled for those registering direct through the forum while at the same time using 'connect' without an email requirement.
Web Wiz Forums detects if a member has an email address in their profile, if not then the email options are not available to that member. This should make option 3 much easier to implement.
-------------
https://www.webwiz.net/web-wiz-forums/forum-hosting.htm" rel="nofollow - Web Wiz Forums Hosting
https://www.webwiz.net/web-hosting/windows-web-hosting.htm" rel="nofollow - ASP.NET Web Hosting
|
Posted By: wistex
Date Posted: 18 December 2009 at 11:44am
I think that would be the best route, where people who register without
Connect would have to verify their e-mail address, and people who
register with Connect do not since we are using Facebook, Google or
twitter as a "trusted identity provider" and we typically do not have
their e-mail address. If a user who initially registered with Connect
ever wants to add their e-mail address, the forum would go through the
procedure of verifying it (just like it was an e-mail change).
Both Connect and non-Connect users would be able to manage their forum
account like normal, change their profiles, add or change their e-mail address, even being able to request a password (assuming
they bothered to add an e-mail to their account).
Implementation:
How this would be implemented would be pretty easy and could actually
be just a page not connected to the forum at all (other than calling
the forum's common include to access its variables). [Although it
would be nice if it was integrated into the forum registration process
itself.]
When creating an account, a user would be given the option to register
normally or use one of the available Connect services. If they select
a Connect Service, they go to a page where they can login using
Connect. Once logged in with Connect, it redirects to a page to see if
this Connect user has ever logged in before with that account (by checking for a record stored in a table in the
database).
-
If they have not, then:
- It asks them if they have an existing account, and asks them to login to associate their Connect account with their forum account*, otherwise:
- It directs them to a page where they must enter required information, such as a forum username. If using option 3, that is actually all we would need. (We could optionally ask for an e-mail, but we would have to let them know that they have to verify it if they do, like a regular non-Connect user.) Optionally ask for other profile fields to be filled in at the same time.
- When the page is submitted, it would create a user in the forum database with or without an e-mail address, and set the user to verified if they did not provide an e-mail address. (For security, I think all e-mail changes should always be verified, unless the Connect provider gives us a verified e-mail address we can insert into the system.) It also would record in a separate table** the Connect ID and the Forum user ID, linking the two (or three or four, allowing them to connect more than one Connect account).
- It redirects them back to the page where they came from.
- If they have logged in before, then it simply logs them in and sets them logged into the forum, and redirects them back to the appropriate page (preferably the same page they came from when they initially clicked register).
So this is something that could actually be made without touching any of the forum code at all, although it would require the Connect Register page to directly modify the forum's database.
Some Notes:
*Users should be told that if they have an existing account, they should login FIRST, and then associate their Connect ID with their existing account. Otherwise a second forum account would be created when they login with Connect.
**Using a separate table allows Connect information to be stored separately, so it does not interfere with the forum database. (Important if this is a mod, and not included in Web Wiz Forums). It also allows you to associate multiple Connect/identity providers to one account. That way you can do mashups with Facebook, Twitter and Google Friend Connect data all on one account, for example.
-------------
http://www.wistex.com" rel="nofollow - WisTex Solutions
http://www.caribbeanchoice.com/forums" rel="nofollow - CaribbeanChoice Forums
|
Posted By: WebWiz-Bruce
Date Posted: 18 December 2009 at 12:17pm
This sounds very good.
By the way if email activation is enabled then whenever a member changes their email they need to verify their new email address, so this should make it even simpler to implement it in the way you want.
-------------
https://www.webwiz.net/web-wiz-forums/forum-hosting.htm" rel="nofollow - Web Wiz Forums Hosting
https://www.webwiz.net/web-hosting/windows-web-hosting.htm" rel="nofollow - ASP.NET Web Hosting
|
Posted By: wistex
Date Posted: 18 December 2009 at 1:42pm
Also just noticed that I should be able to use the API to add users instead of creating a database record directly.
http://demo.webwizforums.com/HttpAPI.asp
-------------
http://www.wistex.com" rel="nofollow - WisTex Solutions
http://www.caribbeanchoice.com/forums" rel="nofollow - CaribbeanChoice Forums
|
Posted By: WebWiz-Bruce
Date Posted: 18 December 2009 at 2:03pm
Yes you would be able to use the API to create new members, or update existing members.
-------------
https://www.webwiz.net/web-wiz-forums/forum-hosting.htm" rel="nofollow - Web Wiz Forums Hosting
https://www.webwiz.net/web-hosting/windows-web-hosting.htm" rel="nofollow - ASP.NET Web Hosting
|
Posted By: Nightrocker
Date Posted: 20 December 2009 at 9:08am
+1
The success of facebook and all the options FB gives have desserved forums and blogs. I think that linking Facebook logins with our forums will represent an interesting option to (re)attract members.
So Bruce please, try to implement it, in the most secure way of course, but think about it
|
Posted By: wistex
Date Posted: 21 December 2009 at 1:12pm
|
I am not sure what the statistics are for forums, but I know that many websites report a 15% to 30% increase in registrations by including Facebook Connect and other similar services like Google Friend Connect and Twitter Connect.
Which makes sense, since a user just has to click a button to register at the new site, and if they are already logged into Facebook or Google (for example), they don't even need to reenter their username and password. Registering or logging into a site with a click of a button is much more attractive than filling out a form, checking your e-mail, clicking on a link, finding the page you wanted to comment on, etc.
-------------
http://www.wistex.com" rel="nofollow - WisTex Solutions
http://www.caribbeanchoice.com/forums" rel="nofollow - CaribbeanChoice Forums
|
Posted By: billd3
Date Posted: 21 December 2009 at 3:43pm
the part that scares me and the reason we'd never use linking like that is that too many accounts on the other sites have been spoofed or just plain hacked. And I'm not talking about "newspaper stories" and rumors, I'm talking I know real people right here in this building that have had their account info stolen right off facebook and their account hacked into.
In fact we ban the "social networking" sites at work due to the security issues - and the fact they can't secure such sites very well apparently... (blocked via AD policies and firewall)
-------------
BillD
http://theamcpages.com
http://theamcforum.com
|
Posted By: wistex
Date Posted: 21 December 2009 at 4:52pm
I can understand your concern, but there are several things that do reduce the risk.
For your typical situations where the cracker is hacking to steal information or spam ads or malware:
- If they hack into their Facebook account, they will probably be more interested in that than our forums. In fact, unless they have done some research on the individual (as opposed to cracking as many accounts as they can to spam Facebook), they would not even know that they are a member of our forums.
- Part of the reason why you ask for a forum username when they sign up is so that they look exactly like other forum users to the outside world. Once a user creates an account, there is no visible way to see they logged in with Facebook Connect, or if they logged directly into the site.
- Why would they want to hack into their forum account to spam, when they could simply sign up with their own free account and spam? They might think they are covering their tracks, but we have their IP address no matter what login they use. It is easier for them to create a throwaway e-mail address and create a new account than to hack into Facebook so they can login to our forums.
- The forums do not really contain any sensitive data anyway, so why break in for that purpose? More juicy information like contact information is in Facebook, not our forums.
For situations where the attack is directed at one individual specifically for defaming or harassing them:
- The hacker probably did his research and would be able to get into the forums as well anyway, because even if we did not allow Facebook Connect (or others), most users use the same password anyway. So once they hacked Facebook, the would login to the forums with the same credentials. In this type of situation, Facebook Connect is just as vulnerable as not having it, since the hacker is just as likely to login as that user.
- Of course, this is assuming that the hacker knows that "John Doe" on Facebook is username "Guerrilla" on the forums. Unless they know them well enough to know their aliases on the forums, they may not even know their mark is active on our forums.
You are right there are issues, but I think you have the same exposure to problems (spam, etc.) whether you implement Facebook Connect or not for the typical member.
The only ones I would be concerned about are Administrators and Moderators. But that can be readily remedied by forcing Administrators and Moderators to enter their forum password, even if they are logged in with Facebook Connect, similar to how you have to reenter your forum password to get into the Admin area, even though you are already logged into the forums.
Or simply not allow Admins or Moderators to login with Facebook Connect (or others) and force them to login with their forum username and password. They can still associate their Facebook Account with their forum account (for the ability to make mashups with the data), but remove the ability for them to login with Facebook Connect.
So, while it is true that it opens up an additional vector of attack, unless it is a personal attack, there actually are easier ways to bypass forum security, especially for spamming purposes.
-------------
http://www.wistex.com" rel="nofollow - WisTex Solutions
http://www.caribbeanchoice.com/forums" rel="nofollow - CaribbeanChoice Forums
|
|