
Banned after every post
#11

Ok that's strange because the script only uses two methods to check if you are banned:
  1. It checks to see if your IP Address matches with any of the bans in the database table 'banned'.
  2. It checks to see if you have a browser cookie called 'Commentics-Ban'.
If one or both of the two methods detect a ban then it will display the message that you have previously been banned.

The function which does this is cmtx_check_if_banned(), in comments/includes/functions/processor.php, line 1164.
PHP Code:
<?php
function cmtx_check_if_banned() { //check if user is banned

    global $mysql_table_prefix, $ip_address; //globalise variables

    $ban_found = false; //initialise flag as false

    if (mysql_num_rows(mysql_query("SELECT * FROM `".$mysql_table_prefix."banned` WHERE ip_address = '$ip_address'"))) { //if user's IP address is found in 'banned' database table
        $ban_found = true; //set flag as true
    }

    if (isset($_COOKIE['Commentics-Ban']) && $_COOKIE['Commentics-Ban'] == "Banned") { //if a banning-cookie is found
        $ban_found = true; //set flag as true
    }

    if ($ban_found) { //if a ban was found
        die(CMTX_BAN_MESSAGE_BANNED_PREVIOUSLY); //end scripting and output message to user explaining they were previously banned
    }

}
//end of check-if-banned function

What you could do is replace it with this so that you can determine which method is detecting the ban:

PHP Code:
<?php
function cmtx_check_if_banned() { //check if user is banned

    global $mysql_table_prefix, $ip_address; //globalise variables

    $ban_found = false; //initialise flag as false

    if (mysql_num_rows(mysql_query("SELECT * FROM `".$mysql_table_prefix."banned` WHERE ip_address = '$ip_address'"))) { //if user's IP address is found in 'banned' database table
        $ban_found = true; //set flag as true
        echo "<b>IP Address found.</b>";
    }

    if (isset($_COOKIE['Commentics-Ban']) && $_COOKIE['Commentics-Ban'] == "Banned") { //if a banning-cookie is found
        $ban_found = true; //set flag as true
        echo "<b>Cookie found.</b>";
    }

    if ($ban_found) { //if a ban was found
        die(CMTX_BAN_MESSAGE_BANNED_PREVIOUSLY); //end scripting and output message to user explaining they were previously banned
    }

}
//end of check-if-banned function

Have you completed the interview?
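
The two checks described in the post above, as an added example that is not part of the original post and is not Commentics code: it returns which source matched instead of echoing, and passes the IP address as a bound parameter. It assumes PHP 7.4+ with the pdo_sqlite extension; the function name `demo_ban_sources`, the `cmtx_` prefix, the one-column table and all sample requests are constructed for illustration.

```php
<?php
// Added example, not Commentics code. The 'cmtx_' prefix, the one-column
// table layout and all sample rows and requests are constructed.

// Return every ban source that matches, so the cause can be logged or shown
// instead of being hidden behind a single die() message.
function demo_ban_sources(PDO $db, string $prefix, string $ip, array $cookies): array
{
    // The prefix is part of an identifier and cannot be bound, so restrict it.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) {
        throw new InvalidArgumentException('unexpected table prefix');
    }
    $sources = [];

    // Method 1: exact string match on ip_address, passed as a bound parameter.
    $stmt = $db->prepare("SELECT COUNT(*) FROM `{$prefix}banned` WHERE ip_address = ?");
    $stmt->execute([$ip]);
    if ((int) $stmt->fetchColumn() > 0) {
        $sources[] = 'ip';
    }

    // Method 2: the browser sent the ban cookie.
    if (($cookies['Commentics-Ban'] ?? null) === 'Banned') {
        $sources[] = 'cookie';
    }
    return $sources;
}

// Constructed stand-in for the MySQL database: in-memory SQLite, one ban row.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cmtx_banned (ip_address TEXT)');
$db->exec("INSERT INTO cmtx_banned (ip_address) VALUES ('127.0.0.1')");

// Constructed requests: [client IP, cookies the browser sent].
$requests = [
    'row in table, cookies cleared' => ['127.0.0.1', []],
    'row deleted, cookie still set' => ['192.0.2.10', ['Commentics-Ban' => 'Banned']],
    'both present'                  => ['127.0.0.1', ['Commentics-Ban' => 'Banned']],
    'IPv6 loopback, no cookie'      => ['::1', []],
];
foreach ($requests as $label => [$ip, $cookies]) {
    $hit = demo_ban_sources($db, 'cmtx_', $ip, $cookies);
    printf("%-30s %s\n", $label, $hit ? implode('+', $hit) : 'not banned');
}
```

In the last case the stored row for 127.0.0.1 does not match a request arriving from ::1, because the lookup is an exact string comparison on the address.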
#12

Hi Steven
Quote: checks to see if your IP Address matches with any of the bans in the database table 'banned'
Understood. But what about if the "Check Referrer" is deactivated?
Quote: checks to see if you have a browser cookie called 'Commentics-Ban'
Understood, too.
OK "Ban Cookie Length:" is set to last one (1) day

Let's say I was banned. I then deleted the ban in the admin section under "Manage Bans". I checked the database and "yes" there is no record. I clear my browser cache. I entirely "quit" my browser (possible in Mac). I then re-open the same browser and go to the page, try to post again and get still the ban notice?

OK, I wait that one day (I remember the Cookie life-span of one day) yet - after one day, I still get the same notice... !

I am lost.

Now I just uninstalled the software and started all over with a clean install, this time with everything turned off, even the "Stop Repeat Voting:" is de-activated. Let's see how things go now.

BTW ... I realize that the "Stop Repeat Voting:" is connected with the commenting, too. That means, one cannot comment again.

I think it would be better to restrict it to the "voting" only. A time restriction (which could be set/changed in the admin section) before a new "comment" can be placed, could be more appropriate and effective?

Cheereoh
Norbert

OK, I admit the defeat...
Clean install. Everything is turned "off" and with my attempt to post a second time ... I still get my "sorry you have been previously banned" notice!
I give up. Don't know what I did wrong to deserve this ;-)
#13

Hi,

If the "Check Referrer" setting is deactivated then it will still check to see if your IP Address is in the database table "banned". It won't remove or ignore any previous bans for "Incorrect referrer".

If a ban cookie is set on your computer and the length is 30 days, then changing the "Ban Cookie Length" setting to 1 day won't make any difference to that cookie. It doesn't change the existing cookie, but only future ones.

If there are no bans in the database table "banned" and you have cleared your browser cookies then the ban has been removed. You said that you cleared your browser cache, which is different to your browser cookies. Make sure that you are deleting the cookies and not the cache.

The "Stop Repeat Voting" feature only disables the rating field. You can comment again, but you cannot select a rating again.

Have you completed the interview?
#14

Hi Steven

I cleared "everything that is just possible to clear". It's an easy process on a Mac and you can easily define what you want to clear ... I wiped "everything" ...

Forgive me, please, but now I just took the slash-hammer approach and deleted the function that would check for the "Referrer" ... I have no problems with getting banned anymore.

So definitely, I'd say it's a problem with the referrer check and nothing to do with the cookie!

I just leave this function erased. It's better having no referrer check than having upset clients call me because they're getting banned for doing nothing wrong.

OK. I have to be fair and say, I haven't tested it online yet. This is only a local issue by so far and having said this - I'd like to claim there is something wrong in the system with realizing a local environment.

Remember, I said the system is changing the path to the pages automatically back from http://localhost:8888/mysite to http://localhost/mysite ... well guess what? With my latest "new" install it changed the entire system setting to the weirdest thing I'd ever seen ... http://http://localhost/mysite//comments... I had never seen this before. So maybe there is something wrong with all the system settings or having it run properly in a local environment. Least for my case, using iMac and MAMP

Cheereoh
#15

Hi Steven ...
by now you must hate my guts

After deleting this PHP chunk that would check for the referrer, everything was working just fine. Hurray, I started dancing until ... I deactivated the "question" (not the captcha) tried to place another post and to my very surprise ... "Sorry, you just got banned. This may ... (rest you know)."

Call me insane, but now I don't understand the world around me anymore. I really don't dare to put it online, I'm really scared what happens next. I really love it but I don't know why.

Is there anything I can do to just delete this entire referrer checking, whatever I need to delete, just let me know. This is driving me up the walls ... Hope you don't mind my dry sense of humor.
#16

Ok, the script always checks whether the data that has been submitted matches with what was expected. So if you add or remove a form field after the form has loaded and before its submission then you will be banned for 'mismatching data'. This is one of the reasons why the checklist recommends to utilize the admin detection feature as then you wouldn't get banned while modifying the form fields during the testing of the script. Once the script is online to the public then it's unlikely that you will add or remove a form field so everything will be fine. If you think of it from the script's point of view, it asked for an important security question and it wasn't submitted.

Have you completed the interview?
#17

Normally disabling the 'referrer check' in Settings -> Security will remove the feature. I don't know why this hasn't worked in this case. Maybe you edited part of the code somehow by mistake when you were customizing the script?

To completely remove the feature from the code, you can open comments/includes/app/processor.php and delete the section at lines 59 to 72.

Also, I develop the script on localhost so it's odd that you are having a problem with it, however I use Windows and WAMP so this could be the difference.

Have you completed the interview?
#18

If you click on the "Get help for this page" link at the top right of the Manage -> Bans page then you can see the explanations for the bans.

Have you completed the interview?
#19

Hi Steven...

First of all, I need to say "Thank You" for your patience with my ignorance! I really appreciate this very much! OK.

1)
"admin detection feature" - set it up at the beginning and haven't touched it since. Is this right?
Enabled = yes
Method = both
Cookie = no (unchecked)
now the IP address I have in there is weird /* ::1 */ (iMac/MAMP)

2)
"Maybe you edited part of the code somehow by mistake" No, all I did is styling the CSS and adding some different/new class="" ... I did, however ..
After
<div class="height_between_fields"></div>
Add
<div style="clear: left;"></div>
in the form. This solved the "country, rating and reply" field moving to the right, step by step (seen my screen-shot?) I guess this would have happened because these fields are not indicated as "input" fields and since I have other CSS on the same page, classes may have interfered and causing these 3 commentics fields moving to the right. This is but not a serious script change and should not cause any problem, right? (correct me please if I am mistaken here).

3)
Steven, for one reason I love your script so much is the fact that you have taken great care of "security" ... LOVE IT. For the same reason, however, I seem to get paranoid with all these bans happening. Why I am getting banned as administrator... maybe my settings aren't correct. Please help me out and correct me accordingly.

No - I really like to keep your security cause I DO agree they are necessary and you put a lot into ... others don't even bother!

Thanks so much!

#20

If the admin detection method is set to "both" then the IP Address field will need to be correct and the admin cookie needs to be added. As you are using localhost, your IP Address is probably '127.0.0.1'. Also if it says 'Add Cookie' below it then select it and click Update. Otherwise if it says 'Del Cookie' then it means that the admin cookie is okay. You will know when you are detected because the form buttons will be green. You can click on the 'Get help for this page' link for more information.

The 'clear:left' code is fine. It shouldn't cause any problems.

Yes security is one of the main aims of Commentics and it always will be. It can be difficult and even frustrating at times to set up the script so that it passes all of the security checks but once that is done it is worth it because you don't have to worry about your website.

Have you completed the interview?