From bffd28ec31f8d11058af884926d50108cab4204c Mon Sep 17 00:00:00 2001 From: Josh Harmon Date: Fri, 23 Oct 2015 18:31:00 -0700 Subject: [PATCH] (WIP #77) Remove outdated information, give more details, improve style faq/logout: Grammar UPDATE Login Problems and Cookies links faq/login: ADD Header title caps ADD examples table from cookies.md development/standards: Closing tags not allowed development/cookies: ADD more cookies May be incomplete or inaccurate in played, needs review development/contribute: ADD Oxford comma, ADD/UPDATE GitHub issue tags admin/sec/recovery: UPDATE tools, EXPLAIN purpose of each admin/sec/protection: ADD Auth Basic directions incl., REFACTOR Admin Accounts section (wall of text, hard to read), REMOVE unnecessary words in Protect inc Directory, ADD comma in Disallow HTML in Posts, highlight query, RENAME Keep Plugins to a Minimum -> Minimize Installed Plugins (continues progressive-verb-first standard), admin/sec/2fa: REMOVE unneeded dash from T-F-A (Two-Factor is an adj.), UPDATE App Store image URLs (wrong lang buttons displaying), ADD Troubleshooting section with mention of 30-second window. Files summary: modified: 1.8/administration/security/2fa.md modified: 1.8/administration/security/protection.md modified: 1.8/administration/security/recovery.md modified: 1.8/development/contribute.md modified: 1.8/development/cookies.md modified: 1.8/development/standards.md modified: 1.8/faq/login.md modified: 1.8/faq/logout.md Signed-off-by: Josh Harmon --- 1.8/administration/security/2fa.md | 14 ++- 1.8/administration/security/protection.md | 105 ++++++++++++++++++++-- 1.8/administration/security/recovery.md | 12 ++- 1.8/development/contribute.md | 31 +++++-- 1.8/development/cookies.md | 76 ++++++++++++---- 1.8/development/standards.md | 4 +- 1.8/faq/login.md | 53 +++++++---- 1.8/faq/logout.md | 4 +- 8 files changed, 243 insertions(+), 56 deletions(-) diff --git a/1.8/administration/security/2fa.md b/1.8/administration/security/2fa.md index 46a3e02b..45d6958e 100644 --- a/1.8/administration/security/2fa.md +++ b/1.8/administration/security/2fa.md @@ -1,10 +1,12 @@ --- layout: page -title: "Using Two-Factor-Authentication with MyBB" +title: "Using Two-Factor Authentication with MyBB" categories: [security] --- -The following apps can be used as Two-Factor-Authentication Apps. Note that this list is incomplete and that a lot more apps exist for different operating systems. +# Authenticator Apps + +The following apps can be used as Two-Factor Authentication Apps. Note that this list is incomplete and that more apps exist for different operating systems. @@ -16,13 +18,13 @@ The following apps can be used as Two-Factor-Authentication Apps. Note that this - + - + @@ -32,3 +34,7 @@ The following apps can be used as Two-Factor-Authentication Apps. Note that this
Google Authenticator Android app on Google PlayDownload on the App Store -
Authy Android app on Google PlayDownload on the App Store -
Windows Store
+ +# Troubleshooting + ++ Verify that the server and authenticator device are in the same timezone. The codes are dependent upon time, within a 30 second time span. diff --git a/1.8/administration/security/protection.md b/1.8/administration/security/protection.md index c3670a18..8eb71c92 100644 --- a/1.8/administration/security/protection.md +++ b/1.8/administration/security/protection.md @@ -12,29 +12,118 @@ One thing we cannot stress enough is to always have your MyBB installation up to The Admin CP is the most powerful tool in MyBB. If anyone gains access to it, they can easily deface your forum and get complete control over it. It is therefore important to guarantee that only you or your administrators can access it. For starters you should [rename your Admin CP directory and hide all links to it](http://www.mybbsecurity.net/topic-renaming-the-administrator-directory). Once you have done that it is a good idea to install [Admin CP Honeypot](http://community.mybb.com/thread-94406.html). This will take your previous Admin CP location and install a fake Admin CP, which will record the IP of anyone who tries to login to it and email you a small report. -Now your real Admin CP directory should look something like `Svt06wbowXgMVvFmkFaz` (which you should bookmark or take note of) and the fake Admin CP will be located at `admin` (which will record the details of anyone who tries to access it). To finalize, [you should password protect your real Admin CP with HTTP Basic Auth](http://www.mybbsecurity.net/topic-protecting-the-admin-cp-with-http-basic-auth). Additionally you can enable the Admin CP PIN, which was added in 1.8, but having to go through all of these steps might be a little troublesome if you just want to do some quick edits. +Now your real Admin CP directory should look something like `Svt06wbowXgMVvFmkFaz` (which you should bookmark or take note of) and the fake Admin CP will be located at `admin` (which will record the details of anyone who tries to access it). To finalize, [you should password protect your real Admin CP with HTTP Basic Auth](#Protect_the_Admin_CP_with_HTTP_Basic_Auth). Additionally you can enable the Admin CP PIN, which was added in 1.8, but having to go through all of these steps might be a little troublesome if you just want to do some quick edits. **Nota Bene**: if you change the Admin CP directory and add plugin using it after, you will have to rename the directory in the plugin source before uploading it. +# Protect the Admin CP with HTTP Basic Auth + +Also known as "htpasswd protection," adding HTTP Basic Auth protection to your Admin Control Panel directory is one of many ways to put sensitive settings behind another layer of security, and thus making it theoretically harder for hackers to take advantage of. The procedures differ between web servers, but specific instructions for cPanel, Apache, and Nginx (all on a Linux system) are provided below. + +When finished with one of the instruction sets below, browse to your Admin CP again, and you should receive an additional username/password prompt before seeing the Admin CP login or interface. + +## cPanel Basic Auth Configuration (without SSH) + +Similar to Apache, but with the cPanel UI on shared hosts. + ++ Search for the `Directory Privacy` menu item (icon: blue folder with lock) ++ Select the directory you wish to protect (your Admin CP directory) ++ **Check** the `Password protect this directory.` checkbox. ++ Fill out the given form with a username and strong password (>85 score) ++ Click `Save`. + +## Apache Basic Auth Configuration (with or without SSH) + +Requirements: ++ SSH access to site + + If not available, use [DynamicDrive's generator tool](http://www.tools.dynamicdrive.com/password/) and upload the files, as if you followed the directions below to create them. ++ Apache configured to allow .htaccess files to override configuration values + +First, create a new file in the Admin CP directory named .htaccess. Apache will interpret the file as a local configuration file in the directory and any subdirectories inside of it. + ++ Open the `.htaccess` file ++ **ADD**: + AuthUserFile /path/to/.htpasswd + AuthGroupFile /dev/null + AuthName Restricted + AuthType Basic + require valid-user ++ Run shell command: + htpasswd -c -b /path/to/.htpasswd desired_username desired_secure_password + + **NOTE:** Replace `/path/to/.htpasswd` in both places with the respective file location. + +## Nginx Basic Auth Configuration (with SSH) + +Requirements: ++ SSH access to site configuration file + +Let's begin: ++ Open your nginx site configuration file. ++ Within the `server` block, **ADD** + location /path/to/ACP { + auth_basic "Restricted"; + auth_basic_user_file /path/to/.htpasswd; + } ++ Run shell command: + htpasswd -c -b /path/to/.htpasswd desired_username desired_secure_password + + If the command is not found, install the `apache2-utils`, `httpd-utils`, or similar package for your Linux distribution. + + + **NOTE:** Replace `/path/to/.htpasswd` in both places with the respective file location. + +# Configuring an Admin CP PIN + +With MyBB 1.8, an Admin Control Panel "Secret PIN" setting was added to the core, inspired by a popular community tutorial. To enable the PIN: + ++ Open `inc/config.php` + ++ **FIND** or **ADD**: + +{% highlight php startinline %} +$config['secret_pin'] +{% endhighlight %} + ++ Set the variable to a value, such as `'S0me p1n'`. + ++ **DONE** + +Example: + +{% highlight php startinline %} +$config['secret_pin'] = 'S0me p1n'; +{% endhighlight %} + ## Administrator Accounts -No matter how hard you try to secure the Admin CP, if people other than yourself have access to it then it really is a risk. You should only allow Admin CP access to people you know well and trust. Do not randomly allow a user of your forum to access it, even if he promises you to install a bunch of cool plugins or themes. Administrators should be selected carefully and reviewed thoroughly. Be **very careful** in who you trust access to the Admin CP to. If you trust no one, then perhaps you're better off as an administrator. In fact, if you don't need help with webmaster or admin tasks it really is best to remain the only administrator. +### More Admins = Less Security +No matter how hard you try to secure the Admin CP, if people other than yourself have access to it then it really is a risk. You should only allow Admin CP access to people you know well and trust. Do not randomly allow a user of your forum to access it, even if they promise to install a bunch of cool plugins or themes. Administrators should be selected carefully and reviewed thoroughly. Be **very careful** in who you trust access to the Admin CP to. If you trust no one, then perhaps you're better off as an administrator. In fact, if you don't need help with webmaster or admin tasks, it really is best to remain the only administrator. + +### Give Each Administrator Minimal Permissions + +Permissions for each Administrator can be configured at `Admin CP > Users & Groups > Admin Permissions`. + +If you have multiple administrators, assign specific roles to apply a "divide and conquer" strategy across your administrators. + +Examples: ++ If one is strong in design, give them access to Templates and Style ACP features, but not settings, users, or system tools. They shouldn't need them for design tasks, and if they do, they can ask someone else to perform those actions. ++ Perhaps another admin is great with managing community members. Give them access to Users and Groups, but nothing more. -However, if you need help as an administrator permissions should be limited as much as possible. Distribute tasks between all the accounts. Discuss this with your admins and decide who should take care of what. For example, one of your administrators may be an HTML & CSS guru and could be in charge of making changes to templates and keeping the code clean. The other administrators may not know HTML, so why should they have access to the Templates & Style module? Similarly, if the HTML-guy doesn't like managing users and group permissions, then he definitely doesn't need access to that module. You can configure all of this in Admin CP > Users & Groups > Admin Permissions. Your administrators will be listed there, and you can specify everything they can and cannot access. Be rigorous and only allow access to the parts your administrators really need. As an example, you should probably disable all administrators other than yourself from accessing the database backups section. A backup of your database essentially contains all the information in your forum, which can be quite dangerous in the wrong hands. Provided that you have a proper backup solution (covered later on) there is no need for them to be able to create backups. +The more features you give to each administrator, the more power you grant to each of them over your community and its security. ## Protect the `inc` Directory -The `inc` directory in your MyBB installation is something that should not be accessible to the end user at all. It contains sensitive information such as your database details (`inc/config.php`). And even though it is almost impossible for hackers to access that data, it's always a good idea to make things extra difficult to access. And the `inc` directory certainly doesn't need to be publicly available. You should therefore protect it completely by [disallowing access to the `inc` directory](http://www.mybbsecurity.net/topic-protecting-the-inc-directory). +The `inc` directory in your MyBB installation should not be accessible to the end user at all. It contains sensitive information such as your database details (`inc/config.php`). Even though it is almost impossible for hackers to access that data, it's always a good idea to have an extra layer of protection. The `inc` directory doesn't need to be publicly available, so protect it completely by [disallowing access to the `inc` directory](http://www.mybbsecurity.net/topic-protecting-the-inc-directory). ## Change the Default Table Prefix -Changing your table prefix can prove to be helpful in certain cases. If a hacker manages to run an SQL query, he can easily destroy your forum completely. But if for some reason he doesn't know what your table prefix is (and therefore doesn't have a table name to query) it would certainly slow him down. Having that said, consider [changing your table prefix](http://www.mybbsecurity.net/topic-security-through-obscurity-changing-the-default-table-prefix). +Changing your table prefix can prove to be helpful in certain cases. If a hacker manages to run an SQL query, he can easily destroy your forum completely. But if they don't know what your table prefix is (and therefore don't have a table name to query) it would slow them down. Consider [changing your table prefix](http://www.mybbsecurity.net/topic-security-through-obscurity-changing-the-default-table-prefix). ## Disallow HTML in Posts -Allowing HTML to be used in posts is a terrible, terrible idea. That is why MyBB does not allow it by default. Unless you are absolutely certain that you want to use it (in which case you should install [HTML Purifier](http://mods.mybb.com/view/htmlpurifier)) it should be disabled on all forums. To do this quickly, run the following SQL query. +Allowing HTML to be used in posts is a terrible, terrible idea. That is why MyBB does not allow it by default. Unless you are absolutely certain that you want to use it (in which case you should install [HTML Purifier](http://mods.mybb.com/view/htmlpurifier)), it should be disabled on all forums. To do this quickly, run the following SQL query. - UPDATE `mybb_forums` SET `allowhtml` = '0'; +{% highlight sql %} +UPDATE `mybb_forums` SET `allowhtml` = '0'; +{% endhighlight %} Afterwards you should go to Admin CP > Tools & Maintenance > Cache Manager > forums > Rebuild Cache to make sure this change is cached and is applied immediately. @@ -42,7 +131,7 @@ Afterwards you should go to Admin CP > Tools & Maintenance > Cache Manager > for Displaying which MyBB version you're running is essentially the same as yelling "hey, I'm running this specific version, which contains these specific vulnerabilities". It's an open invitation to hackers. If you're running on the latest version, it's probably nothing to worry about, but there is simply no point in displaying it. To hide it go to Admin CP > Configuration > Settings > Site Details > Show Version Numbers > Off. -## Keep Plugins to a Minimum +## Minimize Installed Plugins The more plugins you have installed, the more code can hackers exploit. Most plugins are fairly secure, but if one of them has a vulnerability, hackers can take advantage of it to get access to your forum. And for that simple reason it is highly recommended to keep the number of plugins to a minimum and only install those that you really need. It's also worth considering the popularity and the author of the plugin. Having that said, to improve your forum's security, we still recommend having a look at our list of [security plugins](http://community.mybb.com/thread-109872.html). diff --git a/1.8/administration/security/recovery.md b/1.8/administration/security/recovery.md index 79425b5c..6c812ee7 100644 --- a/1.8/administration/security/recovery.md +++ b/1.8/administration/security/recovery.md @@ -16,16 +16,24 @@ First things first: secure your computer. It is possible that you downloaded som However if you don't have another computer lying around or other people to help you then you will have to take care of it right now. If you're using Windows we urge you to run tools like: -- [Spybot - Search & Destroy](http://www.safer-networking.org/en/spybotsd/index.html) +- [HitmanPro 3](http://www.surfright.nl/en/hitmanpro) + + Somewhat similar to HijackThis. Scans the computer for virus activities or suspicous files that have the characteristics of malware. +- [Kaspersky Virus Removal Tool](http://www.kaspersky.com/antivirus-removal-tool) + + Tool to help remove common malware infections, if detected. - [Malwarebytes](http://www.malwarebytes.org/) + + Popular, trusted free solution for malware scanning. Quick definition updates and rigorous detections for more than plain malware. - [HiJackThis](http://www.filehippo.com/download_hijackthis/) + + Tool that generates a report about system settings and files commonly modified by malware. -Scanning your computer with your antivirus' own tools is also a good idea and installing a firewall. We recommend the following: +Scanning your computer with your antivirus' own tools is also a good idea and installing a firewall. We recommend one of the following: - [Microsoft Security Essentials](http://windows.microsoft.com/MSE) - [AntiVir](http://www.avira.com/en/avira-free-antivirus) + + Standard antimalware software. Not especially great, but it is usually good enough. - [Comodo Internet Security](http://www.comodo.com/home/internet-security/free-internet-security.php) + + Standard antimalware software. Not especially great, but it is usually good enough. - [ZoneAlarm](http://www.zonealarm.com/) + + Inbound intrusion detection system and firewall that is highly customizable, allowing the user to specify what applications can create outbound network connections. ### Secure Your Online Accounts diff --git a/1.8/development/contribute.md b/1.8/development/contribute.md index 08ed83a4..596bb254 100644 --- a/1.8/development/contribute.md +++ b/1.8/development/contribute.md @@ -60,29 +60,50 @@ When reviewing a commit, if the entire file looks as though it has changed (and While all team members are able to contribute directly with the repositories, SQA are still required to confirm the work fixes the issue/no issues arise from the feature. An issue therefore may have several labels/statuses throughout development -The basic status is **Open** or **Closed**. GitHub provides an easy to use UI to differentiate between these statuses with tabs at the top of the issue list. In the terminology, a *developer* may be a member of the Development Team, a member of the MyBB Group or a 3rd party contributor who is not a member of either Team or Group. The *reporter* is the person(s) who originally reported the issue. +The basic status is **Open** or **Closed**. GitHub provides an easy to use UI to differentiate between these statuses with tabs at the top of the issue list. In the terminology, a *developer* may be a member of the Development Team, a member of the MyBB Group, or a 3rd party contributor who is not a member of either Team or Group. The *reporter* is the person(s) who originally reported the issue. An **Open** issue describes a problem that is yet to be fixed by a developer. These may have the following labels:
-
Confirmed
+
s:confirmed
The issue has been confirmed as being a valid problem with MyBB and contains enough evidence for a developer to work on a fix.
-
Feedback
+
s:feedback
The issue may not contain enough evidence of a valid problem, or difficult to reproduce, and requires more input from the reporter. The issue may have been fixed by a developer but may not have actually solved the problem/causes further problems/contains code that doesn't match the Development Standards.
+ +
s:in-progress
+
The issue is being worked on by someone.
+ +
s:deferred
+
The issue should be fixed in the future, but is not a current priority and may or may not be fixed in the near future.
+ +
p:immediate
+
The issue demands an immediate fix because it affects all or nearly all MyBB users and may cause serious errors or functionality bugs that make the software difficult to use.
+ +
p:urgent
+
The issue is confirmed to affect many MyBB users and affects the software in a severe way, such as a security or data loss risk, or frequent server errors.
+ +
p:high
+
The issue is of high importance and necessitates a timely fix.
+ +
p:normal
+
The issue is of typical importance, neither more nor less important than the average report.
+ +
p:low
+
The issue is a minor bug that doesn't affect the function of MyBB often, or does so in a very minor way that is not significant.
A **Closed** issue may have different labels depending on the outcome of the initial investigation:
-
Approved
+
s:fixed
The issue has been fixed by a developer and the fix is confirmed as solving the problem by an SQA Team member.
-
Rejected
+
s:rejected
The issue is a duplicate of an already reported issue The issue was not a valid issue with MyBB diff --git a/1.8/development/cookies.md b/1.8/development/cookies.md index 16797a27..8daac76d 100644 --- a/1.8/development/cookies.md +++ b/1.8/development/cookies.md @@ -70,34 +70,35 @@ The following is a list of the cookies that MyBB sets, and a note about each one
acploginattempts
Stores the number of ACP login attempts a user has had.
-
acploginattempts
+
acp_view
+
Stores the admin's preferred view when inline editing users in the ACP.
+ +
adminsid
Stores the current admin's Admin Session ID.
-
loginattempts
-
Stores the number of login attempts a user has had.
+
collapsed
+
This cookie keeps track of which categories and boxes have been collapsed (as opposed to being expanded by default).
-
mybb
-
The mybb cookie is actually an array of cookies:
+
coppadob
+
Stores user date of birth to submit with registration.
-
mybb[lastvisit]
-
This cookie stores the last time of visit in the UNIX timestamp format.
+
coppauser
+
Stores whether the user is a COPPA user or not.
-
mybb[lastactive]
-
This cookie stores the last time that a forum page has been loaded, in the UNIX timestamp format.
+
failedlogin
+
If the user has exceed the maximum login attempts, failedlogin stores the time (UNIX timestamp) of the failure.
-
mybbuser
-
This cookie stores the login information for the Front End, and is set when a user logs in, and is removed when the user logs out. The UID and the login key are stored in this cookie.
- -
collapsed
-
This cookie keeps track of which categories and boxes have been collapsed (as opposed to being expanded by default).
+
forumpass[$fid]
+
Stores a version of the forum password for $fid when a user has entered it correctly, to avoid prompting the user for a password more often than required.
inlinemod_
- There are two kinds of inline moderating cookies: forum and thread and they are named as follows: + There are multiple kinds of inline moderating cookies: forum, thread, and user, including:
  • inlinemod_forumfid
  • inlinemod_threadtid
    • +
  • inlinemod_useracp - for storing users to inline-edit in the Admin CP
fid is replaced with the forum ID and tid is replaced with the thread ID. @@ -105,6 +106,51 @@ The following is a list of the cookies that MyBB sets, and a note about each one The contents are a pipe-delimited and pipe-enclosed list of thread IDs or post IDs which have been checked for inline moderation.
+
loginattempts
+
Stores the number of login attempts a user has had.
+ +
multiquote
+
+ +
mybb
+
The mybb cookie is actually an array of cookies:
+ +
mybb[announcements]
+
Stores read annoucement IDs.
+ +
mybb[forumread]
+
Stores forums the user has read.
+ +
mybb[lastvisit]
+
This cookie stores the last time of visit in the UNIX timestamp format.
+ +
mybb[lastactive]
+
This cookie stores the last time that a forum page has been loaded, in the UNIX timestamp format.
+ +
mybb[threadread]
+
Stores threads read by the user.
+ +
mybb[readallforums]
+
Stores if the user has read all forums. Updated with mybb[lastvisit] in inc/functions_indicators.php.
+ +
mybb[referrer]
+
+ +
mybblang
+
Stores the language preference of a guest.
+ +
mybbratethread[{$tid}]
+
Stores the user's rating of thread $tid.
+ +
mybbtheme
+
Stores the theme preference of a guest.
+ +
mybbuser
+
This cookie stores the login information for the Front End, and is set when a user logs in, and is removed when the user logs out. The UID and the login key are stored in this cookie.
+ +
pollvotes[$pid]
+
Stores a guest's vote on poll $pid.
+
sid
The current user's Session ID.
diff --git a/1.8/development/standards.md b/1.8/development/standards.md index c04707ab..6572ff20 100644 --- a/1.8/development/standards.md +++ b/1.8/development/standards.md @@ -30,7 +30,7 @@ Trailing whitespace on the end of lines or end of files is not permitted. Most t ### PHP Code Demarcation -Short PHP open and close tags (`` or ``) are not permitted. To delimit PHP code, the full `` tags must be used as this is the most portable way to include PHP code on differing PHP configurations. +Short PHP open and close tags (`` or ``) are not permitted. Additionally, **no** PHP closing tags should be used. ### Strings @@ -232,6 +232,8 @@ When increasing or decreasing the value of a variable, the arithmetic operator ( - Use of ternary operators - Use the full if-else syntax with curly braces +- Use of PHP closing tags + ### Type Juggling To convert a variable's type you should use type casting. diff --git a/1.8/faq/login.md b/1.8/faq/login.md index fc444b14..81cb57e7 100644 --- a/1.8/faq/login.md +++ b/1.8/faq/login.md @@ -4,11 +4,9 @@ title: "Login Problems" categories: [faq] --- -# Unable to login +# Unable to Log In -So every day we have people reporting that logins don't work on their forum. Let's fix this once and for all! - -Most of the time this is a problem with your cookie settings being incorrect or inadequate. For more information about MyBB's cookies, read [Cookies](../miscellaneous/cookies). +Most of the time this is a problem with your cookie settings being incorrect or inadequate. For more information about MyBB's cookies, read [Cookies](/1.8/development/cookies/). Your cookie settings can be found in: **Admin CP** > **Configuration** > **Settings** > **General Configuration**. The two settings are *Cookie Domain* and *Cookie Path*. @@ -16,23 +14,40 @@ By default, MyBB suggests Cookie Domain to be blank, and Cookie Path to be **/** First a few examples of what your cookie settings should look like: -If your URL is **http://www.example.com**, your settings should be: - - Cookie Domain: .example.com - Cookie Path: / - -If your URL is **http://www.example.com/myforum**, your settings should be: - - Cookie Domain: .example.com - Cookie Path: /myforum/ - -If your URL is **http://subdomain.example.com/wow**, your settings should be: - - Cookie Domain: .subdomain.example.com OR .example.com - Cookie Path: /wow/ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Forum URLCookie DomainCookie Path
http://www.example.com.example.com/
http://www.example.com/directory/.example.com/directory/
http://www.subdomain.example.comsubdomain.example.com/
http://www.subdomain.example.com/directory/subdomain.example.com/directory/
Alternatively you can use [this tool](http://www.dennistt.net/mybb/cookiesettings.php) to provide your cookie settings based on your forum's URL. These cookie settings should work on all MyBB installations. If you have site-integration, your cookie settings may need to be more generalized. -After you change your cookie settings, please advise your users to log out and [clear their cookies from their browser](/faq/clear-board-cookies), so that the new cookies can take effect. +After you change your cookie settings, please advise your users to log out and clear cookies stored by their browser, so that the new cookies can take effect. diff --git a/1.8/faq/logout.md b/1.8/faq/logout.md index 25405cf1..1039f5ed 100644 --- a/1.8/faq/logout.md +++ b/1.8/faq/logout.md @@ -17,7 +17,7 @@ This means that your Logout link doesn't contain an SID and since MyBB 1.2.8, th 1. The board has been updated to a newer version of MyBB but some template information hasn't been updated. 2. You are using a template designed for a version of MyBB older than 1.2.8 and as such, the logout link is also missing the SID component. -A fix for both these issues can be found by following the instructions [here](http://community.mybb.com/showthread.php?tid=25210&pid=177101#pid177101) to manually update your templates' Logout link to contain the SID. Note: You will need to do this for every theme that you use on your forum which does not currently contain an SID link. +A fix for both of these issues can be found by following the instructions [here](http://community.mybb.com/showthread.php?tid=25210&pid=177101#pid177101) to manually update your templates' Logout link to contain the SID. Note: You will need to do this for every theme that you use on your forum which does not currently contain an SID link. If after making the above changes you are still unable to logout and are running MyBB 1.2.10. Please try the following: @@ -25,6 +25,6 @@ The third reason could relate to your cookie settings. Either, the Cookie settin Or, you have some cookies remaining from a previous session (when the Cookie settings were different) and also a set of cookies for this session (with the new cookie settings). In this case, MyBB will clear your new cookies, but not the old ones so you will appear unable to logout. -Please see [Cannot login](cant-login) or [Cookies](../miscellaneous/cookies) to find your correct cookie settings. +Please see [Login Problems](/1.8/faq/login/) or [Cookies](/1.8/development/cookies/) to find your correct cookie settings. In both situations, the best solution is to clear the cookies in your browser.