Auto Login

dandymcgee
ES Beta Backer
Posts: 4709
Joined: Tue Apr 29, 2008 3:24 pm
Current Project: https://github.com/dbechrd/RicoTech
Favorite Gaming Platforms: NES, Sega Genesis, PS2, PC
Programming Language of Choice: C
Location: San Francisco

Re: Auto Login

Post by dandymcgee »

ismetteren wrote:I think you are right. When i look at my cookies for thechaosrift.com i only have a "style_cookie" but on elysianshadows.com/phpbb3 i have "phpbb3_7cah8_u", "phpbb3_7cah8_k" and "phpbb3_7cah8_sid" in addition to that. They don't store my username/pass in plain text, but i guess they are encoded/encrypted in some way...
The cookie doesn't store your password at all, just a session id. If you log in on thechaosrift.com and check the box I thinnkkk it will work as expected. Give it a try if you haven't already.
Falco Girgis wrote:It is imperative that I can broadcast my narcissistic commit strings to the Twitter! Tweet Tweet, bitches! :twisted:
dnxviral
Chaos Rift Cool Newbie
Posts: 51
Joined: Tue Dec 14, 2010 6:49 pm
Favorite Gaming Platforms: PC
Programming Language of Choice: Everything... and C#
Location: dnXstudios

Re: Auto Login

Post by dnxviral »

dandymcgee wrote:
ismetteren wrote:I think you are right. When i look at my cookies for thechaosrift.com i only have a "style_cookie" but on elysianshadows.com/phpbb3 i have "phpbb3_7cah8_u", "phpbb3_7cah8_k" and "phpbb3_7cah8_sid" in addition to that. They don't store my username/pass in plain text, but i guess they are encoded/encrypted in some way...
The cookie doesn't store your password at all, just a session id. If you log in on thechaosrift.com and check the box I thinnkkk it will work as expected. Give it a try if you haven't already.
Yea it doesn't do that. That would be a major security issue. I've removed all the cookies logged in on both sites checking the box and it doesn't like it on the 'thechaosrift.com' one :/

Re: Auto Login

Post by dandymcgee »

dnxviral wrote:
dandymcgee wrote:
ismetteren wrote:I think you are right. When i look at my cookies for thechaosrift.com i only have a "style_cookie" but on elysianshadows.com/phpbb3 i have "phpbb3_7cah8_u", "phpbb3_7cah8_k" and "phpbb3_7cah8_sid" in addition to that. They don't store my username/pass in plain text, but i guess they are encoded/encrypted in some way...
The cookie doesn't store your password at all, just a session id. If you log in on thechaosrift.com and check the box I thinnkkk it will work as expected. Give it a try if you haven't already.
Yea it doesn't do that. That would be a major security issue. I've removed all the cookies logged in on both sites checking the box and it doesn't like it on the 'thechaosrift.com' one :/
You're right, storing your password in plaintext would be a much better idea.

Re: Auto Login

Post by dnxviral »

dandymcgee wrote:
dnxviral wrote:
dandymcgee wrote:
ismetteren wrote:I think you are right. When i look at my cookies for thechaosrift.com i only have a "style_cookie" but on elysianshadows.com/phpbb3 i have "phpbb3_7cah8_u", "phpbb3_7cah8_k" and "phpbb3_7cah8_sid" in addition to that. They don't store my username/pass in plain text, but i guess they are encoded/encrypted in some way...
The cookie doesn't store your password at all, just a session id. If you log in on thechaosrift.com and check the box I thinnkkk it will work as expected. Give it a try if you haven't already.
Yea it doesn't do that. That would be a major security issue. I've removed all the cookies logged in on both sites checking the box and it doesn't like it on the 'thechaosrift.com' one :/
You're right, storing your password in plaintext would be a much better idea.
Haha ;) most likely.
ismetteren
Chaos Rift Junior
Posts: 276
Joined: Mon Jul 21, 2008 4:13 pm

Re: Auto Login

Post by ismetteren »

dandymcgee wrote:
ismetteren wrote:I think you are right. When i look at my cookies for thechaosrift.com i only have a "style_cookie" but on elysianshadows.com/phpbb3 i have "phpbb3_7cah8_u", "phpbb3_7cah8_k" and "phpbb3_7cah8_sid" in addition to that. They don't store my username/pass in plain text, but i guess they are encoded/encrypted in some way...
The cookie doesn't store your password at all, just a session id. If you log in on thechaosrift.com and check the box I thinnkkk it will work as expected. Give it a try if you haven't already.
I always log in from thechaosrift.com, and it does not work for me.

A little off topic: Are you saying that most websites implement the remember me feature by just giving the user a very long session?

Re: Auto Login

Post by dandymcgee »

ismetteren wrote:
dandymcgee wrote:
ismetteren wrote:I think you are right. When i look at my cookies for thechaosrift.com i only have a "style_cookie" but on elysianshadows.com/phpbb3 i have "phpbb3_7cah8_u", "phpbb3_7cah8_k" and "phpbb3_7cah8_sid" in addition to that. They don't store my username/pass in plain text, but i guess they are encoded/encrypted in some way...
The cookie doesn't store your password at all, just a session id. If you log in on thechaosrift.com and check the box I thinnkkk it will work as expected. Give it a try if you haven't already.
I always log in from thechaosrift.com, and it does not work for me.
Dunno why, but it doesn't work for me either on www.thechaosrift.com. I recommend you start using http://www.elysianshadows.com/phpBB3.
ismetteren wrote: A little off topic: Are you saying that most websites implement the remember me feature by just giving the user a very long session?
Yup. If you steal someone's cookie you have access to their account until it expires or you delete the cookie.

Re: Auto Login

Post by dnxviral »

dandymcgee wrote:
ismetteren wrote:
dandymcgee wrote:
ismetteren wrote:I think you are right. When i look at my cookies for thechaosrift.com i only have a "style_cookie" but on elysianshadows.com/phpbb3 i have "phpbb3_7cah8_u", "phpbb3_7cah8_k" and "phpbb3_7cah8_sid" in addition to that. They don't store my username/pass in plain text, but i guess they are encoded/encrypted in some way...
The cookie doesn't store your password at all, just a session id. If you log in on thechaosrift.com and check the box I thinnkkk it will work as expected. Give it a try if you haven't already.
I always log in from thechaosrift.com, and it does not work for me.
Dunno why, but it doesn't work for me either on http://www.thechaosrift.com. I recommend you start using http://www.elysianshadows.com/phpBB3.
Yea, I've changed my bookmark and am now using elysianshadows. So I don't really mind anymore now that it works for me but just for anybody else maybe it should be looked into? Thanks for your help dandymcgee and company :)

Re: Auto Login

Post by dandymcgee »

dnxviral wrote:
dandymcgee wrote:
ismetteren wrote:
dandymcgee wrote:
ismetteren wrote:I think you are right. When i look at my cookies for thechaosrift.com i only have a "style_cookie" but on elysianshadows.com/phpbb3 i have "phpbb3_7cah8_u", "phpbb3_7cah8_k" and "phpbb3_7cah8_sid" in addition to that. They don't store my username/pass in plain text, but i guess they are encoded/encrypted in some way...
The cookie doesn't store your password at all, just a session id. If you log in on thechaosrift.com and check the box I thinnkkk it will work as expected. Give it a try if you haven't already.
I always log in from thechaosrift.com, and it does not work for me.
Dunno why, but it doesn't work for me either on http://www.thechaosrift.com. I recommend you start using http://www.elysianshadows.com/phpBB3.
Yea, I've changed my bookmark and am now using elysianshadows. So I don't really mind anymore now that it works for me but just for anybody else maybe it should be looked into? Thanks for your help dandymcgee and company :)
No problem. As far as it being looked into I don't think there's anything we can do about it. "elysianshadows.com" is the official domain name, whereas "thechaosrift.com" remains pointed directly to the community forums to preserve older links. If we do change this setup in the future we'll be sure to let you all know what's up.
eatcomics
ES Beta Backer
Posts: 2528
Joined: Sat Mar 08, 2008 7:52 pm
Location: Illinois

Re: Auto Login

Post by eatcomics »

dandymcgee wrote:
ismetteren wrote: A little off topic: Are you saying that most websites implement the remember me feature by just giving the user a very long session?
Yup. If you steal someone's cookie you have access to their account until it expires or you delete the cookie.
Which you can get with some simple javascript ;)

Re: Auto Login

Post by dandymcgee »

eatcomics wrote:
dandymcgee wrote:
ismetteren wrote: A little off topic: Are you saying that most websites implement the remember me feature by just giving the user a very long session?
Yup. If you steal someone's cookie you have access to their account until it expires or you delete the cookie.
Which you can get with some simple javascript ;)
Wrong. THAT would be a major security flaw. Only the domain the cookie is registered to can access the cookie (hence elysianshadows not knowing about the chaosrift cookie).

Re: Auto Login

Post by dnxviral »

dandymcgee wrote:
eatcomics wrote:
dandymcgee wrote:
ismetteren wrote: A little off topic: Are you saying that most websites implement the remember me feature by just giving the user a very long session?
Yup. If you steal someone's cookie you have access to their account until it expires or you delete the cookie.
Which you can get with some simple javascript ;)
Wrong. THAT would be a major security flaw. Only the domain the cookie is registered to can access the cookie (hence elysianshadows not knowing about the chaosrift cookie).
Hmm can't cross domains within the cookie then?

Re: Auto Login

Post by dandymcgee »

dnxviral wrote:Hmm can't cross domains within the cookie then?
Not quite sure what you mean by that.

Re: Auto Login

Post by eatcomics »

dandymcgee wrote:
eatcomics wrote:
dandymcgee wrote:
ismetteren wrote: A little off topic: Are you saying that most websites implement the remember me feature by just giving the user a very long session?
Yup. If you steal someone's cookie you have access to their account until it expires or you delete the cookie.
Which you can get with some simple javascript ;)
Wrong. THAT would be a major security flaw. Only the domain the cookie is registered to can access the cookie (hence elysianshadows not knowing about the chaosrift cookie).
A script put on said site could send said cookie to a specified place for storage and retrieval ;)

and yeah it's a security flaw....

Re: Auto Login

Post by dnxviral »

dandymcgee wrote:
dnxviral wrote:Hmm can't cross domains within the cookie then?
Not quite sure what you mean by that.
I'm not sure what that means lol.
When a site writes a cookie can it write its read attributes? Like which domains can view them.

Re: Auto Login

Post by dandymcgee »

eatcomics wrote: A script put on said site could send said cookie to a specified place for storage and retrieval ;)

and yeah it's a security flaw....
In that case the security flaw isn't how cookies work, but rather that the site is allowing arbitrary scripts submitted by a non-trusted user (you) to execute on its behalf. It's called Cross-site scripting (XSS) and is preventable.
dnxviral wrote:When a site writes a cookie can it write its read attributes? Like which domains can view them.
Think of a cookie like a variable. It has two main attributes to be set, a name and a data value. The domain is set by the script that gave the user the cookie. That is the only domain that can access it again later.
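
Added example, not part of any post in the thread: a small JavaScript model of the cookie scoping discussed above (RFC 6265 domain matching plus the HttpOnly attribute). Host and cookie names come from the thread; the cookie values and the attributes on each Set-Cookie line are constructed, and the public-suffix check that real browsers apply is left out.

```javascript
// Minimal model of browser cookie scoping (RFC 6265 domain-match + HttpOnly).
// Hosts and cookie names are from the thread; values and attributes are constructed.

// RFC 6265 section 5.1.3: identical, or host ends with "." + domain.
function domainMatch(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Parse one Set-Cookie header received from `requestHost`.
function parseSetCookie(header, requestHost) {
  const host = requestHost.toLowerCase();
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    domain: host, hostOnly: true, httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    if (key === 'domain' && v) {
      cookie.domain = v.trim().replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false;
    }
  }
  // A server may only set a cookie for its own host or a parent domain of it.
  return domainMatch(host, cookie.domain) ? cookie : null;
}

// Names of cookies the browser attaches to a request for `host`; with
// fromScript=true, the subset page JavaScript can read via document.cookie.
function visibleCookies(jar, host, fromScript = false) {
  const h = host.toLowerCase();
  return jar
    .filter(c => (c.hostOnly ? h === c.domain : domainMatch(h, c.domain)))
    .filter(c => !(fromScript && c.httpOnly))
    .map(c => c.name);
}

const jar = [
  parseSetCookie('phpbb3_7cah8_sid=constructed-sid; Path=/; HttpOnly', 'elysianshadows.com'),
  parseSetCookie('phpbb3_7cah8_u=2; Path=/; Domain=.elysianshadows.com', 'elysianshadows.com'),
  parseSetCookie('style_cookie=null; Path=/', 'thechaosrift.com'),
  // Another site trying to set a cookie for elysianshadows.com is rejected.
  parseSetCookie('foreign=1; Domain=elysianshadows.com', 'thechaosrift.com'),
].filter(Boolean);
```

In this model the session cookie set on one domain is never attached to requests for the other, and marking it HttpOnly keeps it out of `document.cookie` even for scripts running on its own site.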