
Re: Auto Login

Posted: Thu Dec 30, 2010 11:24 am
by dandymcgee
ismetteren wrote:I think you are right. When i look at my cookies for thechaosrift.com i only have a "style_cookie" but on elysianshadows.com/phpbb3 i have "phpbb3_7cah8_u", "phpbb3_7cah8_k" and "phpbb3_7cah8_sid" in addition to that. They don't store my username/pass in plain text, but i guess they are encoded/encrypted in some way...
The cookie doesn't store your password at all, just a session id. If you log in on thechaosrift.com and check the box I thinnkkk it will work as expected. Give it a try if you haven't already.

Re: Auto Login

Posted: Thu Dec 30, 2010 1:11 pm
by dnxviral
dandymcgee wrote:
ismetteren wrote:I think you are right. When i look at my cookies for thechaosrift.com i only have a "style_cookie" but on elysianshadows.com/phpbb3 i have "phpbb3_7cah8_u", "phpbb3_7cah8_k" and "phpbb3_7cah8_sid" in addition to that. They don't store my username/pass in plain text, but i guess they are encoded/encrypted in some way...
The cookie doesn't store your password at all, just a session id. If you log in on thechaosrift.com and check the box I thinnkkk it will work as expected. Give it a try if you haven't already.
Yea it doesn't do that. That would be a major security issue. I've removed all the cookies, logged in on both sites checking the box, and it doesn't like it on the 'thechaosrift.com' one :/

Re: Auto Login

Posted: Thu Dec 30, 2010 3:22 pm
by dandymcgee
dnxviral wrote:
dandymcgee wrote:
ismetteren wrote:I think you are right. When i look at my cookies for thechaosrift.com i only have a "style_cookie" but on elysianshadows.com/phpbb3 i have "phpbb3_7cah8_u", "phpbb3_7cah8_k" and "phpbb3_7cah8_sid" in addition to that. They don't store my username/pass in plain text, but i guess they are encoded/encrypted in some way...
The cookie doesn't store your password at all, just a session id. If you log in on thechaosrift.com and check the box I thinnkkk it will work as expected. Give it a try if you haven't already.
Yea it doesn't do that. That would be a major security issue. I've removed all the cookies, logged in on both sites checking the box, and it doesn't like it on the 'thechaosrift.com' one :/
You're right, storing your password in plaintext would be a much better idea.

Re: Auto Login

Posted: Thu Dec 30, 2010 4:33 pm
by dnxviral
dandymcgee wrote:
dnxviral wrote:
dandymcgee wrote:
ismetteren wrote:I think you are right. When i look at my cookies for thechaosrift.com i only have a "style_cookie" but on elysianshadows.com/phpbb3 i have "phpbb3_7cah8_u", "phpbb3_7cah8_k" and "phpbb3_7cah8_sid" in addition to that. They don't store my username/pass in plain text, but i guess they are encoded/encrypted in some way...
The cookie doesn't store your password at all, just a session id. If you log in on thechaosrift.com and check the box I thinnkkk it will work as expected. Give it a try if you haven't already.
Yea it doesn't do that. That would be a major security issue. I've removed all the cookies, logged in on both sites checking the box, and it doesn't like it on the 'thechaosrift.com' one :/
You're right, storing your password in plaintext would be a much better idea.
Haha ;) most likely.

Re: Auto Login

Posted: Thu Dec 30, 2010 4:48 pm
by ismetteren
dandymcgee wrote:
ismetteren wrote:I think you are right. When i look at my cookies for thechaosrift.com i only have a "style_cookie" but on elysianshadows.com/phpbb3 i have "phpbb3_7cah8_u", "phpbb3_7cah8_k" and "phpbb3_7cah8_sid" in addition to that. They don't store my username/pass in plain text, but i guess they are encoded/encrypted in some way...
The cookie doesn't store your password at all, just a session id. If you log in on thechaosrift.com and check the box I thinnkkk it will work as expected. Give it a try if you haven't already.
I always log in from thechaosrift.com, and it does not work for me.

A little off topic: Are you saying that most websites implement the remember me feature by just giving the user a very long session?

Re: Auto Login

Posted: Thu Dec 30, 2010 5:41 pm
by dandymcgee
ismetteren wrote:
dandymcgee wrote:
ismetteren wrote:I think you are right. When i look at my cookies for thechaosrift.com i only have a "style_cookie" but on elysianshadows.com/phpbb3 i have "phpbb3_7cah8_u", "phpbb3_7cah8_k" and "phpbb3_7cah8_sid" in addition to that. They don't store my username/pass in plain text, but i guess they are encoded/encrypted in some way...
The cookie doesn't store your password at all, just a session id. If you log in on thechaosrift.com and check the box I thinnkkk it will work as expected. Give it a try if you haven't already.
I always log in from thechaosrift.com, and it does not work for me.
Dunno why, but it doesn't work for me either on www.thechaosrift.com. I recommend you start using http://www.elysianshadows.com/phpBB3.
ismetteren wrote: A little off topic: Are you saying that most websites implement the remember me feature by just giving the user a very long session?
Yup. If you steal someone's cookie you have access to their account until it expires or you delete the cookie.

Re: Auto Login

Posted: Fri Dec 31, 2010 11:49 am
by dnxviral
dandymcgee wrote:
ismetteren wrote:
dandymcgee wrote:
ismetteren wrote:I think you are right. When i look at my cookies for thechaosrift.com i only have a "style_cookie" but on elysianshadows.com/phpbb3 i have "phpbb3_7cah8_u", "phpbb3_7cah8_k" and "phpbb3_7cah8_sid" in addition to that. They don't store my username/pass in plain text, but i guess they are encoded/encrypted in some way...
The cookie doesn't store your password at all, just a session id. If you log in on thechaosrift.com and check the box I thinnkkk it will work as expected. Give it a try if you haven't already.
I always log in from thechaosrift.com, and it does not work for me.
Dunno why, but it doesn't work for me either on http://www.thechaosrift.com. I recommend you start using http://www.elysianshadows.com/phpBB3.
Yea, I've changed my bookmark and am now using elysianshadows. So I don't really mind anymore now that it works for me but just for anybody else maybe it should be looked into? Thanks for your help dandymcgee and company :)

Re: Auto Login

Posted: Fri Dec 31, 2010 12:22 pm
by dandymcgee
dnxviral wrote:
dandymcgee wrote:
ismetteren wrote:
dandymcgee wrote:
ismetteren wrote:I think you are right. When i look at my cookies for thechaosrift.com i only have a "style_cookie" but on elysianshadows.com/phpbb3 i have "phpbb3_7cah8_u", "phpbb3_7cah8_k" and "phpbb3_7cah8_sid" in addition to that. They don't store my username/pass in plain text, but i guess they are encoded/encrypted in some way...
The cookie doesn't store your password at all, just a session id. If you log in on thechaosrift.com and check the box I thinnkkk it will work as expected. Give it a try if you haven't already.
I always log in from thechaosrift.com, and it does not work for me.
Dunno why, but it doesn't work for me either on http://www.thechaosrift.com. I recommend you start using http://www.elysianshadows.com/phpBB3.
Yea, I've changed my bookmark and am now using elysianshadows. So I don't really mind anymore now that it works for me but just for anybody else maybe it should be looked into? Thanks for your help dandymcgee and company :)
No problem. As far as it being looked into I don't think there's anything we can do about it. "elysianshadows.com" is the official domain name, whereas "thechaosrift.com" remains pointed directly to the community forums to preserve older links. If we do change this setup in the future we'll be sure to let you all know what's up.

Re: Auto Login

Posted: Fri Dec 31, 2010 2:22 pm
by eatcomics
dandymcgee wrote:
ismetteren wrote: A little off topic: Are you saying that most websites implement the remember me feature by just giving the user a very long session?
Yup. If you steal someone's cookie you have access to their account until it expires or you delete the cookie.
Which you can get with some simple javascript ;)

Re: Auto Login

Posted: Fri Dec 31, 2010 3:02 pm
by dandymcgee
eatcomics wrote:
dandymcgee wrote:
ismetteren wrote: A little off topic: Are you saying that most websites implement the remember me feature by just giving the user a very long session?
Yup. If you steal someone's cookie you have access to their account until it expires or you delete the cookie.
Which you can get with some simple javascript ;)
Wrong. THAT would be a major security flaw. Only the domain the cookie is registered to can access the cookie (hence elysianshadows not knowing about the chaosrift cookie).

Re: Auto Login

Posted: Fri Dec 31, 2010 3:58 pm
by dnxviral
dandymcgee wrote:
eatcomics wrote:
dandymcgee wrote:
ismetteren wrote: A little off topic: Are you saying that most websites implement the remember me feature by just giving the user a very long session?
Yup. If you steal someone's cookie you have access to their account until it expires or you delete the cookie.
Which you can get with some simple javascript ;)
Wrong. THAT would be a major security flaw. Only the domain the cookie is registered to can access the cookie (hence elysianshadows not knowing about the chaosrift cookie).
Hmm can't cross domains within the cookie then?

Re: Auto Login

Posted: Fri Dec 31, 2010 8:58 pm
by dandymcgee
dnxviral wrote:Hmm can't cross domains within the cookie then?
Not quite sure what you mean by that.

Re: Auto Login

Posted: Fri Dec 31, 2010 9:00 pm
by eatcomics
dandymcgee wrote:
eatcomics wrote:
dandymcgee wrote:
ismetteren wrote: A little off topic: Are you saying that most websites implement the remember me feature by just giving the user a very long session?
Yup. If you steal someone's cookie you have access to their account until it expires or you delete the cookie.
Which you can get with some simple javascript ;)
Wrong. THAT would be a major security flaw. Only the domain the cookie is registered to can access the cookie (hence elysianshadows not knowing about the chaosrift cookie).
A script put on said site could send said cookie to a specified place for storage and retrieval ;)

and yeah it's a security flaw....

Re: Auto Login

Posted: Sat Jan 01, 2011 11:36 am
by dnxviral
dandymcgee wrote:
dnxviral wrote:Hmm can't cross domains within the cookie then?
Not quite sure what you mean by that.
I'm not sure what that means lol.
When a site writes a cookie can it write its read attributes? Like which domains can view them.

Re: Auto Login

Posted: Sat Jan 01, 2011 12:06 pm
by dandymcgee
eatcomics wrote: A script put on said site could send said cookie to a specified place for storage and retrieval ;)

and yeah it's a security flaw....
In that case the security flaw isn't how cookies work, but rather that the site is allowing arbitrary scripts submitted by a non-trusted user (you) to execute on its behalf. It's called Cross-site scripting (XSS) and is preventable.
dnxviral wrote:When a site writes a cookie can it write its read attributes? Like which domains can view them.
Think of a cookie like a variable. It has two main attributes to be set, a name and a data value. The domain is set by the script that gave the user the cookie. That is the only domain that can access it again later.
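
Added example, not part of the original thread or of phpBB's code: a simplified model of the RFC 6265 rules a browser applies to the attributes a site can set on a cookie (`Domain`, `HttpOnly`, `Secure`), showing which hosts receive the cookie and whether page script can read it. The function names and the session id value are constructed for illustration; the cookie name and domains are the ones mentioned in the thread.

```javascript
// Simplified model of RFC 6265 cookie scoping. Not a full parser: Path, Expires and
// the public-suffix check real browsers apply to Domain are left out.

// RFC 6265 section 5.1.3: host equals the domain, or ends with "." + domain.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + domain);
}

// Turn one Set-Cookie header received from originHost into a stored cookie,
// or null when the browser would refuse it.
function storeCookie(header, originHost) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    domain: originHost.toLowerCase(), hostOnly: true, httpOnly: false, secure: false,
  };
  for (const attr of attrs) {
    const [rawKey, rawVal = ''] = attr.split('=');
    const key = rawKey.trim().toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'domain' && rawVal.trim()) {
      const d = rawVal.trim().replace(/^\./, '').toLowerCase();
      // A site may widen the scope only to itself or a parent domain, never to another site.
      if (!domainMatch(originHost, d)) return null;
      cookie.domain = d;
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// Would the browser attach this cookie to a request for host?
function sentTo(cookie, host) {
  return cookie.hostOnly ? host.toLowerCase() === cookie.domain : domainMatch(host, cookie.domain);
}

// Can page script on host read it through document.cookie? HttpOnly cookies are hidden.
function readableByScript(cookie, host) {
  return sentTo(cookie, host) && !cookie.httpOnly;
}

// Constructed sample headers; the session id value is a placeholder.
const SID = 'phpbb3_7cah8_sid=CONSTRUCTED_SESSION_ID';
const hostOnlyCookie = storeCookie(SID + '; Path=/; HttpOnly', 'thechaosrift.com');
const domainCookie = storeCookie(SID + '; Domain=elysianshadows.com', 'www.elysianshadows.com');
const crossSiteCookie = storeCookie(SID + '; Domain=elysianshadows.com', 'thechaosrift.com');
```

With no `Domain` attribute the cookie is host-only, so in this model it goes back to `thechaosrift.com` but not to `www.thechaosrift.com`; with `HttpOnly` set, a script injected through XSS cannot read the session cookie from `document.cookie`.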