Fate of Io
Being Kept Logged In
2002/11/15 14:06:22 PST by Morpheus [0/5]
Edited at 2002/11/15 14:06:39 PST

Any chance we can have it so that we are kept logged in with our IP? Just like the last forums, it was rather handy... that and I'm pretty lazy. Just a suggestion.

2002/11/15 15:51:23 PST by Siemova [0/24]

Completely agreed. Very handy feature. Sometimes I get spontaneously logged out while I'm browsing the site as well, and then posting won't work. What a pain. Cookies could fix this rather well. :)

2002/11/15 16:00:42 PST by mystik3eb [0/43]
Edited at 2002/11/15 16:13:05 PST

This answer was already given, though I'm too lazy to find the node where Temp said "no".

Besides, don't all the newer browsers ask if you want to have the slots automatically filled when you enter the site? Mine does for me (Netscape 7 Mac) and all I have to do when I come to this page is click the login button. Really, not much to complain about. Not from my side at least.

EDIT: Sorry Temp, guess my assumption was wrong again =)

2002/11/15 16:06:55 PST by Temporal [manager]

Actually, I'm planning on adding this feature at some point. It's just not a very high priority since typing in your username and password probably takes less time than loading the site in the first place. What's the big deal? :P

Siemova: The only way you could be spontaneously logged out is if you spent more than 30 minutes without accessing a page (timed out) or if I reset the server while you were browsing because I had to fix a bug. It was probably the latter. That won't happen too often -- I hope. :)

2002/11/15 19:02:04 PST by Morpheus [0/5]

Well it is not needed right away, but it is nice to have on the list, and I keep that feature of my browser turned off because there are others who use the computer and it became a pain. No hurry, just a suggestion :)

2002/11/16 02:31:17 PST by Alex [0/0]

Hehe, bug of the day! The Challenge string that the script should randomize for each page-load remains the same. Until this bug is fixed, the following DHTML code can be used to log in automatically:

<html>
<head>
<script language="javascript" type="text/javascript" src="http://www.fateofio.org/v4/authenticate.js"></script>
<script language="javascript" type="text/javascript">
function LogIn() {
  var Login = "Arnold";
  var Password = "Schwarzenegger";
  var Challenge = "4627a3b8d09dcbb95b88be483787fa40";
  var Response = hexMD5 (hexMD5 (Password) + Challenge);
  document.authForm.username.value = Login;
  document.authForm.response.value = Response;
  document.authForm.submit();
}
</script>
</head>
<body onLoad="LogIn();">
<form name="authForm" method="post" action="http://www.fateofio.org/v4/v4.jsp?login">
<input type="hidden" name="username" />
<input type="hidden" name="response" />
</form>
</body>
</html>

Just copy'n'paste the above code-mesh to a .html file, replace the Login / Password values as needed, save that file somewhere on your HD, and bookmark it as "Fate of Io".

Once Temporal fixes the static Challenge bug, a Java applet can be made for mining out the correct seed every time, while spoofing the referrer value. Even if the output content changes, a hex pattern in quotes is very easy to match.

This is, of course, just speculation of what could be done. No one would probably want to do that. The purpose of this post has been to propose changes / bug fixes to v4PM's authentication process.

2002/11/16 07:01:01 PST by Delete Me [0/0]

Hmm, now I can't log in as Alex at all. What gives?

2002/11/16 10:08:05 PST by Temporal [manager]

No such bug. Challenge strings are generated once for each session. If you come back half an hour later, or if you delete your cookies, the challenge string will change.

Challenge strings are generated by a SHA1-based PRNG. So, try as you might, you aren't going to be able to predict them. I actually don't think such security is necessary (I can't think of any reason why a predictable challenge string would be less secure, so long as it was different each time), but I did it that way anyway since Java makes it super easy. :)

As for not being able to log in as "Alex", Alex informs me that this was his own mistake.
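
The server side of the challenge-response login discussed in this thread, as an added example that is not part of the original posts or the site's own code. It assumes the response formula from the posted page, hexMD5(hexMD5(password) + challenge); the function names, user table and session store are hypothetical, and it goes one step beyond the per-session challenge described above by discarding the challenge after a single attempt.

```javascript
// Added example (Node.js): verify a challenge-response login and reject replays.
const crypto = require('node:crypto');

const md5hex = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// Constructed user table: the server keeps hexMD5(password), not the password.
// Caveat: that stored value is all that is needed to compute a valid response,
// so it must be protected like a password.
const users = new Map([['Arnold', md5hex('Schwarzenegger')]]);
const sessions = new Map(); // sessionId -> pending challenge

// Issue a fresh, unpredictable challenge (16 random bytes, hex) for a session.
function issueChallenge(sessionId) {
  const challenge = crypto.randomBytes(16).toString('hex');
  sessions.set(sessionId, challenge);
  return challenge;
}

// What the browser computes, per the formula in the posted page.
function clientResponse(password, challenge) {
  return md5hex(md5hex(password) + challenge);
}

// Check one login attempt. The challenge is consumed whether the attempt
// passes or fails, so a captured response is useless afterwards.
function verifyLogin(sessionId, username, response) {
  const challenge = sessions.get(sessionId);
  sessions.delete(sessionId);
  const stored = users.get(username);
  if (!challenge || !stored) return false;
  const expected = Buffer.from(md5hex(stored + challenge), 'utf8');
  const got = Buffer.from(String(response), 'utf8');
  // Constant-time comparison; lengths must match before timingSafeEqual.
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// One legitimate login, then the same response replayed twice.
function demo() {
  const c1 = issueChallenge('s1');
  const r1 = clientResponse('Schwarzenegger', c1);
  const first = verifyLogin('s1', 'Arnold', r1);      // fresh challenge
  const replaySame = verifyLogin('s1', 'Arnold', r1); // challenge already used
  issueChallenge('s2');
  const replayNew = verifyLogin('s2', 'Arnold', r1);  // different challenge
  return { first, replaySame, replayNew };
}
```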

fateofio.org © Copyright 2001-2005 Sam Pierce, Kenton Varda, and contributors