11 9 / 2011
Rewriting the Login Backend
We’ve been experiencing some problems with cookies, and they’re a bit unreliable and vulnerable to XSS attacks, so we’ve switched over to a full session-based system. Sadly, the small downside to sessions is that we won’t be able to remember you! :( You’ll have to log in every time you re-open your browser.
The security of the sessions is about the same, aside from the fact that we aren’t running as many checks, as they aren’t necessary. But we do validate for some things that could be a possible indication of an XSS hack. We validate the temporary session ID against your IP address as well as your user agent. If either one is different within the same session, you’re flagged and have to log in again.
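The check described above (bind a server-side session to the client’s IP address and user agent, and force a fresh login when either changes) can be implemented as a small session store. The code below is an added illustration and is not the site’s own code; the store, its TTL, the fingerprint scheme and the `now` clock hook are all assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed, illustrative session store; not the site's real backend.
SESSION_TTL_SECONDS = 30 * 60


def _fingerprint(ip: str, user_agent: str) -> str:
    """Hash the (IP, user agent) pair so the store keeps no raw UA strings."""
    return hashlib.sha256(f"{ip}\x00{user_agent}".encode()).hexdigest()


class SessionStore:
    """In-memory server-side sessions, each bound to one IP/UA fingerprint."""

    def __init__(self, ttl: int = SESSION_TTL_SECONDS, now=time.time):
        self._sessions = {}
        self._ttl = ttl
        self._now = now          # injectable clock, makes expiry testable
        self.flagged = []        # (session id, reason) for logging/alerting

    def create(self, user_id: str, ip: str, user_agent: str) -> str:
        # A 256-bit random token is the only thing the client ever holds.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": user_id,
            "fp": _fingerprint(ip, user_agent),
            "expires": self._now() + self._ttl,
        }
        return sid

    def validate(self, sid: str, ip: str, user_agent: str):
        """Return the user id if the session is live and bound to this client,
        otherwise destroy the session (if any) and return None."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self._now() > rec["expires"]:
            self._reject(sid, "expired")
            return None
        # Constant-time compare: a mismatch means the token is being presented
        # from a different network location or browser than the one that logged in.
        if not hmac.compare_digest(rec["fp"], _fingerprint(ip, user_agent)):
            self._reject(sid, "binding-mismatch")
            return None
        rec["expires"] = self._now() + self._ttl   # sliding expiry on use
        return rec["user"]

    def _reject(self, sid: str, reason: str) -> None:
        self.flagged.append((sid, reason))
        self.destroy(sid)

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice", "203.0.113.7", "ExampleBrowser/1.0")
    print(store.validate(sid, "203.0.113.7", "ExampleBrowser/1.0"))   # alice
    print(store.validate(sid, "198.51.100.9", "ExampleBrowser/1.0"))  # None, flagged
    print(store.flagged)
```

The mismatch path destroys the session rather than merely refusing the request, so a token that leaked (for example through XSS) stops working for the attacker and the legitimate user is simply asked to log in again. The trade-off a practitioner should weigh is that IP binding also logs out users whose address changes legitimately (mobile networks, corporate proxies), so many deployments bind only the user agent or treat an IP change as a signal for step-up authentication rather than an automatic rejection.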
However, we’re having some problems getting the login system up and running: our authorization is failing at the moment, and that should be resolved in the next few hours :)