
How can I use Vanilla at home and work, and not have to log in each time!?


Comments

  • well if someone can be bothered to duplicate my fingerprint then they're welcome to my secret stash of porn.

  • If someone comes up with a method that I think is better (more secure) than mine, I'd be happy to replace mine.
    Here is how I would make a secure login cookie,

    Grab the user ID and a bunch of random characters then concatenate them with a dividing character, like "|". For example, "5|993ufbnv3fiw9u4g4". Then md5() that and set it as a cookie. Over in the database, users table of course, make a new field called cookie or auth or whatever. In this field, put the md5'd value AND the user's host name. If the md5 hash happens to be 32 0's, it will be "00000000000000000000000000000000myhost.com".

    Now, when the user starts a session, this will be your query (assuming $cookie is the cookie contents and $host is the user's hostname): SELECT * FROM users WHERE auth = '$cookie$host'

    If that returns a row, then the user has resumed their session. You'd then change the random characters, reset the cookie and update the database with the new random string (along with last login time, last IP, etc).

    This means a user from another ISP can't simply copy the cookie value and be logged in. And if they log in from another location, the random string has changed and the first location is no longer logged in (assuming they don't have an active session).
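The scheme described in the post above, as an added example that is not code from the thread or from Vanilla itself. It keeps the post's details (md5 of "user id|random characters", the hash and the host name concatenated in one users.auth column, rotation of the random part on every resume) but binds the lookup as a query parameter instead of interpolating `$cookie$host` into the SQL string, uses a CSPRNG for the random characters, and runs against a constructed in-memory SQLite users table with constructed host names. It then walks through the cases the post makes claims about: resuming from the same host, the cookie copied to another host, the old value after rotation, and a fresh login from a second location. A modern implementation would use a SHA-2 hash rather than md5 and compare the stored and presented values with a constant-time comparison; md5 is kept here only to match the post.

```python
import hashlib
import secrets
import sqlite3

# Constructed in-memory stand-in for the forum's users table. Assumption: a single
# 'auth' column holding "<md5 hash><host name>", exactly as the post describes.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, auth TEXT)")
conn.execute("INSERT INTO users (id, name) VALUES (5, 'alice')")


def make_token(user_id: int) -> str:
    """Cookie value: md5 of '<user id>|<random characters>' (md5 kept to match the post)."""
    rand = secrets.token_hex(16)  # CSPRNG-backed random characters
    return hashlib.md5(f"{user_id}|{rand}".encode()).hexdigest()


def issue_cookie(user_id: int, host: str) -> str:
    """Log in (or rotate): store hash+host in users.auth and return the cookie value.

    Overwriting 'auth' is what logs out any other location still holding the old value.
    """
    token = make_token(user_id)
    conn.execute("UPDATE users SET auth = ? WHERE id = ?", (token + host, user_id))
    conn.commit()
    return token


def resume_session(cookie: str, host: str):
    """The post's lookup, with cookie+host bound as a parameter rather than interpolated.

    Returns (user_id, fresh_cookie) on a match and rotates the random part; None otherwise
    (wrong host, stale value, or a cookie that was never issued).
    """
    row = conn.execute(
        "SELECT id FROM users WHERE auth = ?", (cookie + host,)
    ).fetchone()
    if row is None:
        return None
    user_id = row[0]
    return user_id, issue_cookie(user_id, host)


def demo() -> dict:
    """Walk through the cases the post describes; host names are constructed."""
    home, office = "dsl-1-2-3-4.home-isp.example", "proxy.office.example"

    c1 = issue_cookie(5, home)                  # log in at home
    r1 = resume_session(c1, home)               # come back from home: match, rotated
    home_resumes = r1 is not None and r1[0] == 5
    c2 = r1[1] if r1 else ""

    copied_to_office_fails = resume_session(c1, office) is None   # other host, old value
    old_value_dead = resume_session(c1, home) is None             # same host, old value

    r2 = resume_session(c2, home)               # the rotated value works once more
    rotated_value_works = r2 is not None
    c3 = r2[1] if r2 else ""

    issue_cookie(5, office)                     # a fresh login from the office
    office_login_kicks_home = resume_session(c3, home) is None

    return {
        "home_resumes": home_resumes,
        "copied_to_office_fails": copied_to_office_fails,
        "old_value_dead_after_rotation": old_value_dead,
        "rotated_value_works": rotated_value_works,
        "office_login_kicks_home": office_login_kicks_home,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

Because the host name is part of the stored value, a cookie lifted from one network is rejected from another, which is also why the scheme cannot give the original poster a single cookie that works both at home and at work.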
  • but this still doesn't resolve the complaints about having to log in at work and at home, right? unless you work at home, that is
  • I would rather know that my account is secure rather than not having to type my username/password within three seconds each time I move locations.
  • Mark (Vanilla Staff)
    edited January 2006
    Cookies can get hijacked very easily with xss attacks (or even packet sniffers). Which is why I've made mine such a pain in the ass. If I was really really paranoid, I'd take it a step further and change and reset the cookies (and the referenced db value) on every page load. I've had sites get hacked by cookies before, and I'm not planning on reliving that feeling. I'm sure a security expert will come along with some amazingly simple and awesome way to make remembery cookies secure. Until that day comes, I'm content with what I've got. I'm sure that one of you will come up with a less secure method that doesn't annoy you all so much, and you can install that on your forums and live happily ever after (i hope).
  • /me authenticates via stubs
  • 3stripe ✭✭
    edited January 2006
    /me sets up a 3stripe@work account
  • remembery... hehe
  • Yeah, maybe just an option from the control panel regarding whether or not we use multiple computers? Just an idea :)