Benjamin Juang (ibneko) wrote,

Whoo~ spiffyness. A Login session checker

Came with the recent security shove, I believe.

Speaking of which, there's some complaining going on for some of them:
Cookies/Domains -
Honestly, I'm not all too fond of this. I liked my privilege of having my own subdomain. It's pretty, and a simple exterior show-off thing. I understand the reasoning though. However, I think (but I don't know how) there should be some other way around this. Tying the cookies to the database, and checking based on directory/page you're accessing? I don't know, I haven't thought it through. Still, it's opened up more issues than it should have.

Granted, they can't take the time to beta-test a security patch. Every second delayed = another window of opportunity for hackers to get in.

Also, the domain switch back to for verification keeps flagging itself as a hack when I'm watching my browser. It scared the fuck out of me earlier today when I was replying to an anonymous comment via an e-mail link: it was like, Eeep, was that a phishing e-mail!?!

--> Cookie changelog

Other Friends page set to public entries only:
Not an issue for me, since I don't use it. Still, I don't see how it could have hurt yet, although I have a feeling it's got something to do with cookies, and the now-domain-based authentication system... Although... they're just making things more complex.

And while a half-workaround would be to use the /friendsfriends/group, where group = some group with only one person in it, it wouldn't work for some of the complaints I've read out there.

The new cookie scheme is intended to make sure that the only journal who gets compromised in the event of cookie theft is the attacker's. If Attacker X steals Victim Y's cookie, the worst Attacker X can do is forge comments by Victim Y in AX's own livejournal. However, if VY were allowed to view the friends-only posts of his friends on AX's journal, it would be a whole different story. AX would simply be able to add VY to their friends list and suddenly read VY's friends-only entries. All the people who had friended VY would be made vulnerable as well.
- as posted on lj_dev, here
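The lj_dev explanation above comes down to two points: a browser sends a site-wide cookie to every subdomain, so anything running on a user's own subdomain could read it, and a cookie that is bound to the journal it was issued for is only useful against that one journal. The Python sketch below is an added example, not LiveJournal's code, and it uses made-up journal names (ax, vy), a hypothetical HMAC-signed token format and a constructed server secret to show both points.

```python
import hashlib
import hmac
import secrets

# Constructed server secret for this example only; a real deployment keeps its own.
SERVER_SECRET = b"example-server-secret-not-real"


def cookie_is_sent_to(cookie_domain: str, host_only: bool, request_host: str) -> bool:
    """Simplified browser domain-matching rule.

    A host-only cookie is sent only to the exact host that set it. A cookie
    with a Domain attribute is sent to that domain and every subdomain of it,
    which is why a site-wide session cookie is exposed on every user subdomain.
    """
    cookie_domain = cookie_domain.lower().lstrip(".")
    request_host = request_host.lower()
    if host_only:
        return request_host == cookie_domain
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def issue_session_cookie(user: str, journal: str) -> str:
    """Issue a cookie bound to one journal (hypothetical format: user:journal:nonce:sig).

    The HMAC covers the journal name, so the token cannot be re-pointed at a
    different journal without invalidating the signature.
    """
    nonce = secrets.token_hex(8)
    payload = f"{user}:{journal}:{nonce}"
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def authorize(cookie: str, journal: str):
    """Return the user the cookie authenticates on `journal`, or None if it is
    forged, tampered with, or bound to some other journal."""
    try:
        user, bound_journal, nonce, sig = cookie.split(":")
    except ValueError:
        return None
    payload = f"{user}:{bound_journal}:{nonce}"
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    if bound_journal != journal:
        return None
    return user


def cookie_theft_scenario() -> dict:
    """Walk through the case from the lj_dev post: VY visits AX's journal, the
    cookie issued there leaks to AX, and AX tries to use it elsewhere."""
    # Site-wide cookie: readable on ax.livejournal.com, so theft there exposes everything.
    sitewide_exposed = cookie_is_sent_to("livejournal.com", False, "ax.livejournal.com")
    # Host-only cookie for the main site never reaches a user subdomain.
    hostonly_exposed = cookie_is_sent_to("www.livejournal.com", True, "ax.livejournal.com")

    stolen = issue_session_cookie("vy", "ax")  # issued to VY while on AX's journal
    return {
        "sitewide_cookie_exposed_on_user_subdomain": sitewide_exposed,
        "hostonly_cookie_exposed_on_user_subdomain": hostonly_exposed,
        "stolen_cookie_acts_as_vy_on_ax": authorize(stolen, "ax"),   # "vy": comments can be forged there
        "stolen_cookie_acts_as_vy_on_vy": authorize(stolen, "vy"),   # None: VY's own journal is untouched
        "retargeted_cookie_on_vy": authorize(stolen.replace(":ax:", ":vy:"), "vy"),  # None: signature breaks
    }


if __name__ == "__main__":
    for key, value in cookie_theft_scenario().items():
        print(f"{key}: {value}")
```

The trade-off the post complains about falls out of this directly: because the browser's cookie scoping is the only thing keeping one subdomain's script away from another's cookie, the server has to hand out a separate, journal-bound credential per subdomain, and that is the round trip through the main domain that the author sees flagged in the browser.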

I dunno. Security's good and all, and I know there's some limits to the way cookies are handled by browsers, but... the workaround shouldn't be so ugly. Granted, they're probably coding in a hurry, and doing minimal testing.

The other side of me says that you livejournal users are spoiled by the fact that there's been a beta-test server, where all changes go first to get tested. So when things fuck up, people get all bitchy. Granted, it does suck for those who are paying, or have paid (like myself~).
Tags: livejournal
