http-auth-client
- Tank Program
- Forum & Project Admin, PhD
- Posts: 6711
- Joined: Thu Dec 18, 2003 7:03 pm
I did an HTML/PHP/JavaScript implementation of authentication the same as how I understand that the server does it. It's not quite bug-free, but works with the forums.
http://authentication.armagetronad.net/login/
lp:~armagetronad-dev/armagetronad/trunk-http-auth-client-work (this branch might not be the right place for it, but I wanted to put it someplace.)
- Tank Program
- Forum & Project Admin, PhD
- Posts: 6711
- Joined: Thu Dec 18, 2003 7:03 pm
The next step in this system has occurred. Try logging in to here with your authority accounts please.
- Lackadaisical
- Shutout Match Winner
- Posts: 823
- Joined: Sun Dec 21, 2003 4:58 pm
- Location: Amsterdam, Netherlands
- Contact:
It works, I guess? This looks awesome for handling tournament registration, but how do I know I didn't just give you my password?
Official Officiant of the Official Armagetron Clan Registration Office
Back (in the sig) by popular demand: Lack draws
Well, you can't. But if you look at the page source right now, you'll see that basically the same things happening in the arma client are implemented there as javascript; the password is not transmitted verbatim, but hashed and salted. That means, whatever the server code does, he can at most steal your ID for one session on one server for the old bmd5 authentication method. For the md5 method, you should be as safe as Tank is unable to reverse md5.
Of course, the page source can change anytime, but that's what the "Log me on automatically" thing is for. Glance at the page source, verify it's not sending a verbatim password or the first hash code, and click that button. OR YOU JUST TRUST HIM BECAUSE HE IS TANK PROGRAM?
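Added example, not part of the original posts or of the login page's own script: a sketch of the two-step hashing the post above describes, together with the check it recommends (nothing sent may contain the verbatim password or the first hash). It assumes a simplified scheme, response = MD5(MD5(password) + salt); the function names, field names and sample values are constructed, and the real Armagetron encoding may differ.

```javascript
// Assumed simplified scheme for illustration; not Armagetron's actual wire format.
const { createHash, randomBytes, timingSafeEqual } = require('crypto');

const md5hex = (s) => createHash('md5').update(s, 'utf8').digest('hex');

// "First hash code": depends on the password only. Anyone holding it can
// answer any future challenge, so it must never leave the browser.
const firstHash = (password) => md5hex(password);

// What the page should send: the first hash mixed with the server's one-time salt.
const clientResponse = (password, salt) => md5hex(firstHash(password) + salt);

// Authority side: recompute from the stored first hash and the salt it issued.
function verify(storedFirstHash, salt, response) {
  const expected = Buffer.from(md5hex(storedFirstHash + salt), 'hex');
  const got = Buffer.from(String(response), 'hex');
  return got.length === expected.length && timingSafeEqual(expected, got);
}

// The "glance at the page source" check, applied to the outgoing form fields:
// true if any field contains the verbatim password or the first hash.
function leaksSecret(fields, password) {
  const secrets = [password, firstHash(password)];
  return Object.values(fields).some((v) => secrets.some((s) => String(v).includes(s)));
}

function demo() {
  const password = 'correct horse';              // constructed sample value
  const stored = firstHash(password);            // what the authority keeps
  const saltA = randomBytes(16).toString('hex'); // challenge for this login
  const saltB = randomBytes(16).toString('hex'); // challenge for a later login
  const good = { user: 'player@forums', salt: saltA,
                 response: clientResponse(password, saltA) };
  const bad = { user: 'player@forums', password }; // verbatim password in the form
  return {
    accepted: verify(stored, saltA, good.response),
    replayRejected: !verify(stored, saltB, good.response), // response is bound to saltA
    goodLeaks: leaksSecret(good, password),
    badLeaks: leaksSecret(bad, password),
  };
}

console.log(demo());
```

A response captured for one salt fails against any other salt, which is why a glance at what the form submits is enough to bound what the receiving site learns.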
- Tank Program
- Forum & Project Admin, PhD
- Posts: 6711
- Joined: Thu Dec 18, 2003 7:03 pm
Really, if I wanted to steal your password, there'd be a lot of easier ways to do it...
But yes, what's happening there is effectively what the server does.
If a few people could test this out and, you know, report if it works or not, that'd be good. I'd hate to change systems and suddenly no one can log in.
- Tank Program
- Forum & Project Admin, PhD
- Posts: 6711
- Joined: Thu Dec 18, 2003 7:03 pm
So you tried logging in as [email protected]?