I showed my forums (http://www.datatheandroid.com/forum/forum.dmb) to Yurgeta, a friend of mine. He told me that I would be able to get his password if he logged in and store it in the MySQL database if I wanted and that "everything is loggable".
Care to show me how the process exactly works to put people like him at ease?
May 22 2006, 11:33 am

May 22 2006, 11:44 am
That is not true, the login process takes you outside of your forums, places a cookie, and then runs back to your site. This leaves your server outside of the password loop. Your server knows passwords no better than DreamMaker does normally.
How does the process exactly work? Step by step?
What are my limits? What would I be able to do with the information I get?
Crashed wrote:
Given your record words alone will not be effective.

Actually, the person in question thinks that of DMCGI applications in general, not just my simple forums.
You click login --> secure.byond.com login page --> cookie placed --> back to your forums --> cookie checked with hub/secure.byond.com --> cookie accepted.
This is how I imagine it working, but I am not totally sure. Anywho, your friend is assuming he is putting the password into your forums, which he is not. Tell him to check the address bar.
You can trace most of the steps in the DMCGI login process by following what your browser does.

1. You are redirected to https://secure.byond.com/
2. You securely send your key name and password to secure.byond.com.
3. secure.byond.com redirects you back to the original site, with a BYOND certificate added to the URL. The certificate is only valid for the given BYOND user at the web domain used for DMCGI. It cannot be used to log in to any other BYOND or DMCGI site.
4. The DMCGI application at the original site reads the BYOND certificate and contacts the BYOND hub for verification. DMCGI sends the certificate number and the current web domain to the hub.
5. The BYOND hub looks up the certificate/web-domain pair. If there is a valid, unexpired match, it sends back the key name. If not, the certificate is returned as invalid.
6. Given a valid response and key name, DMCGI now considers you logged in. DMCGI saves a local copy of your key name tied to the certificate and web domain so that it doesn't have to spam the BYOND hub for validation next time you access a DMCGI page on the site.
7. DMCGI sets the byondcert cookie for its own domain to the valid certificate. Next time you access the page, it validates the cookie against its local database for login instead of going through all the steps above.

Notice that your password is only ever sent to secure.byond.com, over a secure connection. Nobody running a DMCGI site can get to it. The certificate is only valid for one specific web domain, so again, nobody running a DMCGI site can harvest certificates to do any damage with them.
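The seven-step flow above, modelled as a small simulation. This is an added example, not BYOND's or DMCGI's own code; the class names, the hub's lookup table, the cache and the one-hour certificate lifetime are all assumptions made for illustration. It shows the two properties the post relies on: the site object never receives the password, and a certificate issued for one domain is rejected by the hub when another domain presents it.

```python
import secrets
import time

# Constructed model of the DMCGI login flow. Structures and names are
# assumptions for illustration, not the real BYOND implementation.

class SecureByond:
    """Stands in for secure.byond.com plus the BYOND hub: the only party
    that ever sees the password (steps 2, 3 and 5)."""
    def __init__(self, accounts):
        self.accounts = accounts          # key name -> password
        self.hub = {}                     # (cert, domain) -> (key, expiry)

    def login(self, key, password, domain):
        # Step 2: the password is checked here and nowhere else.
        if self.accounts.get(key) != password:
            return None
        # Step 3: mint a certificate bound to this user AND this domain.
        cert = secrets.token_hex(16)
        self.hub[(cert, domain)] = (key, time.time() + 3600)
        return cert                       # travels back in the redirect URL

    def hub_verify(self, cert, domain):
        # Step 5: look up the certificate/web-domain pair. A certificate
        # presented from a different domain simply has no matching entry.
        entry = self.hub.get((cert, domain))
        if entry is None or entry[1] < time.time():
            return None
        return entry[0]


class DmcgiSite:
    """A DMCGI application at one web domain (steps 4, 6 and 7)."""
    def __init__(self, domain, hub):
        self.domain = domain
        self.hub = hub
        self.local = {}                   # cert -> key name (local cache)

    def handle_redirect(self, cert):
        # Steps 4-6: send cert + own domain to the hub, cache the key name.
        key = self.hub.hub_verify(cert, self.domain)
        if key is None:
            return None
        self.local[cert] = key
        return key

    def handle_cookie(self, byondcert):
        # Step 7: later requests are checked against the local cache only.
        return self.local.get(byondcert)
```

Note that `DmcgiSite` has no method that accepts a password at all; the only data it ever handles is the certificate, which is useless at any other domain.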
Scoobert wrote:
Darn, I was close but not quite there.

Close, as in me carrying a thermo-nuclear device in my pants and going, 'whoops!' *BOOM*
Du'wat' now? My process was close to what he had, but lacking many details. I just guessed based on how my browser went, just like he suggested.
Yup, like lacking all the details of how said nuclear device got in my pants to begin with! :D
We now return you to our regularly scheduled topic!