
Thread: secure login

  1. #1
    0_o Mastermind keezel
    Join Date
    Jun 2003
    Posts
    1,024

    secure login

    Over in questions about AO I've been talking about how I have a problem with signing into AO from computers I don't trust. MsM recommended that I make a suggestion about it...so here it is. Would it be feasible for us to have an encrypted/secure login similar to the one hotmail/yahoo uses for email login?

  2. #2
    Banned
    Join Date
    Jul 2001
    Posts
    1,100
    Greetings:

    Unfortunately, this couldn't be done without a LOT of modification to the site code. Because of cookies, server sessions and the like, you would have to interact with the site entirely in ssl after you've been logged in. The site is just not designed for that...

    There are some changes that I had in the works before I sold the site that could be implemented to help make things a bit more secure though. Such as a user security center, that would let them globally log out all cookies no matter what box they're on, limiting logins to certain IPs or subnets, show a list of all IPs that have accessed the site under their account, etc. etc. Features like that would be very easy to integrate, and much of the data necessary to work them is already (or at least was) collected by the site.
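
The account controls described in the post above (global logout, login limits by IP or subnet, a list of IPs seen per account), as an added example that is not part of the original thread or the site's code. The class and method names are hypothetical, the store is in memory, the addresses are constructed documentation ranges, and password verification is assumed to happen before `login()`.

```python
import ipaddress
import secrets


class SecurityCenter:
    """In-memory sketch of per-account session controls (hypothetical names)."""

    def __init__(self):
        self.sessions = {}   # session token -> username
        self.allowed = {}    # username -> permitted networks (empty = any)
        self.seen_ips = {}   # username -> IPs that used the account, in order

    def restrict(self, user, cidrs):
        # Accept single addresses ("203.0.113.7") or subnets ("203.0.113.0/24").
        self.allowed[user] = [ipaddress.ip_network(c, strict=False) for c in cidrs]

    def _ip_permitted(self, user, ip):
        nets = self.allowed.get(user, [])
        addr = ipaddress.ip_address(ip)
        return not nets or any(addr in n for n in nets)

    def _record(self, user, ip):
        ips = self.seen_ips.setdefault(user, [])
        if ip not in ips:
            ips.append(ip)

    def login(self, user, ip):
        # Assumption: the password has already been verified by the caller.
        if not self._ip_permitted(user, ip):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        self._record(user, ip)
        return token

    def check(self, token, ip):
        # Run on every request: a cookie is honoured only while the server
        # still knows its token and the client address is still permitted.
        user = self.sessions.get(token)
        if user is None or not self._ip_permitted(user, ip):
            return None
        self._record(user, ip)
        return user

    def logout_everywhere(self, user):
        # Server-side revocation: cookies left on other machines stop working.
        stale = [t for t, u in self.sessions.items() if u == user]
        for t in stale:
            del self.sessions[t]
        return len(stale)
```

Because revocation happens on the server, it works even when the user can no longer reach the machine that still holds the cookie.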

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Keezel: Still doesn't stop keyloggers unfortunately..... You have to trust the machine you're on before the SSL makes the network you are on trustable......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    AO Antique pwaring
    Join Date
    Aug 2001
    Posts
    1,409
    I've been using AO for over three years now, I think if someone really wanted to sniff my password they would have done so already.

    Seriously though, I don't think SSL support for AO is really worth the hassle - it's not as if you're providing sensitive information such as credit card details. I guess we could have a secure sign in option (so that your username/password wouldn't be transmitted in plaintext - shouldn't be too difficult to implement) but the question you have to ask is whether it provides any benefit and to JM whether it would produce a return on the cost of implementing it.
    Paul Waring - Web site design and development.

  5. #5
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    I've been using AO for over three years now, I think if someone really wanted to sniff my password they would have done so already.
    Not only that, but anyone trying to sniff out anyone's account on AO must really not have a life.
    Space For Rent.. =]

  6. #6
    Administrator mnstrgrl
    Join Date
    Feb 2003
    Posts
    512
    I recall another request for a "delete all cookies" option, so that's been added, as an alternate logout option. Note that even for guest users, a cookie is set with a session hash and lastvisit timestamp. This means that immediately after you've removed all cookies, 2 new ones will be set containing that data. They won't be tied in any way to your account info.

    So what cookies are removed?
    • username
    • password (which was encrypted when stored)
    • lastvisit
    • sessionhash
    • threadview list


    - h
    I'm not mean. You're just a sissy.

  7. #7
    0_o Mastermind keezel
    Join Date
    Jun 2003
    Posts
    1,024
    Resurrecting the dead here, but this came in useful today. The admins in this one computer lab I use finally found their brains and disabled access to internet options in IE (other stuff had been disabled long ago) and I don't know of another way to delete cookies....and I *hate* leaving a trail with my usernames and passwords on computers. So...I just wanted to say: thanks!
