Possible Glitch with "Start a Discussion" From a Review
#1
Thread Starter
DVD Talk Hero
I don't recall this ever being a problem before, but I haven't started a discussion about a review since the "upgrade", so maybe I've missed it.
The "Start a Discussion" page requests user name and password now regardless of whether you're logged in or not, and the password field is marked as just a text box (not a password box). I haven't tested whether it works, because while I know there's no fundamental security difference, I'm not about to type a password into a regular textbox just on principle.
Anyway, is this just me, or is there a problem here?
das
#2
DVD Talk Reviewer/ Admin
Joined: Sep 1999
Posts: 31,711
Received 2,803 Likes on 1,864 Posts
From: Greenville, South Cackalack
Originally Posted by das Monkey
Anyway, is this just me, or is there a problem here?
As far as logging in -- I don't know what to tell you. vBulletin changed the way their cookies relate to passwords, and without poring through each of their files, I don't know of a quick way to authenticate a user. If I didn't authenticate, it would be a breeze, but we had problems with someone forging cookies and making fake posts through this tool a while back. It's easy to fake the numeric user ID, but it's a lot tougher when I authenticate.
The password vBulletin stores in the database is an md5 hash of the md5 hash of the password concatenated with a randomly generated 'salt' string, so md5(md5(password) . salt). I know how to verify passwords if they're starting in their original form. vBulletin used to store an md5 hash of the password in the cookie, and it was easy to authenticate that too, but they're apparently not doing that anymore. I can't figure out how that cookied password is encoded now. I'll try to figure it out later.
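The check described in the post above, written out as an added example (not part of the thread and not vBulletin's or DVD Talk's code). The user table, salt, password and function names are constructed for illustration; only the formula md5(md5(password) . salt) and the older md5(password) cookie value come from the post.

```php
<?php
// Added illustration: names and sample data are constructed, not vBulletin's code.

// Stored form described in the post: md5(md5(password) . salt).
function stored_hash(string $password, string $salt): string {
    return md5(md5($password) . $salt);
}

// Constructed user table keyed by username (stands in for the forum database).
$salt  = 'x9Q';
$users = [
    'das' => ['userid' => 42, 'salt' => $salt, 'hash' => stored_hash('correct horse', $salt)],
];

// Authenticate from the submitted form fields. The user ID comes from the
// database row, never from a client-supplied cookie or hidden field.
function authenticate(array $users, string $username, string $password): ?int {
    $row = $users[$username] ?? null;
    // Unknown users are hashed against a dummy record so both paths do the same work.
    $salt      = $row['salt'] ?? 'dummy';
    $expected  = $row['hash'] ?? str_repeat('0', 32);
    $candidate = stored_hash($password, $salt);
    // hash_equals() compares the two hex strings in constant time.
    $match = hash_equals($expected, $candidate);
    return ($row !== null && $match) ? $row['userid'] : null;
}

// Older cookie format per the post: the cookie carried md5(password), so the
// server only has to apply the outer md5 with the stored salt.
function authenticate_legacy_cookie(array $users, string $username, string $cookieHash): ?int {
    $row = $users[$username] ?? null;
    // Reject anything that is not a 32-character lowercase hex digest.
    if ($row === null || !preg_match('/^[0-9a-f]{32}$/', $cookieHash)) {
        return null;
    }
    $candidate = md5($cookieHash . $row['salt']);
    return hash_equals($row['hash'], $candidate) ? $row['userid'] : null;
}

// Correct password, wrong password, unknown user, then the legacy cookie path.
var_dump(authenticate($users, 'das', 'correct horse'));
var_dump(authenticate($users, 'das', 'wrong'));
var_dump(authenticate($users, 'nobody', 'correct horse'));
var_dump(authenticate_legacy_cookie($users, 'das', md5('correct horse')));
```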
#3
Thread Starter
DVD Talk Hero
• Adam Tyner •
I'd argue that there's not -- as you mentioned, there's no security difference between a password box and a text box (although if you scroll back through your history, password boxes are automatically cleared out, so I guess there's that small difference), but I went ahead and made that box a password field.
As for having to log in again, that's no big deal, just so long as someone is aware of the issue, which clearly you are. Now to go cause trouble in the DVD Reviews forum ...
Thanks for the detailed response.
das




