266 Re: [fanficauthors] Re: Site structure annoyance.

  • pfeil
    Dec 19, 2010
      On Sun, Dec 19, 2010 at 01:22, ubereng <mryahell@...> wrote:
      >
      > I never said that I had to relogin, once logged in.  (Except when logins expire or cookies are deleted)
      > The problem comes with following a link to a story on subsite B, but the PW manager only has a record for subsite A.  So every time we visit a new subsite, it either has to be within a few days of our last visit (not likely, given the activity level at FFA), or we must dredge up the account credentials and create yet another PW-manager entry for FFA.
      >
      > As for fixing my password manager, there is nothing wrong with it, I didn't write it, and it's not the source of the problem -- and as already seen on this thread, others have the same issue.
      >

      Cookies allow the specification of both a domain -- which may or may
      not be a *. domain -- and a path -- under which they apply -- for good
      reason. Any password manager that can't handle both those things is
      fundamentally broken.

      Different subdomains isn't just a quirk of FFA; it's how sites like
      wikipedia work too. (<fr.wikipedia.org> and <en.wikipedia.org>.)

      And if it doesn't handle paths, then you're just asking for phishing
      attacks on free hosting sites where each hostee gets a different
      subdirectory. If your password manager gives the username and
      password for <hosting.com/goodsite> to <hosting.com/G00DSITE>, then
      your password manager is a security hole.

      >
      > Redirecting to login.fanficauthors.net would probably be an acceptable band-aid, but more work than just switching the structure -- which could be as easy as one redirect in the server config. (FFA appears to use Nginx, which I'm not too familiar with).
      >

      Except that changing the structure also means that autocomplete for
      URLs no longer works as well, and you don't want to have two different
      links for the same thing for SEO reasons.

      And the "different login domain" isn't a "band-aid", it's the right
      way to solve the problem of auth across different sites. Note, for
      example, that going to <gmail.com> takes you to
      <www.google.com/accounts/ServiceLogin>, which then redirects you back
      to <mail.google.com>.
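
The domain and path scoping discussed in the message above, as an added example that is not part of the original post: a credential lookup that applies RFC 6265-style domain-match and path-match rules before offering a saved login. The store layout, the function names, the usernames and the host `subsite-b.fanficauthors.net` are assumptions constructed for illustration.

```javascript
// Added example: scope saved credentials the way cookies are scoped.
// STORE is constructed sample data, not taken from any real password manager.
const STORE = [
  // hostOnly: false acts like a "*." entry and covers every subdomain.
  { domain: "fanficauthors.net", hostOnly: false, path: "/", username: "reader" },
  // hostOnly: true plus a path pins the entry to one hostee on a shared host.
  { domain: "hosting.com", hostOnly: true, path: "/goodsite", username: "alice" },
];

// Hosts compare case-insensitively; IP literals never match by suffix.
function domainMatch(host, entry) {
  const h = host.toLowerCase();
  const d = entry.domain.toLowerCase();
  if (h === d) return true;
  const isIp = /^[\d.]+$/.test(h) || h.includes(":");
  return !entry.hostOnly && !isIp && h.endsWith("." + d);
}

// Paths compare case-sensitively and only match on a "/" boundary,
// so "/goodsite" covers "/goodsite/login" but not "/goodsite2" or "/G00DSITE".
function pathMatch(requestPath, entryPath) {
  if (requestPath === entryPath) return true;
  if (!requestPath.startsWith(entryPath)) return false;
  return entryPath.endsWith("/") || requestPath[entryPath.length] === "/";
}

// Usernames that may be offered for this URL; an empty list means "do not fill".
function credentialsFor(url, store) {
  const { hostname, pathname } = new URL(url);
  return store
    .filter((e) => domainMatch(hostname, e) && pathMatch(pathname, e.path))
    .map((e) => e.username);
}

// One wildcard entry serves every subsite, so no per-subsite records are needed.
console.log(credentialsFor("https://subsite-b.fanficauthors.net/story/1", STORE));
// The look-alike directory on the shared host gets nothing.
console.log(credentialsFor("https://hosting.com/G00DSITE/login", STORE));
```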