Old 07-16-2009, 12:08 AM   #61 (permalink)
Senior Member
 
hayroob's Avatar
 
Join Date: Mar 2008
Location: Detroitish
Posts: 1,386
So this is what I've been working on instead of posting here for the last few days:
Secure Persistent Login With Very Little SSL Part 1 | Get It Down On Paper
and
Secure Persistent Login With Very Little SSL Part 2 | Get It Down On Paper

If you're into web programming/security let me know what you think.

Last edited by hayroob; 07-16-2009 at 12:43 PM.
(Offline)   Reply With Quote
Old 07-16-2009, 07:16 AM   #62 (permalink)
Senior Member
 
Subsonix's Avatar
 
Join Date: Aug 2006
Location: Melbourne, Australia
Posts: 462
Quote:
Originally Posted by hayroob View Post
So this is what I've been working on instead of posting here for the last few days:
Secure Persistent Login With Very Little SSL Part 1 | Get It Down On Paper
and
Secure Persistent Login With Very Little SSL Part 2 | Get It Down On Paper

If you're into web programming/security let me know what you think.
I DO NOT KAY YOUR BLOG.

Please add pictures and funneh to explain.

KTHNKBAI.
(Offline)   Reply With Quote
Old 07-16-2009, 09:41 AM   #63 (permalink)
Senior Member
 
Join Date: Nov 2005
Location: Tampa, FL
Posts: 254
I see an issue: the cookie has to be valid for both the http side and the https, otherwise when you switch to http after logging in you will get stuck in a login loop. One way to accomplish this is to have the cookie set via http point to the https id using a secure identifier (i.e. salt etc.). The main issue is the cookie for http will be passed in clear text over the wire, so whatever info you put into it cannot be used to log in directly to the site if someone yanked the cookie. Also, you should look into separating your HTML and PHP using something like Smarty. (Just a suggestion, makes the code look clean.)
(Offline)   Reply With Quote
Old 07-16-2009, 11:36 AM   #64 (permalink)
Senior Member
 
hayroob's Avatar
 
Join Date: Mar 2008
Location: Detroitish
Posts: 1,386
Quote:
Originally Posted by colk View Post
I see an issue: the cookie has to be valid for both the http side and the https, otherwise when you switch to http after logging in you will get stuck in a login loop. One way to accomplish this is to have the cookie set via http point to the https id using a secure identifier (i.e. salt etc.). The main issue is the cookie for http will be passed in clear text over the wire, so whatever info you put into it cannot be used to log in directly to the site if someone yanked the cookie. Also, you should look into separating your HTML and PHP using something like Smarty. (Just a suggestion, makes the code look clean.)
I'll look into the smarty thing, I do enjoy clean code.

I think you misunderstood, there is a php session cookie that works over http and https that is responsible for actually being logged in, the https hash cookie (snickers to himself) is only responsible for reauthentication which is done over https.

If there's confusing or poorly explained language in my article I would love feedback to make it more clear.

EDIT: I have added a link to my live implementation in part 1

Last edited by hayroob; 07-16-2009 at 11:47 AM.
(Offline)   Reply With Quote
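
The two-cookie split described in the post above, modelled as an added example that is not part of the thread and not hayroob's implementation: a session cookie that travels over both http and https, and a long-lived `Secure` cookie that is only ever used to re-authenticate over https. The cookie names, the in-memory stores, the 30-day lifetime and the single-use token rotation are assumptions made for this sketch.

```python
import hashlib
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory stores standing in for the session table and the
# persistent-login table (hypothetical; a real site would use its database).
SESSIONS = {}   # session id -> user
REMEMBER = {}   # sha256(token) -> user


def _cookie(name, value, secure, max_age=None):
    """Build the value of one Set-Cookie header."""
    c = SimpleCookie()
    c[name] = value
    c[name]["path"] = "/"
    c[name]["httponly"] = True            # not readable from page scripts
    if secure:
        c[name]["secure"] = True          # browser never sends it over http
    if max_age is not None:
        c[name]["max-age"] = max_age
    return c[name].OutputString()


def start_session(user):
    """Session cookie: sent on http and https, no lifetime beyond the browser session."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return _cookie("sid", sid, secure=False)


def issue_remember_token(user):
    """Long-lived token in a Secure cookie; only its hash is kept server-side."""
    token = secrets.token_urlsafe(32)
    REMEMBER[hashlib.sha256(token.encode()).hexdigest()] = user
    return token, _cookie("remember", token, secure=True, max_age=30 * 86400)


def reauthenticate(scheme, token):
    """Swap a remember token for a fresh session: https only, single use."""
    if scheme != "https" or not token:
        return None
    digest = hashlib.sha256(token.encode()).hexdigest()
    user = REMEMBER.pop(digest, None)     # token is consumed on use
    if user is None:
        return None
    _, new_remember = issue_remember_token(user)
    return user, start_session(user), new_remember
```

A session id captured from cleartext http is good only until that session ends; it cannot mint a new one, because the token that can is never sent outside https and is replaced each time it is used.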
Old 07-16-2009, 12:43 PM   #65 (permalink)
Senior Member
 
hayroob's Avatar
 
Join Date: Mar 2008
Location: Detroitish
Posts: 1,386
I submitted my code to a site that talks about this stuff, if people could give me a vote it would really help drive traffic to my blog.

Hacker News | Secure Persistent Login With Very Little SSL Redux

Last edited by hayroob; 07-16-2009 at 01:18 PM.
(Offline)   Reply With Quote
Old 07-16-2009, 01:19 PM   #66 (permalink)
Senior Member
 
hayroob's Avatar
 
Join Date: Mar 2008
Location: Detroitish
Posts: 1,386
Just as an FYI you have to click the little arrow next to the post to vote, it's dumb and it took me a minute to realize so I thought I'd post it.
(Offline)   Reply With Quote
Old 07-16-2009, 02:27 PM   #67 (permalink)
Junior Member
 
Bri Mad's Avatar
 
Join Date: Jan 2009
Posts: 6
Thanks!

Wow. Streaming works great, and I can see the upcoming show time with one button press.

Thanks for adding me, and for all the work, Hayroob!

B
(Offline)   Reply With Quote
Old 07-16-2009, 02:30 PM   #68 (permalink)
Senior Member
 
hayroob's Avatar
 
Join Date: Mar 2008
Location: Detroitish
Posts: 1,386
Quote:
Originally Posted by Bri Mad View Post
Wow. Streaming works great, and I can see the upcoming show time with one button press.

Thanks for adding me, and for all the work, Hayroob!

B
I'll tell you what I tell everybody, I accept gratitude in the forms of nice sayings, donations (note the link in my sig) and pictures of boobs (girls boobs, no picture of dicks, looking at you newsy)
(Offline)   Reply With Quote
Old 07-16-2009, 02:41 PM   #69 (permalink)
Senior Member
 
outlaw's Avatar
 
Join Date: Jan 2006
Location: ATL
Posts: 179
Quote:
Originally Posted by hayroob View Post
Just as an FYI you have to click the little arrow next to the post to vote, it's dumb and it took me a minute to realize so I thought I'd post it.
Wow, you weren't kidding. Even after reading your post, it took me a minute to find that arrow. Talk about bad UI design, that site is horrible. Oh well, my vote has been cast. Good luck.
(Offline)   Reply With Quote
Old 07-16-2009, 02:48 PM   #70 (permalink)
Senior Member
 
hayroob's Avatar
 
Join Date: Mar 2008
Location: Detroitish
Posts: 1,386
Quote:
Originally Posted by outlaw View Post
Wow, you weren't kidding. Even after reading your post, it took me a minute to find that arrow. Talk about bad UI design, that site is horrible. Oh well, my vote has been cast. Good luck.
Thanks for the vote, and yes the UI on that site is shittastic, I found it by clicking on literally everything until something happened. This is what happens when engineers build websites, but don't talk to designers. It never crashes and the performance is great, but only if you can actually decrypt their nonsense layout.
(Offline)   Reply With Quote