Statik-Metrics / Statik-Website

Statik Website
http://statik.io/
Artistic License 2.0

Save session keys to database #17

Closed robbie-wilson closed 10 years ago

robbie-wilson commented 10 years ago

Could someone implement it to the logging in section so that when someone logs in it saves the session cookie content to the database making it so that other sections of Statik can check to see if a user is logged in.

The data saved to the database should contain:

Other data can be saved if you see fit.

There should only ever be one instance of each username in the collection at one time, when someone logs in it should replace any previous instance of that user being in that database.

The cookie should be accessible to be read from any sub-domain of statik.io

You may want to create a page that takes the session id and returns the values although this is not mandatory.

robbie-wilson commented 10 years ago

You could have it so that visiting a certain URL returns "false" or "failure" if the user is not logged in and the username and email if they are. Saves changing the way the cookie is created/saved and passing session id's between servers/domains.

gdude2002 commented 10 years ago

I don't like the sound of that - it sounds too... anti-security. It would be too easy to harvest emails using JS injection.

robbie-wilson commented 10 years ago

But surely the session id is random and it's not like you're going to be able to get any more info than if you have the person's password and just log in as them

gdude2002 commented 10 years ago

Yes, but you don't /need/ the password in this case.

robbie-wilson commented 10 years ago

This would just run a script that gets the session id and checks it against the database; I don't see how it is insecure

gdude2002 commented 10 years ago

It's insecure because you're relying on your XSS protection being good enough - it's best not to leave these vectors in the first place. Everyone fucks up.

robbie-wilson commented 10 years ago

Okay then, forget the whole URL idea then

bendem commented 10 years ago

Agreed with @gdude2002 ;)

robbie-wilson commented 10 years ago

The user's rank (user, admin etc.) should be saved with that data as well.

gdude2002 commented 10 years ago

Well, really, it could just refer to the ObjectID of the user, as well as maybe a date and IP address for session validation - for the sake of efficiency and security - and then we'd just use that to get the specific user data we need from Mongo.
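The session record gdude2002 sketches above (a reference to the user, a creation time and the login IP, validated server-side) combined with the one-session-per-user rule from the issue description, as an added illustration that is not Statik's code. A plain dict stands in for the Mongo collection, and times are assumed to be Unix seconds.

```python
import secrets
import time

# Assumption: sessions older than this are treated as logged out.
SESSION_MAX_AGE = 12 * 3600


class SessionStore:
    """In-memory stand-in for the Mongo sessions collection (constructed for this example)."""

    def __init__(self):
        self._by_id = {}    # session_id -> {"user_id", "created", "ip"}
        self._by_user = {}  # user_id -> session_id, enforces one session per user

    def create(self, user_id, ip, now=None):
        """Log a user in: issue a fresh random session id and drop any earlier
        session for the same user, so the store holds at most one record per user."""
        now = time.time() if now is None else now
        old = self._by_user.pop(user_id, None)
        if old is not None:
            self._by_id.pop(old, None)
        session_id = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG
        self._by_id[session_id] = {"user_id": user_id, "created": now, "ip": ip}
        self._by_user[user_id] = session_id
        return session_id

    def validate(self, session_id, ip, now=None):
        """Server-side check for other Statik sections. Returns the user's id, so the
        caller looks up rank/email in the users collection itself, or None. Nothing
        here hands user data back to the browser for a bare session id."""
        now = time.time() if now is None else now
        rec = self._by_id.get(session_id)
        if rec is None:
            return None
        if now - rec["created"] > SESSION_MAX_AGE or rec["ip"] != ip:
            # Stale, or presented from a different address: invalidate it.
            self.destroy(session_id)
            return None
        return rec["user_id"]

    def destroy(self, session_id):
        """Log out: remove the session and free the user's single-session slot."""
        rec = self._by_id.pop(session_id, None)
        if rec is not None:
            self._by_user.pop(rec["user_id"], None)
```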

robbie-wilson commented 10 years ago

yeah I guess that does the same thing, @greatman can decide how he wants it to work

gdude2002 commented 10 years ago

It's a database design thing. DRY taken to the max.

robbie-wilson commented 10 years ago

'DRY'?

gdude2002 commented 10 years ago

Don't Repeat Yourself.