ToothyWikiInternals/GoryCookieDetails


MoonShadow has just realised that the ToothyWiki logging in and out system is actually slightly b0rked.

When you log in to ToothyWiki, a cookie is sent to your browser. ToothyWiki then asks for it back whenever it needs to know who you are. Browsers will send cookies back only to the domain they originally came from (unless they are broken), since otherwise someone could steal cookies that don't belong to them. Cookies are used on commercial sites for things like shopping trolley checkouts and online banking sessions, so stealing them would be A Bad Thing (at lunchtime, I'll put links here to where one can find out more if one is interested).

Now, some ToothyWiki links currently assume that you are using http://www.toothycat.net/wiki/wiki.pl. However, you could also be using http://toothycat.net/wiki/wiki.pl. If you are using the latter and click on a link that assumes the former, the wiki won't get your cookie and so won't recognise you, and will assume you are a new user (unless someone using the machine before you and going to www.toothycat.net/... didn't log out, in which case you'll get to edit their preferences. What fun!)

What ToothyWikizens can do about it



If you came in through toothycat.net, you can use [this] link to log out, then [this] link to log in. Next time you log in, go to http://www.toothycat.net/wiki/wiki.pl rather than http://toothycat.net/wiki/wiki.pl. Or, alternatively, keep an eye on where links actually point to - that should be a habit anyway if you are using MSIE, since there are a number of ways to exploit it from a malicious page.


What MoonShadow can do about it



The script knows which URL you are using, and links are generated on the fly; so it should be possible for MoonShadow to munge the script to always give you links that actually work automatically. This has been done for Action: links but not ToothyWiki: links yet.
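The cookie mismatch and the link fix described above, modelled as an added example (not the wiki's own script, which is wiki.pl). The host names come from this page; the function names, the cookie name and value, the `?Page` query format and the host allow-list are assumptions made for illustration.

```javascript
// Added example. Host names are from the page; function names, the cookie
// name/value and the "?Page" query format are assumptions.
const KNOWN_HOSTS = ["www.toothycat.net", "toothycat.net"];

// RFC 6265 domain-match: identical, or host ends with "." + domain.
function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Store a cookie as a browser would. With no Domain attribute the cookie is
// host-only: it is returned to exactly the host that set it.
function storeCookie(jar, setByHost, name, value, domainAttr) {
  const domain = (domainAttr || setByHost).replace(/^\./, "").toLowerCase();
  if (!domainMatch(setByHost.toLowerCase(), domain)) return false; // foreign domain: rejected
  jar.push({ name, value, domain, hostOnly: !domainAttr });
  return true;
}

// Cookie header values the browser would attach to a request for url.
function cookiesFor(jar, url) {
  const host = new URL(url).hostname; // already lower-cased
  return jar
    .filter(c => (c.hostOnly ? host === c.domain : domainMatch(host, c.domain)))
    .map(c => c.name + "=" + c.value);
}

// Build links from the host the request arrived on. The Host header is
// client-supplied, so anything outside the known names falls back to the first.
function wikiLink(requestHost, page) {
  const h = String(requestHost).toLowerCase();
  const host = KNOWN_HOSTS.includes(h) ? h : KNOWN_HOSTS[0];
  return "http://" + host + "/wiki/wiki.pl?" + encodeURIComponent(page);
}

// Log in via the bare host, then follow a hard-coded link and a generated one.
function demo() {
  const jar = [];
  storeCookie(jar, "toothycat.net", "WikiLogin", "constructed-value");
  return {
    hardCoded: cookiesFor(jar, "http://www.toothycat.net/wiki/wiki.pl?RecentChanges"),
    generated: cookiesFor(jar, wikiLink("toothycat.net", "RecentChanges")),
  };
}
```

Passing a Domain attribute of `toothycat.net` to `storeCookie` models the other way round the problem: such a cookie is returned to both host names.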

Last edited January 24, 2003 3:59 pm (viewing revision 3, which is the newest)