by Oli on 25 February 2021 - 08:02
As probably a few of you have noticed, there have been some issues lately. They should all be fixed now, but some may need to do a final login to get all latest fixes to their browser.
So, the thing is that I have completely redone the whole authentication process, including identification. Passwords are stored in a much more secure way (SHA512 for those interested) and are automatically converted the first time a user logs in after the change.
The site had to go from an innocent "start of 2000s: what's security?" mindset to "It's the 2020s, state actors target every single open website for injection vectors on it's users"
Really didn't have any choice, since all the major browsers are also taking a stand on what they allow a site to do and most of them have announced stricter controls on stuff like cookie handling and authentication processes in the future. So it was either do the change on my time or wait until forced to change and perhaps have the majority of users unable to log in/use the website or worse, being put on a "unsafe" list and users prevented from accessing.
So the "logging out" issue wasn't really an issue with being logged out, but an issue with being thrown back into unsecure communications (HTTP) where your own browser doesn't trust the communication layer and doesn't send the authentication token. The fix was simply to go back into secure (HTTPS), but understandably not obvious, so a lot of you where logging in again and again. The main culprit was a redirection bug, that sent you to HTTP after posting something, that is fixed now. Second reason are saved links that are using HTTP rather than HTTPS. That's a bit harder for me to fix on our end, but when you log in now, the server sends an additional instruction to your browser: "Always use HTTPS, for *this* amount of time, when accessing pedigreedatabase.com", which is the same time as the life of the authentication token. But those instructions won't activate until you log in again (hopefully last login change I need to do).
Some changes to the Remember checkbox
- Unchecked: creates a token that will live for 24 hours or until you log out.
- Checked: creates a token that will live for 30 days and if you access the website when there is less than a week left of the token, it will automatically renew the token for another month
- Log out: Clears the token from your browser and from pedigreedatabase.com, preventing any possible future reuse
- Log in: Stricter login process, including a bot checker and a cooldown period after a wrong guess/try
The changes are all infrastructure and communication changes (no cosmetics or site functionality changes, except for a stricter login process) and I was hoping that the deployment would go unnoticed, but clearly didn't do enough testing. Such is life of a lone developer with not enough free time. But hopefully everything should be back to normal now and for those that log in today, the new browser request should keep you firmly in the secure zone while you are logged in.
ps. For those of you wondering what there is to worry about, since pedigreedatabase.com, doesn't really keep any valuable or identifiable information: Your email + password are indeed a very valuable commodity, that can be used to target other, more valuable, websites. Just to name one.
by Hundmutter on 26 February 2021 - 03:02
Thank you Oli, I was one of those getting difficulties with this, and so far they now seem to be fixed. So I can still get my fix of PDB !!! Very grateful, especially for your working hard to give us & the site updated security. Sadly very necessary these days.
by Q Man on 27 February 2021 - 11:02
by Oli on 27 February 2021 - 18:02
I did one more change, every page that you visit over https, will send the instructions to use https every single time. Just to be sure.
(Deployed on main site about 6 hours ago)
So you should just need to go once over to secure to stay only in secure and logged in. No need to log in again.
Was trying to minimize noise sent to browser from server to browser but figured out it was simply miniscule compared to the actual webpage and rest of images and stuff. Should have implemented this way straight away. Does no harm nor save anything on your browser and only does good if the request is new for the browser.