13 replies to this topic

[Spooky]

Is the 'Keep me logged in' option working for anyone? At least for me it's not working on three different systems, though FireFox 9.0.1 in every case. Furthermore, due to the way the login-form is set up, FireFox is unable to automatically save the Username and Password, without doing some further alterations on your own.

[Thorqemada]

I have the same issue in IE and Win7 x64 but IE has the Login-Data stored and i only need to click it in.

Edited by Thorqemada, 12 January 2012 - 08:58 AM.

[Kaemon]

Obvious - check your options in FF to make sure you don't have the old 'clean on close' enabled


Also try it in Google Chrome and verify it's a MW:O site issue and not just FF

[Threat Doc]

Kaemon, not obvious. Even when you log in on the site, if you close your MWO window, after about ten minutes you get dropped from the site. There is no permanent login at this time, and likely will not be until PGI can work out further security features to allow it. Your in-game account and your forum account are going to match and, my guess is, they haven't figured out how to match the security inside the game to the forum security.

[Spooky]

@Kaemon: yeah that's not it. It's not active by default, but even then, Cookies and Sessions would need to be specifically activated in the settings (though, this would be active by default).


@Kay Wolf: well there is a sticky that specifically says, that it should be working.

[T0RC4ED]

YES, please keep me logged in... IM NOT WORKING =)

Ok, i want to be helpful, but im not using that setting...Its never a good idea to be perma logged in... account security and all

Edited by T0RC4ED, 12 January 2012 - 11:26 AM.

[Kaemon]

Kay Wolf, on 12 January 2012 - 08:58 AM, said:

Kaemon, not obvious. Even when you log in on the site, if you close your MWO window, after about ten minutes you get dropped from the site. There is no permanent login at this time, and likely will not be until PGI can work out further security features to allow it. Your in-game account and your forum account are going to match and, my guess is, they haven't figured out how to match the security inside the game to the forum security.

Sorry, I was saying that's the obvious thing to check to make sure it's not your browser causing issues, not necessarily the fix.

I do not use 'keepers', as they are the devil.

Security wise a permanent login to the forum is not a difficult feature (it seems to be correctly setup in the cookie and php call that's made when you log in), maybe there's a config issue in Apache or something.

Tying this to your game account (where CC info is stored) is a terrible idea (security wise), and should not be implemented, unless you're going to protect the session (and not just the cookie).

Plus concurrent stale connections that don't drop eventually start causing 'weirdness'.

[Kyle Polulak]

Regardless of speculation of how our internal security will be setup, there is one feature I refuse to implement in regards to keeping your session 'logged-in'. This kind of feature is how Facebook, Google, Yahoo, and many other major sites had their user accounts accessed through another computer on the same physical network; Firesheep anyone? Keeping a cookie that allows access to your account on your browser is not secure, even with IP filtering (same physical NAT network) until we begin to roll out SSL connections. The keep me logged in feature is described in detail here:

http://mwomercs.com/...p-me-logged-in/

[Tactical Advantage]

Kyle Polulak, on 12 January 2012 - 11:11 AM, said:

Regardless of speculation of how our internal security will be setup, there is one feature I refuse to implement in regards to keeping your session 'logged-in'. This kind of feature is how Facebook, Google, Yahoo, and many other major sites had their user accounts accessed through another computer on the same physical network; Firesheep anyone? Keeping a cookie that allows access to your account on your browser is not secure, even with IP filtering (same physical NAT network) until we begin to roll out SSL connections. The keep me logged in feature is described in detail here:

http://mwomercs.com/...p-me-logged-in/

http://www.readwrite...ssfully_hac.php

any thoughts on SSL 1.1/1.2? 1.0 isn't going to last much longer...

[Kyle Polulak]

Kyle Polulak, on 12 January 2012 - 11:11 AM, said:

Regardless of speculation of how our internal security will be setup...

[Tannhauser Gate]

Its never worked for me. I just assumed PGI was still working the bugs out.

[Kaemon]

Kyle Polulak, on 12 January 2012 - 12:32 PM, said:

That's wasn't really speculation, that was a question on protocol usage, if 1.0 is really a compromised (or sunsetting) authentication standard and you mentioned using SSL, I would think it's a valid question.

[Spooky]

@Kyle Polulak: couldn't at least the form be set-up in such a way, that Browsers can use its password saving feature? (Which is then a liability on the users's behalf at least.)

[Kyle Polulak]

@Kaemon: We will not be talking publicly about any of our security measures we put in place for our systems unless they involve the users systems (I.E. Browsers) directly, with one exception. The choice of protocols TLS security will remain internal until we release the system.

@Spooky: This is a browser issue and not a javascript or website issue. I'm working on a fix with Chrome and Firefox currently, or making another choice if we cannot fix the issue.