• Register
Post news Report RSS Site security updates

Site security from cookies through to email has been overhauled, read on to find out whats new.

Posted by on

With Desura soon to launch and begin accepting payments, site security has been totally overhauled to keep your accounts protected. This change affects ModDB, IndieDB and Desura. If you access these site via special applications like browser plugins, RSS readers or via many different browsers you may encounter some login issues, but for everyone else the site should run as per normal. Here what's new:

  • Limited login attempts. To many failures and you will have to wait.
  • To change your email address you will need to provide your password.
  • If your email or password is changed, you will receive an email notification.
  • Use once only tokenized security following best practices in use by sites like Twitter, Facebook etc.

If you are having difficulties logging in or staying logged in please post feedback in the comments, otherwise enjoy browsing the site as per normal! And remember NEVER tell anyone your username and password, not even site staff (we will never ask for it). We shall reset your password if you have forgotten it.

Post comment Comments
Kissaki
Kissaki

What’s “once only tokenized security”?

Reply Good karma Bad karma+4 votes
INtense! Author
INtense!

The best practices I refer to are best explained here: Jaspan.com

Essentially everytime your session is renewed I regenerate a random "persistent" login token. This token is continually changing so if someone copies this token they will only be able to continue using it until the next token in the chain is generated. The old system had no expiry date so multiple people could use the same details to login forever essentially.

Reply Good karma+3 votes
Su[)az][mA
Su[)az][mA

i rather liked the forever login :\
saved me inputting my pw/name the whole time :P

Reply Good karma Bad karma+2 votes
Katana_
Katana_

And it's still possible. It's just that, with each visit the login token changes, and it's reset in your browser.

It's something that the open source bulletin board software phpBB does.

Reply Good karma Bad karma+1 vote
WarlockSyno
WarlockSyno

I think he means that only one person can log in at a time, on the same account.

Reply Good karma Bad karma+2 votes
INtense! Author
INtense!

no multiple logins are permitted - but sharing the same cookies isn't.

Reply Good karma+2 votes
OMON
OMON

By best practices are you referring to OAuth?

Reply Good karma Bad karma+2 votes
INtense! Author
INtense!

OAuth is totally different, OAuth is for allowing 3rd parties / API's and other sites to share login details with your site.

Reply Good karma+2 votes
Jyffeh
Jyffeh

Paranoia is a virtue. Nice work, kiddies.

Reply Good karma Bad karma+2 votes
Katana_
Katana_

Out of curiosity, are you guys now using link-hashes in _GET requests now?
Things such as group membership requests and mod tracking seemed like they could be CSRF'd the way it was before; I'm curious as to whether or not that has been addressed, or not.

Reply Good karma Bad karma+1 vote
Post a comment

Your comment will be anonymous unless you join the community. Or sign in with your social account: