With Desura soon to launch and begin accepting payments, site security has been totally overhauled to keep your accounts protected. This change affects ModDB, IndieDB and Desura. If you access these site via special applications like browser plugins, RSS readers or via many different browsers you may encounter some login issues, but for everyone else the site should run as per normal. Here what's new:
- Limited login attempts. To many failures and you will have to wait.
- To change your email address you will need to provide your password.
- If your email or password is changed, you will receive an email notification.
- Use once only tokenized security following best practices in use by sites like Twitter, Facebook etc.
If you are having difficulties logging in or staying logged in please post feedback in the comments, otherwise enjoy browsing the site as per normal! And remember NEVER tell anyone your username and password, not even site staff (we will never ask for it). We shall reset your password if you have forgotten it.
What’s “once only tokenized security”?
The best practices I refer to are best explained here: Jaspan.com
Essentially everytime your session is renewed I regenerate a random "persistent" login token. This token is continually changing so if someone copies this token they will only be able to continue using it until the next token in the chain is generated. The old system had no expiry date so multiple people could use the same details to login forever essentially.
i rather liked the forever login :\
saved me inputting my pw/name the whole time :P
And it's still possible. It's just that, with each visit the login token changes, and it's reset in your browser.
It's something that the open source bulletin board software phpBB does.
I think he means that only one person can log in at a time, on the same account.
no multiple logins are permitted - but sharing the same cookies isn't.
By best practices are you referring to OAuth?
OAuth is totally different, OAuth is for allowing 3rd parties / API's and other sites to share login details with your site.
Paranoia is a virtue. Nice work, kiddies.
Out of curiosity, are you guys now using link-hashes in _GET requests now?
Things such as group membership requests and mod tracking seemed like they could be CSRF'd the way it was before; I'm curious as to whether or not that has been addressed, or not.