Neowin External Login Tool

By john smith 1924
in Software created by our members

 Share

Recommended Posts

Mentor

Jambooo

Posted
Posted
Well, I have never posted data to another site through a form like that. I'm using the thing right now, and I see how it works. I'm just curious how this method handles an invalid login. What happens? Does it return a false or something? If the login is accepted do you still get to access the returned values?

Ok, sorry if I sounded a bit offending there...

As for invalid logins, it seems to just return to the neowin stylee login form displaying an error. I'd rather the request returning false to be honest - it would give 3rd party sites more control over how errors are handled.

Grand Master

+chorpeac MVC

Posted
  • MVC
Posted

OK I copied that code you posted into a page, and it doesn't do anything for me. Where do the returned values go? How can you access them?

I think I am just confused because I am looking at an example, and it's not complete.

Ah...your login.php has the Method="get" right? So you can access them there?

lol....it's been so long since I have done regular html form crap. I haven't had to do this in .NET for a long time.

Mentor

Jambooo

Posted
Posted

The form's action points to and is authorised by Neowin's script... the results are then passed to another script using the specifified URL. Here is a working version:

http://blueloose.com/misc/neowin_login.html

Edit: the above does not grab your password (check the source)

Edit: results are processed by http://www.sietse.nu

Grand Master

+chorpeac MVC

Posted
  • MVC
Posted

Yeah see...I don't think they are going to allow this. Because you would still be able to capture the persons login credentials. When you log in through their method, the security problem is not going to be present since you will be on their server. I don't think this is going to fly.

Regardless of whether you collect their password or not... I don't think the admins are going to like this. I was doing something very similar to it, and this is why they are performing this side login script.

Mentor

Jambooo

Posted
Posted

The login is still validated fully by Neowin's servers (action="https://www.neowin.net/login/?url=http://www.sietse.nu/neowin/"). The only thing different between the two versions is formatting... neo's has all pretty colours and the variation doesn't.

Still don't think they'd allow it however :(

/heads for the hills

Grand Master

matt74441

Posted
Posted

If they have the login prompt on Neowin's server, there is no chance of your password being stolen. Thats the only reason I can think of that would keep us from doing this from our sites.

Mentor

Sietse Veteran

Posted
  • Veteran
Posted
If they have the login prompt on Neowin's server, there is no chance of your password being stolen. Thats the only reason I can think of that would keep us from doing this from our sites.

I second that, therefore it's not allowed to use your own login form.

Grand Master

+chorpeac MVC

Posted
  • MVC
Posted

Sietse/Timdorr:

Does the Timezone offset that is being returned take into consideration the daylight savings? There is a daylight savings checkbox in the board settings. But for me on the US East coast, it is always -5 in the drop down, and is that what it is always going to return for the timezone offset?

Edit: Sidenote, can you tell me what neowin does when it stores dates? Does it store the UTC date and then converts it to the users timezone when it is shown to a user?

Grand Master

+chorpeac MVC

Posted
  • MVC
Posted

OK I don't think the timezone is taking the daylight checkbox into account. I think it is always return what is in the timezone dropdown. Could the timezone portion of this script be changed to take into account this daylight savings setting?

Grand Master

Tim Dorr Veteran

Posted
  • Veteran
Posted
How about a SOAP webservice for external projects in application form? :D

Nope, we implemented it in this form for a reason. No one can have you enter your password and harvest the result for malicious purposes. How do we know that you're not also having your application send the login data to your own server for collection and future abuse? We just cannot give out automated trust.

I'm also going to change up the code so Lee's example does *not* work. That's a potential area for abuse, and we cannot allow it. However, there is still some XSS stuff that I'm sure could be abused, so this is far from a completely secure system.

Mentor

Jambooo

Posted
Posted
Nope, we implemented it in this form for a reason. No one can have you enter your password and harvest the result for malicious purposes. How do we know that you're not also having your application send the login data to your own server for collection and future abuse? We just cannot give out automated trust.

I'm also going to change up the code so Lee's example does *not* work. That's a potential area for abuse, and we cannot allow it. However, there is still some XSS stuff that I'm sure could be abused, so this is far from a completely secure system.

Sounds good.. soon we'll have .NET Passport type system.

Grand Master

matt74441

Posted
Posted

I guess the only thing that Lee really wanted was the login form to be dressed up a little. Maybe if you added some information to the form, such as how Neowin sponsored projects use it or such, and explain the security. I don't know, I'm talking out of my ass.

Grand Master

+chorpeac MVC

Posted
  • MVC
Posted
I guess the only thing that Lee really wanted was the login form to be dressed up a little. Maybe if you added some information to the form, such as how Neowin sponsored projects use it or such, and explain the security. I don't know, I'm talking out of my ass.

Yeah I could see it being a help for users to know what applications are using the Neowin Side door.

Good work Timdorr, let us know what kind of change might be done when you get an idea. Also, when you modify it could you tweak the timezone part to take into consideration the daylight savings time? :) Thanks bro!

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.