Neowin External Login Tool

By john smith 1924
in Software created by our members

 Share

Recommended Posts

Mentor

Jambooo

Posted
Posted
Well, I have never posted data to another site through a form like that. I'm using the thing right now, and I see how it works. I'm just curious how this method handles an invalid login. What happens? Does it return a false or something? If the login is accepted do you still get to access the returned values?

Ok, sorry if I sounded a bit offending there...

As for invalid logins, it seems to just return to the neowin stylee login form displaying an error. I'd rather the request returning false to be honest - it would give 3rd party sites more control over how errors are handled.

Grand Master

+chorpeac MVC

Posted
  • MVC
Posted

OK I copied that code you posted into a page, and it doesn't do anything for me. Where do the returned values go? How can you access them?

I think I am just confused because I am looking at an example, and it's not complete.

Ah...your login.php has the Method="get" right? So you can access them there?

lol....it's been so long since I have done regular html form crap. I haven't had to do this in .NET for a long time.

Mentor

Jambooo

Posted
Posted

The form's action points to and is authorised by Neowin's script... the results are then passed to another script using the specifified URL. Here is a working version:

http://blueloose.com/misc/neowin_login.html

Edit: the above does not grab your password (check the source)

Edit: results are processed by http://www.sietse.nu

Grand Master

+chorpeac MVC

Posted
  • MVC
Posted

Yeah see...I don't think they are going to allow this. Because you would still be able to capture the persons login credentials. When you log in through their method, the security problem is not going to be present since you will be on their server. I don't think this is going to fly.

Regardless of whether you collect their password or not... I don't think the admins are going to like this. I was doing something very similar to it, and this is why they are performing this side login script.

Mentor

Jambooo

Posted
Posted

The login is still validated fully by Neowin's servers (action="https://www.neowin.net/login/?url=http://www.sietse.nu/neowin/"). The only thing different between the two versions is formatting... neo's has all pretty colours and the variation doesn't.

Still don't think they'd allow it however :(

/heads for the hills

Grand Master

matt74441

Posted
Posted

If they have the login prompt on Neowin's server, there is no chance of your password being stolen. Thats the only reason I can think of that would keep us from doing this from our sites.

Mentor

Sietse Veteran

Posted
  • Veteran
Posted
If they have the login prompt on Neowin's server, there is no chance of your password being stolen. Thats the only reason I can think of that would keep us from doing this from our sites.

I second that, therefore it's not allowed to use your own login form.

Grand Master

+chorpeac MVC

Posted
  • MVC
Posted

Sietse/Timdorr:

Does the Timezone offset that is being returned take into consideration the daylight savings? There is a daylight savings checkbox in the board settings. But for me on the US East coast, it is always -5 in the drop down, and is that what it is always going to return for the timezone offset?

Edit: Sidenote, can you tell me what neowin does when it stores dates? Does it store the UTC date and then converts it to the users timezone when it is shown to a user?

Grand Master

+chorpeac MVC

Posted
  • MVC
Posted

OK I don't think the timezone is taking the daylight checkbox into account. I think it is always return what is in the timezone dropdown. Could the timezone portion of this script be changed to take into account this daylight savings setting?

Grand Master

Tim Dorr Veteran

Posted
  • Veteran
Posted
How about a SOAP webservice for external projects in application form? :D

Nope, we implemented it in this form for a reason. No one can have you enter your password and harvest the result for malicious purposes. How do we know that you're not also having your application send the login data to your own server for collection and future abuse? We just cannot give out automated trust.

I'm also going to change up the code so Lee's example does *not* work. That's a potential area for abuse, and we cannot allow it. However, there is still some XSS stuff that I'm sure could be abused, so this is far from a completely secure system.

Mentor

Jambooo

Posted
Posted
Nope, we implemented it in this form for a reason. No one can have you enter your password and harvest the result for malicious purposes. How do we know that you're not also having your application send the login data to your own server for collection and future abuse? We just cannot give out automated trust.

I'm also going to change up the code so Lee's example does *not* work. That's a potential area for abuse, and we cannot allow it. However, there is still some XSS stuff that I'm sure could be abused, so this is far from a completely secure system.

Sounds good.. soon we'll have .NET Passport type system.

Grand Master

matt74441

Posted
Posted

I guess the only thing that Lee really wanted was the login form to be dressed up a little. Maybe if you added some information to the form, such as how Neowin sponsored projects use it or such, and explain the security. I don't know, I'm talking out of my ass.

Grand Master

+chorpeac MVC

Posted
  • MVC
Posted
I guess the only thing that Lee really wanted was the login form to be dressed up a little. Maybe if you added some information to the form, such as how Neowin sponsored projects use it or such, and explain the security. I don't know, I'm talking out of my ass.

Yeah I could see it being a help for users to know what applications are using the Neowin Side door.

Good work Timdorr, let us know what kind of change might be done when you get an idea. Also, when you modify it could you tweak the timezone part to take into consideration the daylight savings time? :) Thanks bro!

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Windows Server gets DNS over HTTPS (DoH) support

      By Legend20 · Posted

      Microsoft is busy. Lots of changes to be released imminently for Windows server or soon. Also, lots happening for next version as well. Third party virus scanning software is being moved out of Kernel mode to avoid repeat of Crowdstrike incident. Windows Protected Mode and Windows Ready Print no longer require third party print drivers to be installed. New storage stack being developed. New NVME drivers now available for Windows Server 2025 to improve local NVME drive performance by 60+ percent. NVME-Of of fabric being worked on for next release to improve network access to NVME drives. ReFs (next file system) now has ability to boot and will become default file system in next release of Windows Server. ReFs improves on NTFS in several areas including resiliency and reliability and scalability. New update stack is being worked on to unify Windows updates, and updates for drivers and first party/3rd party application software. A stricter and more robust third-party driver certification program (ODI) is being worked on to improve performance, thermals, battery life, and reliability on modern Windows hardware by tightening how OEMs and IHVs (Intel, AMD, Qualcomm, NVIDIA, etc.) build and ship drivers. There is a tone more but too numerous to mention.
    • Windows 11 gets better widgets, new Screen Tint feature, and more in the latest build

      By ZipZapRap · Posted

      Now disable that stupid OneDrive backup request when Windows starts please. So unbelievably frustrating to only have “remind me later” instead of “no and never ask me again”
    • Microsoft releases new Windows 11 Media Creation Tool with the latest updates

      By goretsky · Posted

      Hello, The Media Creation Tool is still at v10.0.26100.7019 from October 2025. Just looks like the backend has been updated. Regards, Aryeh Goretsky
    • Microsoft releases major feature updates for stock Windows 11 apps

      By skinnyJM · Posted

      Since they open sourced the calculator in Win 10/11 it is much better and can do a lot, I love it.
    • Using Windows 10 past its end of support date, is it really that bad?

      By +Edouard · Posted

      That's just silly imo. The lengths that man goes to just to avoid W11 is just nuts. Very, very few home users would do that. I will say this though, he is committed. Btw, I note on askwoody that Woody Leonhard passed away March, 2025 aged 73. His site was one of my favorites back in the day. Belated yes but RIP Woody.

  • Recent Achievements

    • One Month Later
      Markus94287 earned a badge
      One Month Later
    • Week One Done
      Markus94287 earned a badge
      Week One Done
    • One Year In
      Markus94287 earned a badge
      One Year In
    • Dedicated
      truespursfan earned a badge
      Dedicated
    • Rookie
      restore went up a rank
      Rookie

  • Popular Contributors

    1. 1
      +primortal
      508
    2. 2
      +Edouard
      168
    3. 3
      PsYcHoKiLLa
      154
    4. 4
      ATLien_0
      90
    5. 5
      Steven P.
      79
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!