Help Forum

  1. Donation maggoteer
    The MAKIA
    14 Nov '02 23:16
    O' Mighty and Beneficent Lords of RHP:
    Given Harri/Luck's problem with someone making moves for him, I think I'll ask
    you guys for a clarification.
    If one has forgotten to log out of a computer that one can't necessarily go
    back to, is there any way to ensure that folks won't be able to gain access
    from that computer? Such as by changing password?


  2. 16 Nov '02 20:35
    I believe that if you log off from any computer, you are logged off
    from RHP totally (i.e. any other instances on multiple computers).
    Correct? The important thing is that you shouldn't save the password
    (Internet Explorer has a pop up box to ask you if you want to do this).
    If you have saved the password on a public computer, changing to a
    new password would obviously make the saved password invalid.

    Russ, Chris, anyone else who knows, am I right?

    Rein
  3. Donation maggoteer
    The MAKIA
    16 Nov '02 23:26
    I'm not sure that's right.
    I stay logged on at home, and log off each session at work (um...I mean...I would log off each
    session at work IF I played at work. Of course I don't. Yeah, yeah, that's the ticket, I never play
    chess at work. But if I did.....). Logging off at work doesn't end my session at home.
    This is not due to saving passwords, since I never ever ever do that, even at home....

    What I don't know - and was hoping the Beneficent Gods of RHP would clarify, is whether each
    transaction between RHP and a given client/computer/user includes password info.

    My crude understanding of how all this works, is:
    1) You go to RHP on a given machine. If there is no information in an RHP-specific cookie on that
    machine about who was last logged in (generally you), RHP asks you to log in. So you log in, and
    RHP saves a cookie on your machine with at least info to identify who you are, possibly encrypted
    so others can't look at what information they are saving.

    2) each time you make a transaction with RHP (making up lingo here...), ie visit a game, make a
    move, etc, ie each time you send and receive info from RHP, info from the cookie is sent to RHP to
    ID who wants what. Make a move, and hit the move button, and my browser sends a message to
    RHP that is essentially "Hi, I'm so-and-so (info from the saved cookie), and make this move in this
    game."

    3) IF and WHEN you log off of RHP on that machine, the cookie is destroyed, wiping out the info
    on THAT machine. But if you just quit the browser, without logging out of RHP, the cookie is saved. If
    you don't log off of RHP, then next time you, or anyone else using THAT machine goes to RHP, the
    identity from the stored cookie is sent to RHP.

    OK, now this is where my question comes in:
    If the info sent by the cookie each transaction is just "who I am" - ie the verification of the
    password only occurs during login, then I don't see how one can ever kill off a login from a lost
    machine.
    If on the other hand, the cookie sends "who I am" AND "my password is" each transaction, THEN
    changing passwords from another machine WOULD make transactions from the old machine
    invalid - essentially RHP would receive a wrong password, and reply back "whoops, that password
    doesn't match - try again".

    So the question is - which does RHP do?

    Of course, all this blathering depends on whether or not I have ANY idea about how the info in
    cookies is used. All the above may just be BS.

    I'd be curious if any who ACTUALLY know can clarify.

    MAG
  4. 19 Nov '02 04:15
    You're right, of course. Logging off one computer doesn't log you off
    of another one. Momentary lapse of reason, there.

    Rein
  5. Standard member gotti2000
    The winemaker
    19 Nov '02 07:09
    To answer your questions:

    1) You go to RHP on a given machine. If there is no information in an RHP-specific cookie on that
    machine about who was last logged in (generally you), RHP asks you to log in. So you log in, and
    RHP saves a cookie on your machine with at least info to identify who you are, possibly encrypted
    so others can't look at what information they are saving.

    [gg] Not totally true. Your email address is not encrypted. There is spy
    software out there that can download and trace cookies for email
    address information. That's how you get spam mail...

    2) each time you make a transaction with RHP (making up lingo here...), ie visit a game, make a
    move, etc, ie each time you send and receive info from RHP, info from the cookie is sent to RHP to
    ID who wants what. Make a move, and hit the move button, and my browser sends a message to
    RHP that is essentially "Hi, I'm so-and-so (info from the saved cookie), and make this move in this
    game."

    [gg] not sure what cookie information gets transferred during sessions
    but authentication check is only done once in a session i.e. when you
    first call redhotpawn.com. You can delete your cookie during a session
    but you will still be able to make moves.

    3) IF and WHEN you log off of RHP on that machine, the cookie is destroyed, wiping out the info
    on THAT machine. But if you just quit the browser, without logging out of RHP, the cookie is saved. If
    you don't log off of RHP, then next time you, or anyone else using THAT machine goes to RHP, the
    identity from the stored cookie is sent to RHP.

    [gg] true. The bad thing is that even if you change password from
    another machine, the 'old' cookie on the first machine will identify you
    as a valid user! i.e. If you forgot to log off from an internet café and
    there is no mechanism to destroy your cookie information the next
    user can play your games or even change your password. That would
    answer your two questions below.

    OK, now this is where my question comes in:
    If the info sent by the cookie each transaction is just "who I am" - ie the verification of the
    password only occurs during login, then I don't see how one can ever kill off a login from a lost
    machine.
    If on the other hand, the cookie sends "who I am" AND "my password is" each transaction, THEN
    changing passwords from another machine WOULD make transactions from the old machine
    invalid - essentially RHP would receive a wrong password, and reply back "whoops, that password
    doesn't match - try again".

    [gg] There is one last remark I'd like to add. Yes, you can save your
    user ID together with your password in Internet Explorer so the next
    time you log in your password will be filled in automatically but this is
    not so much of a security issue because this information is tied to
    your WinNT login. i.e. a different WinNT user on the same machine
    won't be able to get your ID or password information. However in an
    internet cafe with a weak set up the WinNT user won't change, so you
    should never activate that setting on public PCs.
    Anyway as long as you log out after each session you are safe.

    Gotti
  6. Donation maggoteer
    The MAKIA
    19 Nov '02 18:26
    Thanks for the info!
  7. Subscriber Chris
    Site Admin
    01 Dec '02 04:39
    O' Mighty and Beneficent Lords of RHP:
    Given Harri/Luck's problem with someone making moves for him, I think I'll ask
    you guys for a clarification.
    If one has forgotten to log out of a computer that one can't necessarily go
    back to, is there any way to ensure that folks won't be able to gain access
    from that computer? Such as by...
    This is a good question. The way the cookies are handled and
    verified by the site means that we can effectively log someone out of
    every computer at which they have logged on.

    There is no user-option to do this, but there is no reason why we
    couldn't add one. In fact, probably the best thing to do would be for
    the "log out" command to mean "log out of ALL machines"... this is
    possible.

    -Chris
  8. 02 Dec '02 22:44
    That would be great.
  9. Donation maggoteer
    The MAKIA
    02 Dec '02 22:56
    Originally posted by Chrismo

    There is no user-option to do this, but there is no reason why we
    couldn't add one. In fact, probably the best thing to do would be for
    the "log out" command to mean "log out of ALL machines"... this is
    possible.
    That would be great. I bet Harri/Luck would be VERY happy!
  10. Donation maggoteer
    The MAKIA
    02 Dec '02 23:43
    There is no user-option to do this, but there is no reason why we
    couldn't add one. In fact, probably the best thing to do would be for
    the "log out" command to mean "log out of ALL machines"... this is
    possible.
    Ah, I should have read your response a bit more closely!
    My personal preference would be for the system to NOT automatically log one
    off ALL machines. As stated, I always log off public computers, but prefer to
    stay logged on at home.
    It would be nice, of course to have some method of choosing to log off ALL
    machines too, if necessary. Perhaps (yet another) setting in our personal
    options that would choose between the two methods?

    Actually that would work well, because at any time I could change my setting
    from single machine logout to all machine logout, to kill off all logins, then
    switch back...

    Thanks Chris, for responding!
    Michael
  11. 03 Dec '02 07:08
    Maybe we could make a "Log off ALL Machines" button that you have
    to lift up the cover, or break the glass... like the button that launches
    the nuclear weapons that will kill us all. Maybe we could hide it
    somewhere. Either that, or it could be a big red one on the homepage
    with the text "Will explode if pushed". Actually, it sounds like a great
    idea. Maybe instead of having the option to switch between the two as
    a setting, we could just have a link in settings that would do it,
    a "special" log off option.

    Rein
  12. Subscriber Chris
    Site Admin
    05 Dec '02 12:08 / 1 edit
    Originally posted by gotti2000
    To answer your questions:

    OK, now this is where my question comes in:
    If the info sent by the cookie each transaction is just "who I am" - ie
    the verification of the password only occurs during login, then I
    don't see h ...[text shortened]... ly
    back "whoops, that password doesn't match - try again".
    This is how we do it...

    The cookie information is simply your user id and a string of
    characters that uniquely identifies you to RHP (otherwise, anyone
    could fudge a cookie and pretend to be you).

    We check the unique id against the database before allowing you to
    continue. This saves having to store your password on your machine -
    therefore allowing people to look at it if they are so inclined (it could
    easily be your password for a number of other sites or systems).

    If, when you logged off, we were to generate a new unique ID for you
    on the database, then the next time you visited your "other" computer
    on which your cookie still exists, it would be seen as invalid by the
    database. And when you logged back on, the cookie would contain the
    new id information.

    Hope I explained that reasonably ok...
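
Added example (not part of the thread and not RHP's code): a Python model of the scheme Chris describes in the last post, where the cookie holds a user id plus a random token that is checked against the database on every request, and issuing a new token invalidates every older cookie. It also reproduces gotti2000's observation that a password change on its own leaves the old cookie valid. The `TokenStore` class, its method names, the in-memory dicts standing in for the database, and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class TokenStore:
    """In-memory stand-in for the site's database: one login token per user."""

    def __init__(self):
        self._pw = {}     # user_id -> (salt, PBKDF2 hash of the password)
        self._token = {}  # user_id -> current token; each cookie holds a copy

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user_id, password, rotate_token=False):
        salt = secrets.token_bytes(16)
        self._pw[user_id] = (salt, self._hash(password, salt))
        if rotate_token or user_id not in self._token:
            self.logout_everywhere(user_id)

    def login(self, user_id, password):
        """Check the password once; return the cookie contents, or None."""
        if user_id not in self._pw:
            return None
        salt, digest = self._pw[user_id]
        if not hmac.compare_digest(self._hash(password, salt), digest):
            return None
        return {"user_id": user_id, "token": self._token[user_id]}

    def verify(self, cookie):
        """Per-request check: the cookie's token must equal the stored one."""
        current = self._token.get(cookie.get("user_id"))
        sent = str(cookie.get("token", ""))
        return current is not None and hmac.compare_digest(current.encode(), sent.encode())

    def logout_everywhere(self, user_id):
        """Store a fresh token; cookies holding the old one stop verifying."""
        self._token[user_id] = secrets.token_urlsafe(32)


def demo():
    store = TokenStore()
    store.set_password("mag", "constructed-pw-1")   # constructed sample values
    cafe = store.login("mag", "constructed-pw-1")   # left logged in on a public PC
    store.set_password("mag", "constructed-pw-2")   # password change alone
    still_valid = store.verify(cafe)
    store.logout_everywhere("mag")
    return still_valid, store.verify(cafe)
```

With a single token per user, rotation ends every session, including the one left open at home, which is the trade-off raised in posts 10 and 11.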