Chris and Russ - a cookie question

O' Mighty and Benificent Lords of RHP:
Given Harri/Luck's problem with someone making moves for him, I think I'll ask
you guys for a clarification.
If one has forgotten to log out of a computer that one can't necessarily go
back to, is there anyway to ensure that folks won't be able to gain access
from that computer? Such as by changing password?

I believe that if you log off from any computer, you are logged off
from RHP totally (i.e. any other instances on multiple computers).
Correct? The important thing is that you shouldn't save the password
(Internet Explorer has a pop up box to ask you if you want to do this).
If you have saved the password on a public computer, changing to a
new password would obviously make the saved password invalid.

Russ, Chris, anyone else who knows, am I right?

Rein

I'm not sure that's right.
I stay logged on at home, and log off each session at work (um...I'm mean...I would log off each
session at work IF I played at work. Of course I don't. Yeah, yeah, th at's the ticket, I never play
chess at work. But if I did.....). Logging off at work doesn't end my session at home.
This is not due to saving passwords, since I never ever ever do that, even at home....

What I don't know - and was hoping the Benificent Gods of RHP would clarify, is whether each
transaction between RHP and a given client/computer/user includes password info.

My crude understanding of how all this works, is:
1) You go to RHP on a given machine. If there is no information in an RHP-specific cookie on that
machine about who was last logged in (generally you), RHP asks you to login in. So you login, and
RHP saves a cookie on your machine with at least info to identify who you are, possibly encrypted
so others can't look at what information they are saving.

2) each time you make a transaction with RHP (making up lingo here...), ie visit a game, make a
move, etc, ie each time you send and recieve info from RHP, info from the cookie is sent to RHP to
Id who wants what. Make a move, and hit the move button, and my browser sends a message to
RHP that is essentially "Hi, I'm so-and-so (info from the saved cookie), and make this move in this
game."

3) IF and WHEN you log off of RHP on that machine, the cookie is destroyed, wiping out the info
THAT machine. But if you just quit the browser, without logging out of RHP, the cookie is saved. If
you don't log off of RHP, then next time you, or anyone else using THAT machine goes to RHP, the
identity from the stored cookie is sent to RHP.

OK, now this is where my question comes in:
If the info sent by the cookie each transaction is just "who I am" - ie the verification of the of the
password only occurs during login, then I don't see how one can ever kill off a login from a lost
machine.
If on the other hand, the cookie sends "who I am" AND "my password is" each transaction, THEN
changing passwords from another machine WOULD make make transactions from the old machine
invalide - essentially RHP would recieve a wrong password, and reply back "whoops, that password
doesn't match - try again".

So the question is - which does RHP do?

Of course, all this blathering depends on whether or not I have ANY idea about how the info in
cookies is used. All the above may just be BS.

I'd be curious if any who ACTUALLY know can clarify.

MAG

You're right, of course. Logging off one computer doesn't log you off
of another one. Momentary lapse of reason, there.

Rein

To answer your questions:

1) You go to RHP on a given machine. If there is no information in an
RHP-specific cookie on that
machine about who was last logged in (generally you), RHP asks you
to login in. So you login, and
RHP saves a cookie on your machine with at least info to identify who
you are, possibly encrypted
so others can't look at what information they are saving.

[gg] Not totally true. Your email address is not encrypted. There is spy
software out there that can download and trace cookies for email
address information. That's how you get spam mail...

2) each time you make a transaction with RHP (making up lingo
here...), ie visit a game, make a
move, etc, ie each time you send and recieve info from RHP, info from
the cookie is sent to RHP to
Id who wants what. Make a move, and hit the move button, and my
browser sends a message to
RHP that is essentially "Hi, I'm so-and-so (info from the saved
cookie), and make this move in this
game."

[gg] not sure what cookie information gets transferred during sessions
but authentification check is only done once in a session i.e. when you
first call redhotpawn.com. You can delete your cookie during a session
but you will still be able to make moves.

3) IF and WHEN you log off of RHP on that machine, the cookie is
destroyed, wiping out the info
THAT machine. But if you just quit the browser, without logging out of
RHP, the cookie is saved. If
you don't log off of RHP, then next time you, or anyone else using
THAT machine goes to RHP, the
identity from the stored cookie is sent to RHP.

[gg] true. The bad thing is that even if you change password from
another machine. The 'old' cookie on the first machine will identify you
as a valid user! i.e. If you forgot to logoff from an internet café and
there is no mechanism to destroy your cookie information the next
user can play your games or even change your password. That would
answer your two questions below.

OK, now this is where my question comes in:
If the info sent by the cookie each transaction is just "who I am" - ie
the verification of the of the
password only occurs during login, then I don't see how one can ever
kill off a login from a lost
machine.
If on the other hand, the cookie sends "who I am" AND "my password
is" each transaction, THEN
changing passwords from another machine WOULD make make
transactions from the old machine
invalide - essentially RHP would recieve a wrong password, and reply
back "whoops, that password
doesn't match - try again".

[gg] There is one last remark I'd like to add. Yes, you can save your
user ID together with your password in Internet Explorer so the next
time you login your password will be filled in automatically but this is
not so much of a security issue because this information is tied to
your WinNT login. i.e. a different WinNT user on the same machine
won't be able to get your ID or password information. However in an
internet cafe with a weak set up WinNT user won't change so you
should never activate that setting on public PCs.
Anyway as long as you log out after each session you are save.

Gotti

Thanks for the info!

O' Mighty and Benificent Lords of RHP:
Given Harri/Luck's problem with someone making moves for him, I
think I'll ask
you guys for a clarification.
If one has forgotten to log out of a computer that one can't
necessarily go
back to, is there anyway to ensure that folks won't be able to gain
access
from that computer? Such as by...

This is a good question. The way the cookies are handled and
verified by the site means that we can effectively log someone out of
every computer at which they have logged on.

There is no user-option to do this, but there is no reason why we
couldn't add one. In fact, probably the best thing to do would be for
the "log out" command to mean "log out of ALL machines"... this is
possible.

-Chris

That would be great.

Originally posted by Chrismo

There is no user-option to do this, but there is no reason why we
couldn't add one. In fact, probably the best thing to do would be for
the "log out" command to mean "log out of ALL machines"... this is
possible.

That would be great. I bet Harri/Luck would be VERY happy!

There is no user-option to do this, but there is no reason why we
couldn't add one. In fact, probably the best thing to do would be for
the "log out" command to mean "log out of ALL machines"... this is
possible.

Ah, I should have read your response a bit more closely!
My personal preference would be for the system to NOT automatically log one
off ALL machines. As stated, I always log off public computers, but prefer to
stay logged on at home.
It would be nice, of course to have some method of choosing to log off ALL
machines too, if necessary. Perhaps (yet another) setting in our personal
options that would choose between the two methods?

Actually that would work well, because at any time I could change my setting
from single machine logout to all machine logout, to kill off all logins, then
switch back...

Thanks Chris, for repsonding!
Michael

Maybe we could make a "Log off ALL Machines" button that you have
to lift up the cover, or break the glass... like the button that launches
the nuclear weapons that will kill us all. Maybe we could hide it
somewhere. Either that, or it could be a big red one on the homepage
with the text "Will explode if pushed". Actually, it sounds like a great
idea. Maybe instead of having the option to switch between the two as
a setting, we could just have a link in settings that would do it,
a "special" log off option.

Rein

Originally posted by gotti2000
To answer your questions:

OK, now this is where my question comes in:
If the info sent by the cookie each transaction is just "who I am" - ie
the verification of the of the password only occurs during login, then I
don't see h ...[text shortened]... ly
back "whoops, that password doesn't match - try again".

This is how we do it...

The cookie information is simply your user id and a string of
characters that uniquely identifies you to RHP (otherwise, anyone
could fudge a cookie and pretend to be you).

We check the unique id against the database before alowing you to
continue. This saves having to store your password on your machine -
therefore allowing people to look at it if they are so inclined (it could
easily be your password for a number of other sites or systems).

If, when you logged off, we were to generate a new unique ID for you
on the database, then the next time you visited your "other" computer
on which your cookie still exists, it would be seen as invalid by the
database. And when you logged backon, the cookie would contain the
new id information.

Hope I explained that reasonably ok...