Gighalen Posted August 30, 2008
Alright, so in the past I have based all my auth methods for user logins on a session. Like userlevel = 9, etc. I noticed, however, that MySpace uses a little widget called MyToken in the URL which looks very similar to a random MD5 hash, and upon further research I learned that this randomly generated alphanumeric combination is generated based on the time, IP address, and a few other things and is used to authenticate users to view certain features on the site, for instance, viewing a private profile. Does anyone have any ideas as to why they did this? Why not just have the authentication stuff embedded into the login session? I'm just wondering which is safer/more reliable and which method would you use? Thanks in advance, Gig
Link to comment https://forums.phpfreaks.com/topic/121944-auth-question/
rarebit Posted August 30, 2008
You can embed the session id in the URL's GET, but it is frowned upon because people can store and publish the links, which 'can' pose a security risk. However, MySpace might be using sessions and then in addition an associated URL id as well... dunno?
Gighalen Posted August 30, 2008 (Author)
Yes, I was really confused about it, because having their auth stuff there means a user can just replace random digits in the token.
kratsg Posted August 30, 2008
How sure are you that the token is really for that sort of stuff? xD It was added for some reasons (correct me if I'm wrong): with the latest release of newer versions of IE, this gave the users the option to disable cookies and sessions... and MySpace, being the size of a country, can't guarantee that EVERY SINGLE PERSON who uses it enables cookies or sessions (or JavaScript, for that matter), so they added an encoded string into the auth (which is supposedly decodable, but they dedicated a whole server for encoding the damn thing, allegedly) so that they can determine who that user is. Honestly, don't mess with big sites like MySpace, Facebook, Google, Yahoo, AOL... they've got kickass programmers who are geniuses in their own right.
rarebit Posted August 30, 2008
"they've got kickass programmers who are genius in their own rights."
Well, it'd be a security flaw to allow the sole use of a URL-encoded session id. And to support the fact, try to log in without accepting any cookies, even session cookies. See this. P.S. Even geniuses can be fallible...
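One way to issue a per-URL token that cannot be guessed or edited digit by digit, the concern raised earlier in the thread: sign it with a server-side secret and give it an expiry, and still require the logged-in session to decide who the caller is. This is an added example in PHP (the forum's language), not code from the thread or from MySpace; the secret, the function names and the "viewer may see private profile" purpose are assumptions.

```php
<?php
// Added example, not from the thread: a tamper-evident, expiring token for a
// single URL. The secret, function names and the private-profile purpose are
// assumptions; the session (not the token) remains the source of identity.

const TOKEN_SECRET = 'replace-with-a-long-random-server-side-secret'; // assumed

// Token = base64url(payload) . "." . HMAC-SHA256(payload). Changing any
// character of the payload or the tag makes the HMAC mismatch, so replacing
// "random digits" in the token yields nothing but a rejected request.
function make_view_token(int $viewerId, int $profileId, int $ttlSeconds = 900): string
{
    $payload = json_encode([
        'v'   => $viewerId,           // who the link was issued to
        'p'   => $profileId,          // which profile it unlocks
        'exp' => time() + $ttlSeconds // when it stops working
    ]);
    $enc = rtrim(strtr(base64_encode($payload), '+/', '-_'), '=');
    $tag = hash_hmac('sha256', $enc, TOKEN_SECRET);
    return $enc . '.' . $tag;
}

// Returns the decoded payload on success, null on any failure. The caller's
// identity comes from the session; the token is only checked against it.
function verify_view_token(string $token, int $sessionUserId, int $profileId): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$enc, $tag] = $parts;
    $expected = hash_hmac('sha256', $enc, TOKEN_SECRET);
    if (!hash_equals($expected, $tag)) {   // constant-time comparison
        return null;
    }
    $payload = json_decode(base64_decode(strtr($enc, '-_', '+/')), true);
    if (!is_array($payload)
        || ($payload['exp'] ?? 0) < time()
        || ($payload['v'] ?? -1) !== $sessionUserId
        || ($payload['p'] ?? -1) !== $profileId) {
        return null;
    }
    return $payload;
}

// Usage: issue a link for user 42 to view profile 1001, then check it on the
// next request against the user id stored in the session.
$token   = make_view_token(42, 1001);
$ok      = verify_view_token($token, 42, 1001) !== null;                      // true
$edited  = verify_view_token(substr($token, 0, -1) . 'x', 42, 1001) !== null; // false
$someone = verify_view_token($token, 43, 1001) !== null;                      // false
```

Publishing such a link (the risk rarebit describes for a bare session id in the URL) gives a third party nothing: the token names a viewer, expires, and is only honoured when the session already proves the caller is that viewer.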
Gighalen Posted August 30, 2008 (Author)
So what happens if a user disables sessions and tries to view a page that requires one? Like an admin page or something? Will it have the same effect as a user being logged in and not having the appropriate privileges? I have IE 8.0 installed and looked for that feature, but couldn't find it.
kratsg Posted August 30, 2008
Sessions can be disabled by disabling cookies. A session is created by making a cookie for that session.
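To make the session-versus-cookie relationship concrete, and to answer the "what happens on an admin page" question above, here is an added PHP example (not from the thread) of a cookie-only session setup with an authorization check that fails closed. The function names, the userlevel 9 convention from the first post and the login page path are assumptions.

```php
<?php
// Added example, not from the thread: cookie-only PHP sessions plus a
// fail-closed privilege check. Function names and paths are assumptions.

// Never accept a session id from the URL; only from the session cookie.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject ids the server did not itself issue (defeats session fixation).
ini_set('session.use_strict_mode', '1');
// Array form of session_set_cookie_params needs PHP 7.3 or later.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Call only after the password check succeeds. Regenerating the id means any
// id the browser held before login (possibly planted) is no longer valid.
function login_user(int $userId, int $userLevel): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['user_level'] = $userLevel;
}

// Gate for a privileged page. If the visitor has cookies disabled, the browser
// sends no session cookie, session_start() creates an empty session, and this
// check fails closed: the visitor is handled exactly like an anonymous user,
// not like a logged-in user who merely lacks the level.
function require_level(int $minLevel): void
{
    if (empty($_SESSION['user_id']) || (int)($_SESSION['user_level'] ?? 0) < $minLevel) {
        header('Location: /login.php', true, 302);
        exit;
    }
}

// Usage, e.g. at the top of admin.php:
require_level(9);
```

The answer to the question in the previous post therefore depends on the check being written to fail closed: with `use_only_cookies` on and no cookie, there is no session to read a userlevel from, so the page behaves as if nobody is logged in.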
Zane Posted August 30, 2008
Probably isn't meant to be understood on our end of understanding things... in the MySpace world. But if I had to make a guess on it, I'm sure that the MySpace administrators have their own custom-built administration panel/portal that reads and decrypts these "tokens", as was already mentioned. Most likely it makes it much easier for them to pinpoint who is doing what and why, and if it's good or bad. They probably have a good banning system in place and yada yada. Most likely the session id is part of the token as well. MySpace is probably the most sensitive of all big sites I've seen, with COPPA and what not.