Report article RSS Feed Site security updates

Site security from cookies through to email has been overhauled, read on to find out whats new.

Posted by INtense! on Oct 7th, 2010

With Desura soon to launch and begin accepting payments, site security has been totally overhauled to keep your accounts protected. This change affects ModDB, IndieDB and Desura. If you access these site via special applications like browser plugins, RSS readers or via many different browsers you may encounter some login issues, but for everyone else the site should run as per normal. Here what's new:

  • Limited login attempts. To many failures and you will have to wait.
  • To change your email address you will need to provide your password.
  • If your email or password is changed, you will receive an email notification.
  • Use once only tokenized security following best practices in use by sites like Twitter, Facebook etc.

If you are having difficulties logging in or staying logged in please post feedback in the comments, otherwise enjoy browsing the site as per normal! And remember NEVER tell anyone your username and password, not even site staff (we will never ask for it). We shall reset your password if you have forgotten it.

Post comment Comments
Kissaki Oct 7 2010, 12:02pm says:

What’s “once only tokenized security”?

+4 votes     reply to comment
INtense! Author
INtense! Oct 7 2010, 4:26pm replied:

The best practices I refer to are best explained here:

Essentially everytime your session is renewed I regenerate a random "persistent" login token. This token is continually changing so if someone copies this token they will only be able to continue using it until the next token in the chain is generated. The old system had no expiry date so multiple people could use the same details to login forever essentially.

+3 votes   reply to comment
Su[)az][mA Oct 8 2010, 4:45am replied:

i rather liked the forever login :\
saved me inputting my pw/name the whole time :P

+2 votes     reply to comment
Katana_ Oct 10 2010, 9:55am replied:

And it's still possible. It's just that, with each visit the login token changes, and it's reset in your browser.

It's something that the open source bulletin board software phpBB does.

+1 vote     reply to comment
WarlockSyno Oct 7 2010, 5:03pm replied:

I think he means that only one person can log in at a time, on the same account.

+2 votes     reply to comment
INtense! Author
INtense! Oct 8 2010, 2:09am replied:

no multiple logins are permitted - but sharing the same cookies isn't.

+2 votes   reply to comment
OMON Oct 7 2010, 4:06pm says:

By best practices are you referring to OAuth?

+2 votes     reply to comment
INtense! Author
INtense! Oct 7 2010, 4:27pm replied:

OAuth is totally different, OAuth is for allowing 3rd parties / API's and other sites to share login details with your site.

+2 votes   reply to comment
Jyffeh Oct 8 2010, 8:26pm says:

Paranoia is a virtue. Nice work, kiddies.

+2 votes     reply to comment
Katana_ Oct 10 2010, 9:58am says:

Out of curiosity, are you guys now using link-hashes in _GET requests now?
Things such as group membership requests and mod tracking seemed like they could be CSRF'd the way it was before; I'm curious as to whether or not that has been addressed, or not.

+1 vote     reply to comment
Post a Comment
click to sign in

You are not logged in, your comment will be anonymous unless you join the community today (totally free - or sign in with your social account on the right) which we encourage all contributors to do.

2000 characters limit; HTML formatting and smileys are not supported - text only

Report Abuse
Report article
Related Groups
Desura Official group with 10,107 members
IndieDB Official group with 2,075 members
ModDB Official group with 3,893 members