Post news Report content RSS feed Site security updates

Site security from cookies through to email has been overhauled, read on to find out whats new.

Posted by INtense! on Oct 7th, 2010

With Desura soon to launch and begin accepting payments, site security has been totally overhauled to keep your accounts protected. This change affects ModDB, IndieDB and Desura. If you access these site via special applications like browser plugins, RSS readers or via many different browsers you may encounter some login issues, but for everyone else the site should run as per normal. Here what's new:

  • Limited login attempts. To many failures and you will have to wait.
  • To change your email address you will need to provide your password.
  • If your email or password is changed, you will receive an email notification.
  • Use once only tokenized security following best practices in use by sites like Twitter, Facebook etc.

If you are having difficulties logging in or staying logged in please post feedback in the comments, otherwise enjoy browsing the site as per normal! And remember NEVER tell anyone your username and password, not even site staff (we will never ask for it). We shall reset your password if you have forgotten it.

Post comment Comments
Kissaki Oct 7 2010 says:

What’s “once only tokenized security”?

+4 votes     reply to comment
INtense! Author
INtense! Oct 7 2010 replied:

The best practices I refer to are best explained here:

Essentially everytime your session is renewed I regenerate a random "persistent" login token. This token is continually changing so if someone copies this token they will only be able to continue using it until the next token in the chain is generated. The old system had no expiry date so multiple people could use the same details to login forever essentially.

+3 votes   reply to comment
Su[)az][mA Oct 8 2010 replied:

i rather liked the forever login :\
saved me inputting my pw/name the whole time :P

+2 votes     reply to comment
Katana_ Oct 10 2010 replied:

And it's still possible. It's just that, with each visit the login token changes, and it's reset in your browser.

It's something that the open source bulletin board software phpBB does.

+1 vote     reply to comment
WarlockSyno Oct 7 2010 replied:

I think he means that only one person can log in at a time, on the same account.

+2 votes     reply to comment
INtense! Author
INtense! Oct 8 2010 replied:

no multiple logins are permitted - but sharing the same cookies isn't.

+2 votes   reply to comment
OMON Oct 7 2010 says:

By best practices are you referring to OAuth?

+2 votes     reply to comment
INtense! Author
INtense! Oct 7 2010 replied:

OAuth is totally different, OAuth is for allowing 3rd parties / API's and other sites to share login details with your site.

+2 votes   reply to comment
Jyffeh Oct 8 2010 says:

Paranoia is a virtue. Nice work, kiddies.

+2 votes     reply to comment
Katana_ Oct 10 2010 says:

Out of curiosity, are you guys now using link-hashes in _GET requests now?
Things such as group membership requests and mod tracking seemed like they could be CSRF'd the way it was before; I'm curious as to whether or not that has been addressed, or not.

+1 vote     reply to comment
Post a comment

You are not logged in, your comment will be anonymous unless you join the community. Or sign in with your social account:

Post news
Related Groups
Desura Entertainment & Press with 10,127 members
Indie DB
Indie DB Official with 2,239 members
Mod DB
Mod DB Official with 4,013 members