04-29-2021, 09:27 AM
(04-29-2021, 06:17 AM) Shannon Wrote:
(04-28-2021, 05:53 PM) myth Wrote: But, no, it's the Subliminal Shop logins that we perform in order to purchase or download that still need the https around. With only http, we're sending plaintext usernames and passwords, which, if sniffed by a middle man (I could describe in more detail, but I'd rather not), might allow that middle man access to download the compromised user's files, redistribute them, and activate the anti-piracy scripting that we've all spent years listening to. That's what I'm concerned about, not billing security.
Andrew had a good logical response to this as well, and of course I don't remember what it was because it's been years.

It may have been logical, but the user/pass are visible on login submission regardless. A packet trace on my network interface confirms it. You're using a session token thereafter for the life of its cookie, though, so there's no re-sending of the password throughout the rest of the browser session, at least.

(04-29-2021, 06:17 AM) Shannon Wrote: This "issue" - I don't really know and remember enough about the technical details to know if it is actually an issue - will not be around for much longer, but the time frame is out of my hands to some degree.

Noted, hence my aforementioned login attempt. If there's no choice, there's no choice.

(04-29-2021, 06:17 AM) Shannon Wrote: In the case that someone intercepted and stole your login details, and then started pirating your purchases, the anti-piracy code would not trigger for you unless you had committed piracy.

Suspected, as already mentioned, but it seemed like an afterthought worthy of clarification. Thanks.
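
The behaviour described in the post above, as an added example that is not part of the original thread: a small audit helper that reports which credential material a cleartext HTTP request carries, run over a login submission and a later request. The host, path, form field names and cookie names are constructed assumptions, not taken from the site under discussion.

```python
from urllib.parse import parse_qs

# Constructed sample traffic (hypothetical host, field and cookie names),
# as it would appear on the wire when a site is served over plain http.
LOGIN_REQUEST = (
    "POST /login.php HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 37\r\n"
    "\r\n"
    "username=alice&password=correct-horse"
)
LATER_REQUEST = (
    "GET /downloads HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Cookie: sid=3f9a1c; theme=dark\r\n"
    "\r\n"
)

SECRET_FIELDS = {"password", "pass", "pwd"}          # assumed form field names
SESSION_COOKIES = {"sid", "sessionid", "phpsessid"}  # assumed cookie names


def exposed_secrets(raw_request: str) -> dict:
    """Return which credential material a cleartext HTTP request carries."""
    head, _, body = raw_request.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    found = {"password_fields": [], "session_cookies": []}
    # Form-encoded bodies are readable as-is when there is no TLS.
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for field in parse_qs(body, keep_blank_values=True):
            if field.lower() in SECRET_FIELDS:
                found["password_fields"].append(field)
    # The session cookie is sent on every request for the life of the session.
    for pair in headers.get("cookie", "").split(";"):
        name = pair.partition("=")[0].strip()
        if name.lower() in SESSION_COOKIES:
            found["session_cookies"].append(name)
    return found


if __name__ == "__main__":
    for label, req in (("login", LOGIN_REQUEST), ("later", LATER_REQUEST)):
        print(label, exposed_secrets(req))
```

Serving the login and the rest of the session over HTTPS, with the session cookie marked `Secure`, removes both findings from the wire.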
