Pages (3) « 1 [2] 3 »
Sep 13, 2013 2:41 AM

Offline
Mar 2013
10
Login issue isn't fixed for me :'// I keep being logged out !!!!!!
+ Okk Password will be changed now :)
Sep 13, 2013 2:58 AM

Offline
Oct 2009
7146
koleare said:
Prequel said:
Now, I don't understand how forced log-outs can be related to IP block to a malicious person. It must be possible to block an IP without applying IP sensitivity to whole site. Why exactly do we have to re-login when we change our IPs?
The IP block isn't for the malicious person. Well, blocking isn't really the best word either. Mostly and in simpler terms, your IP is used in the authentication process and session, so when your IP changes, the previous session isn't valid anymore and you have to authenticate/log in again. This pretty much prevents your session from being hijacked (http://en.wikipedia.org/wiki/Session_hijacking) like it happened two years ago.

Ah, and the forced log outs aren't related to the IPs. As I said, those were incompatibilities with the new security updates which fight DDoSes.


Ah, glad you explain the log out issue.
The most important things in life is the people that you care about
Sep 13, 2013 5:22 AM

Offline
Apr 2013
174
@koleare ,

Okay, how can someone "hijack session"s with only DDoS? I guess there were at least two malicious behaviours then. (I wasn't here 2 years ago.) So I'm assuming there are/were security flaws?

If those flaws are fixed, shouldn't you let us stay logged in when we change our IPs? If not, then isn't this a bigger issue that needs to be dealt with? And how can the site in such a situation be working almost flawlessly if such a mindlessly obsessed "hacker" is messing with MAL?

I'm sorry if "session hijacking" is something of an inevitability, but with so many sites letting people use their sites flawlessly with or without IP changes, I can't help but think there is a better way.
RememberTheCantSep 13, 2013 5:27 AM
Open to chat about any storytelling related subject as long as it's clever and respectful.
Myanimelist
Sep 13, 2013 5:41 AM

Offline
Aug 2010
2344
Prequel said:
Okay, how can someone "hijack session"s with only DDoS? I guess there were at least two malicious behaviours then. (I wasn't here 2 years ago.) So I'm assuming there are/were security flaws?

If those flaws are fixed, shouldn't you let us stay logged in when we change our IPs? If not, then isn't this a bigger issue that needs to be dealt with? And how can the site be working flawlessly if such a mindlessly obsessed "hacker" is messing with MAL?

I'm sorry if "session hijacking" is something of an inevitability, but with so many sites letting people use their sites flawlessly with or without IP changes, I can't help but think there is a way.
I never linked the DDoS to hijacking and forced log outs to the IP sessions (like you did in your last post); it's only you who's doing that -_-'

These are separate matters. To patch up a clearer timeline (well, maybe I wasn't explaining it that well - but well, I am trying to say as much as I can without revealing too much :P):

- there were cases of session hijackings last year, so that 'IP to session' was implemented to prevent them from happening again
- the site has been DDoSed two weeks ago (if my memory isn't failing me), so a couple of security updates went live to counter them, but unfortunately, people started getting forced log outs, which were fixed yesterday

And yeah, everything should run smoothly without getting logged out every time your IP changes... - but then Xinil said in the opening post that he'd rather improve the security over rolling back accounts, so maybe there's something planned for that.
koleareSep 13, 2013 5:44 AM
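An added illustration of the 'IP to session' check described in the post above, showing why a changed address forces a new login. This is example code written for this page, not MAL's implementation (which the thread does not show); the class, the `prefix_len` option, the TTL and the IPv4 documentation-range addresses are all assumptions.

```python
import ipaddress
import secrets

SESSION_TTL = 3600  # seconds; constructed value for this example


class SessionStore:
    """In-memory session table that pins each session to the login address."""

    def __init__(self, prefix_len=32):
        # 32 pins to the exact IPv4 address; a shorter prefix such as 24
        # tolerates address changes inside the same network (an assumption
        # of this sketch, not something the thread says the site does).
        self.prefix_len = prefix_len
        self._sessions = {}  # token -> (user, pinned network, expiry)

    def login(self, user, ip, now):
        network = ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False)
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[token] = (user, network, now + SESSION_TTL)
        return token

    def validate(self, token, ip, now):
        """Return (user, reason); user is None when a new login is needed."""
        record = self._sessions.get(token)
        if record is None:
            return None, "unknown-session"
        user, network, expires = record
        if now > expires:
            del self._sessions[token]
            return None, "expired"
        if ipaddress.ip_address(ip) not in network:
            # Right token, wrong address: a copied cookie and a user whose
            # ISP handed out a new address look identical here, so the
            # session is dropped in both cases.
            del self._sessions[token]
            return None, "ip-changed"
        return user, "ok"


def demo():
    """Constructed walk-through using documentation-range addresses."""
    store = SessionStore()
    token = store.login("alice", "203.0.113.10", now=0)
    return [
        store.validate(token, "203.0.113.10", now=10),   # same address
        store.validate(token, "198.51.100.7", now=20),   # address changed
        store.validate(token, "203.0.113.10", now=30),   # session is gone
    ]


if __name__ == "__main__":
    for user, reason in demo():
        print(user, reason)
```

With `prefix_len=24` the same store accepts any address in the login's /24, which trades some of the protection for fewer forced logins on dynamic connections.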
Sep 13, 2013 6:06 AM

Offline
Dec 2011
2016
Password changed and thanks for the hard work!
Keep us safe, please :3
Signature removed. Please follow the signature rules, as defined in the Site & Forum Guidelines.
Sep 13, 2013 7:30 AM

Offline
Jul 2012
25
Thanks for all your hard work!
Sep 13, 2013 7:44 AM

Offline
Oct 2011
8878
Thank you !!!!!!
Sep 13, 2013 8:01 AM

Offline
Sep 2009
32
Yay ! Thank you very much for your hard work , Xinil & the rest of MAL staff . You guys are the best :)
Sep 13, 2013 8:46 AM

Offline
Apr 2010
1909
The staying logged in issues seem to be fixed for me. Normally it'd happen every 5-10 minutes but I haven't been logged out since yesterday afternoon.

Thank you for your hard work.




Sep 13, 2013 9:01 AM

Offline
Aug 2013
347
Glad I've changed my password today NO BODY CAN'T STOP ME! WOOOOOOHOOOOOO.
"There is nothing outside of yourself that can ever
enable you to get better, stronger, richer, quicker,
or smarter. Everything is within.
Everything is exists.
Seek nothing outside of yourself
" - Musashi
miyamoto
Sep 13, 2013 9:25 AM

Offline
Sep 2012
687
around 1 ~ 2 hour without logout....

Thanks, and the password has been changed ^.^
Sep 13, 2013 10:20 AM

Offline
Sep 2011
16158
I'm still having the log-in issue. What the hell?
TennoujiSep 13, 2013 10:24 AM


Sep 13, 2013 10:35 AM

Offline
Sep 2010
6759
Changed password just now thanks! Been logged in since 10 and it's been almost 4 hours with no problems
"What has two arms, two legs, and is alive? Not your favorite character lol! xD"
Sep 13, 2013 11:10 AM

Offline
Oct 2012
9
koleare said:

- there were cases of session hijackings last year, so that 'IP to session' was implemented to prevent them from happening again

There are only two possible ways of session hijacking:
1. The attacker could read session keys from the database, in this case the site has to take actions to prevent database access, and not connect the session to the IP, after these actions are taken invalidate all active sessions once and the problem is solved.
2. The attacker hijacked sessions on user PCs. In this case it's only a problem of a small group of people who aren't capable of keeping their system safe. That can't be prevented and therefore shouldn't even be attempted. (If the attacker can hijack a session he can most likely as well hijack a password)

Either way, session hijacking is definitely not a reason to log out a user when he changes his IP. Since this happens to roughly 99% of the users every single night it's mainly annoying and not helpful.
Sep 13, 2013 11:11 AM

Offline
Dec 2009
603
I haven't changed my password since I joined.. Oh well, it was time for a new anyway. Now that that is resolved, a little, when do you think the bbcodes will be enabled again?

Sep 13, 2013 11:55 AM

Offline
Sep 2012
284
I seem to be staying logged on now.

THANK YOU! It was being really irritating...
Sep 13, 2013 12:59 PM

Offline
Apr 2012
56
"Starting on September 20, we will no longer be able to restore profiles for users who have not changed their password since August 22. It takes a lot of work to restore hacked profiles, and we would rather put that effort into security improvements that can benefit everyone."

Excuse me? So are you saying that I have to change my password for an account that's already been deleted? How the hell am I supposed to do that?

I get it that you prioritize security over rolling back people who lost their accounts. Actually no, I really don't get that. Because people have been waiting for WEEKS to have their accounts back. If anything I only want my god damn account back just to export my list and import it somewhere else.

What exactly am I supposed to do? If I don't change my password for a deleted account, I won't get my deleted account back? How long do we have to wait for our accounts to be rolled back? Seriously, you think the login thing is frustrating, it's frustrating not having your actual list, ratings, friends, etc. for weeks and weeks on end. This is frustrating as all hell.
Sep 13, 2013 1:06 PM

Offline
May 2011
9
Yay, hopefully all problems related to the hacking incident are now solved :)
I feel bad for those people who lost their accounts though...
~Otaku for 15 years~
Sep 13, 2013 1:28 PM
Offline
Jan 2012
16
Still having a problem keeping me logged in FYI. Ganbatte.
Sep 13, 2013 2:25 PM
Anime DB Admin
BACK FOR MORE?

Offline
Jan 2007
12683
If you still struggle with staying logged in I suggest you clear all myanimelist cookies and try again.


gettogaara said:
Rapha_Lamperouge said:
Just changed my pw, interestingly I got DC immediately after that.

Same here but it hasn't happened again since then.


That's normal. You get logged out when you change your password. I believe it even tells you exactly that on the page you see after changing your password, so eyes open.

Sep 13, 2013 2:31 PM

Offline
Mar 2009
512
Please explain to me why you think failing to keep your database secure should leak my password?

You aren't storing plain text or basic MD5 nowadays surely?
Sep 13, 2013 3:58 PM

Offline
Jul 2012
517
thanks!! what about BBcode?
Sep 13, 2013 4:01 PM

Offline
Jan 2013
420
how do i change my password on MAL?
Sep 13, 2013 4:34 PM

Offline
Nov 2012
165
welcome2NHK said:
thanks!! what about BBcode?

don't think most of them work yet. (at least for me)
Sep 13, 2013 5:19 PM
Offline
Mar 2006
7
MikeP said:
Please explain to me why you think failing to keep your database secure should leak my password?

You aren't storing plain text or basic MD5 nowadays surely?


More than this, even salted the current requirements are 4-18 alphanumerics, which is fairly trivial to break via bruteforce.
Sep 13, 2013 6:35 PM

Offline
May 2012
3820
Changed my password yesterday. Not forced log-out, which is actually good for me. <3


Thanks for your hard work, mods! *thumbs up*
Badges: C.C.O / T.C.O / TFCC admin ID | Previously known as kazumi-san95
Sep 13, 2013 6:40 PM

Offline
Sep 2011
489
Thx, bro.
Sep 13, 2013 6:42 PM

Offline
Mar 2012
18961
I'm still getting logged out even after changing my password.
Kickstarter for Rokujouma is fully funded. Good work everyone. Lets wait for the result of our hard work together.
Sep 13, 2013 7:24 PM

Offline
Oct 2011
136
Xinil said:
We believe we've fixed the majority of login issues. Terribly sorry it took so long to get this under control, but hopefully we can move forward from here. If your IP is changing frequently though, you'll still get logged out on each subsequent change.

Also, we've received information that the attacker who has hit MAL before may have compromised other anime sites as well. If you've reused usernames, e-mail addresses, and passwords on these sites, it is likely that the attacker has them, and can log in as you if he or she wants. We highly recommend that you change your password as soon as possible, to ensure that your profile and data aren't compromised.

Starting on September 20, we will no longer be able to restore profiles for users who have not changed their password since August 22. It takes a lot of work to restore hacked profiles, and we would rather put that effort into security improvements that can benefit everyone.

Thanks everyone!


i just changed my password now.

Anime-Planet.com - anime | manga | reviews
Sep 13, 2013 7:59 PM

Offline
Apr 2012
56
Akichii said:
"Starting on September 20, we will no longer be able to restore profiles for users who have not changed their password since August 22. It takes a lot of work to restore hacked profiles, and we would rather put that effort into security improvements that can benefit everyone."

Excuse me? So are you saying that I have to change my password for an account that's already been deleted? How the hell am I supposed to do that?

I get it that you prioritize security over rolling back people who lost their accounts. Actually no, I really don't get that. Because people have been waiting for WEEKS to have their accounts back. If anything I only want my god damn account back just to export my list and import it somewhere else.

What exactly am I supposed to do? If I don't change my password for a deleted account, I won't get my deleted account back? How long do we have to wait for our accounts to be rolled back? Seriously, you think the login thing is frustrating, it's frustrating not having your actual list, ratings, friends, etc. for weeks and weeks on end. This is frustrating as all hell.
Considering that I really don't want to lose all my ratings, anime, friends, etc. because of a crappy reason like this, I'd really, REALLY appreciate if a mod replied to me and got back with me on this?
Sep 13, 2013 8:00 PM

Offline
Oct 2012
765
getting tired of log in... -_-



Sep 13, 2013 8:01 PM

Online
Jan 2009
92389
Akichii said:
Akichii said:
"Starting on September 20, we will no longer be able to restore profiles for users who have not changed their password since August 22. It takes a lot of work to restore hacked profiles, and we would rather put that effort into security improvements that can benefit everyone."

Excuse me? So are you saying that I have to change my password for an account that's already been deleted? How the hell am I supposed to do that?

I get it that you prioritize security over rolling back people who lost their accounts. Actually no, I really don't get that. Because people have been waiting for WEEKS to have their accounts back. If anything I only want my god damn account back just to export my list and import it somewhere else.

What exactly am I supposed to do? If I don't change my password for a deleted account, I won't get my deleted account back? How long do we have to wait for our accounts to be rolled back? Seriously, you think the login thing is frustrating, it's frustrating not having your actual list, ratings, friends, etc. for weeks and weeks on end. This is frustrating as all hell.
Considering that I really don't want to lose all my ratings, anime, friends, etc. because of a crappy reason like this, I'd really, REALLY appreciate if a mod replied to me and got back with me on this?


try PMing Kineta since she is the database administrator
Sep 13, 2013 8:40 PM

Offline
Nov 2012
65
I'm still getting randomly logged out at times but it's happening much less often now.
Sep 13, 2013 9:40 PM

Offline
Aug 2009
983
Sep 13, 2013 10:50 PM
Offline
Aug 2013
2
Thanks for fixing the problem.
Sep 14, 2013 1:51 AM

Offline
May 2012
59
so I can login with my phone again

~SUGOI

Sep 14, 2013 8:20 AM

Offline
Aug 2012
16
I'm still having the random login issue.
Sep 14, 2013 8:38 AM

Offline
Dec 2011
276
I've not been getting logged out!!

Thanks for all the hard work ~
Sep 14, 2013 11:01 AM

Offline
Jan 2013
49
Changing my password now. Thank you
Sep 14, 2013 1:01 PM

Offline
May 2010
3518
tsubasalover said:
Thank you for your extremely hard work.
"Wait for the signal, and I'll meet you after dark"
Sep 14, 2013 1:10 PM

Offline
Feb 2012
1
Changed my password here and also on Hummingbird to be safe, does anyone know of any other sites that might have been affected?
Sep 14, 2013 1:12 PM
Manga Moderator
🖤🖤🖤

Offline
Sep 2012
988
I haven't been logged out for a few hours now, so I think it's safe to say that it won't happen anymore. Thanks for fixing this! :)


thanks to my lovely Secret Elf Santa
for the forum set~
(*’∀’人)♥
Sep 14, 2013 1:31 PM

Offline
Feb 2008
257
Hmm, it still logs me out though after an hour of logging on.
Sep 14, 2013 1:56 PM

Offline
Oct 2010
84
changed my password. thanks for the updates and everyone's hard work. :3 to be honest, i have a pretty big list and i use this list to clear off some of my "memory" in my brain, haha. but anyway...

now, if we could only find out why this happened.
blog.::.patreon.::.

Sep 14, 2013 8:43 PM

Offline
Sep 2009
146
PrOxAnto said:
I can log-in, even though I get randomly logged out at times

ryshin said:
getting tired of log in... -_-

me too..

Xinil said:
We highly recommend that you change your password as soon as possible, to ensure that your profile and data aren't compromised.
Starting on September 20, we will no longer be able to restore profiles for users who have not changed their password since August 22. It takes a lot of work to restore hacked profiles, and we would rather put that effort into security improvements that can benefit everyone.


ok, I'll change my password..
Thanks..
Sep 14, 2013 10:05 PM

Offline
Jul 2013
2894
I still keep getting logged out but it's slower now. Changed my password. Thanks for trying to keep our profiles safe.
Sep 14, 2013 11:19 PM

Offline
Nov 2009
15
I keep logging out every ten minutes, I clear the cookies but nothing changes.

location:. Istanbul / Turkey
Browser: Chrome
Sep 14, 2013 11:30 PM

Offline
Jul 2009
3344
finally i was able to login after 2 weeks of waiting.

change my password, will back up my list ASAP!

thanks for the updates, though i suggest you should have put these announcements as part of news since i can't see them if i'm not logged in.
Sep 15, 2013 12:29 AM

Offline
Aug 2013
516
thanks it worked for me too :-p
Sep 15, 2013 2:15 AM

Offline
Jan 2011
2839
I would love it if MAL supported SSL, even a self-signed certificate would be fine. Of course it would be optional to prevent everyone's browser from crying, but one could just add an exception.
A lot of IRC servers do the same with self-signed SSL certificates.

Is that an option at all or are we going to send password unencrypted for eternity?
I almost never read discussions after I made my post, if you want to reply PM me or post on my profile page.