| I thought it was just me who had that problem. |
| Oh, no wonder that message comes out more often now. |
I ♥ Two Syaorans from Tsubasa RESERVoir CHRoNiCLE and TRC!!! |
zlood said: what kind of attack exactly the server experiencing? I think https only works for attack within request packets. And I think hardly any packets within MAL contain sensitive information. By the way, mine works just fine. Conected from Indonesia and uses firefox. only got logged out once yesterday or two days ago (I forgot). I don't know what kind of attacks the MAL server is experiencing. Anyway HTTPS helps secure data sent over a connection so other parties can't just read or modify it. It is recommended to use HTTPS because of this. Many sites of the past few years have shifted to using HTTPS. Gmail used to be easy to hack when it was on HTTP. Cookies store user passwords and login information so I could hijack a MAL cookie, get someone's info, and use it to login. There are other ways to prevent attacks. HTTPS is not the only option. |
 |
xuezhi said: Cookies store user passwords and login information so I could hijack a MAL cookie, get someone's info, and use it to login. I wonder how you can use cookie information if the password and the ident are crypted with something like sha512+salt. Or maybe people still use retarded and useless md5 crypt ? |
 |
| I'd rather have an inconvenient login system than an insecure one. Thanks. |
xuezhi said: I don't know what kind of attacks the MAL server is experiencing. Anyway HTTPS helps secure data sent over a connection so other parties can't just read or modify it. It is recommended to use HTTPS because of this. Many sites of the past few years have shifted to using HTTPS. Gmail used to be easy to hack when it was on HTTP. Cookies store user passwords and login information so I could hijack a MAL cookie, get someone's info, and use it to login. There are other ways to prevent attacks. HTTPS is not the only option. JaoShingan said: I wonder how you can use cookie information if the password and the ident are crypted with something like sha512+salt. Or maybe people still use retarded and useless md5 crypt ? true to that, If the objective is to only secure cookies there are a lot of option available. I hope MAL team could make better action in the future, so that any countermeasure against attack won't hurt users at the same time. |
| This has actually been happening to me for months, and now I know why. Glad to know it wasn't just my computer derping out. 8[ Hopefully all the security issues can be resolved soon! c: Read more at http://myanimelist.net/forum/?topicid=613857&show=40#m0D2LRqOPK2V9EB2.99 xuezhi said: I repeat again, I haven't seen a SINGLE (non-retarded) website on earth that is attacked and they found solution in screwing up cookies and f***ing their members' life up. Clearly someone doesn't know sites any more than 10. Wow. Stop being a lazy butt and just log in again omg. LOL Yeah it's annoying, but you just have to deal with it until they fix it. Since you're so smart, why not go and make your own anime listing website? After all, MAL is ruining your life. xD |
TachiiJun 18, 2013 1:33 PM
| Actually, I don't see the point to link cookies to IP. This is redundant. If we use cookies, it's because almost every IP are dynamics and you can't use it to remember actions to do for an user. If you want to use IP, just delete these cookies and do it with a database but this is not reliable at all. The only easy and reliable way to secure cookies is hashing. Just hashing, rest is bullshit. (and not md5 hash plz) |
JaoShinganJun 19, 2013 2:25 AM
|
| Thanks for keeping our MAL save :D |
 |
xuezhi said: Prequel said: I repeat again, I haven't seen a SINGLE (non-retarded) website on earth that is attacked and they found solution in screwing up cookies and f***ing their members' life up. Clearly someone doesn't know sites any more than 10. Ok, buddy whatever you say. I am not gonna bother getting in a heated debate with you, especially someone who says a cookie problem messes up their life. That was a figure of speech, "buddy". Suuji said: Wow. Stop being a lazy butt and just log in again omg. LOL Yeah it's annoying, but you just have to deal with it until they fix it. Since you're so smart, why not go and make your own anime listing website? After all, MAL is ruining your life. xD "Lazy butt"? Why should I log-in ten times a day to use a site, when no other site whether paid or free, weather a crapfest one-guy administrated site or a huge company's, or anything in between, doesn't have such a ridiculous problem? When you look at the comments you can see there are at least more than one easy solutions probably that can be impelented in couple of days, if not in couple of hours. What elso do you do that is under a certain humane standart which makes you lose time and effort but you still don't feel like so? Not to mention sometimes you lose "information" when you make changes on a previously opened page if you don't realize you're actually logged out at then. And why we don't even see an explanation after all the suggestions or an ETA? Because they don't give a crap. He just said "I don't have an ETA" and just like that. Like it's nothing important. Like there aren't tens of thousands of users facing this issue! As I understand they're not having this issue because of their location, so they don't feel like fixing it. Because they're not facing the consequences. Simply "revert the removal of cookie IP restriction". Without alternatives. They should've "revert"ed AFTER finding an alternative and implementing it. So we wouldn't even face this. But why is it important if thousands are having it but not you? Even tough this isn't a paid service, this is completely irresponsible behaviour against tens of thousands of users. And this site is nothing without user-base. I just asked my friend to register couple of days ago, and now he's facing this in day-1. How long do you think will it pass until he gives up on this site? How long do you think anyone will give up on this site? I've already seen people switching to AniDB. I'm just trying to stay here because of the ease of interface but we're not getting the same treatment when we try to be loyal. Instead of trying to defend the real lazy side here, start reacting. So maybe THIS TIME maybe we won't get to wait FOR MONTHS. OK? |
| Open to chat about any storytelling related subject as long as it's clever and respectful. Myanimelist |
TaquishaJohnson said: I'm from the USA, and everything is fine on my computer (with Firefox), but on my iPhone (with Safari) I get logged out constantly. As long as your unknown 3G/4G/5G IP isn't banned, everything it's okay. I think those IPs are shared and explains why I'm banned whenever i used my iPhone outside of a Wi-Fi connection. ._. As for being logged out constantly, I randomly get logged back in after a while. :3 |
 |
| Thank you for working on the security and always improving the site. Why anyone whould want to attack the site is beyond me but whatever. Thank you either way and keep us posted~ |
  |
Prequel said: xuezhi said: Prequel said: I repeat again, I haven't seen a SINGLE (non-retarded) website on earth that is attacked and they found solution in screwing up cookies and f***ing their members' life up. Clearly someone doesn't know sites any more than 10. Ok, buddy whatever you say. I am not gonna bother getting in a heated debate with you, especially someone who says a cookie problem messes up their life. That was a figure of speech, "buddy". Suuji said: Wow. Stop being a lazy butt and just log in again omg. LOL Yeah it's annoying, but you just have to deal with it until they fix it. Since you're so smart, why not go and make your own anime listing website? After all, MAL is ruining your life. xD "Lazy butt"? Why should I log-in ten times a day to use a site, when no other site whether paid or free, weather a crapfest one-guy administrated site or a huge company's, or anything in between, doesn't have such a ridiculous problem? When you look at the comments you can see there are at least more than one easy solutions probably that can be impelented in couple of days, if not in couple of hours. What elso do you do that is under a certain humane standart which makes you lose time and effort but you still don't feel like so? Not to mention sometimes you lose "information" when you make changes on a previously opened page if you don't realize you're actually logged out at then. And why we don't even see an explanation after all the suggestions or an ETA? Because they don't give a crap. He just said "I don't have an ETA" and just like that. Like it's nothing important. Like there aren't tens of thousands of users facing this issue! As I understand they're not having this issue because of their location, so they don't feel like fixing it. Because they're not facing the consequences. Simply "revert the removal of cookie IP restriction". Without alternatives. They should've "revert"ed AFTER finding an alternative and implementing it. So we wouldn't even face this. But why is it important if thousands are having it but not you? Even tough this isn't a paid service, this is completely irresponsible behaviour against tens of thousands of users. And this site is nothing without user-base. I just asked my friend to register couple of days ago, and now he's facing this in day-1. How long do you think will it pass until he gives up on this site? How long do you think anyone will give up on this site? I've already seen people switching to AniDB. I'm just trying to stay here because of the ease of interface but we're not getting the same treatment when we try to be loyal. Instead of trying to defend the real lazy side here, start reacting. So maybe THIS TIME maybe we won't get to wait FOR MONTHS. OK? I already stated that I personally have this problem and have had it for months. There are many sites that log you out after a certain timed session, and it's really not a big deal. It isn't difficult to type my username and password in once again. I'm not saying that they are right either with the issue, but you're making this into a huge problem for no particular reason whatsoever. If it's such a bother, then migrate over to another anime listing site. :T It will be fixed since there are other users who feel the same, I am sure, but at the same time it seems silly to make such an angry sounding comment over a service you don't even pay for. ._. Let them deal with the problem if people leave-- sometimes you have to learn the hard way. |
Suuji said: I'm not saying that they are right either with the issue, but you're making this into a huge problem for no particular reason whatsoever. If it's such a bother, then migrate over to another anime listing site. :T It will be fixed since there are other users who feel the same, I am sure, but at the same time it seems silly to make such an angry sounding comment over a service you don't even pay for. ._. Let them deal with the problem if people leave-- sometimes you have to learn the hard way. I just don't want it to take months, again. That's why. I wish I didn't have to write these, but I had to. I don't feel comfortable either. Maybe I'm even risking my account here. I'm scared of the thought of waiting for months for it and I feel no one is listening, or even if they're listening, acting. Anyway I feel like I said all I can say, hope it makes a change. |
| Open to chat about any storytelling related subject as long as it's clever and respectful. Myanimelist |
JaoShingan said: I wonder how you can use cookie information if the password and the ident are crypted with something like sha512+salt. Or maybe people still use retarded and useless md5 crypt ? Who encrypts with MD5?? That isn't even an encryption algorithm. MD5 is used for hashing not encrypting, plus it has been cracked so don't use it at all. Hashing is different from encrypting. Salting is also different from encrypting. SHA512? I have no idea what you are talking about...unless you are talking about SHA-1. |
|
xuezhi said: JaoShingan said: I wonder how you can use cookie informations if the password and the ident are crypted with something like sha512+salt. Or maybe people still use retarded and useless md5 crypt ? Who encrypts with MD5?? That isn't even an encryption algorithm. MD5 is used for hashing not encrypting, plus it has been cracked so don't use it at all. Hashing is different from encrypting. Salting is also different from encrypting. SHA512? I have no idea what you are talking about...unless you are talking about SHA-1. Well, hash and crypt, I understand myself. This was not my question and you didn't answered it. "How can you use cookie information if the password and the ident are hashed with something like sha512+salt ?" And for sha512 : http://en.wikipedia.org/wiki/SHA-2 sha1 isn't well secured anymore. Since there is no sensible personnal informations on this website, I don't think using https is a good choice. MAL is already slow enough without it. Hashed cookies will do the job and its easy to implement. Because now if you want to stay loged you have to use a fixed IP/proxy in addition to the cookies. It's not reliable at all, it's annoying and... It does not protect anything. |
JaoShinganJun 19, 2013 8:18 AM
|
JaoShingan said: JaoShingan said: I wonder how you can use cookie informations if the password and the ident are crypted with something like sha512+salt. Or maybe people still use retarded and useless md5 crypt ? Well, hash and crypt, I understand myself. This was not my question and you didn't answered it. "How can you use cookie information if the password and the ident are hashed with something like sha512+salt ?" Since there is no sensible personnal informations on this website, I don't think using https is a good choice. MAL is already slow enough without it. Hashed cookies will do the job and its easy to implement. Because now if you want to stay loged you have to use a fixed IP/proxy in addition to the cookies. It's not reliable at all, it's annoying and... It does not protect anything. I know what SHA-1 is. Your use of SHA512 threw me off cause it is called SHA-1. The bolded is a clear contradiction of hashing and encrypting. From what I am reading you are saying hashing and encrypting is the same AND it is encrypting not crypting. No one here is dead in a crypt sir. Please, use the correct word. A person's account here on MAL IS personal. If you can't see that then I don't know what to say. I am pretty sure MAL users want their information on here safe and secure. As for your question, cookies in HTTP can be hijacked and the information from them extracted. I have already said this. There is something called a computer than hackers can use to go through a bunch of user names with the same hashing algorithm to figure out the original user name. This is because a hashing algorithm is supposed to produce the same result every time for the original word. Besides not all cookies store information that has been hashed, some are only in plaintext. Encrypting is the best way to ensure confidentiality; I never said HTTPS is the only choice. It is one of the options available for security. Hashing is NOT an option for security. I think in the end this basically comes down to convenience and not needing to enter in your user name and password to log in every time. Is it really that hard to type in your user name and password to log-in when you visit the site? It takes like 2 seconds, 10 seconds at most. |
|
| SHA-512 is not SHA-1, It's part of the SHA-2 set. Did you read my link ? For encrypt and crypt, here is the PHP function : http://www.php.net/manual/en/function.crypt.php. That's why I use "crypt" (note that I didn't used "crypting", english isn't my first language but I know the real word, thanks) And actually you understood me. I didn't said hashing and encrypting are the same. I just said that I understand me but this was a mistake. And actually you understood me too. A person's account on MAL is maybe personnal but come on, there is no hidden or sensible information, everything you put on MAL is accessible on your profile. It's not like you can pay something with credit card etc. Hashing is an option for security, I mean a good hashing. What you are saying is impossible with salting. You maybe know the algorithm, but you don't know the salt. However, if someone has a cookies sniffer on his computer, encrypting the communication would be useless but not hashing the cookies content. And in the end, "it's not hard to log everytime you enter the website", yes maybe. Actually, it doesn't bother me, there's a lot of website without cookies (like bank, webhoster) but as you said, it comes down to convenience for a site like MAL. It's a comfort and when it's not comfortable, it's annoying. |
|
| Maybe I understood you, maybe I didn't. It is still better to use the correct terms and words. Other people might not know what you are saying. Hashing no matter how good only ensures integrity on the security side. A cookie sniffer can do nothing with an encrypted cookie. Why? He doesn't know the secret to properly decrypt it. With a hashed cookie is possible to unhash it and extract the information wanted. For MAL, if a hacker took a user's cookie and logged in he can gain access to their email address. Is that not sensitive information? There are many things that a black hat can do with an email address. Phishing attacks, signing up the email to other websites, etc etc. |
|
xuezhi said: For MAL, if a hacker took a user's cookie and logged in he can gain access to their email address. Is that not sensitive information? There are many things that a black hat can do with an email address. Phishing attacks, signing up the email to other websites, etc etc. So I have to log in 5 times a day just to protect my e-mail address? The e-mail address I also use on forums where it is visible by default? Fuck you. Just... fuck you. |
| huh on Opera this actually FIXED login for me couldn't stay logged in for like 3-6 months today whole day i can. |
| I got problems as well. I keep getting log out at some moment in time. I'm using Chrome. |
| same here. whatever i turnoff my interet when i using exployer (dont ask why) i keep getting relog every time, but with opera there is no problem (Lithuania) |
| I didn't know a problem like this existed until I checked the MAL Home a few minutes ago...I have no problem with regards to login, but (I don't know if this is a side effect) the info chart (or stats, whatever you call it) takes weeks to update when it usually change asap before. Not that it's a hassle, I just noticed. |
 |
spiels said: I didn't know a problem like this existed until I checked the MAL Home a few minutes ago...I have no problem with regards to login, but (I don't know if this is a side effect) the info chart (or stats, whatever you call it) takes weeks to update when it usually change asap before. Not that it's a hassle, I just noticed. That's actually an issue for almost majority of the people on MAL including myself. |
| HTTPS doesn't fix this issue. Targeting the IP is not the answer either, some people use mobile phones to connect to MAL (there are cases when the IP of the mobile connection could change with every request). HTTPS is a protocol which encrypts the data before they are transferred from you to the server and vice versa, it's meant to prevent people from sniffing the transmitted data. The cookies are already transmitted data, so anyone can steal your cookie and use it in another pc and hijack your session which gives him access to your account without the need to login. Using SSL session ids combined with the cookies, could generate an almost decent fingerprint but it's still not safe enough. Maybe instead of saving an IP for each user, you save user arrays for each IP. I know this doesn't fix it either (at least not ideally) but it's 7am, I'm going to sleep :( |
SenseiBanzaiJun 30, 2013 1:08 AM
| User from Greece here. It is kind of annoying but for me I stay logged for a whole day so I only need to log in the next day I turn on my PC. Ofc, it would be much better if it was like before but I can wait. |
 |
SenseiBanzai said: HTTPS doesn't fix this issue. Targeting the IP is not the answer either, some people use mobile phones to connect to MAL (there are cases when the IP of the mobile connection could change with every request). HTTPS is a protocol which encrypts the data before they are transferred from you to the server and vice versa, it's meant to prevent people from sniffing the transmitted data. The cookies are already transmitted data, so anyone can steal your cookie and use it in another pc and hijack your session which gives him access to your account without the need to login. Using SSL session ids combined with the cookies, could generate an almost decent fingerprint but it's still not safe enough. Maybe instead of saving an IP for each user, you save user arrays for each IP. I know this doesn't fix it either (at least not ideally) but it's 7am, I'm going to sleep :( The problem of cookie sniffing was when the site only had the login page as HTTPS and the rest of the session was in normal HTTP. This problem is solved if the entire session is in HTTPS. I agree storing and using IPs for each user is not ideal b/c some IPs are dynamic and not static. Using the MAC address would be better imo. I need to stop coming to this thread and talking about stuff related to work when I am not at work. T__T |
|
| My situation is a little odd. My password and username are not accepted if I check the 'remember me' box, but I can login fine otherwise. I'm in the UK. |
| Is there no other options/choices for the Singapore users? I dont like the idea of having to use proxy every single time. This problem has been bugging me for almost 6 months, I have tried to be patient but I think its been too long. Its too hard for me to be faithful to a site which hasnt been operational for myself and other users. Please pardon if I sound harsh, but the frustrations of failing to log in is really vexing. Please solve the problem for SG users w/o the use of proxy. Thanks. |
| Does anyone know a way to fix the delay Anime stats update. It takes about 1 or 2 weeks for MAL to update my stats >_> This have probably already been mentioned 1000 times. :P |
 |
| Same problem here (Morocco !) anyways it is okay we can live with that hahaha ! |
| I'm still having problems with login. Everyday I access the site I have to reconnect, even leaving the reminder option checked and cleaned my cookies. I am suffering with this same case for months, I believe that since last year. I'm in Brazil and use Google Chrome and Internet Explorer. I hope it is resolved soon, it is very annoying to have to log in every time. |
 |
| I still come across this problem. I'm only limited to updating my list. I live in Miami, Florida. |
 |
| Since yesterday there's a problem with MAL, if I want to access my profile or any other site on MAL, even this forum page, I get a 403 forbidden Error. The Message: Forbidden You don't have permission to access /animelist/klose91 on this server. or this Forbidden You don't have permission to access /forum/ on this server. |
 |
| I don't know about anybody else, but: - My lists update instantly - I face no "login problem" - The site is working very fast for me (btw, I'm using MAL Updater most of the time) Just letting the Admin know. |
klose91 said: Try reseting your router.Since yesterday there's a problem with MAL, if I want to access my profile or any other site on MAL, even this forum page, I get a 403 forbidden Error. The Message: Forbidden You don't have permission to access /animelist/klose91 on this server. or this Forbidden You don't have permission to access /forum/ on this server. |
| Will this problem ever be fixed? It was literally fine just for a few days. now it's returning again. |
|
| well, it's still bothering me but it's not that big problem, i have no choice ;) |
 |
| Is this ever going to be fixed? The website doesn't work for me anymore; it doesn't even load. I reset my router, one time out of ten I might get lucky. But wait, oh... it's not loading again the next day. I have to use a proxy to even access the site anymore. Seriously, is this going to be fixed? Because I'm about to give up. I understand most of the members on here are probably from the US, but you can't leave the website half-broken (and in my case, completely dismantled) for so many users. |
More topics from this board
» [Challenge] You Should Read This Manga 2024 ( 1 2 3 4 5 )Kineta - Feb 23 |
211 |
by niladribarua
»»
5 hours ago |
|
» Moderators Wanted! Accepting applications for all positionsKineta - Yesterday |
0 |
by Kineta
»»
Yesterday, 6:46 PM |
|
» Try MAL's New Mobile Site! ( 1 2 3 4 5 ... Last Page )Xinil - Feb 15, 2015 |
423 |
by RED-clover12
»»
Apr 24, 10:19 AM |
|
» Planned 5hr Maintenance, Thursday April 25 @ 1am-6am PTKineta - Apr 22 |
0 |
by Kineta
»»
Apr 22, 8:10 PM |
|
» New Site Update: Peak Anime 🗻 ( 1 2 3 4 5 )Kineta - Mar 31 |
213 |
by Lancelot73
»»
Apr 21, 4:28 AM |