Release 86 and Cookie Handling

Oct 26, 2011 13:45

Release 86 is out and those who use certain browser extensions to log into Livejournal are finding themselves unable to do so. Also, several users are finding that they are logged out randomly between redirect screens on the site. I'm guessing that these are related. A staff member commented in the release 86 post that something was changed in the ( Read more... )

client, client: ljlogin, *fixed, client: sessions, client: flat


Comments 34

pauamma October 26 2011, 20:30:07 UTC
I understand the LJLogin dev (slarti) is now aware of the problem. If you wish to help implement or test a fix, you should probably talk to them directly. Only thing I can say is that the fix will probably be on the ugly side, see http://dw-maintenance.dreamwidth.org/38097.html?thread=921553#cmt921553.

Reply

vanya_elda October 26 2011, 20:43:31 UTC
Thanks. I'll contact them once I'm out of class and see if they need a hand figuring this out. From the looks of the discussion at that link, it's not going to be pretty.

Reply

Do you know the essence of the change?
born_on_earth October 26 2011, 23:57:55 UTC
Where can I see what has changed in the handling of cookies - maybe I could work around that?

Reply

Re: Do you know the essence of the change?
pauamma October 27 2011, 19:16:46 UTC
(The comment has been removed)

vanya_elda October 27 2011, 15:35:54 UTC
Thanks, Yuri! And yes, I would like to know what changes were made because none of the backup applications are working right now.

Reply

pauamma October 27 2011, 19:28:58 UTC
Flat protocol refers to flat vs. XMLRPC, not the authentication specifics.

Also, http://pastie.org/private/oltvmio30cpusx5angmdyw says ljuniq may no longer be needed, FWIW.

Reply

vanya_elda October 28 2011, 15:31:48 UTC
Take a look at the original post for a helpful hint.

Reply


pbristow October 27 2011, 15:14:02 UTC
Does this also explain the *VERY SERIOUS* security breaches that people are reporting? As in, people finding themselves apparently logged in as someone else entirely, with complete access to someone else's journal, i.e. the ability to read their locked and *private* posts, and to edit them, and potentially make fake entries as that person?

Also, the fact that people are unable to use any export-based backup utilities to protect their journals against whatever screw-up happens next?

(As it happens, my own PC is in a state right now where I can't run an LJ backup anyway, otherwise that is *exactly* what I would desperately be trying to do right now!)

Reply

vanya_elda October 27 2011, 15:30:38 UTC
Have you checked out lj_releases in the past 24 hours? It's a BIG problem and Release 86 is to blame. I don't know if the redirection problem (i.e. people being sent to someone else's journal) or the default language settings mixups are directly the result of the new cookie handling, but I'm willing to say it is playing a part.

And yes, the cookie handling is why virtually none of the backup and login applications are working. Semagic still partially works. You can at least log in and make a post or view ONE previous post by clicking the "last entry" button; however, the calendar view will not work. Basically, if you want to back up your journal, your only option at the moment is to manually save each journal page as a webpage or text file.

ETA: Forgot to say, if you have a Dreamwidth account, their LJ importer is currently working, but you have to save your LJ password on their site in order for it to work, at the moment. They're trying to fix it so you don't have to save it, but as I understand it, it's a mess right now thanks to Release 86.

Reply


slarti October 28 2011, 02:00:15 UTC
At the moment, to the best of my knowledge, the only way to get all the right cookies is to scrape a call to login.bml, which is a really ugly way to do things that I've been trying for years to ever avoid doing. I don't see any update to the client protocol docs talking about this new protocol version, which makes me suspect they haven't actually updated the protocol API itself.

(I wonder just what API the LJ-produced iOS LJ client uses. I'd be rather surprised if they screen-scrape the regular site in all its marvelous myriad of possible styles, but it also doesn't seem likely that they're using the same old creaky protocol. If there is a new one, could the rest of us use that too, please, LJ? With actual documentation and a sense that we've moved up to modern web technologies?)

Reply

pw201 October 28 2011, 12:56:41 UTC
My scripts using the challenge/response auth stuff on the XMLRPC interface are still working: doing that avoids cookies completely. However, there isn't a documented comment export interface that works without cookies (there is an undocumented one which the iPhone client uses, I believe).

Reply

vanya_elda October 28 2011, 15:33:26 UTC
Dreamwidth is attempting to find a way to do it without cookies, but I don't think they've found a solution, yet.

Reply

pw201 October 28 2011, 16:01:32 UTC
Do they know about the new comments API? It's been mentioned here before.

Reply


soundwave106 October 28 2011, 15:12:38 UTC
My app LJ-Sec also broke with this release.

For the record, it uses the flat API interface and a challenge / response mechanism (using getchallenge). Everything works right up to the point where the getevents API is invoked. At that point, Livejournal returns an "invalid password".

This is strange because all of the other APIs invoked before (syncitems and login) work fine with the hash routine I use, and the getevents API was working until recently.

XML-RPC does appear to work fine (I tested LJArchive which is XML-RPC and it does not appear to be affected), but converting my app to XML-RPC would be a huge PITA. (I also think many other legacy flat interface apps that are not being maintained would become permanently broken by this.)

If there is anything extra that now needs to be done for this call to work, I would like to know. (And, if this is a bug, I'd like to see it fixed. :) ) Thanks!

Reply

soundwave106 October 28 2011, 15:15:55 UTC
(I should also note that I do not use cookies in my application.)

Reply

vanya_elda October 28 2011, 15:17:02 UTC
I updated my OP with an e-mail from the LJ Juggler developer that explains what happened. They were able to fix their app.

Reply

soundwave106 October 28 2011, 15:52:16 UTC
Thanks.

However, I don't use cookies, I use challenge / response. Still, it's probably related; whatever cookie changes they made also broke the getitems flat call. Sounds like a few other applications like Semagic are in the same boat.

Just now, I was able to get my application to work by changing over to the less secure auth_method=clear method for *the getitems flat API call only*. Both password and hpassword at least work so I can provide *slight* security (MD5) but argh, thanks Livejournal for forcing me to use a *less* secure protocol. *facepalm*

I think I'll hold off on a full release until I'm sure that Livejournal won't be fixing this. I would far prefer to continue using challenge/response.

Reply
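The difference pw201 and soundwave106 are describing (challenge/response via getchallenge versus auth_method=clear with password or hpassword) is easiest to see in code. The following is an added example, not code from LJ-Sec, from LiveJournal, or from any commenter. It assumes the documented LiveJournal construction auth_response = md5(challenge + md5(password)), models the flat protocol's alternating key/value reply lines, and uses a constructed getchallenge reply and challenge string (the real server's challenge format and expiry fields are not reproduced from the page). It shows why hpassword is only "slight" security: it is a fixed value that is identical in every request, whereas a challenge response changes with each challenge and can be verified from the stored md5(password) alone.

```python
"""Flat-protocol auth helpers (added example; assumes the LJ challenge/response scheme)."""
import hashlib
import hmac
from typing import Dict, Optional
from urllib.parse import urlencode

# Constructed sample: what a mode=getchallenge reply looks like in the flat protocol
# (alternating key and value lines). The challenge value itself is made up.
SAMPLE_CHALLENGE = "c0:1319830000:300:60:constructed:example"
SAMPLE_GETCHALLENGE_REPLY = (
    "challenge\n" + SAMPLE_CHALLENGE + "\n"
    "expire_time\n1319830300\n"
    "server_time\n1319830000\n"
    "success\nOK\n"
)


def md5_hex(s: str) -> str:
    """Hex MD5 of a UTF-8 string; the protocol hashes the raw password this way."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def parse_flat_response(body: str) -> Dict[str, str]:
    """Parse a flat-protocol reply: line 2k is a key, line 2k+1 its value.

    Values may legitimately be empty, so pairing is positional; blank lines
    are never skipped, otherwise later keys would shift into value positions.
    """
    lines = body.split("\n")
    if lines and lines[-1] == "":  # drop the single trailing newline only
        lines.pop()
    if len(lines) % 2:
        raise ValueError("odd number of lines in flat response")
    return {lines[i]: lines[i + 1] for i in range(0, len(lines), 2)}


def challenge_response(challenge: str, password: str) -> str:
    """Client side: auth_response = md5(challenge + md5(password))."""
    return md5_hex(challenge + md5_hex(password))


def build_auth_fields(method: str, password: str,
                      challenge: Optional[str] = None) -> Dict[str, str]:
    """Auth fields for one flat request under the three methods discussed in the thread."""
    if method == "challenge":
        if not challenge:
            raise ValueError("challenge method needs a fresh value from getchallenge")
        return {"auth_method": "challenge", "auth_challenge": challenge,
                "auth_response": challenge_response(challenge, password)}
    if method == "clear_hpassword":  # auth_method=clear with the MD5 of the password
        return {"auth_method": "clear", "hpassword": md5_hex(password)}
    if method == "clear":            # auth_method=clear with the plaintext password
        return {"auth_method": "clear", "password": password}
    raise ValueError(f"unknown auth method {method!r}")


def flat_request_body(mode: str, user: str, auth: Dict[str, str], **args: str) -> str:
    """URL-encoded POST body: mode, user, the auth fields, then the call's own arguments."""
    return urlencode({"mode": mode, "user": user, **auth, **args})


def verify_challenge_response(challenge: str, stored_hpassword: str,
                              auth_response: str) -> bool:
    """Server side: only md5(password) needs to be stored; compare in constant time."""
    return hmac.compare_digest(md5_hex(challenge + stored_hpassword), auth_response)


def is_replayable(auth_a: Dict[str, str], auth_b: Dict[str, str]) -> bool:
    """True when two independent requests carry identical credential material,
    i.e. a captured request body could simply be resent as-is."""
    return auth_a == auth_b


if __name__ == "__main__":
    reply = parse_flat_response(SAMPLE_GETCHALLENGE_REPLY)
    chal = build_auth_fields("challenge", "example-password", reply["challenge"])
    print(flat_request_body("getevents", "someuser", chal, selecttype="lastn", howmany="1"))
    again = build_auth_fields("challenge", "example-password", "c0:another:constructed")
    print("challenge responses differ per challenge:", not is_replayable(chal, again))
    hp1 = build_auth_fields("clear_hpassword", "example-password")
    hp2 = build_auth_fields("clear_hpassword", "example-password")
    print("hpassword is identical every time:", is_replayable(hp1, hp2))
```

The verify function is the reason the challenge method is cheap for the server: it never needs the plaintext, only the same md5(password) that hpassword would have sent in the clear. Note that the challenge scheme's protection against resending a captured request rests entirely on the server refusing expired or reused challenges; the client can check expire_time from the reply but cannot enforce it.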


