LiveJournal Client Discussions

Suddenly I realized something was wrong... [Jul. 26th, 2004|04:58 pm]
lj_clients

[fbartho]
[mood |stumped...]

I am stuck... Am working slowly but surely on my plan to interface LiveJournal with my website via PHP, and I suddenly realized that the xmlrpc method needs to be told who the viewer is... As of now, it only posts the most recent journal entry on my site: http://digitalsneeze.com/forums/ffb_ljsetup.php?uid=2 and it completely does not check if the reader is authorized to do so... That means if my last post is private, anyone can see it, but what I realize is that the only method around this is that when a user logs in to my site, it also logs in to LiveJournal, meaning it needs access to existing LiveJournal cookies and the ability to make new ones if I need to... Am I mistaken here? And if not, what do I do? Let me know what you guys think...

Thanks,
>>Frederic
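
One way to close the gap described in this post without authenticating the reader is to have the site display only entries that LiveJournal marks as public. This is an added example, not part of the original post or the poster's code; it assumes the `security`, `allowmask` and `eventtime` fields of a decoded `getevents` XML-RPC reply, and the function names and sample entries are made up for illustration.

```php
<?php
// Added example (hypothetical helper names). Assumption: in a decoded
// getevents reply an event carries a "security" key ("private" or
// "usemask") only when it is NOT public.

/**
 * Return only events that are safe to show to an unauthenticated visitor.
 * Fails closed: any "security" key at all, whatever its value, hides the entry.
 */
function lj_public_events(array $events): array
{
    return array_values(array_filter($events, function ($ev) {
        return is_array($ev) && !array_key_exists('security', $ev);
    }));
}

/** Pick the newest public entry, or null if nothing may be shown. */
function lj_latest_public(array $events): ?array
{
    $public = lj_public_events($events);
    usort($public, function ($a, $b) {
        // "YYYY-MM-DD hh:mm:ss" sorts correctly as a plain string.
        return strcmp($b['eventtime'], $a['eventtime']);   // newest first
    });
    return $public[0] ?? null;
}

// Constructed sample of a decoded getevents reply (not real journal data).
$events = [
    ['itemid' => 3, 'eventtime' => '2004-07-26 16:58:00', 'security' => 'private', 'event' => 'diary'],
    ['itemid' => 2, 'eventtime' => '2004-07-25 09:10:00', 'security' => 'usemask', 'allowmask' => 1, 'event' => 'friends only'],
    ['itemid' => 1, 'eventtime' => '2004-07-24 12:00:00', 'event' => 'hello <b>world</b>'],
];

$entry = lj_latest_public($events);
if ($entry === null) {
    echo "No public entries to display.\n";
} else {
    // Entry text is untrusted on another site; escaping shows markup literally.
    echo htmlspecialchars($entry['event'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

With the sample data the newest entry is private and the next is friends-only, so the page falls back to the oldest, public one instead of leaking the latest post.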

Comments:
From: fbartho
2004-07-27 01:54 pm (UTC)

hmmmm...

As to your first question, you are very right, I just want to add some functionality to my site that would let my users group together their blogs if they want on a page on my site... They can choose to post to my forums, or to their blog after a single choice of a link, and the site will also have an alternate to having a LiveJournal account, if they don't have one, they can still post, it will just be stored on my site rather than on LiveJournal...
Now, with respect to the cookies issue, the fact of the matter is that I knew/know most of the issues, problems, and security concerns with cookies specifically, but what I was hoping was that there was some way to somehow query LiveJournal as to this computer's user's LJ name... thereby bypassing the need for a login to the site to determine the user's permissions... My main issues are not too much with cookies... they are more with my inexperience with LiveJournal and its possible access methods...

I have a lot of random ideas sometimes about things I could have done were I to make such and such site, and even though I intellectually know that a lot of them would just simply never fly due to them being unreasonable for large scale systems... in this case my hope was for a way to "proxy" the LiveJournal through to the user's computer, and if they were logged in, read the username from that "proxy" and if they were not logged in, cause a cookie to be formed somehow, i.e. prompt LiveJournal to set a cookie on their computer... (of course proxy isn't quite the right term to describe what I was hoping for, but it is some approximation)
Now about that cross-site scripting... I do hope that the only thing that happens is for a user's account to be hijacked and then destroyed, plus spamming from the hijacked accounts...

If there is more I should fear, please let me know, I wouldn't actually want to risk the integrity of LiveJournal.

Now for the rest, I will of course explain the risks to my users... and they will have to sign off about it... For stuff that accesses my database that will have LJ data, I am using phpBB, who, as a large coding group with an established history of working to prevent vulnerabilities, I generally trust a bit more to test their code, and I am pretty meticulous in the code I add to modify it, so that I don't provide my own vulnerabilities...

This whole project, my whole website in fact, is something I enjoy doing... It is not that I see a need for something per se, but rather that I see the possibility for something I, and possibly others, could enjoy... and assuming that I don't create horrible hazards to other people's enjoyment of the internet then it amuses me to slam my head into a brick wall until I get the code up and running... and lol I definitely don't attempt to compare myself to bradfitz though I wouldn't mind a similar outcome... :D

From: snej
2004-07-27 02:38 pm (UTC)

Re: hmmmm...

"what I was hoping was that there was some way to somehow query livejournal as to this computer's users lj name"

What's "this computer"? All you know about the machine the browser is running on is its IP address (which is not accurate if it's behind a NAT or proxy) and any cookies it's storing for your website. There's no way LJ could make anything meaningful out of that.

"cause a cookie to be formed somehow, ie prompt livejournal to set a cookie on their computer"

But the only way that could happen is if their browser contacted LiveJournal directly. You don't seem to understand that your server being in the middle makes it a fundamentally different situation than the user's browser talking to LJ.

Cross-site authentication like what you're trying to do is, at this point in time, still in the domain of rocket science. Microsoft's Passport tried to do it. The Liberty Alliance has been working for years on a secure way to do it. It's not going to be a simple matter of using some cookies, unfortunately.

From: fbartho
2004-07-27 04:21 pm (UTC)

heh.

Well see what you think I am describing clearly is in the realm of fiction at the moment and your point about the IP is the reason why I put proxy in quotes. I guess the clearest version of what that whole cookies scenario was trying to accomplish was to somehow route the user to LiveJournal, have the cookie be set and retrieved by LiveJournal essentially transparently but my site would get the username data from that exchange and the transparent page would then redirect back to my site... hehehe... hmmmm... like I said it's one of those things that I bet could be implemented relatively easily, but there would be little point for LiveJournal to do so, and it would probably not scale well, taking up a lot of time/computations for LiveJournal... So basically I follow exactly what you are saying, that you showed me in probably your first comment that my wishful thinking needed to be brought down to earth, and the rest of this is just me alternately whining/trying to explain what my wishful thinking would have liked... and since I'm wishing, I might as well ask for the cross-site logins to be implemented... :D

Thanks for the answers...
>>Frederic