Chris "Slarti" Pinard (slarti) wrote in ljlogin,

ScrapBook authentication

Okay. One bugaboo that several people, myself included, have grumbled about is that despite LJlogin assuring you that you're logged in, ScrapBook refuses to believe it. Well, I've finally done about as thorough an investigation as I can manage, and the results... are not good, and have me rather annoyed.

Once upon a time, there was the ljsession cookie, which represented the sum totality of authentication and session management. Then a bunch of pwnage happened, and LJ realized how hellaciously insecure that was, so they went to what they referred to as the "2+n cookie scheme". In the 2+n scheme, there's the ljmastersession cookie, which is similar to but more complex than ljsession used to be, and the ljloggedin cookie, which provides a uid/sessionid mapping. Those are the "2", and the "+n" are what they call "domain session cookies", one per user account whose journal you visit. The idea is that the most a person who sets up some malicious JavaScript in their journal layout can manage to thieve is the domain session cookie, which doesn't provide enough info to pwn your account.
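To make the scoping argument concrete, here is an added toy model of the 2+n scheme (my illustration, not LJ's or LJlogin's code). The cookie names ljmastersession and ljloggedin come from the post; the host names, the cookie values, the per-journal cookie name `ljdomsess.<user>` and the rule that each domain session cookie is scoped to that journal's own host are assumptions made for the example.

```python
# Toy model of LJ's "2+n cookie scheme": two master cookies on the main
# site host, plus one domain session cookie per visited journal, each
# scoped to that journal's host. Host names, values and the per-journal
# cookie name are assumptions, not taken from LJ.
MAIN_HOST = "www.livejournal.com"
SITE_SUFFIX = ".livejournal.com"


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265-style match: host equals cookie_domain or is a subdomain of it."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def build_two_plus_n_jar(visited_journals: list) -> list:
    """Constructed cookie jar for a logged-in user who visited the given journals."""
    jar = [
        {"name": "ljmastersession", "value": "MASTER-PLACEHOLDER", "domain": MAIN_HOST},
        {"name": "ljloggedin", "value": "uid:sessid-PLACEHOLDER", "domain": MAIN_HOST},
    ]
    for user in visited_journals:  # the "+n": one cookie per journal host
        jar.append({"name": "ljdomsess." + user,
                    "value": "DOMSESS-PLACEHOLDER-" + user,
                    "domain": user + SITE_SUFFIX})
    return jar


def visible_to_script(jar: list, page_host: str) -> dict:
    """Cookies that JavaScript running on page_host (e.g. a journal layout)
    can read: only those whose domain matches the page's host."""
    return {c["name"]: c["value"] for c in jar
            if domain_matches(page_host, c["domain"])}


def grants_full_session(cookies: dict) -> bool:
    """The account is only fully usable with both master cookies present."""
    return "ljmastersession" in cookies and "ljloggedin" in cookies


if __name__ == "__main__":
    jar = build_two_plus_n_jar(["alice", "bob"])
    # A hostile layout on alice's journal sees just alice's domain session.
    leaked = visible_to_script(jar, "alice" + SITE_SUFFIX)
    print(leaked, grants_full_session(leaked))
```

Under this model a layout on alice's journal gets neither the master cookies nor bob's domain session cookie, which is the property the scheme is built for.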

So what happened to good ol' ljsession? Well, if you log in via login.bml, it gets set to the value of a domain session cookie that ScrapBook can recognize. Problem is, the creation of a domain session cookie can only happen on LJ's servers, because they require a lookup/generation of a time-based randomized "secret" that's stored in LJ's database. Everything else that goes into a domain session cookie, I can construct, but without that secret, I can't actually create one, and LJ's client interface provides for no such thing.

I could, probably, theoretically, do something involving making requests to login.bml and scraping the results I got, but that would be a much more complex, probably error-prone, and ultimately disgusting procedure, so just so everyone knows, I'm considering "ScrapBook login compatibility" to be way the hell down towards the bottom of the feature pile. If someone wants to find someone at LJ to talk to to add a "generate a domain session cookie based on your existing master session stuff" client protocol call, that'd be awesome, but I really can't be arsed to do the necessary "which comm do I post to, and how can I be sure I talk to an Actual LJ Person and not a Volunteer Who Can Only Pass Things Along To Actual LJ People" investigation myself right now, when I have to worry about getting myself organized to work on the chunks of code I can readily improve myself.

Okay. End of tl;dr rambling and ranting.
Tags: annoyance, scrapbook