
Comments/Ratings for a Single Item

Index page of The Chess Variant Pages. Our main index page.
🕸Fergus Duniho wrote on Sun, Mar 18, 2012 11:11 PM UTC:

I have put buttons for the Login page in the header for play.chessvariants.org. It is functional, but it is not yet integrated into the rest of the site. This means that you can sign in and out, but signing in won't yet do anything for you. Since I can't access comments for the Login page, I'll describe it here.

You can sign in with either your CVP userid or with an OpenID. Once you sign in, details about you are stored in $_SESSION variables. $_SESSION variables are like cookies but are stored on the server. This will create one cookie that identifies your session id. You can link your CVP account with an OpenID. You do this by signing into one while still signed into the other. Then, once they are linked, you can sign into your CVP account by signing into the OpenID linked to it. This will let you access your account when you forget your password, and it can be used as an alternate way to sign in. When you sign into your CVP account, one more cookie is created. This cookie contains your userid. This cookie will not let anyone sign into your account without your password. Your login session ends when you close your browser, and you will need to sign in next time you come to the site. The userid cookie is meant to persist beyond your session in order to make it easier to sign in again. In the header code I've created, it presents you with a sign in form with your userid already filled in if the userid cookie is set. If your password manager fills in your password, then signing in again is as easy as one click. Without the userid cookie, it just gives you a button to the login page if you are not already signed in.

I expect that site membership will give you more privileges than just signing in with an OpenID. One main use of the OpenID sign in is to expedite registration. By first signing in with your OpenID, you can join the site without email authentication of your identity, and it will also fill in the registration form, as much as it can, with appropriate values, including an available userid that is based on your OpenID userid or your name.

The next step will be to integrate session sign-ins with Game Courier.


🕸Fergus Duniho wrote on Sun, Mar 18, 2012 11:12 PM UTC:
Even though I put HTML in my last comment, it is not wordwrapping as it should. [EDIT: That was due to the long lines in other paragraphs. I have fixed it by adding widths to my paragraphs with CSS.]

(zzo38) A. Black wrote on Mon, Mar 19, 2012 03:57 AM UTC:
I logged in using OpenID, filling in 'zzo38computer' in the SREG nickname field and '(zzo38) A. Black' in the SREG real name field. And then it did not say anything about my being logged in (I did not reload the page), but I filled in the normal form with my username 'zzo38computer' and my password. And then it timed out, but then I reloaded the page and it says I am logged in, including the OpenID.

Did I do it correctly?

In addition, when I try to view logs in the Game Courier, it always fills in my user ID in the username field and if I change it or blank it, it doesn't work. I want to view all logs, not only my own.

🕸Fergus Duniho wrote on Mon, Mar 19, 2012 01:04 PM UTC:

I am unfamiliar with the OpenID provider you used. So I assume you already know what an OpenID is and entered yours in the OpenID field that appears when you click on the OpenID button. It should have reloaded the login page when you signed in. There have been some bugs that have stopped it from reloading, and I have just fixed some. So you could try it again and report back if it works. When you successfully sign in with an OpenID, it should report to you the OpenID you are signed in with. If you saw that reported back to you, then you did it successfully. But the login page should have reloaded and told you of this immediately. Also, I checked if your OpenID is now associated with your CVP UserID, and it is not. If you were logged into both at the same time, this should have happened. I may have to look into this more to make sure it is working both ways.


(zzo38) A. Black wrote on Tue, Mar 20, 2012 04:03 AM UTC:

Yes, thanks, it works now, and now it says the account is linked.

(The username field in the Game Courier logs still fails to work correctly; and I know what is wrong. You use $_REQUEST to access the field and if it has the same name as a cookie, the cookie will override it. You can either change the name of the field, or change the GPC order. So far I deleted that cookie as a workaround, but you should fix it.)


🕸Fergus Duniho wrote on Tue, Mar 20, 2012 12:34 PM UTC:

Thanks for mentioning that before I observed the problem. Yes, using $_REQUEST to get the userid will now be a problem with the userid $_COOKIE. I have replaced the use of $_REQUEST with a conditional expression that returns the value of userid from either $_GET or $_POST.


Gus Duniho wrote on Tue, Mar 20, 2012 01:31 PM UTC:

For security reasons, signing in with an OpenID will first sign you out of any accounts you are in. If the OpenID you are signing into matches one linked to an account, it will sign you into the account. If the OpenID does not match any OpenIDs linked to accounts, but its verified email address matches an email address that is used for exactly one account, it will sign you into that account, and it will link the OpenID you signed in with with that account. So if you then sign in with a different OpenID account that has the same verified email address, it will not sign you into your account, and it will not change the OpenID associated with your account.

The security risk is that if you walk away from your computer while signed on, someone else could sign in with an OpenID and gain access to your userid. By signing you out of your account first, this security risk is eliminated. If you want to change the OpenID linked to your account, you will have to do it by first signing in with an OpenID, then signing into your CVP account. As I have time, I'll also add a confirmation on that, so that you cannot change which OpenID is linked to your account by accident.
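
The sign-in rules described in the comment above, written out as an added example that is not part of the thread or the site's code. The function name, the `$accounts` and `$session` layouts, the case-insensitive email comparison and the sample values are all assumptions made for illustration.

```php
<?php
// Added example, not the site's code. Assumed shapes:
//   $accounts: userid => ['email' => string, 'openid' => ?string]
//   $session:  stand-in for $_SESSION
function openid_sign_in(array &$session, array &$accounts, string $openid, ?string $verifiedEmail): ?string
{
    // Sign out of any account first, so an OpenID login at an unattended
    // browser can never be attached to whoever was signed in before.
    unset($session['userid']);
    $session['openid'] = $openid;

    // 1. An OpenID already linked to an account signs into that account.
    foreach ($accounts as $userid => $account) {
        if ($account['openid'] === $openid) {
            return $session['userid'] = (string) $userid;
        }
    }

    // 2. Otherwise fall back to the provider-verified email address, but only
    //    when exactly one account uses it (case-insensitive match: assumption).
    $matches = [];
    foreach ($accounts as $userid => $account) {
        if ($verifiedEmail !== null && strcasecmp($account['email'], $verifiedEmail) === 0) {
            $matches[] = (string) $userid;
        }
    }
    if (count($matches) !== 1) {
        return null; // OpenID-only session, no account
    }

    // 3. Never replace an existing link: a second OpenID with the same
    //    verified email stays a plain OpenID session.
    if ($accounts[$matches[0]]['openid'] !== null) {
        return null;
    }
    $accounts[$matches[0]]['openid'] = $openid;
    return $session['userid'] = $matches[0];
}

// Constructed sample data: someone else is signed in when the OpenID login starts.
$accounts = ['alice' => ['email' => 'alice@example.org', 'openid' => null]];
$session  = ['userid' => 'bob'];
var_dump(openid_sign_in($session, $accounts, 'https://id.example/alice', 'alice@example.org'));
var_dump(openid_sign_in($session, $accounts, 'https://id.example/other', 'alice@example.org'));
var_dump($accounts['alice']['openid']); // the first link is left unchanged
```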


🕸Fergus Duniho wrote on Thu, Mar 22, 2012 03:36 AM UTC:

I have added a script for changing your password to the Login page. If you have lost your password, you can now set a new one. All it requires is that you have an email address or an OpenID associated with your account.


🕸Fergus Duniho wrote on Thu, Mar 22, 2012 06:02 PM UTC:

I've been modifying the pages for viewing and editing user information. Instead of displaying your email address, a reCAPTCHA Mailhide is used. This protects your address from robots and spiders while allowing humans to see it. We used to store two email addresses for users. One was a private email you provided when you signed up, and the other was one you could edit. If you didn't want your email address to show up on your information page, you could delete your public email address, as many people have done. I have now consolidated the two email fields into one. Where the public email field was blank, the private email field got copied to it, and a new field for keeping your address private was set. Otherwise, the public email address was presumed to be more up-to-date and kept as your address.

These changes can be seen in the editmember.php page. The email field has been moved down and disabled. You cannot use that form to change your address. Instead, there is a separate script for changing your email address that sends a confirmation email to the new address and changes it after you confirm the change. There is a new checkbox for keeping your address from appearing on your information page. Since your address always shows up on editmember.php, that page is now accessible only when you are signed in to the account it is for. So you can't peek at the editmember pages of other users. Since your address is now more secure than it used to be, you may want to uncheck the option for keeping it off your information page. As it is now, no one can see it without answering a CAPTCHA.

Additionally, the form for changing your password has been removed from editmember.php, and it has been replaced with a link to a script for changing your password. Besides letting you change your password when you are signed in, it will let you change your password when you have forgotten it.


Ben Reiniger wrote on Thu, Mar 22, 2012 09:47 PM UTC:
I can't seem to get myself logged in now. Let me see if this message goes through... Yes, that worked. Hmm.

🕸Fergus Duniho wrote on Thu, Mar 22, 2012 10:19 PM UTC:
Logging in still isn't used for posting messages. That's still done by entering your userid and password.

F Duniho wrote on Thu, Mar 22, 2012 11:06 PM UTC:
There was a problem with logging in due to a change I made to php.ini. I had removed C from variables_order, so that the userid cookie wouldn't create problems in scripts that get a userid form value. It appears that C needs to remain in the EGPCS for sessions to work. So I put it back in. I'll probably just rename the cookie.
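
The `$_REQUEST` collision raised earlier in the thread and the fix of reading the field from `$_GET`/`$_POST` only, as an added example that is not part of the thread or the site's code. `build_request()` and `form_value()` are hypothetical helpers and the request values are constructed; PHP's `request_order` directive (5.3 and later) controls the contents of `$_REQUEST` alone, so cookies can be kept out of it while `variables_order` still populates `$_COOKIE` for sessions.

```php
<?php
// Added example: models how PHP fills $_REQUEST from request_order
// (or from variables_order when request_order is not set). Sources are
// registered left to right, so a later letter overwrites an earlier one.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged  = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {          // E and S never feed $_REQUEST
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Reads a form field from POST, then GET, and never from cookies.
// Non-string values (e.g. userid[]=x arrays) are rejected.
function form_value(string $name, array $get, array $post): ?string
{
    foreach ([$post, $get] as $source) {
        if (isset($source[$name]) && is_string($source[$name])) {
            return $source[$name];
        }
    }
    return null;
}

// Constructed sample request: the log viewer is asked for another player's
// logs while the persistent userid cookie is present in the browser.
$get    = ['userid' => 'someotherplayer'];
$post   = [];
$cookie = ['userid' => 'zzo38computer'];

// With cookies last in the order, the cookie shadows the form field.
var_dump(build_request('EGPCS', $get, $post, $cookie)['userid']);

// With cookies left out of the order, the form field is what scripts see.
var_dump(build_request('GP', $get, $post, $cookie)['userid']);

// Reading the explicit sources is independent of any ini setting.
var_dump(form_value('userid', $get, $post));
```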

Ben Reiniger wrote on Fri, Mar 23, 2012 03:31 AM UTC:
Yes, the login wasn't working from the Play page; I just wondered whether something was wacky with my id/password, that's why I tested the message here. Now I can get logged in from the Play page, thanks.

🕸Fergus Duniho wrote on Fri, Mar 23, 2012 03:59 AM UTC:
The reCAPTCHA for hiding the email is now linked to a PHP drawn image of the email address, which draws the letters in different fonts, colors, and sizes at different angles and heights. This is designed to be readable to a human but not to a bot. The code for drawing the email address gets it from the database. So it doesn't appear in the URL.

🕸Fergus Duniho wrote on Fri, Mar 23, 2012 11:58 AM UTC:

I have replaced the reCAPTCHA mailhide code on displayperson.php with my own custom CAPTCHA code that displays the email address as a CAPTCHA along with piece images from randomly selected Chess fonts. To get an email mailto link, just solve the CAPTCHA, whose solution happens to be the email address. Click on my name to the left of this message for an example.


🕸Fergus Duniho wrote on Fri, Mar 23, 2012 10:48 PM UTC:

The email CAPTCHA should be bot-proof now. Maybe it was already bot-proof, but the latest changes I've made should require AI on a par with human intelligence to solve, or at least something far more sophisticated than I expect to be searching our websites for email addresses. It now uses a variety of randomly generated colors within a range that is dark enough for a white background. After everything gets written, the colors get scattered, such that neighboring pixels rarely have the same color, but not so much that humans will even take much notice of the differences. Finally, it is rendered as a JPG, which is a lossy format. The bottom line is that your email addresses are now safe from bots on this site. If you still want to keep your email address private, all you will gain is privacy from other humans. Privacy from bots is taken care of.


🕸Fergus Duniho wrote on Mon, Mar 26, 2012 04:48 PM UTC:

I am having trouble uploading files both by ftp and with the file manager. This has been going on for a few days and is rather frustrating. The result is that there are sometimes delays between spotting a bug and replacing it with working code. Although the problem seems to be on my end, I haven't isolated the cause.


🕸Fergus Duniho wrote on Tue, Mar 27, 2012 01:05 AM UTC:

I have now added code to Game Courier for recognizing players who are signed in. So far, it is available for accepting invitations and for moving. My tests so far indicate that it is working properly. I have moved in one game using the new method, and I will test it more as my turn comes around in other games I'm playing. If you're not signed in already, it will ask for your password as usual, then sign you in if it is correct. This is so it doesn't behave too differently from before.

A note to David. I rewrote the pass_okay function in play/pbm/userid.php. Before it checks whether the password is correct, it checks whether the user is already signed in. If the user is not already signed in, and the password is correct, it signs the user in.


🕸Fergus Duniho wrote on Tue, Mar 27, 2012 01:13 PM UTC:

Moving while signed in seems to be working well in Game Courier. This morning, I moved the setcookie expression from pass_okay to the header code for play.php. It checks the value of the userid in the session and sets the cvpuser cookie to it if it has a value.


Nicholas Wolff wrote on Thu, Mar 29, 2012 03:21 AM UTC:
Hey Fergus!

Maybe I'm doing it wrong, but I don't think so. I am using an OpenID using my Facebook account. It says to link a CV account using it, I have to then log in with my CV account after getting the OpenID up and running. I go that far. The trouble is that I don't think the CV account is fully linking up with the OpenID. When I try to make a move, it says that I need to be logged in. It says my name up in the top right so I know I'm logged in. Can you please assist? Thank you for your help!

Best,
Nick

🕸Fergus Duniho wrote on Thu, Mar 29, 2012 01:12 PM UTC:

Okay, it should work now. I was using a variable without defining it first. I deleted my OpenID from the database and used the fixed code to put it back. When it works correctly, you will see this message on the Login page near your OpenID: 'This OpenID is linked to your CVP account, such that signing in with it will automatically sign you into your CVP account.' Before showing this message, it checks the database to make sure the OpenID you are signed in with is connected to your account.


🕸Fergus Duniho wrote on Thu, Mar 29, 2012 06:01 PM UTC:
I have made a few slight modifications to indexingfuncs.php and to globalindex.css that will prevent most comments from being made too wide when some other comment is too wide. I changed the SPAN that surrounds the comment to a DIV, and in the style sheet I added a max-width attribute of 800px. The reason for switching to DIV is that max-width does not work with SPAN. The main problem now is with comments that are surrounded by PRE tags and have since lost their original linefeeds. I edited one to have suitable linefeeds but decided to stop there.

🕸Fergus Duniho wrote on Thu, Mar 29, 2012 08:20 PM UTC:
To make your email address even more secure, I have added bot and browser detection to the script that draws the email CAPTCHA. If it detects a bot or doesn't recognize the browser, it will display a different message than your email address. Firefox, Internet Explorer, Opera, Chrome, and Safari should all be recognized.

🕸Fergus Duniho wrote on Fri, Mar 30, 2012 12:30 PM UTC:
We have been using case-insensitive passwords here, but the login and password changing code I recently wrote did not take this into account. Since case-sensitive passwords are more secure, and it is easy enough to change your password if you forget it, I have decided to go with case-sensitive passwords. However, the database is full of case-insensitive passwords. So, I have built in backwards compatibility for case-insensitive passwords while allowing for new passwords to be case-sensitive. I have also modified the password checking code for posting comments. This comment will be a test that it works.
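
One way to keep old case-insensitive passwords working while new ones are case-sensitive, as an added example that is not the site's code. The thread does not say how passwords are stored, so the record layout, the `legacy_ci` flag, the use of `password_hash()` and the upgrade-on-login step are all assumptions.

```php
<?php
// Added example, not the site's code. Assumed record layout:
//   ['hash' => string, 'legacy_ci' => bool]
// legacy_ci = true means the hash was computed over the lowercased password.
function make_record(string $password, bool $legacyCi = false): array
{
    $material = $legacyCi ? strtolower($password) : $password;
    return [
        'hash'      => password_hash($material, PASSWORD_DEFAULT),
        'legacy_ci' => $legacyCi,
    ];
}

// Returns [bool $ok, array $record]. A successful legacy login returns an
// upgraded, case-sensitive record that the caller should store.
function check_password(array $record, string $attempt): array
{
    if (!$record['legacy_ci']) {
        return [password_verify($attempt, $record['hash']), $record];
    }
    if (!password_verify(strtolower($attempt), $record['hash'])) {
        return [false, $record];
    }
    // Legacy match: re-hash exactly as typed so later checks are case-sensitive.
    return [true, make_record($attempt)];
}

// Constructed sample: an old account stored case-insensitively.
$old = make_record('Knight2F3', true);

// Any casing is accepted once for the legacy record, which is then upgraded.
[$okLegacy, $upgraded] = check_password($old, 'kNIGHT2f3');

// After the upgrade only the casing used at that login is accepted.
[$okSame]  = check_password($upgraded, 'kNIGHT2f3');
[$okOther] = check_password($upgraded, 'KNIGHT2F3');

var_dump($okLegacy, $upgraded['legacy_ci'], $okSame, $okOther);
```

Upgrading on login fixes whatever casing the user typed that time, so a site using this approach would want to tell the user that the password has become case-sensitive.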

🕸Fergus Duniho wrote on Fri, Mar 30, 2012 12:31 PM UTC:
Here's another test. For this test, I will enter my password differently.

25 comments displayed
