ID: 11 Title: 7k Authentication (Login) Procedure Replies: 1 Read: 1598 Author: 1
Name: Tom Yang  Posts: 110    Vancouver Time: 2003-1-29_2:35:6
Your 7knots password is lower-cased, then coded by UNIX encrypt(). Once that's done, there are very few experts in the world who can read it back. After Feb 1, 2003, we save your real readable password somewhere else for the password reminder services.

When a visitor surfs around 7k and hits a protected link, e.g. "edit" or "add", or wants to see your protected email address, the Apache httpd sends a request to your local browser for authentication. A small window pops up asking for her/his user name and password. 7k uses your FULL email address for username. Don't just enter the first part of your email and get frustrated. Why don't we do what eBay or Yahoo do and let users choose their own usernames?! Well, if I sign up on eBay or Yahoo today, my usual username "tomyang" has been long taken. I have to settle for something like "tomyang975" or "1962tomyang-2". I think I can remember my email address better than the "tomyang975" thing.
Anyway, after s/he enters the full email address and password, Apache greps it and asks MySQL to query his/her (email, password) in the database. Email is not case sensitive, but password is. If they match, Apache lets him/her in and proceeds to the "edit" or "add" script. At the same time, the underlying Perl script gets all his/her information from Apache for future use. For example, if s/he wants to add a boat, once s/he logs in, the boat form pops up with all the default values already filled in. Your name, address, website, ... are all there pre-filled. They are from the authentication process.

How often do you have to do the authentication, though? The current setup is as long as your browser session lives. Apache writes cookie files in your local browser, so the next time you hit a secured area, he knows you're already checked in and won't bother you again. But, say, you edited your sailor profile and changed your password. And now you want to post a forum reply. Bang, the little window pops up again for the password. If you leave your Internet Explorer on all the time, you don't have to do the authentication again unless you close the browser and relaunch IE. Is this dangerous? Yes! If you leave the internet cafe without totally closing IE (or Netscape, Mozilla, etc.), the next user sits down and starts to edit, delete your data without any password. All we can do is shorten the cookie expiration time, but again, there's no way for 7k to know who is sitting in front of the keyboard now.

What if you forgot your password?
Click on the "Forgot Password?" link in the homepage area. When a small form pops up, enter your email address twice and we'll send it to you at that address. Most people today have many email addresses. They not only forgot their 7k password, they don't even know what email address they use at 7k. If you enter a new email address and request your password, we can't find it in the database. Help yourself and search for the email you use under the "Sailor" section. Do you remember your name? Location? Quickly you can find it and click on your email. (If you protect your email from the general public, you're dead. Cuz you're the general public, now.)

If you signed up before Jan 31, 2003, for security considerations, we didn't save your password in readable form. You can send an empty (nobody reads it) email to "pwreset@7knots.com" to reset the password. The system scans pwreset's messages every 10 min; once it sees your empty letter, it'll verify if this comes from an address that is indeed in the database. It'll reset the password to a new one and send it to you right away.
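The post above describes lower-casing the password before hashing and keeping a readable copy for reminders. The Python sketch below is an added example, not 7knots code: it shows that case-folding makes differently-cased passwords interchangeable, next to a variant that hashes the password exactly as typed and replaces the readable copy with a one-time reset token. PBKDF2-HMAC-SHA256 stands in for UNIX crypt here; the function names, the iteration count and the sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor for this sketch; tune for your hardware


def _kdf(password: str, salt: bytes) -> bytes:
    """Slow, salted hash (PBKDF2 used here in place of UNIX crypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll_lowercased(password: str, salt: bytes) -> bytes:
    """Scheme as the post describes it: case is folded away before hashing."""
    return _kdf(password.lower(), salt)


def enroll(password: str) -> tuple[bytes, bytes]:
    """Hardened variant: random per-user salt, password hashed exactly as typed."""
    salt = secrets.token_bytes(16)
    return salt, _kdf(password, salt)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of the recomputed hash with the stored one."""
    return hmac.compare_digest(_kdf(password, salt), stored)


def issue_reset_token() -> tuple[str, bytes]:
    """Instead of a readable password copy: mail the token, store only its digest."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode("ascii")).digest()


def redeem_reset_token(token: str, stored_digest: bytes) -> bool:
    """Accept a mailed token only if its digest matches the stored one."""
    candidate = hashlib.sha256(token.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    fixed_salt = b"\x00" * 16  # constructed salt, only to make the comparison repeatable
    same = enroll_lowercased("Sailor42", fixed_salt) == enroll_lowercased("sAILOR42", fixed_salt)
    print("case-folded hashes equal:", same)
    salt, stored = enroll("Sailor42")
    print("exact case accepted:", verify("Sailor42", salt, stored))
    print("wrong case rejected:", not verify("sailor42", salt, stored))
```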

Name: Tom Yang  Posts: 110    Vancouver Time: 2003-2-3_11:52:44
From the server logs, I can see many users simply could not get in. Please pay attention! I typed in capital letters to use your "FULL" email address as login username! Do not just key in the front part of your email address. Do not key in your Sailor ID (e.g. 2257), it doesn't work. If you forgot your password, go to the "Forgot Password?" link on the cover page. The whole password reset takes 10 min max. And, once you get in, please DO change your password to a real one so you won't go through this painful frustration again, again and again. Nobody can remember those temporary passwords.