[DEV] Roaming profile

A place for MOD Authors to post and receive feedback on MODs still in development. No MODs within this forum should be used within a live environment! No new topics are allowed in this forum.

On February 1, 2009 this forum will be set to read only as part of retiring of phpBB2.
emoporo
Registered User
Posts: 9
Joined: Fri Jul 09, 2004 11:07 am

[DEV] Roaming profile

Post by emoporo »

Hello.

Feature requests are forbidden in this forum, but I'm not sure whether feature suggestions are also disallowed here. If they aren't allowed, feel free to delete or move this thread.

So, roaming profile = Log into every PHPBB based forum with single login/password. With one click.

You've probably heard of Microsoft's .NET Passport? It allows you to log in to Hotmail, eBay etc., the big corporation sites, with one account. The problem is that it's not free, and I think you can only use it on ASP based servers.

Well, here's the deal: for months I've been constantly coding a similar system called 'XS Passport'. I haven't posted about it before because it wasn't ready. But now it's working well enough that support for web applications can start being developed.

In one night, I hacked up XS Passport support for my PHPBB test installation. The forum is located here: [SPAM]
More specifically, the login procedure is embedded in login.php ( [SPAM] ). By clicking the picture you can use your XS Passport to log in to the PHPBB, provided that you're registered with XS Passport (at [SPAM] ).

The great things about it:
- You don't have to use it. It's unobtrusive. The only change is in login.php; you can still use the traditional login if you like.
- Easy login procedure. With one account you log in to _EVERY_ XSP supported site!
- Your password is never exposed to PHPBB sites (unlike with the traditional method). = Added security.
- The profile you set up in XSP is transferred to PHPBB when you log in (you will be asked to confirm whether you want to send the data, and it tells you what it's going to send, so it's safe).
- This means that you don't have to register anymore to post!!
- When you have to ban someone, he can't come back under a different username anymore (in the future, if XSP were the only login method).

The bad things:
- If the XS Passport server is down you won't be able to log in. This is not a problem, because if this is going to be a success I'm moving the server to a big datacenter with lots of bandwidth and perhaps creating a cluster of servers.

Try it yourself!
Register first at: [SPAM]
Now log in to the PHPBB: [SPAM]

Why am I posting this? I'd like your opinion: would you like to see this feature integrated into every PHPBB in the future?
Perhaps if you people like it the dev team will consider adding it.

[Edited by Draegonis: Links removed by request of MOD Team ]
Last edited by emoporo on Fri Jul 09, 2004 1:29 pm, edited 1 time in total.

Draegonis
Former Team Member
Posts: 3950
Joined: Mon Apr 22, 2002 3:12 pm
Location: Kµlt øƒ Ø

Post by Draegonis »

Moved from phpBB Discussion.

FYI: This has been tried before, and failed because of the huge security implications...

Cyberpunk
Registered User
Posts: 42
Joined: Sat Jun 26, 2004 12:25 pm
Location: Desert of the Real

Post by Cyberpunk »

yep, there is already the phpBB Passport around

emoporo
Registered User
Posts: 9
Joined: Fri Jul 09, 2004 11:07 am

Post by emoporo »

Draegonis wrote: Moved from phpBB Discussion.

FYI: This has been tried before, and failed because of the huge security implications...

I'd like to hear what are the 'security implications', since I am the developer and can't think of any.

Perhaps you'd like to read the documents on how it works here [SPAM]

edit: I looked at the phpbbpassport service. I know what the security concerns are there, since the username and password are entered on member sites. In this case the credentials are only entered on the passport server site.
Don't say my system has security flaws if you don't know how it works.

And, the only data exposed to member sites is the email address the user chose to put on public display and his/her MSN, AIM, timezone and webpage. What are the 'security implications'??!

[Edited by Draegonis: Link removed ]

Draegonis
Former Team Member
Posts: 3950
Joined: Mon Apr 22, 2002 3:12 pm
Location: Kµlt øƒ Ø

Post by Draegonis »

emoporo wrote: Don't say my system has security flaws if you don't know how it works.


Excuse me? If you care to re-read my statement, I made no specifics to your system. In general, a system like this has security and privacy issues, technical and legal. It's really rather obvious what they are. I'd hate to think that you couldn't see them.

Also, moved and de-spammed by request of the MOD Team.

Edit: And this one goes over to the MOD Team now. Have fun. :)
Last edited by Draegonis on Fri Jul 09, 2004 1:33 pm, edited 1 time in total.

emoporo
Registered User
Posts: 9
Joined: Fri Jul 09, 2004 11:07 am

Post by emoporo »

So, I can't be heard, and you people just prevented everyone from hearing my suggestion by editing out the links showcasing the technology.

Why did my post constitute spam?

emoporo
Registered User
Posts: 9
Joined: Fri Jul 09, 2004 11:07 am

Post by emoporo »

Draegonis wrote:
emoporo wrote:Don't say my system has security flaws if you don't know how it works.

Excuse me? If you care to re-read my statement, I made no specifics to your system. In general, a system like this has security and privacy issues, technical and legal. It's really rather obvious what they are. I'd hate to think that you couldn't see them.

"In general". Well, I designed the system from the ground up thinking of all the issues, and to my knowledge there aren't any.

Legal? What are they? If the user wants to use the service, why would it be illegal? It's not like it's mandatory to use it.

Who from the MOD team wanted to remove the links and torpedo my idea?

smithy_dll
Former Team Member
Posts: 7630
Joined: Tue Jan 08, 2002 6:27 am
Location: Australia
Name: Lachlan Smith

Post by smithy_dll »

There are more legal issues at hand than you appear to be aware of. It may not be illegal for people to use your system, but bear in mind this.

You are legally responsible for keeping the integrity and validity of the data in the database.
You need to keep the system secure, i.e. you are legally responsible if someone hacks your system and steals everyone's e-mail addresses.

There are massive privacy implications which go on into legal implications in most western nations.
How are you going to make sure people can't access the data of a user unless the user says that the site can access their profile data? How are you going to make sure they have got the permission of the user for the site to access their data from the database?

What about legal agreements and terms-of-service? Is there a registration process which forces board owners to agree to terms, and are there revised registration terms informing users registering at a site that their details are being recorded in a larger database?

There are security issues. How are you going to implement it: SOAP, XML/RDF, a proprietary protocol? The safest is likely to be SOAP! How are you going to implement SOAP? Are you going to make sure all transmissions happen over SSL?

What if your site goes down? All other boards go down. Have you thought about redundancy over multiple sites constantly synchronising over secure SSL lines? What will happen to boards if your system goes down? What are the legal aspects going to be for board owners if the system goes down?

No-one wants to torpedo your idea, it's just we don't want your idea to torpedo you. But unless you have thought about all the above issues and more then you haven't thought about all the implications. We at phpBB.com strongly recommend that you hire a lawyer with experience in internet data security before releasing such a system.

emoporo
Registered User
Posts: 9
Joined: Fri Jul 09, 2004 11:07 am

Post by emoporo »

Finally, someone who understands something. Thank you for at least paying attention.

smithy_dll wrote: No-one wants to torpedo your idea

They already did. They removed all of the links explaining what I'm trying! You wouldn't be asking these things if you'd seen the links!
I have to admit I'm pretty angry that they censored my post without an explanation of why they did it!

smithy_dll wrote: What if your site goes down

All that happens is that while the server is down, users aren't able to log in at that moment. People already logged in stay logged in and work perfectly fine. Even logging out works when the main server is down.
AND: The server won't be going down (at least I'm keeping it up; I can't promise the hardware doesn't break). The server is protected with a UPS so power surges don't take it down. The hard drives are RAIDed, so if one breaks the server keeps on rolling with the other HDD that still works.

smithy_dll wrote: all other boards go down

No, just logging in doesn't work at that time.

smithy_dll wrote: What about legal agreements and terms-of-service

I'm thinking about it now.

smithy_dll wrote: are you going to make sure all transmissions happen over SSL

SSL is used if the PHP supports it. The documentation says very clearly that SSL would be good for security.

smithy_dll wrote: How are you going to implement it

I have already coded the protocol. It supports SSL. The specs are located at the URL a moderator removed (I'm still waiting for the reason the URL was censored).

smithy_dll wrote: How are you going to make sure people can't access the data of a user unless the user says that the site can access their profile data? How are you going to make sure they have got the permission of the user for the site to access their data from the database?

You would have realised that if you had seen the link which was removed (see, the moderator completely torpedoed it and made this harder).
When the user goes to the PHPBB login page, he can click an alternate link that takes him to the XS Passport authentication gateway, which asks the user for his password and for confirmation of what data is sent to that site. Then, if the user agrees, he is taken back and a ticket is issued that allows the site to download the data the user agreed to share. This is very secure, provided that the gateway tells what data is being sent. The tickets are tied to the server hostname, so servers the ticket was not issued to cannot use that ticket.

smithy_dll wrote: Is there a registration process which forces board owners to agree to terms, and are there revised registration terms informing users registering at a site that their details are being recorded in a larger database?

To boost the usage of XS Pass, the system is open in the sense that sites don't have to register. Like I said, the user is always asked to confirm the data and told which site requests it.
Now that you mention it, I'm thinking of having the open sites print a message on the authentication gateway that this site is not completely trustworthy.
And the sites that have signed up and agreed to the TOS print a message that the site has legally agreed not to record any data.

emoporo
Registered User
Posts: 9
Joined: Fri Jul 09, 2004 11:07 am

Post by emoporo »

Continuation:

I understand the legal issues; when developing this kind of system it's important to have everything planned.
But, just a little note: the data that is shared is not much:

Always shared:
- Just the verification that the user owns an XS Pass account. (numeric ID)
- GMT timezone (really useful for any site dealing with international visitors)

Optional:
- Nickname
- Public email (user has public email and private email. Private is never shared, though the private and public email address can be the same).
- AIM
- ICQ
- MSN
- Yahoo
- Website URL

The password is NEVER SHARED with anyone except my AUTH gateway. There is no way an evil site could log in to a user's profile in Passport.

There are of course other data categories, like biography, which contains your full name etc., but they belong to a category that is not sent to PHPBB sites anyway. The other categories are for 'other category' sites like shopping carts etc. (in the future).
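
The ticket flow described in the two posts above (gateway checks the password, shows the user which fields will be shared, issues a ticket bound to the requesting site's hostname, and the site redeems the ticket to pull only the agreed fields), written out as an added example. This is not the XS Passport code and not part of the original thread; the class and method names, the single-use and expiry rules, and the way the gateway learns the redeeming host (passed in as `site_host`, which in a real deployment would have to come from an authenticated channel) are assumptions for illustration. The field names follow the lists in the post, and the sample account is constructed.

```python
import hashlib
import hmac
import secrets
import time

# Field categories as listed in the post: always shared vs. shared only with consent.
ALWAYS_SHARED = frozenset({"xsp_id", "timezone"})
OPTIONAL = frozenset({"nickname", "public_email", "aim", "icq", "msn", "yahoo", "website"})
# Anything else in the profile (private_email, biography, ...) is never released.


class PassportError(Exception):
    pass


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2; the gateway is the only party that ever sees the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Gateway:
    """Toy authentication gateway: holds accounts, issues and redeems tickets.

    A ticket is a random single-use token, bound to the hostname it was issued for,
    to a fixed set of consented fields and to an expiry time.
    """

    def __init__(self, ttl_seconds: int = 60, clock=time.time):
        self.users = {}     # xsp_id -> {"salt", "pw", "profile"}
        self.tickets = {}   # ticket -> {"xsp_id", "host", "fields", "expires", "used"}
        self.ttl = ttl_seconds
        self.clock = clock  # injectable for testing expiry

    def register(self, xsp_id: int, password: str, profile: dict) -> None:
        salt = secrets.token_bytes(16)
        self.users[xsp_id] = {"salt": salt, "pw": _hash_password(password, salt), "profile": dict(profile)}

    def issue_ticket(self, xsp_id: int, password: str, site_host: str, requested, consented):
        """Step 1: user authenticates at the gateway and confirms what the site may read.

        Returns (ticket, list of field names the user was shown and agreed to).
        """
        user = self.users.get(xsp_id)
        if user is None or not hmac.compare_digest(user["pw"], _hash_password(password, user["salt"])):
            raise PassportError("bad credentials")
        # The site can only receive optional fields it asked for AND the user ticked.
        fields = set(ALWAYS_SHARED) | (set(requested) & OPTIONAL & set(consented))
        ticket = secrets.token_urlsafe(32)
        self.tickets[ticket] = {
            "xsp_id": xsp_id,
            "host": site_host,
            "fields": frozenset(fields),
            "expires": self.clock() + self.ttl,
            "used": False,
        }
        return ticket, sorted(fields)

    def redeem(self, ticket: str, site_host: str) -> dict:
        """Step 2: the site presents the ticket and gets exactly the agreed fields."""
        rec = self.tickets.get(ticket)
        if rec is None:
            raise PassportError("unknown ticket")
        if rec["used"]:
            raise PassportError("ticket already redeemed")
        if self.clock() > rec["expires"]:
            raise PassportError("ticket expired")
        if rec["host"] != site_host:
            # Host binding: a ticket leaked to or stolen by another site is useless there.
            raise PassportError("ticket not issued to this host")
        rec["used"] = True
        profile = self.users[rec["xsp_id"]]["profile"]
        released = {"xsp_id": rec["xsp_id"]}
        for name in rec["fields"] - {"xsp_id"}:
            released[name] = profile.get(name)
        return released


def demo():
    """Constructed walk-through: the site asks for more than the user consents to."""
    gw = Gateway()
    gw.register(4711, "correct horse", {
        "timezone": "GMT+2", "nickname": "emo",
        "public_email": "pub@example.org", "private_email": "priv@example.org",
        "msn": "emo@msn.example",
    })
    # The forum requests four fields, including one it is never allowed to see.
    ticket, shown = gw.issue_ticket(
        4711, "correct horse", "forum.example.net",
        requested=["nickname", "public_email", "msn", "private_email"],
        consented=["nickname", "msn"],
    )
    data = gw.redeem(ticket, "forum.example.net")
    return shown, data


if __name__ == "__main__":
    print(demo())
```

The two properties the post relies on are the confirmation screen (the `shown` list is what the user approved, and the redeemed data contains nothing outside it) and the host binding (redeeming from a different hostname fails and does not consume the ticket). The example adds two checks the thread does not mention but any ticket scheme needs: a ticket can be redeemed once only, and it expires.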

emoporo
Registered User
Posts: 9
Joined: Fri Jul 09, 2004 11:07 am

Post by emoporo »

So now that I have cleared up a few points and actually made it not look like a lame attempt at a great idea, is no-one interested?

Please answer this question: does anybody honestly think it was right to remove the links? :(

ayusuf
I've Been Banned!
Posts: 917
Joined: Fri Feb 06, 2004 11:00 pm
Location: Orlando,Fl

Post by ayusuf »

To tell the truth, no, because I want you to make this MOD and see if you could do it.

wGEric
Former Team Member
Posts: 8805
Joined: Sun Oct 13, 2002 3:01 am
Location: Friday
Name: Eric Faerber

Post by wGEric »

Please provide a link to download your MOD. You can also provide a link to a demo but what you did in your first post was just spam your site and you hid it behind your idea. If you don't provide us code to install this MOD ourselves, this topic will be locked until you can provide us the code.

Also you must make sure all of the legal sides of the MOD are taken care of before we allow you to release it.

Watch yourself, you're on the verge of breaking rule 7 b and c.
Eric

emoporo
Registered User
Posts: 9
Joined: Fri Jul 09, 2004 11:07 am

Post by emoporo »

wGEric wrote: Please provide a link to download your MOD. You can also provide a link to a demo but what you did in your first post was just spam your site and you hid it behind your idea. If you don't provide us code to install this MOD ourselves, this topic will be locked until you can provide us the code.

Also you must make sure all of the legal sides of the MOD are taken care of before we allow you to release it.

Watch yourself, you're on the verge of breaking rule 7 b and c.

How did I spam my site?

The URLs I provided were (there were 2 URLs, though I probably posted the same URL twice for convenience):
- A link to the registration page for the passport service (you NEED to register to test it)
- The URL of the forum you could log in to with the passport.

Which one of those URLs would count as spam?
What would make putting up the URL of the sample board the MOD was implemented on count as spam?

And, to the user who said that I need to code it first: I coded it already, and even provided an example like you asked! My post was censored.

So, what are the legal issues if I put up a TOS text at sign-up that says that the details you enter are shared with the sites you agree to share them with?

ayusuf
I've Been Banned!
Posts: 917
Joined: Fri Feb 06, 2004 11:00 pm
Location: Orlando,Fl

Post by ayusuf »

Okay, enough with it, and let me see your MOD.
