Login Problems with AUTH commands.

kinglink · Post by **kinglink** » Fri Dec 16, 2005 6:15 am

OK here's a toughy and I can't figure it out.

Now I've checked and rechecked my system this is what I pass the UDP:
AUTH user=han&pass=solo&protover=2&client=kinglink&clientver=1
this is NOT my username not my password, and not anything.

Now I can do user k, pass k, user l pass l, and random letters as long as they are lowercase. It ALWAYS gives me a 200.

So let's step up to the next problem. Who am I logged in as? I can't tell you for sure but I do a NOTIFYLIST with the NEW session id it returns my personal info, however I'm not han, my password is not solo. I'm kinglink.

Now i've just messed around with my UDP port tester. it appears I never sent a Logout and after logging out I get 500 Login failed when trying this line. So obviously it's now REQUIRED to logout? But to do that you must LOGOUT with the session key. If you don't it appears that if you have the same IP and the same UDP port (I use 9000) and you try to login with out the last code being logged out you immediatly get logged into the old sesson and it looks like it's a new session. Now again there's no way to test who you are in the program.

However let's think about this? Let's assume computer shuts down, program crashes, or something. We have to assume you don't always log out (yes if you close the program you log out but I personally never log out of some programs, and as I code a notification program this program should NEVER need to be closed until shut down so we have to assume that if anything happens to the puter then the connection gets servered.

My question comes down to this. If I don't have a session id, the only way I can think of making sure no one is falsely logging in is to log in on my side with this problem is that I login, if I get a 200, I log out, and then log back in, if I get a second 200, then I assume I'm clear. The other option is to login as a impossible name (I'll have to use either a given name and password you give me or "kinglink/kinglink" a l/p I'll never use. and see if I get 200. If I do I immediatly log out and login normally.

Both options seem needlessly complicated, and useless, the later has the least error checking, but is there anyway around this problem with out having to issue two commands, such as a universal logout command to make sure you're starting a new session?

Any other developer find this out or am I the first time find a glitch? if so I want to name it the "kinglink false entry"

Post by **epoximator** » Fri Dec 16, 2005 10:42 am

The old server does not check username and pass on AUTH when you already are logged in (ip and client port are used to identify).

You are automatically logged out after some time (of inactivity), so I don't think it is a major issue. However, I have added a check of the password in the new server version.

kinglink · Post by **kinglink** » Fri Dec 16, 2005 6:18 pm

Yes, a password check should work too.

It just seems like a bit of a security flaw as it is currently, I'll write a module to get around this, using my name and a false password (as meantioned kinglink/kinglink) to make sure it cleared out the old data.

kinglink · Post by **kinglink** » Sat Dec 17, 2005 6:44 am

Maybe people are still reading this, don't want to toss a million topics here.

It appears the AniDB is silent? I'm testing out this function, (it hits the server with an AUTH, then a LOGOUT if it's logged in, otherwise it just moves on to step two so it's only 2 simple lines.) It did something odd the first time and then I started to step through it and it did something odder, so I'm trying to figure it out and now it's completely silent with this and a second program I wrote to test UDP connections.

It worked again once or twice and now My program is still having minor issues, but the problem now becomes, why is the API all of a sudden silent. This is making it hard to debug the API I've only sent auth commands a couple times. After the first Login command the system stutters (30 seconds, 2 minutes, 5 minuets) but I seem to hit an invisible lock out? Is something happening?

I happen to know for sure that the code only could have sent the command 2 or 3 times total, that should be below 5 packets and been spread out over a minute or so. I shouldn't be hitting the limiters, and even so wouldn't I get a response ever (left the system up for a couple minutes and sending the commands again like suggested, correct? Or would I get banned and get that message?

This might be interesting to find out so I can prepare for this one.

I am logging in incorrectly (kinglink/kinglink) (on purpose) to clear old logins so It could be seen as me trying to crack the system, don't know if you have something in place for that either?

Post by **epoximator** » Sat Dec 17, 2005 9:42 am

remember that if u keep sending the wrong password you will get banned. it also possible that u are being banned for flooding. the counters won't be reset just by logging out.

the server hangs sometimes too, but i don't think that's the problem here.

anyway, if the server stops responding, wait for at least 15 min before trying again