1 2
Posted: 4/25/2014 3:05 AM
Post subject: Help test authentication technique 2
Quote
Nach
Emulator Coder
Joined: 3/9/2004
Posts: 4588
Location: In his lab studying psychology to find new ways to torture TASers and forumers
Hi guys, I'm building some new web authentication strategy, and I'd appreciate if you can help by posting results with different web browsers. This is an improvement over my previous test. Visit: http://www.nachsoftware.com/verymessyauth/ and report what is posted for each of the six tests. If you have access to a cell phone, tablet, set top box, video game console, please post results with those too. Thank you! Some preliminary results: Firefox 10: 6/6 Success Chrome 36: 6/6 Success QupZilla/1.6.1 Safari/534.34: 6/6 Success Internet Explorer 8: 6/6 Success Chromium 34: First Party Session: Success First Party Long Term: Success First HTTP Authentication:Success Third Party Session: Failure Third Party Long Term: Failure Third HTTP Authentication: Success Opera 12.16 First Party Session: Success First Party Long Term: Success First HTTP Authentication: Failure Third Party Session: Success Third Party Long Term: Success Third HTTP Authentication: Failure Konqueror 3.5.10: First Party Session: Success First Party Long Term: Success First HTTP Authentication: Third Party Session: Success Third Party Long Term: Success Third HTTP Authentication:
Warning: Opinions expressed by Nach or others in this post do not necessarily reflect the views, opinions, or position of Nach himself on the matter(s) being discussed therein.
Posted: 4/25/2014 3:18 AM
(Edited: 4/25/2014 3:24 AM)
Quote
Nach
Emulator Coder
Joined: 3/9/2004
Posts: 4588
Location: In his lab studying psychology to find new ways to torture TASers and forumers
Konqueror 4.8: First Party Session: Success First Party Long Term: Success First HTTP Authentication: Third Party Session: Failure Third Party Long Term: Failure Third HTTP Authentication: Chromium 26: 6/6 Success. Internet Explorer 9: 6/6 Success. Internet Explorer 11: 6/6 Success. Firefox 28: 6/6 Success.
Warning: Opinions expressed by Nach or others in this post do not necessarily reflect the views, opinions, or position of Nach himself on the matter(s) being discussed therein.
Posted: 4/25/2014 3:21 AM
Quote
Bobo_the_King
Player (79)
Joined: 8/5/2007
Posts: 865
Waterfox 28: 6/6 success.
Posted: 4/25/2014 3:30 AM
Quote
uberushaximus
Joined: 4/25/2014
Posts: 1
Firefox + NoScript + RequestPolicy + 3rd party cookie blocking First Party Session: Success First Party Long Term: Success First HTTP Authentication: JavaScript Disabled Enabled requests from .org (RequestPolicy) Third Party Session: Failure Third Party Long Term: Failure Third HTTP Authentication: Success Enabled JS (NoScript) First HTTP Authentication: Success
Posted: 4/25/2014 3:33 AM
Quote
Fog
Experienced player (626)
Joined: 4/5/2014
Posts: 459
Funny TAS of 2015
Browser: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36 First Party Session: Success First Party Long Term: Success First HTTP Authentication: Success Third Party Session: Success Third Party Long Term: Success Third HTTP Authentication: Success
Posted: 4/25/2014 4:22 AM
Quote
Lex
Joined: 6/25/2007
Posts: 732
Location: Vancouver, British Columbia, Canada
Posted: 4/25/2014 5:07 AM
Quote
Cooljay
He/Him
Active player (392)
Joined: 5/1/2012
Posts: 468
Location: Canada
I get success on everything but the 3rd http authentication on the Xbox 360 internet browser
Posted: 4/25/2014 5:19 AM
(Edited: 4/25/2014 5:54 AM)
Quote
Ji-chan
Joined: 7/30/2013
Posts: 79
3DS Browser 1.7567, 2/6. This browser is so terrible lol. Lolifox 0.3.6, 5/6 SlimBrowser 7.0, 6/6 K-Meleon 1.6.0, 4/6 GreenBrowser 6.5.0927, 5/6 Dolphin 11.0.0, 2/3 My poor Android Gingerbread phone's stock browser, 2/3
(◕‿◕)
Posted: 4/25/2014 5:44 AM
Quote
Tub
Joined: 6/25/2005
Posts: 1377
Browser: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0. Setting "Accept third party cookies" set to "never", for privacy reasons. Third Party Session and Third Party Long Term: Failure Note that many browsers are trying to restrict third party cookies by default, using "smart" solutions like accepting third party cookies only from sites you've visited before. IIRC Safari already does that and firefox is working on it. No, I haven't found a way to do reliable authentication inside a third-party iframe yet.
m00
Posted: 4/25/2014 10:07 AM
Quote
Warp
Banned User, Former player
Joined: 3/10/2004
Posts: 7698
Location: Finland
Browser: Mozilla/5.0 (iPad; CPU OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D167 Safari/9537.53 First Party Session: Success First Party Long Term: Success First HTTP Authentication: Success Third Party Session: Failure Third Party Long Term: Failure Third HTTP Authentication: Success
Posted: 4/25/2014 12:15 PM
Quote
Xyphys
Player (160)
Joined: 11/25/2006
Posts: 22
Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14 First Party Session: Success First Party Long Term: Success First HTTP Authentication: Success Third Party Session: Failure Third Party Long Term: Failure Third HTTP Authentication: Success
Posted: 4/25/2014 12:20 PM
Quote
Nach
Emulator Coder
Joined: 3/9/2004
Posts: 4588
Location: In his lab studying psychology to find new ways to torture TASers and forumers
Tub wrote:
Note that many browsers are trying to restrict third party cookies by default, using "smart" solutions like accepting third party cookies only from sites you've visited before. IIRC Safari already does that and firefox is working on it.
The past two posts suggest you're correct.
Tub wrote:
No, I haven't found a way to do reliable authentication inside a third-party iframe yet.
You only need one method to work to achieve authentication. If the system supports multiple and can switch between them, it should work.
Warning: Opinions expressed by Nach or others in this post do not necessarily reflect the views, opinions, or position of Nach himself on the matter(s) being discussed therein.
Posted: 4/25/2014 12:58 PM
(Edited: 4/25/2014 1:00 PM)
Quote
adelikat
He/Him
Emulator Coder, Site Developer, Site Owner, Expert player (3598)
Joined: 11/3/2004
Posts: 4738
Location: Tennessee
TASer of 2010 NES TASer of 2010 DS TASer of 2010 Arcade TAS of 2010 NES TASer of 2008 NES TAS of 2008 Funny TAS of 2008 TASer of 2007 NES TASer of 2007 Funny TAS of 2007
Iphone 5 (OS 7_1), Safari 9537.53 First Party ession: Success First Party Long Term: Success First Http Authentication: Success Third Party Session: Failure Third Party Long Term: Failure Third Http Authentication: Success
It's hard to look this good. My TAS projects
Posted: 4/25/2014 12:58 PM
(Edited: 4/12/2015 9:30 AM)
Quote
Spikestuff
They/Them
Editor, Publisher, Expert player (2299)
Joined: 10/12/2011
Posts: 6337
Location: The land down under.
Flash TASer of 2022 PSX TASer of 2016
iPhone 4: Browser: Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53 All Worked Android A500 (acer). Browser: Mozilla/5.0 (Linux;U;Android 4.0.3;en-us;A500 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Failures 2 401's at First and Third Authertication. Prior to failure a message pops up "Sign in to nach.nachsoftware.org:80 "Press Cancel"" They both say this (Til a certain line): 
HTTP Status: 401 Unauthorized
----------
Date: Fri, 25 Apr 2014 13:11:03 GMT
Content-Encoding: gzip
WWW-Authenticate: Basic realm="Press Cancel"
Connection: Keep-Alive
Content-Length:34
Server: Apacje/2.2.22 (Debain)
Vary: Accept-Encoding
Content-Type: text/html
First Authentication: 
Keep Alive: timeout=5, max=48
----------
HTTP 401
----------
Third Authentication: 
Keep Alive: timeout=5, max=50
----------
HTTP 401
----------
iTouch (Gen 1): Browser: Mozilla/5.0 (iPod; CPU iPhone OS 3_1_3 like Mac OS X;en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7E18 Safari/528.16 2 Failures (Third Party Session & Third Party Long Term) 2 Blanks (HTTP Authentication) Note: it says iPhone but it is an iTouch. This was the final update for gen 1 iTouch. Sony Playstation Portable (PSP) 6.60, Model 3002: Browser: Mozilla/4.0 (PSP (PlayStation Portable); 2.00) 2 Failures (Third Party Session & Third Party Long Term) 2 Blanks (HTTP Authentication) (gen 1 does same, not hacked does same) Sony Playstation 3 (PS3) 4.55 (Gen 2 Model/Gen 3 System): Browser: Mozilla/5.0 (PLAYSTATION 3 4.55) AppleWebKit/531.22.8 (KHTML, like Gecko) Similar to the Acer Tablet is came up with a thing telling me to Cancel First and Third HTTP Auth. 
HTTP Status: 0
----------
----------

----------
12th April 2015 Edit: Samsung Galaxy Tab S Chrome Browser: Mozilla/5.0 (Linux; Android 4.4.2; SM-T705Y Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Safari/537.36 All Worked Android Internet Browser: Mozilla/5.0 (Linux; Android 4.4.2; en-au; SAMSUNG SM-T705Y Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36 All Worked
WebNations/Sabih wrote:
+fsvgm777 never censoring anything.
Disables Comments and Ratings for the YouTube account. Something better for yourself and also others.
Posted: 4/25/2014 1:01 PM
Quote
Brushy
Former player
Joined: 11/13/2005
Posts: 1587
Browser: Mozilla/5.0 (Linux; Android 4.4.2; HTC One Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36 Everything said "Success".
Posted: 4/25/2014 1:03 PM
Quote
Nach
Emulator Coder
Joined: 3/9/2004
Posts: 4588
Location: In his lab studying psychology to find new ways to torture TASers and forumers
Interesting, other people are telling me Android Version/4.0 is getting some failures or even pop ups. Are there multiple browsers that match that description?
Warning: Opinions expressed by Nach or others in this post do not necessarily reflect the views, opinions, or position of Nach himself on the matter(s) being discussed therein.
Posted: 4/25/2014 1:40 PM
Quote
ALAKTORN
He/Him
Player (99)
Joined: 10/19/2009
Posts: 2527
Location: Italy
DS TAS of 2012
Browser: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0.1 First Party Session: Success First Party Long Term: Success First HTTP Authentication: Success Third Party Session: Success Third Party Long Term: Success Third HTTP Authentication: Success Browser: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E) First Party Session: Success First Party Long Term: Success First HTTP Authentication: Success Third Party Session: Success Third Party Long Term: Success Third HTTP Authentication: Success
Posted: 4/25/2014 5:17 PM
Quote
Tub
Joined: 6/25/2005
Posts: 1377
Android 2.3.6 on a samsung galaxy pocket, default browser: First Party Session: Success First Paty Long Term: Success First HTTP Auth: Failure the other three didn't even appear.
Nach wrote:
Tub wrote:
No, I haven't found a way to do reliable authentication inside a third-party iframe yet.
You only need one method to work to achieve authentication. If the system supports multiple and can switch between them, it should work.
Can you elaborate what you're trying to do? There's a different set of requirements for, say, user tracking vs. user authentication, for whether you control the first party site or not, and how frequent page reloads are in the first and third party pages. The difficult part is obviously to get the client to remember his credentials across page reloads when neither cookies nor local storage work, but depending on the circumstances there are indeed some workarounds. I don't see your scripts testing for page reloads though; especially the HTTP auth example seems contrived: when you're sending ajax requests and you already know the credentials, you may as well pass them as GET or POST parameters instead. If you find a way to reliably allow a third-party site to track their users across sessions in ALL circumstances, even when 3rd party cookies are disabled, that would be considered a bug by the browser vendors.
m00
Posted: 4/25/2014 5:26 PM
Quote
OmnipotentEntity
He/Him
Player (36)
Joined: 9/11/2004
Posts: 2623
Browser: Links (2.8; Linux 3.13.0-24-generic x86_64; GNU C 4.8.2; text) IFrame iframes unsupported Follow link to IFrame => First Party Session: Success First Party Long Term: Success First HTTP Authentication: JavaScript Disabled IFrame iframes unsupported Follow link to IFrame => Third Party Session: IFrame iframes unsupported Third Party Long Term: IFrame iframes unsupported Third HTTP Authentication: JavaScript Disabled Follow first link to IFrame => Success Follow second link to IFrame => Success
Build a man a fire, warm him for a day, Set a man on fire, warm him for the rest of his life.
Posted: 4/25/2014 7:09 PM
Quote
CoolKirby
Editor, Experienced player (608)
Joined: 11/8/2010
Posts: 4012
Exotic platforms TASer of 2014 NES TAS of 2013
Android 4.2.2 Google Chrome: 6/6 Browser: Mozilla/5.0 (Linux; Android 4.2.2; SCH-I435 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36 ---- First Party Session: Success First Party Long Term: Success First HTTP Authentication: Success Third Party Session: Success Third Party Long Term: Success Third HTTP Authentication: Success Android 4.2.2 Mozilla Firefox: 6/6 Browser: Mozilla/5.0 (Android; Mobile; rv:28.0) Gecko/28.0 Firefox/28.0 ---- First Party Session: Success First Party Long Term: Success First HTTP Authentication: Success Third Party Session: Success Third Party Long Term: Success Third HTTP Authentication: Success Wii Internet Browser: 4/5? Browser: Opera/9.30 (Nintendo Wii; U; ; 3642; en) ---- First Party Session: Success First Party Long Term: Success First HTTP Authentication: Third Party Session: Success Third Party Long Term: Success
Posted: 4/25/2014 9:51 PM
Quote
KusogeMan
Active player (434)
Joined: 2/5/2012
Posts: 1690
Location: Brasil
Browser: Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0 First Party Session: Success First Party Long Term: Success First HTTP Authentication: Success Third Party Session: Success Third Party Long Term: Success Third HTTP Authentication: Success
TAS i'm interested: megaman series: mmbn1 all chips, mmx3 any% psx glitched fighting games with speed goals in general
Posted: 4/26/2014 12:11 AM
Quote
darkszero
He/Him
Joined: 7/12/2009
Posts: 181
Location: São Paulo, Brazil
Firefox 28 on Android 4.4: All Success
Posted: 4/26/2014 7:17 AM
Quote
Ilari
Emulator Coder, Skilled player (1141)
Joined: 5/1/2010
Posts: 1217
Rookie of 2010 New systems TASer of 2010 New systems TAS of 2010
Tub wrote:
Can you elaborate what you're trying to do? There's a different set of requirements for, say, user tracking vs. user authentication, for whether you control the first party site or not, and how frequent page reloads are in the first and third party pages.
AFAIK, this is for user authentication, and there is little control of first party site (it frames/embeds the third party site).
Posted: 4/27/2014 11:29 AM
Post subject: I disagree with Fabian
Quote
JXQ
Experienced player (750)
Joined: 5/6/2005
Posts: 3132
NES TAS of 2008 Speedy TAS of 2008 SNES TASer of 2007 TAS of 2007 SNES TAS of 2007 Funny TAS of 2007
I am prompted for a login/password, which I left blank cuz I didn't see one listed to use. 

Browser: Mozilla/5.0 (iPod; CPU iPhone OS 6_0_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) CriOS/33.0.1750.21 Mobile/10A523 Safari/8536.25



First Party Session:	Success
First Party Long Term:	Success
First HTTP Authentication:	
Failure
Edit: copy-paste isn't working for the third party section on iPod touch (iOS 6 I think). First two are successful, third is 401 unauthorized.
<Swordless> Go hug a tree, you vegetarian (I bet you really are one)
Posted: 4/27/2014 11:42 AM
Quote
BigBoct
He/Him
Editor, Former player
Joined: 8/9/2007
Posts: 1692
Location: Tiffin/Republic, OH
Browser: Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0 First Party Session: Success First Party Long Term: Success First HTTP Authentication: Success Third Party Session: Success Third Party Long Term: Success Third HTTP Authentication: Success
Previous Name: boct1584
1 2