List of updates and changes so far.


Negative Edge

Feb 27, 2016, 4:55:12 AM
to AJAX-chat

As of 2/27/16

Changelog:

  • The ability to change your name and save your name change until you change it again. You still can log in with your normal credentials
  • Video player has been updated and now supports Facebook Videos
  • Admin has been updated and now will allow you to modify your config.php from the admin interface
  • Sessions are no longer used for saving information or identification purposes
  • Full screen support added, useful when playing videos in BG Mode
  • Global Video Broadcasting feature added. Users have the ability to post a video for EVERYONE to watch simultaneously. (Works with YouTube only *for now*)
  • Users also have the ability to disable the above feature if they find it annoying
  • Forum Bot for when new posts are made by users and the bot will post the link in the chat

Fixes and Adjustments:

  • Prevented moderators from making themselves admins
  • Removed panel access for moderators
  • Only chatroom owner can add and set permissions for channels
  • Admins CAN NOT alter other admins user info in the user management section
  • OWNER can alter all chatroom members info in the user management system.
  • A language file included where users can translate into their native language

What's left:

  • Private messaging system
  • Image upload for use with lightbox mod

For more info:
http://negative-edge.net/index.php?/topic/15-a-list-of-changes-and-updates-notes-to-myself/

Negative Edge

Feb 27, 2016, 5:21:06 PM
to AJAX-chat

Bobby Russ

Feb 27, 2016, 6:29:48 PM
to ClubSyNXTremeTV, AJAX-chat

How are the vehicles being stored if it's not in the session?  Sounds like a potential security issue...

--
You received this message because you are subscribed to the Google Groups "AJAX-chat" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ajax-chat+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Negative Edge

Feb 27, 2016, 7:03:25 PM
to ajax...@googlegroups.com
LOL not a security issue at all.
There are other ways around doing this rather than relying on PHP sessions or even JavaScript sessions.

And besides, from recent experience from others, especially those on a free host or paid host who don't have access to or know or don't have a directory to store sessions, this new way I am having the mods identifying users eliminates that problem.

Bobby Russ

Feb 27, 2016, 7:05:33 PM
to Ninno27, AJAX-chat

How is it being handled?  One of the reasons it is usually tied in the session is security.  Simply a cookie can be manipulated into giving inappropriate access.  Hence the question of how it is being done and the concern over security.

On Feb 27, 2016 7:02 PM, "Ninno27" <nin...@gmail.com> wrote:
LOL not a security issue at all.
There are other ways around doing this rather than relying on PHP sessions or even JavaScript sessions.

And besides, from recent experience from others, especially those on a free host or paid host who don't have access to, don't know or don't have a directory to store sessions, this new way I am having the mods identifying users eliminates that problem.

Negative Edge

Feb 27, 2016, 7:19:54 PM
to ajax...@googlegroups.com
When you log in to the chat or register with standalone, your login info is stored via mysql(i) and each row created has its id (auto increment), that becomes your chat's userID when verified with your login info. Your IP is recorded with multiple hashes and stored as another form of id; these two forms of ids are my way of having the chat identify you. Registered people only, and everything that I make is called with the $_GET['access'] superglobal variable and in javascript/jquery var access = window.location.search

Even when you log in it sets it, that global var is your id.

As a prevention from anyone attempting to access your id, info, etc. by simply putting another user's id at the end of the url, that id is not the only thing that's being checked. That, I guess you can call it the super encrypted id, is also checked and must match the user's account along with their id, which is the identification method I'm now using, making it highly impossible to obtain another user's info/account.

Each of my mods and alterations does a check before proceeding, and if it doesn't match the records, you will get a "This account does not belong to you" and be kicked out of the chat.
If I want to make it even more strict, I can automatically place a ban on whoever attempts to access someone else's account.

Kevin "Ingwie Phoenix" Ingwersen

Feb 27, 2016, 7:27:29 PM
to Negative Edge, AJAX-chat

On 28.02.2016 at 01:19, Negative Edge <s...@clubsyn-x-treme.net> wrote:

For standalone, when you register with my mod, your login info is stored via mysql(i) and each row created has its id (auto increment), that becomes your chat's userID when verified with your login info. Your IP is recorded with multiple hashes and stored as another form of id; these two forms of ids are my way of having the chat identify you. Registered people only, and everything that I make is called with the $_GET['access'] superglobal variable and in javascript/jquery var access = window.location.search

That is known as DB-Based Session Storage (DBSS) - but using a hash in the URL might be unpractical. Well since the chat is basically an SPA in this regard, I think it can pass. Beware of people with dynamic IPs though - the tokens would invalidate upon change. A friend of mine has his IP change every 4 hours.

Even when logging in it sets it, that global var is your id.

As a prevention from anyone attempting to access your id, info, etc. by simply putting another user's id at the end of the url, not that id is not the only thing that's being checked. That, I guess you can call super encrypted id, is also checked and must match the user's account along with their id, which is the identification method I'm now using, making it highly impossible to obtain another user's info/account.

So…

HASHALGO(User ID) == $_GET[access]

is basically not the only thing you're performing. It sounds good, but it sounds like a lot of back and forth processing. Compute-heavy hashes might cause performance regressions. If you can express the authentication within pseudo-code, like above, that might help me understand.

It does seem secure, but I feel odd about the "attached to the url" part - since that part can be generated. Since the chat is not a closed-source project, one could look at the algo you used, reproduce it remotely and might be able to regenerate the required hash. Just might.

each of my mods and alterations does a check before proceeding. and if it doesn't match the records, you will get a This account does not belong to you and kicked out of the chat.

Each mod? So you repeat everything? Ouch. Think about using a temporary store (a class with a static property, for instance or a function with a static local.)

If I want to make it even more strict, I can automatically place a ban on whoever attempts to access someone else's account.
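
The two approaches contrasted in this message, as an added example that is not part of the original thread or of the mod's code: an id checked against a hash of the connecting address, next to DB-based session storage with a random per-login token. The function names, the in-memory `$users` table and the sample addresses are constructed, and a single SHA-256 stands in for the "multiple hashes" the thread mentions.

```php
<?php
// Added example, not code from the AJAX Chat mod discussed in this thread.
// All names and sample values below are constructed for illustration.

// Stand-in for the users table: auto-increment id => row.
$users = [
    7 => ['name' => 'alice', 'ip_hash' => null, 'token_hash' => null],
];

// Scheme as described in the thread: the id travels in the URL and the
// server compares a hash of the connecting address with the stored one.
function login_ip_bound(array &$users, int $id, string $ip): void {
    $users[$id]['ip_hash'] = hash('sha256', $ip);
}
function check_ip_bound(array $users, int $id, string $ip): bool {
    $stored = $users[$id]['ip_hash'] ?? null;
    return $stored !== null && hash_equals($stored, hash('sha256', $ip));
}

// DB-based session storage: login issues a random token, the table keeps
// only its hash, and every request must present the token with the id.
function login_token(array &$users, int $id): string {
    $token = bin2hex(random_bytes(32));
    $users[$id]['token_hash'] = hash('sha256', $token);
    return $token;
}
function check_token(array $users, int $id, string $token): bool {
    $stored = $users[$id]['token_hash'] ?? null;
    return $stored !== null && hash_equals($stored, hash('sha256', $token));
}

login_ip_bound($users, 7, '198.51.100.10');
$token = login_token($users, 7);

// Same user, same address as at login.
var_dump(check_ip_bound($users, 7, '198.51.100.10'));
// Same user after the ISP hands out a new address (the dynamic-IP case).
var_dump(check_ip_bound($users, 7, '198.51.100.99'));
// The token check does not depend on the address at all.
var_dump(check_token($users, 7, $token));
// A request that supplies the id but not the issued token.
var_dump(check_token($users, 7, str_repeat('0', 64)));
```

The address-bound check takes only the id and the connecting address as input, while the token check requires a value that exists nowhere except in the client that logged in.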

Negative Edge

Feb 27, 2016, 7:36:19 PM
to ajax...@googlegroups.com
I worded that wrong, not each mod but the few that require information stored and restricted to registered members.

Also I'm not using a hash in the url.... heavens no...

Negative Edge

Feb 27, 2016, 7:38:37 PM
to AJAX-chat

Bobby Russ

Feb 27, 2016, 8:10:08 PM
to ClubSyNXTremeTV, AJAX-chat

Does this mean you'll not be supporting integration with phone?  Or will you be duplicating login checks?

On Feb 27, 2016 7:36 PM, "Negative Edge" <s...@clubsyn-x-treme.net> wrote:
I am not using a hash in the url at all.

Your id is at the end of the url and the id is checking the hash with the matching id to verify you.

Bobby Russ

Feb 27, 2016, 8:12:15 PM
to ClubSyNXTremeTV, AJAX-chat

So the ID is the only thing being given to the server to compare besides IP which can be spoofed?  Or did I miss something?

On Feb 27, 2016 7:38 PM, "Negative Edge" <s...@clubsyn-x-treme.net> wrote:
--

Negative Edge

Feb 28, 2016, 7:47:42 AM
to ajax...@googlegroups.com
Everything takes place before logging in using standalone and integrated via verify.php.

Everything gets checked in the verify.php; also, if a different IP is used when logging in, that gets updated and re-hashed. If a user spoofs their IP after logging in, they will be kicked out of the chat and have to re-login to have everything verified and updated.

There is no way someone can match someone's hashed IP even though it's hashed multiple amount of times, and once again it's set when going through the verify.php each time.

So if you log in and let's say you are not on your normal connection, perhaps a tether or a public wifi, with standalone, that IP gets updated as soon as the verify.php starts its process. Passwords are also hashed multiple amounts of times so it's not like someone can obtain your password to log in unless you are foolish enough to give it to them.

Integrated packages, mainly forums, always have a members table or a session table in mysql(i) where I can compare your current IP to what's stored in the forum's table. Besides, you have to log into the forum/portal in order for the chat to recognize you, and again that same procedure I mentioned that takes place in standalone happens with this in the verify.php.

Once again, everything happens "before" logging in, not afterwards, and if anything happens with the IP being changed, the chat already has a feature where it will kick you out (invalid ip address).

If a user happens to add your id at the end of the url, like I said in a previous post, you will see "THIS ACCOUNT DOES NOT BELONG TO YOU!" and be forced back to the login page or forum page.

Bobby Russ

Feb 28, 2016, 3:21:05 PM
to ClubSyNXTremeTV, AJAX-chat

I haven't had a chance yet to review your message, but on a side note getting these errors when mailing you...

This is an automatically generated Delivery Status Notification

THIS IS A WARNING MESSAGE ONLY.

YOU DO NOT NEED TO RESEND YOUR MESSAGE.

Delivery to the following recipient has been delayed:

     syn@clubsyn-x-treme.net

Message will be retried for 2 more day(s)

Technical details of temporary failure:
The recipient server did not accept our requests to connect. Learn more at https://support.google.com/mail/answer/7720
[clubsyn-x-treme.net141.8.224.124: socket error]

On Feb 28, 2016 7:47 AM, "Negative Edge" <s...@clubsyn-x-treme.net> wrote:
Everything takes place before logging in using standalone and integrated via verify.php. Everything gets checked in the verify.php; also, if a different IP is used when logging in, that gets updated and re-hashed. If a user spoofs their IP after logging in, they will be simply kicked out of the chat and have to re-login to have everything updated.

There is no way someone can match someone's hashed IP even though it's hashed multiple amount of times, and once again it's set when going through the verify.php each time, it's not a one time thing.

So if you log in and let's say you are not on your normal connection, perhaps a tether or a public wifi, with standalone, that IP gets updated as soon as the verify.php starts its process. Passwords are also hashed multiple amounts of times so it's not like someone can obtain your password to log in unless you are foolish enough to give it to them.

Integrated packages, mainly forums, always have a members table or a session table in mysql(i) where I can compare your current IP to what's stored in the forum's table. Besides, you have to log into the forum/portal in order for the chat to recognize you, and again that same procedure I mentioned that takes place in standalone happens with this in the verify.php.

Once again, everything happens "before" logging in, not afterwards, and if anything happens with the IP being changed, the chat already has a feature where it will kick you out (invalid ip address).

Negative Edge

Feb 28, 2016, 4:16:54 PM
to AJAX-chat
ad...@negative-edge.net

I just set it up.

Minako Aino

Feb 28, 2016, 6:26:24 PM
to AJAX-chat, s...@clubsyn-x-treme.net
He kinda posted his "new" domain like 50x all over the threads now (scroll up)


On Sunday, February 28, 2016 at 1:21:05 PM UTC-7, Bobby Russ wrote:

I haven't had a chance yet to review your message, but on a side note getting these errors when mailing you...

This is an automatically generated Delivery Status Notification

THIS IS A WARNING MESSAGE ONLY.

YOU DO NOT NEED TO RESEND YOUR MESSAGE.

Delivery to the following recipient has been delayed:

Bobby Russ

Feb 28, 2016, 6:28:30 PM
to Minako Aino, AJAX-chat, ClubSyNXTremeTV

He's still sending from the old address via this group.  He might want to change that....  He keeps posting from old address like "50x" times. Lol

Negative Edge

Feb 28, 2016, 6:36:39 PM
to AJAX-chat
Everything that's mailed to me from this gmail account is forwarded to my POP3 email on my server.

Bobby Russ

Feb 28, 2016, 6:40:21 PM
to ClubSyNXTremeTV, AJAX-chat

Your address is bouncing per gmail just so you are aware.  If you don't care, I'll stop trying to help you.  Just say so.

Everything that's mailed to me from this gmail account is forwarded to my POP3 email on my server.

Negative Edge

Feb 28, 2016, 7:08:06 PM
to AJAX-chat
Ummm ......ok.

"scratches head"


I have work to do anyway.

Minako Aino

Feb 28, 2016, 7:12:00 PM
to ajax...@googlegroups.com, s...@clubsyn-x-treme.net
Or ignore it cuz its going to him, or post to the group cuz he responds, or visit the chat he's posted up so many times... but I can understand where you're coming from, if someone didn't give me the 8th piece of the triforce, or the 3rd medal  I'd never assemble the means to save Hyrule... but if you don't care I'll stop trying to help you. Just say so.

Negative Edge

Feb 28, 2016, 7:17:49 PM
to ajax...@googlegroups.com
this is what he is talking about

Other recipients: s...@clubsyn-x-treme.net which is really s...@clubsyn-x-treme.net which I changed days ago. Google for some reason isn't updating it.

It's bouncing around because of that and that domain no longer exists.


But like Luna said, I can be found at my chat/website. I don't see what's stopping you from communicating with me there if you are trying to reach me.

Bobby Russ

Feb 28, 2016, 7:25:30 PM
to Minako Aino, AJAX-chat, ClubSyNXTremeTV

I've visited the chat to try to communicate with him to no success.  Ignoring these kind of things is something I wouldn't do if it was happening to me, but so be it.

On Feb 28, 2016 7:12 PM, "Minako Aino" <baka...@gmail.com> wrote:
Or ignore it cuz its going to him, or post to the group cuz he responds, or visit the chat he's posted up so many times... but I can understand where you're coming from, if someone didn't give me the 8th piece of the triforce, or the 3rd medal  I'd never assemble the means to save Hyrule...



On Sunday, February 28, 2016 at 4:40:21 PM UTC-7, Bobby Russ wrote:

Your address is bouncing per gmail just so you are aware.  If you don't care, I'll stop trying to help you.  Just say so.

Everything that's mailed to me from this gmail account is forwarded to my POP3 email on my server.


Negative Edge

Feb 28, 2016, 7:48:54 PM
to AJAX-chat
You visited the chat and haven't spoken a word, nor did you bother to attempt to change your name indicating who you were or that you came from google groups, nor stated any kind of reason for visiting.

Plenty of people from here came to my chat for information or whatever and if I'm present, I always respond. No one gets ignored. You're just reaching in your feelings for no reason at all.

Also I have a forum, you had the option of leaving a post there as well.

Your reasoning and excuses are not valid, but if that's how you feel, then so be it. I'm not losing sleep over this at all.

Best of luck.

Negative Edge

Feb 28, 2016, 7:52:36 PM
to AJAX-chat

Back to my progress, BG Videos support fixed with a full screen option.


Bobby Russ

Feb 28, 2016, 7:52:56 PM
to ClubSyNXTremeTV, AJAX-chat

The fact that you claim I haven't spoken a word in chat is a sign of ignorance on your part.  This isn't the first time that myself and others have had trouble communicating with you, but whatever... Fine, I'm done trying to communicate with you.  Best of luck to you.

--

Minako Aino

Feb 28, 2016, 9:12:55 PM
to AJAX-chat, s...@clubsyn-x-treme.net
Cuz chat logs lie right?

Take a break and calm down, you've obviously made your point that w/e it is that you need to discuss is non chat related and on a personal level so we'll respect that.

Negative Edge

Feb 28, 2016, 9:16:12 PM
to AJAX-chat
all of this over a bad email.


lol.

But w/e, life goes on...

Negative Edge

Feb 28, 2016, 9:20:53 PM
to AJAX-chat
On top of that, apparently I'm active and communicating, which means you had another opportunity to talk to me about whatever it is you wanted to speak to me about, here and in the chat, besides this back n forth thing over a silly email error...

Bobby Russ

Feb 28, 2016, 9:27:50 PM
to ClubSyNXTremeTV, AJAX-chat

You are funny if you think this all over a bad email.  But I thought we agreed to move on... One final thought.  I was simply trying to help you.  I didn't expect you and your friend there to take it so poorly dishing out insults instead of trying to have a discussion.  While you may feel it's good to be so dismissive when you are the leader of a project, it tends to be poor form.  I have given up on trying to talk to you.  I wish you the best and won't waste either of our time further.


Negative Edge

Feb 28, 2016, 9:48:10 PM
to AJAX-chat
Good bye Bobby. Thanks for all of the cancer in my topic.

I'll keep my updates and such at my site. You won't have to worry about me being here anymore.