Printer Friendly Error

Knightfall

World of Kulan DM
Hi all,

Someone on the Gleemax forums pointed out a bug in the login procedure for D&D Insider. If you visit WotC's website, don't login, and open up a Dungeon or Dragon article, you can still read the article by scrolling down and clicking the "printer friendly" icon for the article.

I tried it and the article showed up even though I wasn't logged in.

Oops! :uhoh:

Someone at WotC missed that one.
 



I also notice another little concern that WotC needs to address. If someone is logged in to D&D Insider, sees a new article, and posts a link to the article here on EN World, then anyone can view the article simply by clicking the link without having to log in. (WotC could simply insist that its D&D Insider clients not post links to articles on other websites, but I doubt they could convince everyone or even enforce it.)

So basically the person who provides the link is giving access to his/her D&D Insider account, which allows anyone who clicks it to login as him/her.

Here's what I mean -- for this to work, make sure you're NOT logged in to D&D Insider...

For example, if you click on the first link below, then you'll end up looking at the latest article for Confessions of a Full-Time Wizard without being logged in, and you won't be able to view the article. (Use this link to check out the Printer Friendly error, as well.)

Confessions... (unauthenticated)
http://www.wizards.com/default.asp?x=dnd/drcw/20080215a

Now, close the window and click on this authenticated link.

Confessions... (authenticated)
http://www.wizards.com/default.asp?x=dnd/drcw/20080215a&authentic=true

You will find that you are logged in and can view the article even though you never logged in using your e-mail and password. That's because you are using MY e-mail and password to view the article. Also, if you re-click on the first link (after closing the second link) you will notice that you stay logged in. (Whoops.) :eek:

The best way to resolve this issue is for D&D Insider users to make sure that when they provide a link that they aren't logged in at the time. Still, it is an issue that WotC will have to resolve before people start paying for their D&D Insider accounts.

Just FYI...
 

They're definitely aware of these things. In fact, I think I've seen WOTC staffers suggesting people use the "authenticate=true" thing when they have issues logging in. Whatever system they're using now is definitely not what they intend for when they're actually charging. (And honestly, I don't know how they think they're gonna avoid people just copy-pasting to forums. Even if ENWorld mods won't let that fly, there are PLENTY of places on the Internet that won't care.)
 

As a web application architect, I'm appalled at how they are handling web app security (authorisation specifically). It looks like all you have to do is add a request parameter to the end of the DDI URL (&authentic=true) and the DDI application regards you as logged in!

I can only hope that this is some sort of stop-gap authorisation solution and that the final product will have something more robust. If not, someone at DDI call me so I can give you a proper method of authorising access to your web app's web resources.
 

I don't think it's YOUR login data there... it's just that their authentication system is completely insecure. Just adding '&authentic=true' to any link makes you a 'D&D Insider'. ;)

Once you hit such a link, you get a cookie 'dndlogintemp=yes', which is why you 'stay logged in'. When you log out, the cookie is set to 'dndlogintemp=no'.

I suppose, when you log in to the site using your actual DDI login, it changes the links to the '&authentic=true' type, so you can navigate the site without obstruction.

The mechanics they used to implement this kind of 'members only' security seem rather sloppy. I can only hope (for them), that it is just a temporary installation. :p

Bye
Thanee
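To make concrete what Ulorian and Thanee describe above (a query parameter and a plain cookie standing in for an authorization decision), here is an added example, not code from WotC, from the site, or from anyone in this thread. The parameter name `authentic` and the cookie name `dndlogintemp` are the ones quoted in the thread; everything else (the `Request` class, the cookie name `ddi_session`, the helper names, the account data, and the use of SHA-256 as a stand-in for a real password hash) is an assumption made up for the demo. It shows the flawed check side by side with a server-issued, HMAC-signed session that cannot be minted by editing a URL.

```python
"""Added example: client-controlled 'authentic=true' / 'dndlogintemp=yes'
versus a server-side session. Not the site's code; names other than the two
quoted in the thread are hypothetical."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    url: str
    cookies: dict = field(default_factory=dict)

    @property
    def params(self) -> dict:
        # parse_qs yields lists; keep the first value of each parameter
        return {k: v[0] for k, v in parse_qs(urlsplit(self.url).query).items()}


# --- The pattern the thread describes: the client asserts its own membership ---
def is_member_insecure(req: Request) -> bool:
    """Trusts a URL parameter and a plain cookie; both are set by the client."""
    return (req.params.get("authentic") == "true"
            or req.cookies.get("dndlogintemp") == "yes")


# --- Hardened version: the server decides, the client only carries an opaque token ---
SERVER_KEY = secrets.token_bytes(32)   # never leaves the server
SESSION_COOKIE = "ddi_session"         # hypothetical cookie name
_sessions: dict = {}                   # session id -> account, held server-side

# Constructed account store; SHA-256 stands in for a slow password hash here.
CREDENTIALS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def _sign(session_id: str) -> str:
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def login(account: str, password: str) -> Optional[str]:
    """Check credentials; on success mint 'sid.signature' for the session cookie."""
    expected = CREDENTIALS.get(account)
    given = hashlib.sha256(password.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(expected, given):
        return None
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = account
    return f"{sid}.{_sign(sid)}"


def is_member_secure(req: Request) -> bool:
    """URL parameters are ignored; only a validly signed, live session counts."""
    token = req.cookies.get(SESSION_COOKIE, "")
    sid, sep, sig = token.rpartition(".")
    if not sep or not hmac.compare_digest(sig, _sign(sid)):
        return False
    return sid in _sessions


def logout(req: Request) -> None:
    """Invalidate server-side, rather than flipping a cookie to 'no'."""
    sid = req.cookies.get(SESSION_COOKIE, "").rpartition(".")[0]
    _sessions.pop(sid, None)


if __name__ == "__main__":
    article = "http://www.wizards.com/default.asp?x=dnd/drcw/20080215a"
    print("insecure, plain link:   ", is_member_insecure(Request(article)))
    print("insecure, &authentic:   ", is_member_insecure(Request(article + "&authentic=true")))
    print("secure,   &authentic:   ", is_member_secure(Request(article + "&authentic=true")))
    tok = login("alice", "correct horse")
    print("secure,   real session: ", is_member_secure(Request(article, {SESSION_COOKIE: tok})))
```

The essential difference is where the decision lives: in the insecure version the browser tells the server it is a member and the server believes it, so a pasted link carries the "login" with it; in the hardened version the link carries nothing, and the cookie is useless without the server's key and its session table.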
 

ZombieRoboNinja said:
They're definitely aware of these things. In fact, I think I've seen WOTC staffers suggesting people use the "authenticate=true" thing when they have issues logging in. Whatever system they're using now is definitely not what they intend for when they're actually charging. (And honestly, I don't know how they think they're gonna avoid people just copy-pasting to forums. Even if ENWorld mods won't let that fly, there are PLENTY of places on the Internet that won't care.)
Well, I HOPE that this won't be the case when WotC is charging for D&D Insider, but I have my doubts as to how secure D&D Insider is going to be. (Personally, I'm not going to sign up for D&D Insider when it becomes time to switch over to paying for it.)

And I'm not sure if they're aware of the Printer Friendly error. That's one that has just come up recently, from what I read on Gleemax. (I did only skim the posts, so I can't say for certain.)
 

Ulorian said:
As a web application architect, I'm appalled at how they are handling web app security (authorisation specifically). It looks like all you have to do is add a request parameter to the end of the DDI URL (&authentic=true) and the DDI application regards you as logged in!

I can only hope that this is some sort of stop-gap authorisation solution and that the final product will have something more robust. If not, someone at DDI call me so I can give you a proper method of authorising access to your web app's web resources.
QFT.

I have some knowledge of programming and it seems like pretty "weak and poor" programming. And I tried the (&authentic=true) addition that you pointed out and it worked. It went from not logged in to logged in just like that. (Horrible!)

Thanee said:
I don't think it's YOUR login data there... it's just that their authentication system is completely insecure. Just adding '&authentic=true' to any link makes you a 'D&D Insider'. ;)
That's probably true but it's still a piss-poor design, IMO. I guess we'll have to wait and see.
 

I noticed this also. Since it's glaringly obvious to someone with technical knowledge (or the time to read the link displayed in his browser), I assume that it's just a temporary thing. They use this as long as the DDI doesn't cost anything and is in its Beta-phase. It's the website equivalent of a cheat code, except that this code will probably be disabled in the retail version.

Though there is a caveat - I am not sure if it's wise to not test the authentication security of the website at this time, while failures can't harm anything. And I am not sure if the "Printer Friendly"-version thing should work at all!
 

I'm concerned about the lack of content on D&D Insider... why do we care about the authentication process? That's WotC problem, not ours. ;)
 
