Post subject: Help test authentication technique 2
Emulator Coder
Joined: 3/9/2004
Posts: 4588
Location: In his lab studying psychology to find new ways to torture TASers and forumers
Hi guys, I'm building some new web authentication strategy, and I'd appreciate if you can help by posting results with different web browsers. This is an improvement over my previous test. Visit: http://www.nachsoftware.com/verymessyauth/ and report what is posted for each of the six tests. If you have access to a cell phone, tablet, set top box, video game console, please post results with those too. Thank you! Some preliminary results: Firefox 10: 6/6 Success Chrome 36: 6/6 Success QupZilla/1.6.1 Safari/534.34: 6/6 Success Internet Explorer 8: 6/6 Success Chromium 34: First Party Session: Success First Party Long Term: Success First HTTP Authentication:Success Third Party Session: Failure Third Party Long Term: Failure Third HTTP Authentication: Success Opera 12.16 First Party Session: Success First Party Long Term: Success First HTTP Authentication: Failure Third Party Session: Success Third Party Long Term: Success Third HTTP Authentication: Failure Konqueror 3.5.10: First Party Session: Success First Party Long Term: Success First HTTP Authentication: Third Party Session: Success Third Party Long Term: Success Third HTTP Authentication:
Warning: Opinions expressed by Nach or others in this post do not necessarily reflect the views, opinions, or position of Nach himself on the matter(s) being discussed therein.
Emulator Coder
Joined: 3/9/2004
Posts: 4588
Location: In his lab studying psychology to find new ways to torture TASers and forumers
Konqueror 4.8: First Party Session: Success First Party Long Term: Success First HTTP Authentication: Third Party Session: Failure Third Party Long Term: Failure Third HTTP Authentication: Chromium 26: 6/6 Success. Internet Explorer 9: 6/6 Success. Internet Explorer 11: 6/6 Success. Firefox 28: 6/6 Success.
Warning: Opinions expressed by Nach or others in this post do not necessarily reflect the views, opinions, or position of Nach himself on the matter(s) being discussed therein.
Player (80)
Joined: 8/5/2007
Posts: 865
Waterfox 28: 6/6 success.
Joined: 4/25/2014
Posts: 1
Firefox + NoScript + RequestPolicy + 3rd party cookie blocking First Party Session: Success First Party Long Term: Success First HTTP Authentication: JavaScript Disabled Enabled requests from .org (RequestPolicy) Third Party Session: Failure Third Party Long Term: Failure Third HTTP Authentication: Success Enabled JS (NoScript) First HTTP Authentication: Success
Fog
Emulator Coder, Experienced player (641)
Joined: 4/5/2014
Posts: 459
Browser: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36 First Party Session: Success First Party Long Term: Success First HTTP Authentication: Success Third Party Session: Success Third Party Long Term: Success Third HTTP Authentication: Success
Lex
Joined: 6/25/2007
Posts: 732
Location: Vancouver, British Columbia, Canada
Cooljay
He/Him
Active player (396)
Joined: 5/1/2012
Posts: 468
Location: Canada
I get success on everything but the 3rd http authentication on the Xbox 360 internet browser
Tub
Joined: 6/25/2005
Posts: 1377
Browser: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0. Setting "Accept third party cookies" set to "never", for privacy reasons. Third Party Session and Third Party Long Term: Failure Note that many browsers are trying to restrict third party cookies by default, using "smart" solutions like accepting third party cookies only from sites you've visited before. IIRC Safari already does that and firefox is working on it. No, I haven't found a way to do reliable authentication inside a third-party iframe yet.
m00
Banned User
Joined: 3/10/2004
Posts: 7698
Location: Finland
Browser: Mozilla/5.0 (iPad; CPU OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D167 Safari/9537.53 First Party Session: Success First Party Long Term: Success First HTTP Authentication: Success Third Party Session: Failure Third Party Long Term: Failure Third HTTP Authentication: Success
Player (160)
Joined: 11/25/2006
Posts: 22
Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14 First Party Session: Success First Party Long Term: Success First HTTP Authentication: Success Third Party Session: Failure Third Party Long Term: Failure Third HTTP Authentication: Success
Emulator Coder
Joined: 3/9/2004
Posts: 4588
Location: In his lab studying psychology to find new ways to torture TASers and forumers
Tub wrote:
Note that many browsers are trying to restrict third party cookies by default, using "smart" solutions like accepting third party cookies only from sites you've visited before. IIRC Safari already does that and firefox is working on it.
The past two posts suggest you're correct.
Tub wrote:
No, I haven't found a way to do reliable authentication inside a third-party iframe yet.
You only need one method to work to achieve authentication. If the system supports multiple and can switch between them, it should work.
Warning: Opinions expressed by Nach or others in this post do not necessarily reflect the views, opinions, or position of Nach himself on the matter(s) being discussed therein.
adelikat
He/Him
Emulator Coder, Site Developer, Site Owner, Expert player (3573)
Joined: 11/3/2004
Posts: 4754
Location: Tennessee
Iphone 5 (OS 7_1), Safari 9537.53 First Party ession: Success First Party Long Term: Success First Http Authentication: Success Third Party Session: Failure Third Party Long Term: Failure Third Http Authentication: Success
It's hard to look this good. My TAS projects
Spikestuff
They/Them
Editor, Publisher, Expert player (2642)
Joined: 10/12/2011
Posts: 6438
Location: The land down under.
iPhone 4: Browser: Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53 All Worked Android A500 (acer). Browser: Mozilla/5.0 (Linux;U;Android 4.0.3;en-us;A500 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Failures 2 401's at First and Third Authertication. Prior to failure a message pops up "Sign in to nach.nachsoftware.org:80 "Press Cancel"" They both say this (Til a certain line):
HTTP Status: 401 Unauthorized
----------
Date: Fri, 25 Apr 2014 13:11:03 GMT
Content-Encoding: gzip
WWW-Authenticate: Basic realm="Press Cancel"
Connection: Keep-Alive
Content-Length:34
Server: Apacje/2.2.22 (Debain)
Vary: Accept-Encoding
Content-Type: text/html
First Authentication:
Keep Alive: timeout=5, max=48
----------
HTTP 401
----------
Third Authentication:
Keep Alive: timeout=5, max=50
----------
HTTP 401
----------
iTouch (Gen 1): Browser: Mozilla/5.0 (iPod; CPU iPhone OS 3_1_3 like Mac OS X;en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7E18 Safari/528.16 2 Failures (Third Party Session & Third Party Long Term) 2 Blanks (HTTP Authentication) Note: it says iPhone but it is an iTouch. This was the final update for gen 1 iTouch. Sony Playstation Portable (PSP) 6.60, Model 3002: Browser: Mozilla/4.0 (PSP (PlayStation Portable); 2.00) 2 Failures (Third Party Session & Third Party Long Term) 2 Blanks (HTTP Authentication) (gen 1 does same, not hacked does same) Sony Playstation 3 (PS3) 4.55 (Gen 2 Model/Gen 3 System): Browser: Mozilla/5.0 (PLAYSTATION 3 4.55) AppleWebKit/531.22.8 (KHTML, like Gecko) Similar to the Acer Tablet is came up with a thing telling me to Cancel First and Third HTTP Auth.
HTTP Status: 0
----------
----------

----------
12th April 2015 Edit: Samsung Galaxy Tab S Chrome Browser: Mozilla/5.0 (Linux; Android 4.4.2; SM-T705Y Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Safari/537.36 All Worked Android Internet Browser: Mozilla/5.0 (Linux; Android 4.4.2; en-au; SAMSUNG SM-T705Y Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36 All Worked
WebNations/Sabih wrote:
+fsvgm777 never censoring anything.
Disables Comments and Ratings for the YouTube account. Something better for yourself and also others.
Former player
Joined: 11/13/2005
Posts: 1587
Browser: Mozilla/5.0 (Linux; Android 4.4.2; HTC One Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36 Everything said "Success".
Emulator Coder
Joined: 3/9/2004
Posts: 4588
Location: In his lab studying psychology to find new ways to torture TASers and forumers
Interesting, other people are telling me Android Version/4.0 is getting some failures or even pop ups. Are there multiple browsers that match that description?
Warning: Opinions expressed by Nach or others in this post do not necessarily reflect the views, opinions, or position of Nach himself on the matter(s) being discussed therein.
ALAKTORN
He/Him
Former player
Joined: 10/19/2009
Posts: 2527
Location: Italy
Browser: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0.1 First Party Session: Success First Party Long Term: Success First HTTP Authentication: Success Third Party Session: Success Third Party Long Term: Success Third HTTP Authentication: Success Browser: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E) First Party Session: Success First Party Long Term: Success First HTTP Authentication: Success Third Party Session: Success Third Party Long Term: Success Third HTTP Authentication: Success
Tub
Joined: 6/25/2005
Posts: 1377
Android 2.3.6 on a samsung galaxy pocket, default browser: First Party Session: Success First Paty Long Term: Success First HTTP Auth: Failure the other three didn't even appear.
Nach wrote:
Tub wrote:
No, I haven't found a way to do reliable authentication inside a third-party iframe yet.
You only need one method to work to achieve authentication. If the system supports multiple and can switch between them, it should work.
Can you elaborate what you're trying to do? There's a different set of requirements for, say, user tracking vs. user authentication, for whether you control the first party site or not, and how frequent page reloads are in the first and third party pages. The difficult part is obviously to get the client to remember his credentials across page reloads when neither cookies nor local storage work, but depending on the circumstances there are indeed some workarounds. I don't see your scripts testing for page reloads though; especially the HTTP auth example seems contrived: when you're sending ajax requests and you already know the credentials, you may as well pass them as GET or POST parameters instead. If you find a way to reliably allow a third-party site to track their users across sessions in ALL circumstances, even when 3rd party cookies are disabled, that would be considered a bug by the browser vendors.
m00
Player (36)
Joined: 9/11/2004
Posts: 2630
Browser: Links (2.8; Linux 3.13.0-24-generic x86_64; GNU C 4.8.2; text) IFrame iframes unsupported Follow link to IFrame => First Party Session: Success First Party Long Term: Success First HTTP Authentication: JavaScript Disabled IFrame iframes unsupported Follow link to IFrame => Third Party Session: IFrame iframes unsupported Third Party Long Term: IFrame iframes unsupported Third HTTP Authentication: JavaScript Disabled Follow first link to IFrame => Success Follow second link to IFrame => Success
Build a man a fire, warm him for a day, Set a man on fire, warm him for the rest of his life.
Editor, Experienced player (570)
Joined: 11/8/2010
Posts: 4036
Android 4.2.2 Google Chrome: 6/6 Browser: Mozilla/5.0 (Linux; Android 4.2.2; SCH-I435 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36 ---- First Party Session: Success First Party Long Term: Success First HTTP Authentication: Success Third Party Session: Success Third Party Long Term: Success Third HTTP Authentication: Success Android 4.2.2 Mozilla Firefox: 6/6 Browser: Mozilla/5.0 (Android; Mobile; rv:28.0) Gecko/28.0 Firefox/28.0 ---- First Party Session: Success First Party Long Term: Success First HTTP Authentication: Success Third Party Session: Success Third Party Long Term: Success Third HTTP Authentication: Success Wii Internet Browser: 4/5? Browser: Opera/9.30 (Nintendo Wii; U; ; 3642; en) ---- First Party Session: Success First Party Long Term: Success First HTTP Authentication: Third Party Session: Success Third Party Long Term: Success
Experienced player (704)
Joined: 2/5/2012
Posts: 1797
Location: Brasil
Browser: Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0 First Party Session: Success First Party Long Term: Success First HTTP Authentication: Success Third Party Session: Success Third Party Long Term: Success Third HTTP Authentication: Success
I want all good TAS inside TASvideos, it's my motto. TAS i'm interested: Megaman series, specially the RPGs! Where is the mmbn1 all chips TAS we deserve? Where is the Command Mission TAS? i'm slowly moving away from TASing fighting games for speed, maybe it's time to start finding some entertainment value in TASing.
darkszero
He/Him
Joined: 7/12/2009
Posts: 181
Location: São Paulo, Brazil
Firefox 28 on Android 4.4: All Success
Emulator Coder, Skilled player (1113)
Joined: 5/1/2010
Posts: 1217
Tub wrote:
Can you elaborate what you're trying to do? There's a different set of requirements for, say, user tracking vs. user authentication, for whether you control the first party site or not, and how frequent page reloads are in the first and third party pages.
AFAIK, this is for user authentication, and there is little control of first party site (it frames/embeds the third party site).
Post subject: I disagree with Fabian
JXQ
Experienced player (761)
Joined: 5/6/2005
Posts: 3132
I am prompted for a login/password, which I left blank cuz I didn't see one listed to use.

Browser: Mozilla/5.0 (iPod; CPU iPhone OS 6_0_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) CriOS/33.0.1750.21 Mobile/10A523 Safari/8536.25



First Party Session:	Success
First Party Long Term:	Success
First HTTP Authentication:	
Failure

Edit: copy-paste isn't working for the third party section on iPod touch (iOS 6 I think). First two are successful, third is 401 unauthorized.
<Swordless> Go hug a tree, you vegetarian (I bet you really are one)
BigBoct
He/Him
Editor, Former player
Joined: 8/9/2007
Posts: 1692
Location: Tiffin/Republic, OH
Browser: Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0 First Party Session: Success First Party Long Term: Success First HTTP Authentication: Success Third Party Session: Success Third Party Long Term: Success Third HTTP Authentication: Success
Previous Name: boct1584