ZtarrZound says

Good stuff.

xdkd says

https when? I can’t believe such an important site still does not have https.

revaxarts says

https when? I can’t believe such an important site still does not have https.

+1

EliIsakov says

Good to know :)

MSFX Volunteer moderator says

ah I was wondering why I was logged out :)

chrisakelley says

it was logging me out when I was switching between marketplaces (it's not anymore), just a heads up if anyone else was having the issue

Joost Volunteer moderator says

oo how do you track that? edit: ah. pulled apart _fd_sesion – hmm wonder if chrome syncs cookies between computers? * end random babbling *

Seems like an edge for cookie thieves :o Then again, I don’t really see the brute-force issue to begin with. As long as the server implements a delay of say 1 or 0.5 second per login attempt (which is hardly noticeable for a legitimate user), that would cause as much as a 7 character password to be quite infeasible to crack. Can anyone enlighten me? Or is it a parallel request attack that makes this feasible regardless of the millions of required requests? Or would that cause an effect similar to a DDoS and backfire on the attackers?


ah I was wondering why I was logged out :)

Same :P It’s for a good cause though :)

dtbaker Volunteer moderator says

Then again, I don’t really see the brute-force issue to begin with. As long as the server implements a delay of say 1 or 0.5 second per login attempt (which is hardly noticeable for a legitimate user)

when you get a bot farm set on cracking a password with brute force, a delay might not do much. you can still fire off multiple requests at once, just have to wait slightly longer for the response.

if there are 10,000 current password guesses getting fired at the server, then the server has to keep those 10,000 requests open while the delay runs. it wouldn’t really achieve anything with the delay other than putting more load on the server. your question actually fired me off for a half hour googling session about the different types of server limits when talking about concurrent connections, quite interesting stuff!

I have put delays on login failures in my little php scripts in the past. Not sure why, never really researched it. Don’t bother any more with it as we have recaptcha and the like :)


Or would that cause an effect similar to a DDoS and backfire on the attackers?

haha probably. set bot farm to crack password. oh noes the datacentre is now off the grid.
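
The trade-off discussed in the posts above, as an added example that is not part of the thread or the site's code: a per-request sleep scales with the number of parallel requests, while a per-account failure counter with a doubling lockout does not. `AccountThrottle`, its parameters and the account name are hypothetical, and the traffic is constructed.

```python
import math

def guesses_with_sleep_delay(window_s, delay_s, parallel):
    """Password checks completed in window_s when each login request sleeps
    delay_s and the client keeps `parallel` requests in flight. The server
    holds `parallel` connections open for the whole time."""
    return parallel * math.floor(window_s / delay_s)

class AccountThrottle:
    """Hypothetical per-account limiter: after `free_failures` failed logins,
    each further failure doubles a lockout window. State is a timestamp, so a
    rejected request returns at once instead of tying up a connection."""

    def __init__(self, free_failures=3, base_s=1.0, max_s=3600.0):
        self.free_failures, self.base_s, self.max_s = free_failures, base_s, max_s
        self.state = {}  # account -> (failure count, locked-until time)

    def allow(self, account, now):
        return now >= self.state.get(account, (0, 0.0))[1]

    def record_failure(self, account, now):
        failures = self.state.get(account, (0, 0.0))[0] + 1
        over = failures - self.free_failures
        wait = 0.0 if over < 0 else min(self.base_s * 2 ** over, self.max_s)
        self.state[account] = (failures, now + wait)

    def record_success(self, account):
        self.state.pop(account, None)

def guesses_with_throttle(window_s, parallel, account="alice"):
    """Simulate `parallel` simultaneous wrong guesses at one account every
    second (constructed traffic) and count how many reach the password check."""
    throttle, checked = AccountThrottle(), 0
    for t in range(int(window_s)):
        for _ in range(parallel):
            if not throttle.allow(account, float(t)):
                break  # account is locked: the rest of this burst is rejected too
            checked += 1
            throttle.record_failure(account, float(t))
    return checked

if __name__ == "__main__":
    hour = 3600
    print("1 s sleep, 10,000 parallel:", guesses_with_sleep_delay(hour, 1.0, 10_000))
    print("per-account throttle, 10,000 parallel:", guesses_with_throttle(hour, 10_000))
```

In a real server the check and the increment must be atomic across workers, and a per-account lockout lets a third party lock a legitimate user out, which is one reason sites escalate to a CAPTCHA instead of a hard lock.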

dtbaker Volunteer moderator says

@chendo while ur at it, is it hard to make the “Logout” button kill the users session on ALL marketplaces? not just the one they click logout on?

starbugsound says

Signing in is so much more comfortable now… Although it is reasonable that it makes things a little safer, it was sometimes really painful to enter all those captchas a thousand times a day ;-)
