Ally « we were born to be fighters » (vanya_elda) wrote in lj_dev,
Ally « we were born to be fighters »

Release 86 and Cookie Handling

Release 86 is out and those who use certain browser extensions to log into Livejournal are finding themselves unable to do so. Also, several users are finding that they are logged out randomly between redirect screens on the site. I'm guessing that these are related. A staff member commented in the release 86 post that something was changed in the way cookies are handled and that's why the login extensions are no longer working.

I'm using LJ Login to handle my logging into and out of the site, but currently it's not working. I would like to fix this. The problem is that I have no idea what needs to be fixed because release 86 did not state what was changed in the cookie handling, which I'm assuming is the culprit. Does anyone know what was changed?

For reference: LJ Login currently uses the flat protocol for logging into and out of the site. I do not know if that matters, but I thought it might.

ETA: E-mail that sheds some light

I received this VERY helpful e-mail yesterday from the LJ Juggler developer in response to query about a solution since they were able to fix their browser extension.

Andrea Nall sent me:

I am not sure if you need this info, but I feel like I should pass anything I have along to a fellow person bitten by LJ's cookie change.

LJ now requires both 'ljmastersession' and 'ljloggedin' cookies ( ljsession is *not* required )

'ljmastersession' now has a slightly different format ( v2:u#####:s###:a#####:g########//1 )
'ljloggedin' is totally different ( instead of 'u####:s####', it is 'v2:u########:s#######:t#######:g########', where 'g' is a totally different 'g' from above, and the two cannot be used interchangeably ) { the code suggests you can use the old style, but it doesn't work in practice }

And of course, 'sessiongenerate' spits out only ljmastersession, and does not give us an ljloggedin.

The only way I have figured out to get valid cookies ( while still sending the password by challenge/response ) is by first doing a protocol request to 'getchallenge' then doing a POST request to http(s):// with the following "user=$username&chal=$chal&response=$resp" ( add "&remember_me=1" if you want one that persists ) and sucking the cookies out of the header of the response. ( you can just send "user=$un&password=$pw" to that, but bleh )

Basically, "ljmastersession" works the same way, but the old "ljloggedin" cookie, which you used to set using just the user's LJ ID and session number, now requires some sort of internal hashing/signing that isn't public. So there's no way to duplicate what their doing from outside. Which means you have to do the dance with /login.bml directly. Now, LJ Juggler is a Chrome extension, and thus written in Javascript, so it can't parse Cookie headers from the response (Javascript doesn't allow it for security reasons), so I had to find a work-around. But if the code you're working on is in any other language, you should be able to parse the Cookie header just fine. As long as you store the ljmastersession and ljloggedin cookies to send with future requests, you should be good to go!

If that doesn't make sense, or if you need more help, just let me know and I'll see what I can do!

So many kudos to Andrea for figuring it out, though.

You can e-mail the developer, Ana, at rushin.doll *at* gmail *dot* com if you have follow-up questions, which I encourage you to post here, too, since a lot of developers seem to be having issues.
Tags: *fixed, client, client: flat, client: ljlogin, client: sessions
  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded