January 24th, 2006

new cookies, security, manage logins....

So, the new cookie code is live. Details are at:


The code which implements it is entirely in the new LJ::Session module, at cgi-bin/LJ/Session.pm.

You now have a separate "www" cookie (your ljmastersession) and per-user cookies, which are per-domain and/or per-path for, say, communities and underscore users.

Also, you can now track your logins:


Eventually we'll do things like let you name IP addresses ("Work", "Home") and show in red things that are out of the ordinary, etc. Also emails on new logins that aren't in your whitelist.

Also, as of last week, you need a password to change your email address, and passwords can't be mailed in cleartext now... only a reset URL.

etc, etc.

David or I will be posting more later, and also as questions come up, we'll be watching these posts.

Update: Sorry, I deleted all comments that were regarding the underscore-in-username bug. That was fixed about in parallel with this post, and I didn't want this thread turning into a support request forum. I also accidentally deleted the thread about cookie /path/ restrictions. :-/

LazyWeb: Asterisk, SIP, IAX2....

Any Asterisk experts out there?

Our current Asterisk implementation is old and locked down, only peering with Voicepulse (and Gizmo a bit). It's not available for public incoming IAX2/SIP.

However.... we just put up another Asterisk box, but this one open to the public, happily secured up tight with Xen, and sitting outside LJ's network, so we're not worried if it gets owned by crappy codec or SIP code, etc.

Except we haven't configured it yet, and I haven't stolen David's Asterisk book to re-learn the cryptic configuration. Plus I've never done SIP config.

So, if you want public SIP/IAX2 access to LJ voicepost, please help!

Here's the bulk of our extensions.conf: This is where all incoming IAX2/SIP need to go to:

; short and simple
exten => s,1,Answer
exten => s,2,Wait(1)
exten => s,3,AGI(livejournal)
exten => s,4,Wait(1)
exten => s,5,Background(livejournal/goodbye)
exten => s,6,Hangup

Anybody want to give me everything else? :-) We'll even throw in a permanent account for you or a friend!

Especially lazy today,

cookie changes with export_comments.bml

I've written a LiveJournal backup program called ljdump that downloads your journal and comments into handy XML files on your local drive. It appears, however, that the recent login/cookie changes have broken ljdump's use of export_comments.bml.

I request an "ljsession" cookie by using the getchallenge/sessiongenerate functions in the flat interface. I get back an "ljsession" value which I save to use later as a cookie. This part still works.

When I call export_comments.bml, setting "Cookie: ljsession=", I get back an HTML page that says I'm not logged in and that I need to do so. This is the part that doesn't work today. It was working fine just a few days ago.

I can't see anything obvious that I'm missing here. I tried using both http://livejournal.com and http://www.livejournal.com, thinking that the subdomain might make a difference. I do note that export_comments.bml works fine in my browser, though the non-www request is redirected to a www.livejournal.com hostname.

Does anybody have any idea what else I might need to do here?