Security

1. Introduction

Currently, PositLog has some security issues. Do not put top-secret information on PositLog. This page describes the current security status so that you can judge where the security issues lie and how serious they are.

2. Network Communication
  • Communication between the server and the browser is HTTP-based, not HTTPS-based.
  • User authentication sends the user ID and password in a cookie. The password is not encrypted. This will be fixed no later than version 0.65.

3. Cookie

PositLog saves cookies as follows:

One-month cookies
- prof_XXXXXXXXXXXXX: User profile, including the default sprite color and the display settings for author, link, date, and tag.
- colorprof_XXXXXXXXXXXXX: Color palette information
- public_author: Author name of the Public User
- public_password: Password of the Public User

One-month cookies (if the user allows)
- savedloginid: User ID
- savedloginpass: Password of the logged-in user

Temporary (deleted when the browser is closed)
- loginid: User ID
- loginpass: Password of the logged-in user
- viewposition: View position of the page

Temporary (saved after copying sprites, deleted after pasting them or closing the browser)
- clip: Content of copied sprites

4. Server

(1) User passwords on the server are hashed with crypt().
(2) Uploaded files can be accessed without authentication by requesting their URLs directly. This can be avoided by using fileuploader.cgi; mod_rewrite is required for this.

1. Set $datapath in PositLogConfig.pm to a path that is not accessible over HTTP.
2. Add the following rewrite rules to .htaccess (adjust the path to fileloader.cgi according to the server environment):

RewriteRule ^(.*)([0-9]{6}[a-zA-Z]{2})(/Image/.+)$ /fileloader.cgi?page=$2&path=$3 [L]
RewriteRule ^(.*)([0-9]{6}[a-zA-Z]{2})(/File/.+)$ /fileloader.cgi?page=$2&path=$3 [L]

3. Place fileloader.cgi in the same directory as positlog.cgi.
4. Set $filesecure to 1 in PositLogConfig.pm.

Note that file access through fileuploader.cgi is slower than direct access.
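As an added example (not part of this page or of the PositLog project), the following Python reproduces what the two rewrite rules in the Server section do to a request URL, so that their coverage can be checked: only paths that contain a page id of six digits plus two letters directly followed by /Image/ or /File/ are routed to fileloader.cgi, and any other upload path is still served directly. The second function shows the confinement check that a loader serving files from $datapath needs; the $datapath/<page>/<path> layout is an assumption of this example, not PositLog's documented layout.

```python
import re
from pathlib import Path

# The two RewriteRule patterns from the .htaccess snippet, as Python regexes.
# mod_rewrite's [L] flag stops at the first matching rule, so order matters.
REWRITE_RULES = [
    re.compile(r"^(.*)([0-9]{6}[a-zA-Z]{2})(/Image/.+)$"),
    re.compile(r"^(.*)([0-9]{6}[a-zA-Z]{2})(/File/.+)$"),
]
TARGET = "/fileloader.cgi?page={page}&path={path}"


def rewrite(request_path):
    """Return the internal target for request_path, or None when neither
    rule matches (the file would then be served directly, i.e. without
    going through the loader's authentication)."""
    for rule in REWRITE_RULES:
        m = rule.match(request_path)
        if m:
            return TARGET.format(page=m.group(2), path=m.group(3))
    return None


def resolve_under_datapath(datapath, page, path):
    """Map (page, path) to a file below datapath/<page> and refuse anything
    that normalises to a location outside that page directory.
    Assumed layout for this example: $datapath/<page>/<path>."""
    page_dir = (Path(datapath) / page).resolve()
    candidate = (page_dir / path.lstrip("/")).resolve()
    if page_dir not in candidate.parents:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request paths for a PositLog installed under /positlog/.
    for url in ("/positlog/123456ab/Image/photo.png",
                "/positlog/123456ab/File/notes.pdf",
                "/positlog/123456ab/Other/readme.txt",
                "/positlog/12345ab/Image/photo.png"):
        print(f"{url:40} -> {rewrite(url)}")
    # Constructed $datapath; the second call normalises outside the page directory.
    print(resolve_under_datapath("/srv/positlog_data", "123456ab", "/Image/photo.png"))
    print(resolve_under_datapath("/srv/positlog_data", "123456ab", "/Image/../../../outside.txt"))
```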