No matches on LVS
Feb. 14th, 2003 12:42 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
ciphergothAnyone get a match on the LiveJournal Valentines System? I didn't get a match from any of my five nominations, but that's not unexpected, I chose only people who I wouldn't feel comfortable just sending an email saying "hey, I fancy you, fancy a shag" and that's pretty rare. I don't know if any of the people I nominated even took part...
I got three nominations from people I didn't name. Thanks to those people! I'm guessing at least some of you are people who already know very well I have the hots for you :-)
I'm interested in helping![[livejournal.com profile]](https://www.dreamwidth.org/img/external/lj-userinfo.gif)
skx redesign the system for next year. One issue that's come up is authentication. At the moment you can't take part unless you have an un-munged email address in your profile; the authentication token is mailed to that address. This limits the system somewhat.
I thought of an alternative, but it might have evil consequences. When you sign up, the system gives you a token (eg "951m2oGBiqW") which you must include in a public journal entry. It checks for that token in the journal entry, and accepts that the person to whom it gave the token is the legitimate holder of the account if they find it. This is the potentially evil bit: you then offer the choice of just pasting the token in, or copying-and-pasting some HTML including the token, and an image which links to the LVS saying effectively "sign up, I have!".
Does that sound bad and wrong?
Note that the cookie itself won't be visible in your journal no matter which option you choose - it'll be inside an HTML comment, so it'll only show up in the nohtml view of the journal.
Update: this isn't secure. Supposing the system becomes widely used, and I want to pretend to be you to Steve. I set up my own site and encourage you to sign on; the token I give you is the one you need to paste into your journal to convince Steve that I'm you...
One fix would be to include a sitename in the token, and make sure people know not to paste in tokens that they got from sites that aren't named in the token, but I suspect that there are many ways to persuade people to do it anyway, eg include it in a quiz result.
On to Plan B: persuade LJ to accept a patch that directly allows people to authenticate themselves as particular LJ users to third party websites.
I got three nominations from people I didn't name. Thanks to those people! I'm guessing at least some of you are people who already know very well I have the hots for you :-)
I'm interested in helping
skx redesign the system for next year. One issue that's come up is authentication. At the moment you can't take part unless you have an un-munged email address in your profile; the authentication token is mailed to that address. This limits the system somewhat.I thought of an alternative, but it might have evil consequences. When you sign up, the system gives you a token (eg "951m2oGBiqW") which you must include in a public journal entry. It checks for that token in the journal entry, and accepts that the person to whom it gave the token is the legitimate holder of the account if they find it. This is the potentially evil bit: you then offer the choice of just pasting the token in, or copying-and-pasting some HTML including the token, and an image which links to the LVS saying effectively "sign up, I have!".
Does that sound bad and wrong?
Note that the cookie itself won't be visible in your journal no matter which option you choose - it'll be inside an HTML comment, so it'll only show up in the nohtml view of the journal.
Update: this isn't secure. Supposing the system becomes widely used, and I want to pretend to be you to Steve. I set up my own site and encourage you to sign on; the token I give you is the one you need to paste into your journal to convince Steve that I'm you...
One fix would be to include a sitename in the token, and make sure people know not to paste in tokens that they got from sites that aren't named in the token, but I suspect that there are many ways to persuade people to do it anyway, eg include it in a quiz result.
On to Plan B: persuade LJ to accept a patch that directly allows people to authenticate themselves as particular LJ users to third party websites.
![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
no subject
Date: 2003-02-14 11:13 am (UTC)