open All Channels
seplocked EVE Technology Lab
blankseplocked Requesting Trust from IGB
 
This thread is older than 90 days and has been locked due to inactivity.


 
Author Topic

bulletdrive
Posted - 2011.02.14 20:36:00 - [1]
 

Hi, i am trying to send the trust request to the user using headers but cant see to do it.

Any reason this is not working?

if ($_SERVER['HTTP_EVE_TRUSTED'] == "No")
{
header('eve.trustMe:http://domain.com/::please allow access.');
}

i get no errors or anything. and i know HTTP_EVE_TRUSTED is "No"

Catari Taga
Centre Of Attention
Middle of Nowhere
Posted - 2011.02.14 21:22:00 - [2]
 

Originally by: bulletdrive
Any reason this is not working?

yes, you didn't read the documentation

PsyKzz
Posted - 2011.02.14 22:05:00 - [3]
 

<body onload="CCPEVE.requestTrust('http://www.mywebsite.com')">

</body>

Easiest way, unless you want to have situations where access is allowed with no trust?

bastilaa
Posted - 2011.02.14 23:02:00 - [4]
 

Edited by: bastilaa on 14/02/2011 23:02:54
Originally by: Catari Taga
Originally by: bulletdrive
Any reason this is not working?

yes, you didn't read the documentation


helpfull reply indeed.

bastilaa
Posted - 2011.02.14 23:05:00 - [5]
 

i didnt find any documentation for this part, all i read was other users experiences.

is this only doable via javascript now?

Johnathan Roark
Caldari
The Graduates
Morsus Mihi
Posted - 2011.02.15 01:01:00 - [6]
 

Originally by: bastilaa
i didnt find any documentation for this part, all i read was other users experiences.

is this only doable via javascript now?


Documentation

Yes, they removed the other methods when the switched to the new browser.

Nikolai Kondratiev
Sphere Design Inc.
Posted - 2011.02.15 01:17:00 - [7]
 

Where did you find the outdated info ? It seems that every now and then someone finds that old documentation and comes here after trying hard to make it work Embarassed So it might be worth emaling the owner, if he's still alive, to get it deleted/updated.

Catari Taga
Centre Of Attention
Middle of Nowhere
Posted - 2011.02.15 02:32:00 - [8]
 

Originally by: PsyKzz
<body onload="CCPEVE.requestTrust('http://www.mywebsite.com')">

</body>

Easiest way, unless you want to have situations where access is allowed with no trust?

Just in case: That code does in no way disallow access to clients which do not trust you, you would have to prevent that server-side. Also you do not need an intrinsic event on the body tag to request trust, invoking the method anywhere on your page works just as well, e.g. add this anywhere:
<script type="text/javascript">CCPEVE.requestTrust('http://www.mywebsite.com')</script>

Johnathan Roark
Caldari
The Graduates
Morsus Mihi
Posted - 2011.02.15 05:23:00 - [9]
 

I really hope your not even considering using the IGB headers as some sort of authentication system, if so, linky and I'll make it think I'm you.

Nikolai Kondratiev
Sphere Design Inc.
Posted - 2011.02.15 14:30:00 - [10]
 

All he seemed to be trying was to send trust request to people that didn't trust the website. But yeah, you shouldn't be relying on the HTTP headers for more than displaying an error message telling people to trust the website or use the character/corporation/solar system headers to fill some forms for the user.

bulletdrive
Posted - 2011.02.15 14:31:00 - [11]
 

Edited by: bulletdrive on 15/02/2011 14:34:37
Originally by: Johnathan Roark
I really hope your not even considering using the IGB headers as some sort of authentication system, if so, linky and I'll make it think I'm you.


humm i am using:

$_SERVER['HTTP_EVE_CHARID'];
$_SERVER['HTTP_EVE_CHARNAME'];

to authenticate you on the site, can this be cheated, is there a more secure way?

ho and this is where i got the info about getting trust via headers.
http://eve.grismar.net/wikka.php?wakka=TrustInformation

Zhou Wuwang
Federal Laboratories
Posted - 2011.02.15 14:38:00 - [12]
 

Originally by: bulletdrive
Edited by: bulletdrive on 15/02/2011 14:34:37
Originally by: Johnathan Roark
I really hope your not even considering using the IGB headers as some sort of authentication system, if so, linky and I'll make it think I'm you.


humm i am using:

$_SERVER['HTTP_EVE_CHARID'];
$_SERVER['HTTP_EVE_CHARNAME'];

to authenticate you on the site, can this be cheated, is there a more secure way?

ho and this is where i got the info about getting trust via headers.
http://eve.grismar.net/wikka.php?wakka=TrustInformation



Yes, you can get trust, but no it should not be treated as gospel for authentication. Headers are very easily manipulated. Look at "Modify Headers" add-on for Firefox for a very simple example.

Catari Taga
Centre Of Attention
Middle of Nowhere
Posted - 2011.02.15 14:40:00 - [13]
 

Edited by: Catari Taga on 15/02/2011 14:40:32
Originally by: bulletdrive
humm i am using:

$_SERVER['HTTP_EVE_CHARID'];
$_SERVER['HTTP_EVE_CHARNAME'];

to authenticate you on the site, can this be cheated, is there a more secure way?

I sure hope you are trolling him? Shocked

PS: just in case: IGB trust is about the client trusting you, not you trusting the client

bulletdrive
Posted - 2011.02.15 14:50:00 - [14]
 

Edited by: bulletdrive on 15/02/2011 14:50:39
i am not allowing the page getting rendered to browsers that are not the IGB, so only the IGB can be used and i guess you cant change the headers there...

could you be so kind to point me to the best way to authenticate someone using the IGB without asking them for a password/email etc?


i am guessing the same is done here: http://biglottery.big-eve.com/LotteryReceipt.aspx and thats what i was doing.

Catari Taga
Centre Of Attention
Middle of Nowhere
Posted - 2011.02.15 14:52:00 - [15]
 

Originally by: bulletdrive
Edited by: bulletdrive on 15/02/2011 14:49:55
i am not allowing the page getting rendered to browsers that are not the IGB, so only the IGB can be used and i guess you cant change the headers there...

Well just link your page publicly then and everyone here will show you how it takes them all of 5 seconds to log in to your site...

Quote:
could you be so kind to point me to the best way to authenticate someone using the IGB without asking them for a password/email etc?

An IGB specific authentication mechanism does not exist. Username/password is where it's at.

Zhou Wuwang
Federal Laboratories
Posted - 2011.02.15 14:55:00 - [16]
 

Edited by: Zhou Wuwang on 15/02/2011 15:13:09
Edited by: Zhou Wuwang on 15/02/2011 15:12:50
Originally by: bulletdrive

i am not allowing the page getting rendered to browsers that are not the IGB, so only the IGB can be used and i guess you cant change the headers there...

could you be so kind to point me to the best way to authenticate someone using the IGB without asking them for a password/email etc?



You can use such a check to encourage people to use the IGB when they visit your site, but it absolutely can be easily spoofed. Emulating the IGB from a normal browser is child's play.

Like taking your shoes and belt off at the airport, it's just eye wash for the masses (i.e. actions intended to conceal the facts of a situation).




bulletdrive
Posted - 2011.02.15 14:57:00 - [17]
 

so i am guessing anyone can see other peoples receipts at http://biglottery.big-eve.com/LotteryReceipt.aspx if they wanted to?

Zhou Wuwang
Federal Laboratories
Posted - 2011.02.15 15:13:00 - [18]
 

Originally by: bulletdrive
so i am guessing anyone can see other peoples receipts at http://biglottery.big-eve.com/LotteryReceipt.aspx if they wanted to?


biglottery doesn't really care about identity in terms of a user viewing the presentation on the website. The "security" behind biglottery identity information is based on the user's isk deposit in their transaction logs (when you send your ISK to "BIG Games"). If you spoof someone's identity at biglottery's site you're not getting access to change anything. You're just viewing the users activity via receipts. The IGB/trust protocol is a simply a way to query the transaction records without asking the user to enter their identity details manually.

bulletdrive
Posted - 2011.02.15 15:30:00 - [19]
 

ok thanks all. Back to the session methods :/

damn it i wanted to create a hassle free authentication method, ho well.

PsyKzz
Posted - 2011.02.16 16:43:00 - [20]
 

The only useful thing the IGB helps with is giving a little extra information about the client at that time.



 

This thread is older than 90 days and has been locked due to inactivity.


 


The new forums are live

Please adjust your bookmarks to https://forums.eveonline.com

These forums are archived and read-only