Don't tell me they're gonna be mandatory here too.
Posted October 14th
by I killed Mufasa
I guess I need a separate checklist for this, not notes.
!!=green Login sessions Framework
* Login sessions are based on cookies, so they're unique to the computer.
* There should be an IP-based login -- this will automatically create cookie-based sessions every time you visit the site from that IP address.
* There should also be an "ip-transfer" login -- this one is an IP login that turns into a cookie-based login. Should be useful for temporary remote logins, like the smuggle feature.
* There should be a "ghost" id in there -- this makes way more sense than having an additional login session, with all the nightmares that go along with it. The login handler will check the ghost id before it checks the user id.
!!=green Security beefing
* The session handler should have a "strict" mode where both your IP address and login token have to match. This shouldn't affect posting, saving drafts, etc., but should apply to anything that requires permissions. It therefore makes sense to run it through the masks class. I don't like the general concept of session expiration, so this is a good compromise.
* Strict mode should also be generalized so I can hook into the site as a whole during lockdown mode.
* Logins should lock you out if you can't guess the right password the correct number of times. I guess 15-min lockouts for every 3 attempts. I have *something* like this in place but it isn't a full system at the moment.
* Logging out should log out everything assigned to your cookie, IP or user id. I think this is how it works currently but I need to make sure.
Posted October 15th
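A sketch of the strict-mode check, the 15-minute lockout per 3 failed attempts and the logout sweep from the checklist above, as an added example that is not the site's own code. `SessionStore`, its method names, the in-memory dicts and the `password_ok` flag standing in for real password verification are all assumptions.

```python
import hashlib
import secrets

LOCKOUT_SECONDS = 15 * 60    # "15-min lockouts"
ATTEMPTS_PER_LOCKOUT = 3     # one lockout for every 3 failed attempts

class SessionStore:
    """Hypothetical in-memory store; a real site would persist both tables."""

    def __init__(self):
        self.sessions = {}   # sha256(token) -> (user_id, IP seen at login)
        self.failures = {}   # user_id -> (failed count, locked-until time)

    @staticmethod
    def _key(token):
        # Store only a hash so a leaked table does not leak usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user_id, password_ok, ip, now):
        count, locked_until = self.failures.get(user_id, (0, 0.0))
        if now < locked_until:
            return None      # locked out: refuse even a correct password
        if not password_ok:
            count += 1
            if count % ATTEMPTS_PER_LOCKOUT == 0:
                locked_until = now + LOCKOUT_SECONDS
            self.failures[user_id] = (count, locked_until)
            return None
        self.failures.pop(user_id, None)
        token = secrets.token_urlsafe(32)   # value for the session cookie
        self.sessions[self._key(token)] = (user_id, ip)
        return token

    def check(self, token, ip, strict):
        """Return the user id if the request is allowed, else None."""
        entry = self.sessions.get(self._key(token or ""))
        if entry is None:
            return None
        user_id, login_ip = entry
        if strict and ip != login_ip:
            return None      # token is valid, but strict mode also needs the IP
        return user_id

    def logout(self, token):
        """Drop every session sharing this cookie's user id or login IP."""
        entry = self.sessions.get(self._key(token or ""))
        if entry is None:
            return 0
        doomed = [k for k, v in self.sessions.items()
                  if v[0] == entry[0] or v[1] == entry[1]]
        for k in doomed:
            del self.sessions[k]
        return len(doomed)
```

Callers pass `strict=True` for anything that requires permissions and `strict=False` for posting or saving drafts, so a changed IP blocks privileged actions without ending the session.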