DGS quick status page accepts user ID and password as arguments
The release of the Dragon Go Server software version 1.0.15 thoroughly broke dgsmonX because DGS no longer accepts unauthenticated game checks via quick_status.php
. While working on a fix for this I happened to notice that quick_status.php
accepts user ID and password as arguments. A corresponding URL looks like this: http://www.dragongoserver.net/quick_status.php?version=2&userid=foo&passwd=secret
.
This is great news because it makes the fix much easier to implement, not the least because quick_status.php
, when invoked with user ID and password arguments, does not set nor evaluate any cookies. Why is that good? A bit of background information: On Mac OS X, the URL loading system of the Cocoa API shares its cookie storage with Safari. Now imagine that the user is logged in to DGS in Safari (i.e. Safari has stored a login cookie), while at the same time dgsmonX initiates a game state check and logs in as well. If dgsmonX were forced to use cookies, it would certainly overwrite Safari's login cookie, thus invalidating the user's login session.
At first I had thought that for logging in dgsmonX would have to go through login.php
, which would have meant - cookies! I had already started to code around this issue (stuff like temporarily stashing away an existing login cookie and restoring it after the dgsmonX game state check), but without much hope to get it to work reliably. Fortunately I can now scrap all this.
And what is the lesson learned? Not sure... maybe this: Stop coding when it starts to look complicated, think, then go look whether there is a simpler API.