🔒 Security / Authentication Update

Over the last few months, the tape holding together our aging authentication system has started to fall off, and the system is really showing its age. You've probably been redirected to the login screen while trying to do anything, not been able to get the wardrobe or forums to load, and sometimes felt that it’s completely broken.

So instead of adding more tape to the system, we're introducing a centralized authentication site that'll handle logging you in across Subeta. Clicking on any login or logout button from this site or new Subeta should redirect you to https://auth.subeta.net, where you can log in.

I want to talk through a few of the benefits directly, and we'll be discussing this more in the coming days. As part of this change, we will be removing PIN protection but will be offering 2FA (getting a code sent to your email or phone) as soon as possible.

Benefits

#1 Central source of truth

auth.subeta.net has one mission: account management. That's it! We're going to move registration there as soon as possible, with an avatar builder and pet creation, but its only job is account management.

You've probably noticed when clicking on a link to log in with Google that you're taken to a non-Google domain (sometimes YouTube) where you log in, and it redirects you. That is the centralized account management service doing the important work behind the scenes, then sending you to the website you're trying to use and saying "This user is all good, I've verified them!".

#2 2022 Encryption Method

The method used to encrypt Subeta passwords in our database is from PHP 5.7. We're now using PHP 8.1 on all of our servers. We have to include a special package in our PHP installation to have access to the 5.7 hashing methods.

We encrypt your cookie and decrypt it on the server, and the key is what tells the site that you're valid and not using some fake credentials.

This new management system uses modern hashing methods, which are impossible (as much as anything is impossible) to crack. And they give us the benefit of...

#3 User-based Keys

Each cookie (what we set in your browser to say who you are) is salted with a special key that is unique to your account. We're going to be able to provide a button that allows you to reset that special key, which will log you out on all devices. It's also hashed with your account password, meaning if you change your password everyone will be logged out of your account immediately.

Finally, it's hashed with a top-secret Subeta key that we will rotate on a secret basis.
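
An added sketch (not Subeta's code; the post does not publish its cookie format) of a session cookie that behaves the way benefits #2 and #3 describe: an HMAC keyed with the site secret over the per-user key and the stored password hash. The function names, the `id.kid.tag` cookie layout, and PBKDF2 as the password hash are all assumptions.

```python
import hashlib
import hmac
import secrets

# Hypothetical names throughout; Subeta's real cookie format is not published.
SITE_KEYS = {"k1": secrets.token_bytes(32)}  # site-wide secret, indexed by key id
CURRENT_KID = "k1"


def hash_password(password: str) -> str:
    """Salted PBKDF2 stand-in for whatever password hash the site stores."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt.hex() + "$" + digest.hex()


def new_user(uid: str, password: str) -> dict:
    # uid is assumed to be a numeric string (no "." or "|" characters).
    return {"id": uid, "session_key": secrets.token_bytes(32),
            "pw_hash": hash_password(password)}


def _tag(user: dict, kid: str) -> str:
    # The per-user key and stored password hash are both MAC inputs, so
    # changing either one invalidates every cookie issued for the account.
    msg = "|".join([user["id"], user["session_key"].hex(), user["pw_hash"]])
    return hmac.new(SITE_KEYS[kid], msg.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user: dict) -> str:
    return f"{user['id']}.{CURRENT_KID}.{_tag(user, CURRENT_KID)}"


def verify_cookie(cookie: str, users: dict):
    """Return the user id if the cookie is valid, else None."""
    parts = cookie.split(".")
    if len(parts) != 3:
        return None
    uid, kid, tag = parts
    user = users.get(uid)
    if user is None or kid not in SITE_KEYS:  # unknown user or retired site key
        return None
    ok = hmac.compare_digest(tag.encode(), _tag(user, kid).encode())
    return uid if ok else None


def log_out_everywhere(user: dict) -> None:
    """The 'reset that special key' button: rotate the per-user key."""
    user["session_key"] = secrets.token_bytes(32)
```

Resetting the per-user key, storing a new password hash, or retiring a site key id each make previously issued cookies fail verification. A production cookie would also carry an expiry time inside the MAC input.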

Password Update

As part of all of these changes, the encrypted password for your account on Subeta is woefully out of date. We've been able to implement this system in a way that it takes priority over the former system, which means we don't need to rotate every password on Subeta immediately. You can still log in with your current password, and we will alert you through the news before we require passwords to be rotated.

Login Update

You'll get a very annoying notice at the top of the page letting you know that you're logged in through the old method (with an old cookie), and that we'd appreciate it if you went over to auth.subeta.net and logged in. It'll still read that old cookie, but we aren't going to be supporting this old system for long. This is different from needing to update your password; this is the temporary cookie that stores your account information in your browser. It's very easy to fix by just logging in on auth.subeta.net. Remember to put in the email address for your account, not your username! You can check which email address you have set for Subeta at https://subeta.net/preferences.php?act=profile.

Thank you 🙏

Thank you for your patience while the authentication system crumbles and you're constantly being asked to log in to an account you're logged in to. I'm hopeful that this is the last major change we need to make to accounts (🤞), since we've made the hard choice to build it up from the ground instead of adding more duct-tape.

Posted by Keith

oopale
Hello, I know this is an old post but I've just been asked for my pin while trying to log back in on Subeta Legacy, obviously whatever I tried to enter didn't work and it was a bit of a scary moment 😅
floyolson
Thanks for this information
HFEpro
hooray for updates <3 congratulations!
Dela
Hey, Keith it’s me, Dela.. you know the person you hate so much that you removed Keith day a long time ago, very sorry about that but Amber banned me and she didn’t even know I didn’t have an alternative account on here!
Amalthia
I can't log in through the new log-in page. I just get constant errors even though I know my information is correct.
Sirensong
Why do I have to keep logging back into it the new way? Seems like every other day, and it's starting to get very annoying.
Kreeki
🔒 You're logged in to Subeta using the old method, and we'd appreciate you switching to the new method. Check out the news post here for more details.

LOL NO, WHY
I have logged into the new method so many times now! I never log out before I get this message, if this helps lol.
Faber
I get this message every day, sometimes multiple times a day. I log in the new way every time but it never stays. This page keeps taking longer and longer to load as well. Any advice or should I just resign myself to permanently playing with this stupid message on every page?
Jack
I appreciate better security but I AM logged in using the new method. I've done it twice now and I just got the message again. Can we get some clarification on why this is happening?
Serena922003
I am also continually getting a message that my username or password is invalid. I know after 25 times I'm entering them correctly. :(
lunarules
HOW MANY times are we going to have to keep logging in via the link above before it finally sticks? If we've done it once, do we have to keep doing it over and over and over and over...or can we just ignore the notification that we get? This will be the 4th or 5th time I'm doing this. I'm sure people would like to know via an announcement that if you've done it at least once, you don't have to keep doing it (if that is the case).
WolfieWU
Trying to use the new method, the site won't even let me log in.... so old method is the only way I seem to be able to access my account.
RoxyWolf
Given what happened with a certain other petsite recently, I appreciate Subeta's efforts to try and keep things moving forward before anything bad can happen.
Tammynoneed20
I'm gonna continue using the old method until I get told I can't or it gets fixed. I'm tired of it changing to "You're logged in to Subeta using the old method" every time I open the page back up.
Reign
I have logged in using the new method as requested every time I have been on the site since the change, at least 5 times. It still says I am logged in the old way when I get on. I cleared the cookies. I don't know what the issue is but it is very annoying having to log in every time and still getting bad gateway messages every other thing I click on.
yellowdream
I used a strong password and it worked. Thank you so much XXXX
Tammynoneed20
Today all day the same banner here keeps popping up saying "You're logged in to Subeta using the old method". Not sure how many times I need to do this cuz it seems to not help, it still pops up.
Kat77
Like some others on here, I've logged in with the new authorization several times on my phone and my computer. And every so often it tells me I'm logged in the old way and please do the new authorization.... Do I really need to keep doing it every time that notice shows up?
Shanty
I can’t get rid of the banner.
Penemuel
@Galaxia I finally managed to figure it out, thank goodness. At least I didn’t lose a long bathhouse streak :)
yellowdream
Still can't log in, will keep trying, oh dear..
Freakshow
I log in via the new method, but it takes me to the site and I'm still logged out and have to sign in again, and I noticed since I use mobile if I leave the page for more than 15 minutes it logs me out :(
FCoD
I hit both logins every time I come on here. First is the old way and then it automatically takes me to the new way.
Diana
Same as @EvilRedDuckie
EvilRedDuckie
i'm getting a notice at the top of the page saying i'm logged in under the old system and need to sign in through the new system. i already did, a week ago. do i have to do it again?:pensive:
lunarules
@Saturnine This keeps happening to me also. I've logged on the "new" way at least 3 different times on desktop and mobile.
Galaxia
@Penemuel @yellowdream
Can you log back out and log back into the new version, making sure to choose the legacy site? Or is this still ongoing as a problem for you?
Saturnine
I logged in using the new auth method when it was first announced - now it's asking me to do it again because I'm not on the new method.

:?
Galaxia
@Itachi_Siller Past this point please put it in Problems and Bugs, although here's hoping it's been ironed out. There is also likely going to be a news post announcing when we're no longer supporting the old auth system.

Y'all have been champs dealing with the new process as Keith makes changes, and we appreciate it!
Itachi_Siller
@Galaxia At this time it looks to be fixed.

If it happens again should I just contact you on here?
yellowdream
I'm still trying to log in by new method... changed email address, password and browser. I have made a ticket also but still left behind. It's making me very worried how much longer before I can't log into Subeta at all.
Penemuel
Sorry for spamming, but none of my comments ever showed up so I kept trying…
Penemuel
I’m on mobile & trapped in the new version, and can’t find the link to dailies or to the map. Help! Comments also don’t work.
Penemuel
I’m on mobile & trapped in the new version, and can’t find the link to dailies or to the map. Help!
GLaDOS
Seeing people still describing the process as very buggy, I'm reluctant to try the "new way" just yet. Occasionally I'll check back to see if people are still having trouble, but until it seems clear or is absolutely required, I'm not sure if I'm willing to rush into this new change.

Also, I kept getting 504 errors trying to access these comments, specifically for this news post. Not sure if that's related.
silverglow
oops...I logged in using my username instead of email (old habits die hard) is this going to cause a problem and if so how can I correct it? Thanks in advance.
Shanty
I keep logging in through the link but still got the barrier
Penemuel
I’m on mobile & logged in the new way, I think, but now all the links to daily things are gone, the sidebars are gone, and all the holiday stuff is stuck on Masquerade. I can’t use the site like this. I can’t even find where to go for the map or my pets.
Galaxia
@teacup132
It should be there now, the database hiccup was being addressed!

@Magic
Please try the 'forgot password' link. If you don't get the email or the one on https://subeta.net/preferences.php?act=profile isn't accurate for you, email support @ subeta.net!

@Itachi_Siller
Are you still getting this today?
teacup132
@Galaxia Since the banner is still lacking the link to log in directly, I am refusing to log in the "new" method.
Magic
Totally locked out of my account on mobile now. I absolutely am entering in my correct username/email and PW beyond any shadow of a doubt and it literally will not let me log in AT ALL. It keeps saying everything is wrong. And the link on that log in page to what I'm assuming is this news post doesn't even work because you need to be logged in to view it...which you can't.
