I've removed the contents of this thread, because there was hardly anything constructive.
Also, LFS cannot help you protect your host. A bandwidth flood is something that can happen to anyone and is software agnostic. The proper way to handle this I think is to contact your ISP who may be willing and able to help you more. After all, attacks may have a negative impact on their network as well, so there is incentive for them to help you.
As for evidence gathering regarding attacks, you should log as much (network) information as possible, if you are capable of doing so. That way you can gain more information about the attack, like the kind of attack (there are many different types, from not-so-intelligent attacks that send the attacker's IP address, to more advanced ones that hide their originating IP). But knowing more is always better and logs that contain such information are more useful than anything that was posted in this thread because they contain the facts and can be analysed.
This is an unfortunate period for us LFS'ers. Someone or some people find it funny to disrupt our services, including your hosts. And I do not know why. If we have hurt someone in any way, why not tell us? Because these attacks are not going to solve anything.
But now I'm not sure if LFS checked the skin's timestamp on the webserver, or the LFS client. I think it should be the latter.
You load the new skin on your car in the game, the host is told that you use that skin with XXX timestamp and passes that on to the clients who check the new timestamp with the one on their drive. If newer, re-download the skin.
Or something like that.
So if that doesn't work, then it should be classified as a bug.
Maybe that's the problem, you all sound way too serious.
Remember what I said on irc the other day about you being childish?
If you ever want my help, don't talk like that.
Let the bickering stop here. The next one to even so much hint at an insult gets the red card.
If you really feel the need to continue, take it elsewhere.
It's not that you cannot discuss disputes on this forum, but the way it's done is not acceptable. It's ridiculous even and makes everyone look like a clown, not to mention bring down the overall tone on this forum.
As you mention mixed content and DNSSEC in one sentence, I must ask how do they relate?
I've never understood DNSSEC (although I've never taken the time to understand it properly).
The mixed content is a concern yeah. In ie8 (higher ie's as well? don't know) you get a whole popup warning, which is annoying. And it's not _really_ secure anymore then (although afaik not less secure than no ssl).
The certificate is 12 pounds or so. Hardly a burden!
You can also drag and drop skins onto the skins window now, to upload them. There is no limit on the number of skins you can upload with drag and drop in one go (apart from your skin-slots limit of course).
Well there are some downsides. It can also give a false sense of security. There will be mixed content (when people link to external non https sites) and potentially malicious external sites can still access your browser's contents. Of course that is a plain http problem as well, but people may think that because they load a https site, it's all safe. Then again, I don't think that's a big problem here. Making things https only certainly wouldn't add to that problem, so yeah I think I'll make the switch then.
meh ok i see. I was wrong about the cookies only caring about the domain.
Euhmm... this is an easy fix. I can make the cookies be valid on both http and https. But I see the point in https-only cookies. But then I should indeed force https on all requests.
Thinking for a bit .. over dinner ..
The site was always redirecting via php from lfsforum.net to www.lfsforum.net . I guess that is related. I've now made the webserver redirect instead which I think should help in cases like these.
that .. is very strange. I really don't see how a new AND old password can log you in. Maybe those cookies were messed up a bit and were finally reset when the password value changed. And they were not removed properly before .. but then how would you be logged out .. erh, weird.
At least I'm pretty damn sure no one can 'just login'.
actually if you don't check the box, the bbpassword cookie shouldn't exist (which is the point of the remember me box, to not store the password in a cookie if you don't want that).
But yeah, strange expiration date. At least that explains why those cookies are removed after closing the browser. But of course the new question is, why the faulty expiration date? hummm no idea atm.