Antville Project

Tuesday, 26. November 2002

Not a theoretical exploit

What you see above, if you see anything, are your Antville credentials. Instead of displaying them to you, I could have sent them to myself without you noticing anything strange. Owning these keys, I could have logged in to your antville.org account and done everything you are allowed to do on Antville, writing under your name and editing and deleting everything you are able to edit and delete. Until last week's fix, that is. As Robert explained, we fixed this very real vulnerability by making your cookies work only with the IP address they originally came from.

Unfortunately some people decided to go mad when they lost a story or comment while we were converting to the new scheme, or due to login problems with the new scheme. I'd like to remind these people that outages like these are bound to happen here on antville.org due to its evolutionary nature, and if they can't accept this fact they should start looking for a different hosting opportunity. For all the others, we are making an effort to make Helma and Antville more secure and comfortable. Everybody's help and comments are welcome. I know the frustration of losing a well-crafted text, but whining is not a long-term option and will generally not do very much good.

link (2 comments)

Friday, 22. November 2002

Feature

Is there a feature that lists all weblogs I wrote a comment to? I usually end up with the same weblogs some other people read (gHack, katatonik, cloud) and would like to play with this.

link (4 comments)

The endless story

In German, because otherwise it doesn't come across precisely: The change to the login procedure, provoked by an unhelpful publication of theoretical security leaks, is unworkable. Several ants have meanwhile reported that a) logging in via cookie is no longer possible, b) certain browsers can't get in at all, c) probably even requests from logged-in users without a cookie are checked against the IP, which, given short-hold connections and anonymizers, leads to complete failure. As it looks, this makes working with Antville pretty much impossible. I hereby urgently request a different, acceptable solution for the login and more caution when discussing security problems.

link (50 comments)

wish list

just a proposal: I don't know if this would be technically difficult, and I know it is not really important, but: could you at antville, maybe during the next update of the software, implement the option (preferences) to set the date and time according to DIN EN 28601 (yyyy-mm-dd, with dashes instead of dots between the digits; the time format like it is, with colons between the digits)? There are good reasons to use this format. [sorry, I seem to be a kind of obsessive-compulsive disordered neurotic ;-)]

link (3 comments)

Thursday, 21. November 2002

Auto-Save Help

When I'm creating a story, I often have been "timed out" and logged out without warning. When I finally go to "save" I am told I must log in, and when I do, all of my unsaved story is gone. Is there an auto-save feature I might activate? Or at least some warning to save before I'm kicked off?

link (no comments)

cookies and security-issues

to fix a security-hole in antville we had to change the cookie-creation and -handling three days ago. as some of you already noticed, the "remember me"-feature seems to work differently. this is because of our fix, and unfortunately it seems to be the only possible solution:

from now on the "remember me"-feature will only work for those who have a static ip-address; for most modem/adsl-users it won't, or rather it will only work as long as they keep their ip-address. this is because we're now using the client-ip as part of the key that is stored in one of the cookies used by the "remember me"-feature.

those who have antville installed somewhere should update their installations (the fix is already in cvs, in both the main- and the need_for_speed-branch). to give you a brief description: before, it was possible for a weblog-owner to retrieve the "remember-me"-cookies of visitors and use them to log in as a different user. this has never happened (afaik), but of course we had to fix the hole.

sorry for the inconvenience.

link (3 comments)

server-maintenance

first of all: sorry for the outage of antville.org between 0:15 and 1:00. i had to do a lot of maintenance tonight, and it wasn't possible without switching antville off. here's what i did:

  • switched to apache 1.3.26 (compiled from sources), restructured apache-config. the home-directory of apache has changed too (and more important: the config is not anymore where it used to be on suse-systems)
  • compiled and installed mod_jk 1.2 from sources (for some hidden reasons apache was pretty unwilling to start with the precompiled binary ...)
  • cleaned and optimized accesslog-table in database
  • switched to helma-snapshot compiled on 20021120

and btw.: does anybody know why the f*** j2sdk1.4.1 needs a hidden directory /etc/.java/? obviously it leads to timeouts in image-upload if this directory does not exist (thanks kris for your report, but you deleted your story before i was able to comment ;-)

so now for the more interesting things: due to the switch to a new helma-version the following problems are solved:

  1. there are no problems anymore with spaces encoded as '+' in urls.
  2. since hns changed the gif-encoder used in helma (big thanks!) the problems with uploading gifs (some of them would throw a lengthy error) are gone too.

if any of the above problems still occur please report them here.

link (11 comments)
