DeviantART update February 2011

From Botdom Wiki
The correct title of this article is deviantART update February 2011. The initial letter is capitalized due to technical limitations.

First update

On February 8th 2011, deviantART made some changes to the structure of their cookies. This affects the authtoken-resolving mechanism in all dAmn bots. The authtoken is no longer contained in a serialized array, but is now in a separate part of the cookie.

It appears that these fixes were made for security reasons, as there now appear to be two authtokens: one for common interactions with dA that require an authtoken, and one for secure interactions over HTTPS URLs. The headers that set these cookies also use the HttpOnly flag, so client-side scripts cannot access these cookies. This may be a reaction to the cookie-stealing and authtoken-stealing scripts that have been used in the past to compromise users' accounts.

New authtoken

 auth=__a1b2c3d4e5f6a7b8c9d0;"a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5";

Fixes

  • Change authtoken resolving code.
  • Fixes for specific programming languages can be found here.

Fixed bots and libraries

All bots that don't grab their own authtokens are unaffected, and not listed here.

Second update

On February 18th 2011, another change was made. It appears that the authtoken contained in the cookie isn't used for connecting to dAmn anymore.

Instead, it appears that you need to use the cookies obtained from logging in to request the official dAmn client (i.e., http://chat.deviantart.com/chat/), then grab the proper authtoken from the "dAmn_Login" function call in the JavaScript used to initiate the client. In the page source, you should see something like this:

 dAmn_Login( "deviant-garde", "b3e34b8a71fc22156f67642ddfbf32e3" );

The second argument is the authtoken used for authentication on dAmn.
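The following is an added example, not code from the original wiki or from any bot or library: it pulls the username and authtoken out of the chat page source as described above, fails loudly when the call is missing, and masks the token for logging. The function names, the 32-hex-character token pattern (inferred from the one sample shown on this page) and the sample pages are assumptions made for illustration.

```python
import re

# The call as this page shows it: dAmn_Login( "user", "token" );
# Assumption: the authtoken is 32 lowercase hex characters, like the page's sample.
DAMN_LOGIN_RE = re.compile(
    r'dAmn_Login\(\s*"(?P<user>[^"]+)"\s*,\s*"(?P<token>[0-9a-f]{32})"\s*\)'
)


class AuthtokenNotFound(ValueError):
    """The page source has no usable dAmn_Login call."""


def extract_damn_login(page_source):
    """Return (username, authtoken) from the chat page source."""
    found = {(m["user"], m["token"]) for m in DAMN_LOGIN_RE.finditer(page_source)}
    if not found:
        raise AuthtokenNotFound("no dAmn_Login call in page source")
    if len(found) > 1:
        # Refuse to guess if the page carries conflicting calls.
        raise AuthtokenNotFound("conflicting dAmn_Login calls in page source")
    return found.pop()


def redact(token):
    """Mask a token for log output so the credential never lands in bot logs."""
    return token[:4] + "*" * (len(token) - 4)


# Constructed sample pages (not real captures); the call is the one quoted on this page.
SAMPLE_LOGGED_IN = """<html><body><script type="text/javascript">
dAmn_Login( "deviant-garde", "b3e34b8a71fc22156f67642ddfbf32e3" );
</script></body></html>"""
# Assumed shape of a page fetched without valid login cookies: no dAmn_Login call.
SAMPLE_LOGGED_OUT = "<html><body><form id='login'></form></body></html>"

if __name__ == "__main__":
    user, token = extract_damn_login(SAMPLE_LOGGED_IN)
    print(user, redact(token))
    try:
        extract_damn_login(SAMPLE_LOGGED_OUT)
    except AuthtokenNotFound as exc:
        print("failed:", exc)
```

Because the token now sits in the page body rather than in an HttpOnly cookie, a bot that fetches it should treat the whole page source as a secret and log only the redacted form.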

In addition, a change to the login form was made. The reusetoken field has been renamed to remember_me. As before, this attribute is used to keep the authtoken from changing when you log in, potentially keeping you from getting logged out of other browsers.

Fixes

  • Change authtoken resolving code.

Fixed bots and libraries

All bots that don't grab their own authtokens are unaffected, and not listed here.