Old cookie format:
*.$LJ::DOMAIN = ws:<user>:<sessid>:<auth>:<flags>
Own one cookie, own an account.
But, still used if $LJ::ONLY_USER_VHOSTS is not enabled.
New cookie format:
2 + n cookies
The 2 cookies work like this:
Master session cookie. We control this one tightly.
Bound to: www.$LJ::DOMAIN. No user content is on www.*
version number is a code-wise version number.
uid is used now, now instead of
flags all work as before.
generation/poetry is free-form text/poetry, so you can write a haiku and
go after people for subverting security to steal copyrighted, perhaps poetic, material.
The “I'm logged in!” cookie. This one advertised to all subdomains that the user is logged in. If it is stolen, it does not matter. It is only used to bridge the two cookies. It is useless by itself.
Form: not present (not logged in), or:
n cookies work like this:
The “n” cookies are 1-per-user account. They are bound to <subdomain>.$LJ::DOMAIN optionally with a path=/username/ restriction when <subdomain> is not a username, and is actually “users” or “communities”.
“ljdomsess.<subdomain>” or ljdomsess.bob “ljdomsess.<subdomain>.<user>” or ljdomsess.community.knitting ljdomsess.users._underscoreman
The format of this cookie is:
Unix timestamp updated from LJ::get_secret(),
LiveJournal's rolling server-secret that is updated every 30/60 minutes.
t value is the key into which server secret we are using.
g= HMAC-SHA1(key = server-secret(t), value = JOIN("-", session-auth(u, sessid), domain, uid, sessid, time))
So, cookie is valid if:
v is supported version
gen/poetry is current generation/poetry in
session(uid, sessid) is still valid/logged in
g is correct signature
t is not older than
$N hours (48?)
The cookie should expire every 24 hours.
Future: cookies are bound to first two octets of IP address.
Procedure 13.1. Cookie re-direction
If cookie is not present, but ljloggedin=1 cookie is present, then redirect user to:
which will make a “ljdomsess_*” cookie, then redirect them to:
which will then redirect them to <source_url>.
Mapping to Paths. LJ::get_remote() needs to be modified to respect the right cookie based on the current hostname.
talkscreen.bml or any XMLHTTPRequest that
goes to a userdomain, that endpoint has to make sure it only operates on data
owned by the current hostname/path.
does malicious style.
, gets ljdomsess stolen.
Attacker should not be able to use
goodguy's ljdomsess cookie to manipulate goodguy's data using, say,
delcomment.bml with args
delcomment.bml and other endpoints should verify that
user=<user> argument matches the
do XMLHTTPRequests not to
<sub>.lj.com/<user>/endpoint.bml (otherwise ambiguous).