Skip to main content

Forums » Suggestions & Development Discussion » Simultaneous Log-Ins/Mobile App?

Hey,

As some of you already know, I have an iPad. I visit RPR very frequently on both my iPad and my laptop, and constantly logging in every time I go onto a new device can be tedious. The "remember me" button is kinda useless, thanks to my browser cookies, and I'm logged out regardless when I log in on a new device.

So, perhaps we could start developing a mobile app? Or implement some sort of simultaneous log-in feature?

The mobile app would spare a lot of our mobile users the pain of slow browsers, logging in over and over again, and could actually improve the RPR experience! (Mobile Image Uploading, Being able to drag widgets around our character's pages, etc.)

Sorry if this has already been suggested before, I just thought it was a good idea when it hit me. :P

I have no experience with developing applications for mobile devices, so I probably am not the best candidate to make an app right now.

(This is mostly due to lack of funding to actually purchase some good software, and partially due to personal laziness busy-ness.)

Thanks for looking at my idea!

Cheers and improvement,

~Oaky
Sanne Moderator

As for being logged out. Kim replied on the security issues with that:
Kim wrote:
Requiring only one device to be logged in at a time is a minor security measure to try and keep forgetful people in control of their account -- I recall during finals week in college being so exhausted I forgot to log out of my Neopets account at the school library, and finding out later that someone else started using it there and looted everything before I realized I'd left my account open on a computer other than my own and subsequently changed my password.

I understand this is inconvenient as often as it is bacon-saving. We need some kind of (OBVIOUS) interface that lets people choose when and what to log out, without confusing people who just want to type their username and hit go. It's sort of been bubbling in the back of my mind how best to address this.

As for an app, I don't know of anyone who has any experience with coding apps. It might also be a potential security risk depending on the way the user's login information is collected and stored. I'd LOVE an RPR app, but it would need to be made by someone who:

- puts security up front and is knowledgeable about it
- will keep up to date with new features that will need editing or additions to the app
- will keep up to date with any other changes in terms of layouts

Then there's the question of how character profiles are displayed. Will the templates be the same? If they do, how do they fit into the app and are properly viewed without breaking the template? Or will all characters use a default template that's bland, boring and potentially ruins highly customized profiles?

There's a lot to be taken into consideration, and likely the creator would be doing this for free as a fan-project. It might also require API access on RPR's side, and I've no idea if Kim knows anything about it. <.<
Kim Site Admin

*adminly faint* I am being crushed under the weight of maintaining and developing a website of this size on my own (at least as the only programmer). Until that changes, there just won't be an app. I'm really sorry. I just can't do it. It is another thing that would need debugging and constant updating every time there was a new OS or mobile device -- and we'd need at least two versions, each of which would need its own maintenance, to cope with android and apple competition. D:

That said, logging in on my ipad all the time is super annoying, and I reiterate that we need some kind of (OBVIOUS) interface that lets people choose when and what to log out, without confusing people who just want to type their username and hit go, and it continues to bubble in my mind (quite a bit these days, actually!) how best to address this.

I may just make it so that logging in does't log out other devices, but you can log all other devices out except the one you're on by hitting something in your settings(?). This issue has gotten more and more annoying to more and more people as multi-device behaviors become a more frequent fact of life every month.
Sanne Moderator

Call me crazy, but I'm actually really fond of the way it works right now. Can we keep that option too or would that be complicated?
Kim Site Admin

For similar "oh god so many things to maintain" reasons, I'd prefer we pick and stick with one method of login maintenance. I assume your objection has to do with you being a stickler for security?
Sanne Moderator

Pretty much. I'd probably not login anywhere but my own devices anymore if I was logged in everywhere at the same time, or really abuse the logout all other devices option out of paranoia.
Kim Site Admin

I'm not sure there'd actually be a way to abuse the logout other devices option, from a server resource perspective. But I think that's not what you mean?
Sanne Moderator

Kim wrote:
I'm not sure there'd actually be a way to abuse the logout other devices option, from a server resource perspective. But I think that's not what you mean?

It means I'd press the button/link 50 times a day. Right now, if I suddenly get logged out there's a big red flag popping up for me and I log back in and change my password. I'll be missing that if the way logins are handled are changed. I also generally don't logout from other people's devices because I'll login to my own shortly after and the session on their device is invalid at that point.

I'm really used to places using the system we have now or alerting me when I login from a new/unknown device I never used before, but I imagine that's not just a possibility and too much work.

However, if the general consensus is to allow multiple devices to be logged in with a logout other devices option, I'll adapt to that. I'm probably a minority with this.
Couldn't your "red flag" be replaced by a notification? Or something else that shows you who and what is logged in to your account at all times? Maybe just show a list of devices. I know a few websites who use such a system, but they all have slightly more than one Kim working on their sites.
I'm constantly going back and forth between RPR on my laptop and RPR on my Samsung phone and have no complaints.

It appears to remember my user and password the second I touch the boxes, and then it's just a click to log in. I like this, and think it's good enough.

I admit it might be a bother to have to zoom and type them in constantly, but I haven't encountered that personally.
Kim Site Admin

Can you give examples of such sites, Earendill?

We have no method of detecting who is logged in or from what at the moment. The login blank that occurs on login is achieved by generating a random key that is assigned to the account and given to the device upon login. A new login means a new key, so old keys that previous devices are holding stop having access.
Kim Site Admin

nuttermonk wrote:
I'm constantly going back and forth between RPR on my laptop and RPR on my Samsung phone and have no complaints.

It appears to remember my user and password the second I touch the boxes, and then it's just a click to log in. I like this, and think it's good enough.

I admit it might be a bother to have to zoom and type them in constantly, but I haven't encountered that personally.

If you're seeing your username and password appear in the boxes, that's your browser, not us. :) My browser in my desktop does this, and it's just grand.
Kim wrote:
Can you give examples of such sites, Earendill?

We have no method of detecting who is logged in or from what at the moment. The login blank that occurs on login is achieved by generating a random key that is assigned to the account and given to the device upon login. A new login means a new key, so old keys that previous devices are holding stop having access.

Well, Facebook e-mails me every time I log in from a new device, unless I've specifically added it to a list of safe devices (apparently it also doesn't let you log in with a new device without having you enter captchas and identify your friends through pictures but that'd be too much for RPR XD)

I'm looking around for more examples but I can't seem to find any. I could swear I've seen more before.

And Kim, I don't know if RPR is capable of such a thing, but according to my network classes a lot of big websites give every user a unique id (which is stored both server-based and client-based, I believe. It's been a while.). Whenever someone logs on they send their id which is basically going "HEY SERVER I'M HERE, MISS ME?" which the server looks up so they know who and what that id belongs to. Server could use that to update a list in the user's data that holds info of when said user logged in (and possibly more. I don't know just how much info we'd be able to get from logging in without violating privacy here and there). That way the user can check if there were any logins that weren't theirs by just checking the list. If a user attempts to log in and the device doesn't own the id, you could be asked to authorize some other way (for example through a link in an e-mail linked to the RPR account) after which the server can give the id to said device for future reference.
Then again I'm just throwing stuff in here because I have no idea how RPR works and what Server is capable of.
Sanne Moderator

Earendill wrote:
I'm looking around for more examples but I can't seem to find any. I could swear I've seen more before.

Steam uses something similar. If I try to login from an unknown computer (site and program), it asks for a code that was sent to my registered email address. I have to enter this code before I can proceed. Devices from which I login are from that moment on registered as 'known devices' and I can login from them without problem in the future.

Inkbunny.net uses an IP lock system, but if you don't know what you're doing (and have a dynamic IP address) you're locked out of your account, which is bad.
While I would love this so so much, I do have a concern. Because of the nature of mobile browsers wouldn't you still have to continuously log on? Since they do not hold cookies the same way? I just don't want us to do amazing coding and the problem not really be affect at all. :( cause that's no fun and a lot of work.
Sanne Moderator

Rubix wrote:
While I would love this so so much, I do have a concern. Because of the nature of mobile browsers wouldn't you still have to continuously log on? Since they do not hold cookies the same way? I just don't want us to do amazing coding and the problem not really be affect at all. :( cause that's no fun and a lot of work.

I'm not entirely sure what you mean. My mobile browser keeps me logged in until I log-in on another device. o.O If a browser doesn't then it was poorly designed or you'd need to adjust its settings if possible. Mobile browsers work the same way as desktop browsers as far as cookies, caching and sessions go!
Sanne wrote:
Rubix wrote:
While I would love this so so much, I do have a concern. Because of the nature of mobile browsers wouldn't you still have to continuously log on? Since they do not hold cookies the same way? I just don't want us to do amazing coding and the problem not really be affect at all. :( cause that's no fun and a lot of work.

I'm not entirely sure what you mean. My mobile browser keeps me logged in until I log-in on another device. o.O If a browser doesn't then it was poorly designed or you'd need to adjust its settings if possible. Mobile browsers work the same way as desktop browsers as far as cookies, caching and sessions go!

I suppose it's probably the way I use mine actually lol. I've had it where I change windows (Safari Iphone OS) and it logs me out, or just going to a different app than back in. Perhaps it is my settings, but I've never had it keep me logged in. Maybe I should play with my settings then!
Sanne Moderator

Rubix wrote:
Sanne wrote:
Rubix wrote:
While I would love this so so much, I do have a concern. Because of the nature of mobile browsers wouldn't you still have to continuously log on? Since they do not hold cookies the same way? I just don't want us to do amazing coding and the problem not really be affect at all. :( cause that's no fun and a lot of work.

I'm not entirely sure what you mean. My mobile browser keeps me logged in until I log-in on another device. o.O If a browser doesn't then it was poorly designed or you'd need to adjust its settings if possible. Mobile browsers work the same way as desktop browsers as far as cookies, caching and sessions go!

I suppose it's probably the way I use mine actually lol. I've had it where I change windows (Safari Iphone OS) and it logs me out, or just going to a different app than back in. Perhaps it is my settings, but I've never had it keep me logged in. Maybe I should play with my settings then!

That's really weird! I don't have an iPhone/iPad, so I don't know if this is default. Opera Mobile is pretty good about cookies though. :) If it's available for iOS it might be worth checking it out. Dolphin Browser is also good!
Sanne wrote:
That's really weird! I don't have an iPhone/iPad, so I don't know if this is default. Opera Mobile is pretty good about cookies though. :) If it's available for iOS it might be worth checking it out. Dolphin Browser is also good!

Sanne, silly, I'm a cube so anything I do is really weird!
Kim Site Admin

Earendill wrote:
Well, Facebook e-mails me every time I log in from a new device, unless I've specifically added it to a list of safe devices (apparently it also doesn't let you log in with a new device without having you enter captchas and identify your friends through pictures but that'd be too much for RPR XD)

Wow! Facebook has never ever done this to me.

...Okay, looked it up, apparently that's an optional feature you need to know about and turn on to get. That they have it available makes sense, though -- Facebook is the largest site on the web and now used as the login mechanism for hundreds of other sites, so it's a prime candidate for identity theft and the like. If I were Facebook I might put resources into such a system as well, just to cut down on the number of tech support requests I got. Do you know what names it gives to your devices? My issue is that with our current technologies, I can (unreliably) detect what browser you're using. What actual device is even more unreliable, so I just bet you'd see some pretty darn fishy looking logins in that kind of log.

Around here, dealing with a stolen account can take days, during which I'm handicapped in trying to deal with any other site issues. So far, however, every incidence of account theft has originated from someone losing access to their email account, and the person just went through and used their email access to steal and/or delete every site they could find in the victim's email. Oh, and then there was that one time someone was using one of the top ten most common passwords and it was guessed.
Earendill wrote:
And Kim, I don't know if RPR is capable of such a thing, but according to my network classes a lot of big websites give every user a unique id (which is stored both server-based and client-based, I believe. It's been a while.). Whenever someone logs on they send their id which is basically going "HEY SERVER I'M HERE, MISS ME?" which the server looks up so they know who and what that id belongs to.

This is how logins work right now, except the id is not device specific. It's good for one login, however long that login is. I could let it keep all the IDs on file, but then we're back to list of unreliable device names and a "log other devices out" button.
Earendill wrote:
If a user attempts to log in and the device doesn't own the id, you could be asked to authorize some other way (for example through a link in an e-mail linked to the RPR account) after which the server can give the id to said device for future reference.

Making people validate per device feels like mega overkill to me for a site this size that stores the kind of fictional info that it does. >.>
Sanne wrote:
Steam uses something similar. If I try to login from an unknown computer (site and program), it asks for a code that was sent to my registered email address. I have to enter this code before I can proceed. Devices from which I login are from that moment on registered as 'known devices' and I can login from them without problem in the future.

Steam was my first thought as an example, but it's built on a way different set of technologies so I wasn't sure it was a good programming role model. I HATE this about steam, it makes me bananas, but I understand that steam accounts typically store games that cost $30-60 a pop, sometimes dozens of them, so they have serious security concerns and a lot of theft issues.

You are on: Forums » Suggestions & Development Discussion » Simultaneous Log-Ins/Mobile App?

Moderators: Mina, Keke, Cass, Auberon, Claine, Ilmarinen, Ben, Darth_Angelus