The new TOS (Terms of Service) are now live. They contain new legal rules, new rules for the Flame Forum and expansion / clarification of lots of the old rules. Please read them in full as they are now in full effect. They can be found at the following link.

TOS : http://portal.legacy-game.net/tos.php

We may revise them in the coming days if any issues arise, but they have been checked by staff and elders already. Ignorance to these rules is not an excuse for breaking them.

I'm going to a LAN party this week-end so will not be around much, I'll still be available though should anything explode. The source code for the exploit I fixed has been posted on the main forum, my god some people get confused by dynamically generated images. That image shows the session ID and account name of the person viewing it, it is not a static image.

I think I got everything done from LegCon, was quite productive if stressful to try and control at the time. Make sure you check out the Ability thread in the Suggestions forum. I'll need to add some new abilities to the game in a couple of weeks and that is where I'll be getting them from.

With the new combat system I really wanted to add some healing abilities but it hurts my head trying to work out how to balance them.

All these error messages suck, I'm going to tone back the CSRF protection a bit to fix them. Right now the key changes constantly as you cycle through pages, this seems a little overkill for the problem. As long as you don't go entering the "key=value" from your URL in to any other sites it should be pretty secure with a more static key. I think I'll try just changing it on logins for now, then see if I can write an exploit that will get around it.

I'll be waiting a few days before releasing the source code for the exploit, sorry for the inconvenience of all these error messages. They will be fixed shortly.

If you're wondering where I've been recently in terms of updates, that will all become apparent tomorrow as my 100+ script update syncs over from the development server. Sadly none of these updates are interesting, just a mass security update for CSRF exploits. In the end the original idea of monitoring what scripts people came from fell through as it could be bypassed with the clever use of frames and javascript.

Instead this update will use unique tokens generated on scripts that are about to do something, then passed to the scripts that actually perform the action and checked. This change will mean that you cannot use the back button and then perform most actions. I'll be monitoring how much of an impact this has on players and how often this error occurs over the coming days.

This security fix has required me to manually edit pretty much every script in the game that performs any action. It was very boring, involved thousands of lines of copying and pasting but now it is done. As a result image tags will be re-enabled on forums after this update goes live, I'll also be posting proof of concept code of this exploit to anyone interested or worried that it may effect other sites.