what I can tell you for sure is that bloard is using response headers to set amazon cloud front cookies on every page you load, regardless of auth status. it's also using the _newbload_session cookie to set a likely base64 + MD5 encoded string to act as your login token. if I could stop drinking on Tuesday nights maybe I could figure this shit out and finally make one of my posts the top uploarded of all time hmmmm..... https://github.com/search?q=bloard&type=Code