Forum login failures
Frederick Bambrough (1372) 817 posts |
Nor does mobile Chrome though it does offer to preserve the few ‘it’ thinks you might want. It does, however, seem to maintain the login so here I am! |
Steve Pampling (1551) 7931 posts |
As ever, there’s ‘an app for that’ or more accurately a Cookie Manager add-on. I think the root of the problem is the Tracking changes Mozilla have been making. “It’s easy to disable blocking on sites you trust.” say Mozilla. This is based on you using the options page for Privacy “about:preferences#privacy” which has a nice button to give you access to your list of site exceptions. |
Clive Semmens (2335) 3129 posts |
Except that Safari is also affected – on Mojave but not on High Sierra in my experience. Oh, and thanks for the link to the Cookie Manager. |
Rick Murray (539) 13401 posts |
Okay, I think I can narrow it down to
I disagree. Same issue on my phone with Firefox 62.0.2 (which worked fine last week), Chrome 72.0.3625.105 (on my phone), and also with the embedded browser in my ebook reader, with firmware from 2017. This doesn’t seem to be limited to a specific browser. Looks more like a failure to correctly set a necessary cookie… |
Clive Semmens (2335) 3129 posts |
What is |
Rick Murray (539) 13401 posts |
https://www.riscosopen.org/content/documents/privacy/cookies |
Rick Murray (539) 13401 posts |
Looks like it’s unique to us ;-) |
Clive Semmens (2335) 3129 posts |
Cheers! Understood. Gives a glimmer of what might be going on then…but only a glimmer, either I’m not thinking hard enough or I’m missing something, but so be it… |
Clive Semmens (2335) 3129 posts |
(Oddly, I got logged out when I was trying to post that, but just logged back in without having to delete cookies…) |
David Pitt (3386) 1248 posts |
Confirming the Ensure the Safari Develop menu is enabled in Preferences, Advanced. Quit Safari to provoke the fault. Open a ROOL forum page and confirm login failure. Go to Develop, Show Web Inspector. Click Storage in the Inspector window at the bottom of the main window, then left click on the individual cookie. |
Steve Pampling (1551) 7931 posts |
Now believing Rick is right – not a browser issue per se. The behaviour on this is rather like one at work which was a mismatched setup on a pair of servers fronted by a load-balancer. Didn’t think that was the ROOL setup. |
Erich Kraehenbuehl (1634) 176 posts |
I also got this problem. Tried to answer a post in the forum (with Mozilla on Android 5.1, as always). Logging in and going to the forum, I could not post anything, however often I tried to log in and go to the forum. But I can report: on NetSurf it works without any problem. |
Steve Pampling (1551) 7931 posts |
Interesting, NetSurf has its own SSL support does it not? As an aside, I note the forum still has an http reference to Gravatar[1] in the forum pages. Edit: [1] Being a grumpy anti-social media user I have an add-on blocking that on the page anyway so I wouldn’t grieve over it being removed rather than ‘fixed’ |
Chris Mahoney (1684) 2100 posts |
High Sierra affected here (although as noted above, I’m confident that it’s not a browser issue). |
Andrew Hodgkinson (6) 465 posts |
Catching up on this. Some bits and bobs:
That has been an intermittent fault forever, more or less, and never settled in enough to actually track down except to say that (as noted) clearing cookies usually solves it. Tends to only happen when a significant update occurs in the underlying authorisation framework and there are implications of a timezone issue between different Rails applications, but I’ve never been able to get a concrete diagnosis. I did a significant deployment recently, but that wasn’t the main cause – I found subsequently a few stray background processes related to that framework which were potentially interfering. I shut all those down, restarted everything clean and after clearing my own cookies – since I was at that point then hit by the same issue myself – all is well. Although things were already settling down for most people, killing off those stray processes will hopefully sort it more for the long run though it might mean another brief outbreak of “gotta flush the cookies” to get going properly.
There’s a scheduled daily shut down, backup, log rotate and restart operation which happens at 5:30am UK local time daily. Metrics show it’s our quietest period. This flushes everyone’s logins in passing. If you give it a few minutes & try again it should all be back up, though initial page load times may be slow as caches get repopulated.
The web software herein is quite old and, though maintained, the abandonware nature of Rails makes it hard to jump up to modern equivalents – they’re whole new applications with no database migration path. As a result, most of it dates back to 10 years ago where people like Google weren’t trying to force everyone into the arms of private enterprises who’ll sell you an SSL cert., and don’t force HTTPS. There are probably lots and lots of little edges where HTTP protocols are in use. My strategy for a few months was to try and upgrade things to newest application, or newest equivalent. I put a lot of hours into migration scripts, but they were slow and in some cases of questionable reliability since some of the code bases were large, making it difficult to be sure that I was transforming the source to destination schema accurately, especially in cases where no direct equivalent existed for a particular entity. Lately, I’ve given up on all that and realised I’m going to have to self-maintain every single piece of software here, since the original developers have long gone and moving to another application (some of which have already subsequently also been abandoned!) is clearly a fool’s errand. It’s frustrating but is the nature of open source and web development in particular; new shiny reigns supreme. To this end I prioritised first establishing a server environment with modern underpinnings, which took a while as I had a few false starts on best approaches. Next was manually upgrading some of the easier Rails applications. The CVS viewer was a priority because of GitLab, though in the end we got the Home page feed done via other methods. The next one was Hub, the SSO system and its associated background stuff – that’s the deployment which caused cookie disruption. 
Unfortunately it transpired that modern Rails won’t talk to our database as it is “too old”, but old Rails won’t talk to a new database – so although I built PostgreSQL 11 and migrated the entire data set to it (if you noticed a ~1h downtime in the very early hours of the morning UK time on Saturday that’ll be why!) I wasn’t then able to get anything other than new applications to run on it. Next strategy will be to try and get the two database versions running side by side. For security reasons our server processes all run internally on Unix domain sockets to avoid any Internet exposure, and the two servers are correctly built and configured to be completely independent – that’s how come I was able to “roll back” to the old database, I simply shut down the new one and restarted the old! – yet nonetheless, the second always refuses to start when the first is already up. Investigation there is ongoing. As applications were rebuilt on new frameworks, I’d migrate their data to the new database until eventually being able to shut all the old stuff down and clean up. Does mean I’m going to be quite unkind in disc and RAM usage to our shared hosting space in the mean time…! Hopefully all this goes some way to explaining what’s been going on behind the scenes & why things that might seem like an easy fix have been so far put at lower priority. That said, given I only have about 30 minutes left in the working window now after doing the forum catchup, I’ll have a look at a quick patch for the Gravatar URLs in the forum on the old code base. |
Andrew Hodgkinson (6) 465 posts |
…OK, Gravatar URL is now always HTTPS. Very simple change. https://www.riscosopen.org/tracker/repository/changesets/474 |
Chris Mahoney (1684) 2100 posts |
That sounds familiar! One of our biggest systems at work was originally an open-source thing written in C# 1.0 which was subsequently abandoned. Naturally we have hundreds of thousands of records in there so we’re self-maintaining it. Even if I do say so myself, after years of tweaks and updates, our internal version is much nicer to use than the final official release! As for the login issue, I had to delete cookies again to post this, but hopefully that’ll be the last time. I’ll post back if I run into the problem again. |
David Pitt (3386) 1248 posts |
Sadly cookies have to be deleted every time Edge on Windows 10 on this Lenovo laptop is restarted. |
Steve Pampling (1551) 7931 posts |
Thanks for that one, and all the other work. The 5:30 blips were something I’d put down to backup procedures in quiet periods (for most users). To brighten your day, various SSL test sites rate the security at levels between B and A- with the markdowns coming from TLS1.0 still active, some weak ciphers in use and a non-secure cookie, “_radiantapp_session_id”. |
Clive Semmens (2335) 3129 posts |
:-) Yup, I’d deduced/guessed all that! :-) And thank you very much for your efforts! Hugely appreciated. |
Rick Murray (539) 13401 posts |
Gravatar – I did say it was simple. ;-) https://www.riscosopen.org/forum/forums/3/topics/6750 Thanks from me too for your work in keeping all of this running. |
Andrew Hodgkinson (6) 465 posts |
Yeah I saw that in your earlier message. We’re coercing connections to HTTPS anyway but it still should be addressed – hopefully I’ll remember to do that when I rebuild the CMS under Rails 5. That’s one of the more difficult ones as the CMS is a surprisingly complex piece of code owing to the way it was originally architected. |
Steve Pampling (1551) 7931 posts |
Testing with another facility gives warnings for the other two cookies listed by Rick, so it isn’t even as simple as a one cookie change and more like a larger change to whatever generates all the cookies. |
Chris Evans (457) 1614 posts |
Thanks Andrew for all your work and the update above. n.b. I’ve not had cookie problems but I’ve only been reading the forum for a few days and haven’t posted since the 23rd. Edit: Interestingly I expected it to fail when I posted the above, but it seems to have worked first time. |
Andrew Hodgkinson (6) 465 posts |
Until “v1” is done on Rails 5 that’ll be way out of date – track current developments at: |