FIX FOR FORUM LOGIN ISSUES! NEW WORKAROUND AND POTENTIAL FIX!

A_Ron_Hubbard Cincinnati, OH
edited May 14 in General
I tried to merge this into a new thread, and I'm not sure if I was successful. Anyway, JoshTheBlack found out a fix that is working for a lot of people's forum issues of late, since most of them seem to be affected by Google Chrome. It seems recent updates to Chrome's default security policy have caused this issue. See the next comment for details, but the workaround/fix is this:

Type "chrome://flags/#schemeful-same-site" into the address bar.
Set the "Schemeful Same-Site" flag to disabled.
It will tell you to reload, so press the reload button.
Try to log in.

Jim and I are using this information to see if we can make a simple tweak to our SSL cert on the forum server to make it so you don't have to do this workaround, now that we know what the root cause is. Thanks to all that helped us track this down over the course of the year it has been happening.

Comments

  • JoshTheBlack Atlanta, GA
    edited May 6
    Is anybody having issues in any browser that is NOT chrome?

    Can we get some folks to post their Chrome version (Menu > Help > About Google Chrome on desktop; Menu > Settings > About on mobile) and whether they are able to successfully log in currently using it?

    I'm on Version 90.0.4430.85 on Ubuntu, 90.0.4430.91 on Android. Can't log in on either.

    EDIT:  I downgraded Chrome to v 81.0.4044.113 (shot in the dark older version) and was able to log in properly without issue.  I'm gonna play around with different versions and see what happens.  Maybe if I find which version breaks it, it will provide better info on what to look for as a solution.

    EDIT2:  It quits allowing log in with version 89.0.4389.90 for me on Ubuntu.  I dug around in the development log of changes and found some possible leads.  On the current version, I am able to reliably* (3 times in a row so far) log in by changing one of the developer flags.  Can anybody else who can't log in try this on desktop and see if they can log in?

    Type "chrome://flags/#schemeful-same-site" into the address bar.
    Set the "Schemeful Same-Site" flag to disabled.
    It will tell you to reload, so press the reload button.
    Try to log in.

    If that is a reliable solution, it would seem @Jim and @A_Ron_Hubbard could look into setting up the forums with SSL, possibly with the same certificate as the main site is hosted? It is out of my realm of knowledge, but this flag appears to control how Chrome calculates same-siteness. From skimming, it looks like with it enabled, it considers http and https different sites, and the same site when disabled.
    Since the forums are hosted without SSL (and when trying to browse via SSL, the certificate is invalid, being self-signed by Plesk) I think this probably causes the break in how Chrome now designates same-siteness for cookies.

    Can we get a few people to test this?
  • Ben Melbourne - Australia
    I'm back in Baby! Thanks for the work around Josh and Aron.
  • Teresa from Concord Concord, California
    Anyone know if this fix will open the door to sites I would want blocked? Not sure what's going on with Chrome but they have an update about every week. Perhaps I need to remove Chrome as my default? 
  • jolissa Australia
    Back in, this worked for me.
  • JoshTheBlack Atlanta, GA
    edited May 20
    Anyone know if this fix will open the door to sites I would want blocked? Not sure what's going on with Chrome but they have an update about every week. Perhaps I need to remove Chrome as my default? 
    As I understand it, this flag simply reverts back to the old way (the way every other browser does it) of determining if two URLs belong to the same site, i.e. baldmove.com and forums.baldmove.com.

    Presumably, this was changed to make it more difficult for a malicious website to leverage the browser seeing different subdomains (i.e. https vs http) as part of the same site to launch an attack.

    Essentially, the danger this flag is designed to thwart is if an attacker were to impersonate http:// forums.baldmove.com (space to stop auto-link) and man-in-the-middle attack you, they could potentially steal your login cookie, and use that to access your account on https:// forums.baldmove.com. A MITM attack over http is fairly trivial, if you are on the same network, whereas the same attack on https would require access to forums.baldmove.com's private SSL key, or a compromised certificate signer. (Or physical administrator access to the machine being attacked, which in this case would make this attack fairly pointless!)

    If you are web-conscious enough that you don't click links in your email from strangers, I would imagine your additional exposure would be negligible.  In reality, it would be the same as it was 3 months ago, as this was only recently flipped on for most people.

    This is not my area of expertise, so I reserve the right to be wrong, should someone more knowledgeable come along and explain it differently, but I wouldn't really worry about it. 

    If BM is able to set their SSO up to be compliant with this flag enabled, I would suggest turning it back on, but until that happens, I really wouldn't worry about it. Just try and stay on https wherever possible.
  • Not directly related but not sure where else to report this ...
    I tried to change my profile picture and can't.
    After I try and upload, I get a blank page and nothing has changed.

    - bror.00 AKA JABD

     PS - I would love a forum backend that would allow us to change our user profile names.
  • A_Ron_Hubbard Cincinnati, OH
    Oh shoot, a return of the dreaded avatar issue. It might be a result of us playing around with the security settings and now people can't upload new avatars. We'll take a look at it.

    As I understand it, the security opening of this flag is negligible, and as people have pointed out, it's basically the way Chrome was until recently and the way Firefox still is. I actually don't get the reasoning behind it at all. Like, okay, what's the concern, someone doing something rogue with a subdomain without the owner of the domain aiding and abetting them? If the person operating the SSL and DNS registries is in on it, how does this really add any security? They'd just make sure their malware/whatever site was running under a valid SSL, no? Like, this is making scammers dot i's and cross t's or what?

    I used to be pretty good with security, but that was 10 years ago. Having said that, I don't get it.
  • Michelle California
    edited May 21
    While we're on the topic of things we wish we had individual control over - I wish we could delete our own comments.
    I know this was brought up years ago and the consensus was that we should all be adult enough to post comments that we wouldn't want to delete.  However, that's not always the reason we'd want to delete something - maybe we post in the wrong thread, or change our mind about something we posted and want to remove it, etc.  There can be many reasons aside from posting something lame and immature.  Just a couple of Bald Move pennies' worth.  :)
  • Can't you just edit your comment to be basically blank? 
  • MoonMan13 Northern Kentucky
    INCREDIBLE. probably been over a year since I've been on. Thanks so much!!
  • I'm having the problem where I can't log in while using Chrome (or MS Edge) any more, and this fix doesn't work as "Schemeful Same-Site" doesn't appear as a flag any more.  Anyone else having this issue?
  • JoshTheBlack Atlanta, GA
    edited September 4
    I'm having the problem where I can't log in while using Chrome (or MS Edge) any more, and this fix doesn't work as "Schemeful Same-Site" doesn't appear as a flag any more.  Anyone else having this issue?
    Not so far.  Chrome likes to roll stuff out a little at a time though.  Can you tell me what your version number is?

    EDIT: Forced an update and it's the same for me now. I have a workaround, but I CAN'T STRESS THIS ENOUGH. It is temporary. It will eventually be removed. Hopefully not until after the forums' inevitable demise, but no promises.

    Steps:
    1. chrome://flags/#temporary-unexpire-flags-m92 set to anything that isn't default.  I chose disabled.
    2. relaunch.
    3. chrome://flags/#schemeful-same-site set to disabled.
    4. relaunch.

    EDIT 2:  Alternative workaround without changing flags.  Doesn't work on mobile, but the mobile app hasn't made it to Chrome 94 yet, so shouldn't be needed right now.  This one is ephemeral.  You will need to do it each time you want to log back in, as it doesn't stick around after a logout.

    1. Go to baldmove.com and log in.
    2. While logged in, press F12 to open the developer console.
    3. Choose Application from the list of tabs along the top of the dev console. This may be hidden depending on your window size. If you don't see it, look for ">>" to pull up the hidden tabs on a context menu.
    4. Expand Cookies on the left hand side (under Storage) by clicking the arrow until it points down.
    5. Locate the cookie with a name beginning with "wordpress_logged_in..." and a value starting with your username.
    6. Under the column labeled SameSite (should be blank) right click the cookie and choose Edit SameSite.
    7. Enter the value "None" (no quotes). Capitalization is important.
    8. Close the dev console, then click the link to the forums. You should be logged in.

    @Jim @A_Ron_Hubbard If you can modify the cookie being set that begins with "wordpress_logged_in..." to include SameSite=None, that might fix this issue for a while. No guarantees that Chrome doesn't start ignoring it in the future, but it would remove a lot of headache from the users in the meantime. Might even outlast the vanilla forums' remaining time.
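The two points Josh makes above (how the schemeful same-site rule treats https://baldmove.com and http://forums.baldmove.com, and the SameSite=None suggestion for the login cookie) modelled in code. This is an added example, not Chrome's code and not anything from the baldmove site or forum; it assumes the forum SSO picks up the login cookie through a cross-site subresource request rather than a top-level navigation, approximates the registrable domain as the last two host labels, and uses a placeholder cookie name.

```javascript
// Added example, not Chrome's code or the forum's: a simplified model of
// Chrome's "schemeful same-site" rule and of when a cookie is attached.
// Registrable domain = last two host labels (no Public Suffix List lookup).
function siteOf(urlString, schemeful) {
  const u = new URL(urlString);
  const registrable = u.hostname.split('.').slice(-2).join('.');
  // Schemeful: scheme is part of the site, so https://baldmove.com and
  // http://forums.baldmove.com differ. Schemeless (what the flag restores):
  // only the registrable domain counts.
  return schemeful ? `${u.protocol}//${registrable}` : registrable;
}

function isSameSite(urlA, urlB, schemeful = true) {
  return siteOf(urlA, schemeful) === siteOf(urlB, schemeful);
}

// Chrome rejects a server-set SameSite=None cookie that is not also Secure.
function cookieAccepted(cookie) {
  return cookie.sameSite !== 'None' || cookie.secure === true;
}

// Would `cookie` be sent on a request from page `fromUrl` to `toUrl`?
// opts.topLevel marks a top-level navigation, opts.method the HTTP method.
// Chrome's short "Lax-allowing-unsafe" grace period is left out on purpose.
function cookieSent(cookie, fromUrl, toUrl, opts = {}) {
  const { schemeful = true, topLevel = true, method = 'GET' } = opts;
  if (!cookieAccepted(cookie)) return false;
  if (cookie.secure && new URL(toUrl).protocol !== 'https:') return false;
  const attr = cookie.sameSite || 'Lax'; // unspecified defaults to Lax
  if (attr === 'None') return true;
  if (isSameSite(fromUrl, toUrl, schemeful)) return true;
  if (attr === 'Strict') return false;
  return topLevel && method === 'GET'; // Lax: only safe top-level navigations
}

// Constructed scenario from the thread: the login cookie is set by
// https://baldmove.com; the forums are served over plain http.
const MAIN = 'https://baldmove.com/';
const FORUMS = 'http://forums.baldmove.com/';
const loginCookie = { name: 'wordpress_logged_in_PLACEHOLDER', secure: false };

function demo() {
  return {
    oldRule: isSameSite(MAIN, FORUMS, false),
    schemefulRule: isSameSite(MAIN, FORUMS, true),
    ssoOld: cookieSent(loginCookie, MAIN, FORUMS, { schemeful: false, topLevel: false }),
    ssoNew: cookieSent(loginCookie, MAIN, FORUMS, { schemeful: true, topLevel: false }),
    noneNeedsSecure: cookieAccepted({ sameSite: 'None', secure: false }),
    secureNoneToHttp: cookieSent({ sameSite: 'None', secure: true }, MAIN, FORUMS),
  };
}
```

demo() shows the cookie crossing to the forums under the old rule but not the schemeful one, and that a SameSite=None cookie has to be Secure, so it is never sent to an http-only forum at all; that is why serving the forums over HTTPS, as suggested earlier in the thread, is the durable fix.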
  • @JoshTheBlack: Thank you, sir, worked like a charm (method #1 on Chrome).
  • @JoshTheBlack thanks for the workaround. I also did method 1 on chrome for mobile. 
  • I cannot find "Schemeful Same-Site" anywhere on that page. I also cannot find a cookie with a name beginning with "wordpress_logged_in..." So I am only able to log in using an old version of Firefox.