FIX FOR FORUM LOGIN ISSUES! NEW WORKAROUND AND POTENTIAL FIX!

I tried to merge this into a new thread, and I'm not sure if I was successful. Anyway, JoshTheBlack found out a fix that is working for a lot of people's forum issues of late, since most of them seem to be affected by Google Chrome. It seems recent updates to Chrome's default security policy have caused this issue. See the next comment for details, but the workaround/fix is this:
Type "chrome://flags/#schemeful-same-site" into the address bar.
Set the "Schemeful Same-Site" flag to disabled.
It will tell you to reload, so press the reload button.
Try to log in.
Jim and I are using this information to see if we can make a simple tweak to our SSL cert on the forum server to make it so you don't have to do this workaround, now that we know what the root cause is. Thanks to all that helped us track this down over the course of the year it has been happening.




Comments
Presumably, this was changed to make it more difficult for a malicious website to leverage the browser seeing different subdomains (i.e. https vs http) as part of the same site to launch an attack.
Essentially, the danger this flag is designed to thwart is if an attacker were to impersonate http:// forums.baldmove.com (space to stop auto-link) and man-in-the-middle attack you, they could potentially steal your login cookie, and use that to access your account on https:// forums.baldmove.com. A MITM attack over http is fairly trivial, if you are on the same network, whereas the same attack on https would require access to forums.baldmove.com's private SSL key, or a compromised certificate signer. (Or physical administrator access to the machine being attacked, which in this case would make this attack fairly pointless!)
If you are web-conscious enough that you don't click links in your email from strangers, I would imagine your additional exposure would be negligible. In reality, it would be the same as it was 3 months ago, as this was only recently flipped on for most people.
This is not my area of expertise, so I reserve the right to be wrong, should someone more knowledgeable come along and explain it differently, but I wouldn't really worry about it.
If BM is able to set their SSO up to be compliant with this flag enabled, I would suggest turning it back on, but until that happens, I really wouldn't worry about it. Just try and stay on https wherever possible.
I tried to change my profile picture and can't.
After I try and upload, I get a blank page and nothing has changed.
- bror.00 AKA JABD
PS - I would love a forum backend that would allow us to change our user profile names.
I know this was brought up years ago and the consensus was that we should all be adult enough to post comments that we wouldn't want to delete. However, that's not always the reason we'd want to delete something - maybe we post in the wrong thread, or change our mind about something we posted and want to remove it, etc. There can be many reasons aside from posting something lame and immature. Just a couple of Bald Move pennies' worth.
EDIT: Forced an update and it's the same for me now. I have a workaround, but I CAN'T STRESS THIS ENOUGH. It is temporary. It will eventually be removed. Hopefully not until after the forums' inevitable demise, but no promises.
Steps:
1. chrome://flags/#temporary-unexpire-flags-m92 set to anything that isn't default. I chose disabled.
2. relaunch.
3. chrome://flags/#schemeful-same-site set to disabled.
4. relaunch.
EDIT 2: Alternative workaround without changing flags. Doesn't work on mobile, but the mobile app hasn't made it to Chrome 94 yet, so shouldn't be needed right now. This one is ephemeral. You will need to do it each time you want to log back in, as it doesn't stick around after a logout.
1. Go to baldmove.com and log in.
2. While logged in, press F12 to open the developer console.
3. Choose Application from the list of tabs along the top of the dev console. This may be hidden depending on your window size. If you don't see it, look for ">>" to pull up the hidden tabs on a context menu.
4. Expand Cookies on the left hand side (under storage) by clicking the arrow until it points down.
5. Locate the cookie with a name beginning with "wordpress_logged_in..." and a value starting with your username.
6. Under the column labeled SameSite (should be blank) right click the cookie and choose Edit SameSite.
7. Enter the value "None" no quotes. Capitalization is important.
8. Close the dev console, then click the link to the forums. You should be logged in.
@Jim @A_Ron_Hubbard If you can modify the cookie being set that begins with "wordpress_logged_in..." to include SameSite=None, that might fix this issue for a while. No guarantees that Chrome doesn't start ignoring it in the future, but it would remove a lot of headache from the users in the meantime. Might even outlast the Vanilla forums' remaining time.
As for the cookies, I don't know why it wouldn't appear for you. I'll attach a picture of mine (truncated to obscure the security bits.) The one highlighted in blue is the relevant cookie. The first column (Name) begins with wordpress_logged_in. The second column begins with my username. The 9th column is where you would need to enter "None" before clicking on forums. I put some ugly yellow and red sparks in that box.
So we're here:
a. Chrome 95 on mobile, no way to log in to the forums that I've been able to find.
b. Chrome 95 on desktop, you have to edit the proper cookie to log in.
c. Firefox on either, works just fine.
If @Jim or @A_Ron_Hubbard can change the wordpress logon cookie to add SameSite=None it might fix login issues for everyone long enough to reach the forums sunsetting.
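
Added example (not part of any post in this thread, and not the forum's code): a simplified JavaScript model of how Chrome decides whether to attach a cookie, showing why a cookie with no SameSite attribute stops being sent between the http:// and https:// hosts of one domain once Schemeful Same-Site is on, and why SameSite=None only works together with Secure. The hosts, cookie name and requests are constructed, and the registrable domain is approximated as the last two host labels instead of the Public Suffix List.

```javascript
// Site of a URL: registrable domain, plus the scheme when "schemeful" is on.
// Assumption: registrable domain = last two labels (real browsers use the PSL).
function site(url, schemeful) {
  const u = new URL(url);
  const domain = u.hostname.split(".").slice(-2).join(".");
  return schemeful ? `${u.protocol}//${domain}` : domain;
}

// Pull the two attributes that matter here out of a Set-Cookie header value.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], sameSite: "lax", secure: false };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=");
    const k = key.toLowerCase();
    const v = value.toLowerCase();
    // A missing or unrecognised SameSite value is treated as Lax.
    if (k === "samesite" && ["strict", "lax", "none"].includes(v)) cookie.sameSite = v;
    if (k === "secure") cookie.secure = true;
  }
  return cookie;
}

// req = { from, to, topLevelNavigation }; returns true if the cookie is attached.
function cookieIsSent(header, req, schemeful) {
  const c = parseSetCookie(header);
  if (c.sameSite === "none" && !c.secure) return false; // rejected when set
  if (c.secure && new URL(req.to).protocol !== "https:") return false;
  const isSameSite = site(req.from, schemeful) === site(req.to, schemeful);
  if (isSameSite || c.sameSite === "none") return true;
  // Cross-site: Lax cookies ride only on top-level navigations, Strict never.
  return c.sameSite === "lax" && req.topLevelNavigation;
}

// Constructed scenario: an embedded (non-navigation) request between an
// https:// forum host and an http:// main site on the same domain.
const embedded = {
  from: "https://forums.example.com/",
  to: "http://example.com/sso",
  topLevelNavigation: false,
};
const plain = "wordpress_logged_in_EXAMPLE=alice"; // no SameSite attribute
console.log("flag disabled:", cookieIsSent(plain, embedded, false));
console.log("flag enabled: ", cookieIsSent(plain, embedded, true));
console.log("None, no Secure:", cookieIsSent(plain + "; SameSite=None", embedded, true));
```

Because SameSite=None is only honoured with Secure, and Secure cookies are only sent over https://, a server-side fix needs both endpoints on HTTPS, which also removes the scheme mismatch in the first place.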