Is anybody having issues in any browser that is NOT chrome?
Can we get some folks to post their Chrome version (Menu > Help > About Google Chrome on desktop; Menu > Settings > About on mobile) and whether they are able to successfully log in currently using it?
I'm on Version 90.0.4430.85 on Ubuntu, 90.0.4430.91 on Android. Can't log in on either.
EDIT: I downgraded Chrome to v 81.0.4044.113 (shot in the dark older version) and was able to log in properly without issue. I'm gonna play around with different versions and see what happens. Maybe if I find which version breaks it, it will provide better info on what to look for as a solution.
EDIT2: It quits allowing log in with version 89.0.4389.90 for me on Ubuntu. I dug around in the development log of changes and found some possible leads. On the current version, I am able to reliably* (3 times in a row so far) log in by changing one of the developer flags. Can anybody else who can't log in try this on desktop and see if they can log in?
Type "chrome://flags/#schemeful-same-site" into the address bar.
Set the "Schemeful Same-Site" flag to disabled.
It will tell you to reload, so press the reload button.
Try to log in.
If that is a reliable solution, it would seem @Jim and @A_Ron_Hubbard could look into setting up the forums with SSL, possibly with the same certificate as the main site is hosted? It is out of my realm of knowledge, but this flag appears to control how Chrome calculates same-siteness. From skimming, it looks like it considers HTTP and HTTPS different sites when it is enabled, and the same site when disabled.
Since the forums are hosted without SSL (and when trying to browse via SSL, the certificate is invalid, being self-signed by Plesk) I think this probably causes the break in how Chrome now designates same-siteness for cookies.
I'm glad this is fixing the issue but I'm pretty uncomfortable turning off security features for something as janky as this forum has been.
I feel that. Rest assured that this particular feature is one that Chrome has devised and implemented, but would not be active on other browsers at this time. It's just a feature that Chrome recently flipped the default from disabled to enabled on.
I don't think it's a long-term solution. Chrome tends to implement features, slowly add more users defaulted on, then after a short time of little to no issues, remove the ability to turn it off.
Jim and Aron are gonna have to figure out how to comply with that security feature before that happens.
Can we get a few people to test this?
Can confirm that this worked for me.
chrome://flags/#schemeful-same-site
Paste that in the address bar, set it to disabled, hit reload, then try and log in.
Hey, I appreciate the legwork that you all put into this. Good lord, the hivemind really comes through. I'll go over this with Jim and our developer because if this is indeed a cookie/cert mismatch issue, I think we could get this fixed for minimal cost and time investment.
@JoshTheBlack you are a(n) (inter)national f'ing treasure.
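Added example (not part of the thread and not the forum's code): a simplified JavaScript model of the same-site decision discussed above, showing why a cookie that crosses between an HTTPS main site and an HTTP forum is dropped once the scheme counts, and why serving the forum over HTTPS fixes it without touching the flag. The hostnames, paths and the login-by-POST flow are constructed assumptions, and the registrable domain is approximated as the last two host labels.

```javascript
// Added example, not the forum's code. Simplified model of Chrome's cookie rules.
// Assumption: registrable domain = last two host labels (browsers use the
// Public Suffix List). All hostnames and paths are constructed placeholders.
function siteOf(url, schemeful) {
  const u = new URL(url);
  const domain = u.hostname.split(".").slice(-2).join(".");
  // Schemeful Same-Site makes the scheme part of the site identity.
  return schemeful ? `${u.protocol}//${domain}` : domain;
}

function isSameSite(from, to, schemeful) {
  return siteOf(from, schemeful) === siteOf(to, schemeful);
}

// Decide whether a cookie with the given SameSite value accompanies a request.
// Omitted for brevity: Chrome's short-lived "Lax + POST" allowance for new cookies.
function cookieSent(sameSite, req, schemeful) {
  if (isSameSite(req.from, req.to, schemeful)) return true;
  const toHttps = new URL(req.to).protocol === "https:";
  switch (sameSite) {
    case "Strict": return false;
    case "None":   return toHttps; // None requires Secure, so HTTPS targets only
    default:       // "Lax", also Chrome's default when the attribute is absent
      return req.topLevelNavigation && req.method === "GET";
  }
}

// Constructed scenario: main site on HTTPS posts a login form to the forum.
const MAIN = "https://www.example.com/login";
const FORUM_HTTP = "http://forums.example.com/signin";
const FORUM_HTTPS = "https://forums.example.com/signin";
const loginPost = (to) => ({ from: MAIN, to, method: "POST", topLevelNavigation: true });

function demo() {
  return {
    flagDisabled: cookieSent("Lax", loginPost(FORUM_HTTP), false), // scheme ignored
    flagEnabled: cookieSent("Lax", loginPost(FORUM_HTTP), true),   // http vs https
    forumOnHttps: cookieSent("Lax", loginPost(FORUM_HTTPS), true), // schemes match
  };
}

console.log(demo());
```
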