FIX FOR FORUM LOGIN ISSUES! NEW WORKAROUND AND POTENTIAL FIX!

A_Ron_Hubbard Cincinnati, OH
edited May 14 in General
I tried to merge this into a new thread, and I'm not sure if I was successful. Anyway, JoshTheBlack found a fix that is working for a lot of people's forum issues of late, since most of them seem to be affected by Google Chrome. It seems recent updates to Chrome's default security policy have caused this issue. See the next comment for details, but the workaround/fix is this:


Type "chrome://flags/#schemeful-same-site" into the address bar.
Set the "Schemeful Same-Site" flag to disabled.
It will tell you to reload, so press the reload button.
Try to log in.


Jim and I are using this information to see if we can make a simple tweak to our SSL cert on the forum server to make it so you don't have to do this workaround, now that we know what the root cause is. Thanks to all that helped us track this down over the course of the year it has been happening.

Comments

  • JoshTheBlack Atlanta, GA
    edited May 6
    Is anybody having issues in any browser that is NOT chrome?

    Can we get some folks to post their Chrome version (Menu > Help > About Google Chrome on desktop; Menu > Settings > About on mobile) and whether they are able to successfully log in currently using it?

    I'm on Version 90.0.4430.85 on Ubuntu, 90.0.4430.91 on android.  Can't log in on either.

    EDIT:  I downgraded Chrome to v 81.0.4044.113 (shot in the dark older version) and was able to log in properly without issue.  I'm gonna play around with different versions and see what happens.  Maybe if I find which version breaks it, it will provide better info on what to look for as a solution.

    EDIT2:  It quits allowing log in with version 89.0.4389.90 for me on Ubuntu.  I dug around in the development log of changes and found some possible leads.  On the current version, I am able to reliably* (3 times in a row so far) log in by changing one of the developer flags.  Can anybody else who can't log in try this on desktop and see if they can log in?

    Type "chrome://flags/#schemeful-same-site" into the address bar.
    Set the "Schemeful Same-Site" flag to disabled.
    It will tell you to reload, so press the reload button.
    Try to log in.

    If that is a reliable solution, it would seem @Jim and @A_Ron_Hubbard could look into setting up the forums with SSL, possibly with the same certificate the main site is hosted with?  It is out of my realm of knowledge, but this flag appears to control how Chrome calculates same-siteness.  From skimming, it looks like it considers http and https different sites when it is enabled, and the same site when disabled.
    Since the forums are hosted without SSL (and when trying to browse via SSL, the certificate is invalid, being self-signed by Plesk) I think this probably causes the break in how Chrome now designates same-siteness for cookies.

    Can we get a few people to test this?
  • Ben Melbourne - Australia
    I'm back in Baby! Thanks for the work around Josh and Aron.
  • Teresa from Concord Concord, California
    Anyone know if this fix will open the door to sites I would want blocked? Not sure what's going on with Chrome but they have an update about every week. Perhaps I need to remove Chrome as my default?
  • jolissa Australia
    Back in, this worked for me.
  • JoshTheBlack Atlanta, GA
    edited May 20
    Anyone know if this fix will open the door to sites I would want blocked? Not sure what's going on with Chrome but they have an update about every week. Perhaps I need to remove Chrome as my default?
    As I understand it, this flag simply reverts back to the old way (the way every other browser does it) of determining if two URLs belong to the same site.  I.e. baldmove.com and forums.baldmove.com.

    Presumably, this was changed to make it more difficult for a malicious website to leverage the browser seeing different subdomains (i.e. https vs http) as part of the same site to launch an attack.

    Essentially, the danger this flag is designed to thwart is if an attacker were to impersonate http:// forums.baldmove.com (space to stop auto-link) and man-in-the-middle attack you, they could potentially steal your login cookie, and use that to access your account on https:// forums.baldmove.com.  A MITM attack over http is fairly trivial, if you are on the same network, whereas the same attack on https would require access to forums.baldmove.com's private SSL key, or a compromised certificate signer.  (Or physical administrator access to the machine being attacked, which in this case would make this attack fairly pointless!)

    If you are web-conscious enough that you don't click links in your email from strangers, I would imagine your additional exposure would be negligible.  In reality, it would be the same as it was 3 months ago, as this was only recently flipped on for most people.

    This is not my area of expertise, so I reserve the right to be wrong, should someone more knowledgeable come along and explain it differently, but I wouldn't really worry about it. 

    If BM is able to set their SSO up to be compliant with this flag enabled, I would suggest turning it back on, but until that happens, I really wouldn't worry about it. Just try and stay on https wherever possible.
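As an added illustration of the same-siteness Josh describes in the two posts above (this is example code, not anything from the thread or the forum software), the JavaScript below models both rules Chrome can apply and checks what happens to a login cookie. The registrable-domain shortcut and the SSO scenario at the bottom are assumptions, not a description of how Bald Move's login actually works.

```javascript
// Added example: how the "Schemeful Same-Site" rule changes the same-site
// test, and therefore whether a SameSite cookie rides along on a request.
// Assumption: registrable domain = last two host labels. Real browsers use
// the Public Suffix List (needed for hosts like example.co.uk); omitted here.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Schemeless rule (flag disabled): site = registrable domain only.
// Schemeful rule (flag enabled):  site = (scheme, registrable domain).
function siteOf(urlString, schemeful) {
  const u = new URL(urlString);
  const domain = registrableDomain(u.hostname);
  return schemeful ? u.protocol + "//" + domain : domain;
}

function isSameSite(a, b, schemeful) {
  return siteOf(a, schemeful) === siteOf(b, schemeful);
}

// Is `cookie` attached to a request that page `fromUrl` makes to `toUrl`?
// `kind` is "navigate-get" (top-level GET), "navigate-post" or "subresource"
// (XHR/fetch/img). Models the SameSite attribute rules only.
function cookieSent(cookie, fromUrl, toUrl, kind, schemeful) {
  const to = new URL(toUrl);
  const host = to.hostname.toLowerCase();
  // Domain attribute: destination must be the cookie domain or a subdomain.
  if (host !== cookie.domain && !host.endsWith("." + cookie.domain)) return false;
  // Secure cookies are never sent over plain http.
  if (cookie.secure && to.protocol !== "https:") return false;
  const same = isSameSite(fromUrl, toUrl, schemeful);
  switch (cookie.sameSite) {
    case "Strict": return same;
    case "Lax":    return same || kind === "navigate-get"; // Lax allows top-level GETs
    case "None":   return true;
    default: throw new Error("unknown SameSite value: " + cookie.sameSite);
  }
}

// Constructed scenario (assumption): an https SSO host sets the session
// cookie without a SameSite attribute (Chrome then treats it as Lax), and a
// forum page served over plain http makes an XHR back to the SSO host.
const session = { domain: "baldmove.com", sameSite: "Lax", secure: false };
const forumPage = "http://forums.baldmove.com/login";
const ssoEndpoint = "https://baldmove.com/sso/check";
console.log(cookieSent(session, forumPage, ssoEndpoint, "subresource", false)); // flag disabled: true
console.log(cookieSent(session, forumPage, ssoEndpoint, "subresource", true));  // flag enabled: false
```

Serving the forum over https would make both URLs schemeful same-site again, which is the server-side fix the thread is working toward.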
  • Not directly related but not sure where else to report this ...
    I tried to change my profile picture and can't.
    After I try and upload, I get a blank page and nothing has changed.

    - bror.00 AKA JABD

    PS - I would love a forum backend that would allow us to change our user profile names.
  • A_Ron_Hubbard Cincinnati, OH
    Oh shoot, a return of the dreaded avatar issue. It might be a result of us playing around with the security settings and now people can't upload new avatars. We'll take a look at it.

    As I understand it, the security opening of this flag is negligible, and as people have pointed out, it's basically the way Chrome was until recently and the way Firefox still is. I actually don't get the reasoning behind it at all. Like, okay, what's the concern, someone doing something rogue with a subdomain without the owner of the domain aiding and abetting them? If the person operating the SSL and DNS registries is in on it, how does this really add any security? They'd just make sure their malware/whatever site was running under a valid SSL, no? Like, this is making scammers dot i's and cross t's or what?

    I used to be pretty good with security, but that was 10 years ago. Having said that, I don't get it.
  • Michelle California
    edited May 21
    While we're on the topic of things we wish we had individual control over - I wish we could delete our own comments.
    I know this was brought up years ago and the consensus was that we should all be adult enough to post comments that we wouldn't want to delete.  However, that's not always the reason we'd want to delete something - maybe we post in the wrong thread, or change our mind about something we posted and want to remove it, etc.  There can be many reasons aside from posting something lame and immature.  Just a couple of Bald Move pennies' worth.  :)
  • Can't you just edit your comment to be basically blank?