by Commerce Heights » Thu Oct 23, 2014 5:54 pm
by Indian Empire » Thu Oct 23, 2014 5:59 pm
Commerce Heights wrote:When I set my nation to log in automatically in Safari 8 on OS X Yosemite, I get logged in automatically on the game, but I’m logged out every time I go from the game to the forum, and I have to log in separately through the forum every time. When I get annoyed by this and try to turn off “Log in automatically”, I’m told that the request failed a security check. I have to manually delete the cookie, after which I can log in manually and stay logged in when I go to the forum.
This happens to me only in Safari 8, not in Chrome or in Safari 7.1 on Mavericks. I have extensions and form auto-fill disabled. I also tried turning on auto-login for a different nation, and it does the same thing.
by Commerce Heights » Thu Oct 23, 2014 6:09 pm
Indian Empire wrote:Commerce Heights wrote:When I set my nation to log in automatically in Safari 8 on OS X Yosemite, I get logged in automatically on the game, but I’m logged out every time I go from the game to the forum, and I have to log in separately through the forum every time. When I get annoyed by this and try to turn off “Log in automatically”, I’m told that the request failed a security check. I have to manually delete the cookie, after which I can log in manually and stay logged in when I go to the forum.
This happens to me only in Safari 8, not in Chrome or in Safari 7.1 on Mavericks. I have extensions and form auto-fill disabled. I also tried turning on auto-login for a different nation, and it does the same thing.
I am not having the problem on Internet Explorer. Try IE and see if that works.
by Frisbeeteria » Thu Oct 23, 2014 6:11 pm
by Commerce Heights » Thu Oct 23, 2014 6:14 pm
Frisbeeteria wrote:Security Check failures imply that you have multiple tabs open with different puppets. Try it with just one nation loaded.
by Indian Empire » Thu Oct 23, 2014 6:16 pm
Commerce Heights wrote:Indian Empire wrote:
I am not having the problem on Internet Explorer. Try IE and see if that works.
Excuse me while I go grab my Snow Leopard install disc and wipe my system so I can run IE for Mac 5.2.3 through Rosetta.
Seriously, if you don’t know the solution and aren’t even going to read the problem description thoroughly, there’s no point in posting here.
by Commerce Heights » Thu Oct 23, 2014 6:21 pm
Indian Empire wrote:And I think I know the answer that the problem is only with those browsers.
by The Emerald World » Thu Oct 23, 2014 6:23 pm
by [violet] » Thu Oct 23, 2014 7:18 pm
Commerce Heights wrote:When I set my nation to log in automatically in Safari 8 on OS X Yosemite, I get logged in automatically on the game, but I’m logged out every time I go from the game to the forum, and I have to log in separately through the forum every time. When I get annoyed by this and try to turn off “Log in automatically”, I’m told that the request failed a security check. I have to manually delete the cookie, after which I can log in manually and stay logged in when I go to the forum.
This happens to me only in Safari 8, not in Chrome or in Safari 7.1 on Mavericks. I have extensions and form auto-fill disabled. I also tried turning on auto-login for a different nation, and it does the same thing.
The Emerald World wrote:So use chrome.
by Commerce Heights » Thu Oct 23, 2014 7:34 pm
[violet] wrote:Hmm, interesting! I don't have a Mac handy, so maybe you can do some testing for me.
This security check error message, you get that when you go to Settings and change "Log in automatically" to "No" and click "Update," is that right?
[violet] wrote:Can you see if there's any difference in ticking the "Remember me" box when you log in (on gameside) vs setting "Log in automatically" to "Yes" in your Settings? You may need to manually clear cookies and log out in between.
by Commerce Heights » Thu Oct 23, 2014 10:55 pm
by [violet] » Sun Oct 26, 2014 4:08 pm
Commerce Heights wrote:It looks like this issue is actually triggered when I visit the Settings page with auto-login on, regardless of whether it’s from “Log in automatically” or “Remember me”.
If I’m auto-logged-in and visit the Settings page, then I get logged out of the forum every time for the rest of my session, and attempting to change a setting will fail a security check. (Contrary to what I said before, changing “Log in automatically” to “No” does actually work, even though I get the security check message. I can change actual game settings, like my theme, only if I set “Log in automatically” to “No” beforehand.)
If I log out and log back in (with auto-login still enabled), I can visit the forum properly as long as I haven’t visited the Settings page since logging in. If I have auto-login disabled, then everything’s fine, even if I visit the Settings page.
by Enfaru » Sun Oct 26, 2014 4:33 pm
by Commerce Heights » Sun Oct 26, 2014 8:34 pm
[violet] wrote:It sounds to me as if your browser is discarding cookies in some unusual way. The first thing I'd check is whether you have a security setting or extension that may interfere with normal cookie operation.
[violet] wrote:What may be happening, for example, is your "autologin" cookie is sticking, but your "pin" cookie (which holds your session) is not. So every page you visit after you log in, the game isn't getting your session information and has to log you in again (which it does silently, because it's autologin). And since your session information changes in between loading the Settings page and clicking "Update," you get a security error.
Enfaru wrote:I think I've had something occur to me while in the early stages of https://www.nationstates.net as opposed to http://www.nationstates.net. Is the https / http switching?
by [violet] » Sun Oct 26, 2014 9:42 pm
by [violet] » Sun Oct 26, 2014 10:01 pm
by [violet] » Sun Oct 26, 2014 10:16 pm
by Commerce Heights » Sun Oct 26, 2014 10:57 pm
[violet] wrote:Thank you so much for this excellent sleuthing. Right now I'm thinking the problem is related to how the "pin" cookie sets a domain of ".nationstates.net" (with a period at the start) while the autologin cookie doesn't ("nationstates.net", no period).
So if I understand this right, when you have autologin turned off, and you login manually, the pin cookie does stick as you navigate around gameside? It doesn't get regenerated every page load?
[violet] wrote:Also, can you please use this handy page to check which cookies your browser is sending to our server? It would be interesting to see how that changed depending on whether you have autologin turned on, and also if it changes when you replace "www" with "liberal" or one of the other subdomains.
Please don't publicly post any output from that link; just let me know whether the "autologin" and "pin" cookies are showing up and doing anything weird... such as the "pin" cookie only appearing when "autologin" is absent.
Edit: Actually I made that utility show less info by default, so that no-one will unwittingly copy & paste more data than they really should when debugging.
[violet] wrote:And here is yet another test: http://debugtheweb.com/test/cookieinherit.aspx
Please lemme know if the leading dot makes any difference in Safari. In Firefox, Chrome, and IE, it doesn't.
by Eluvatar » Mon Oct 27, 2014 5:15 am
by Frisbeeteria » Mon Oct 27, 2014 11:13 am
Eluvatar wrote:send it privately to admin?
by [violet] » Mon Oct 27, 2014 4:39 pm
Commerce Heights wrote:I don’t see anything unexpected from that; the pin cookie is sent, along with the autologin if I’ve enabled it. Subdomains show the same result as the primary domain.
by Commerce Heights » Mon Oct 27, 2014 6:29 pm
- I log in to nationstates.net and tick “Remember me”.
- NationStates responds with PIN A and an autologin cookie.
- Safari sends all its requests for /nation=commerce_heights and the requisite CSS, JS, and images, sending PIN A and the autologin cookie.
- NationStates happily complies with those requests or sends HTTP 304 Not Modified.
- Afterwards, Safari requests /apple-touch-icon-precomposed.png, sending PIN B and the autologin cookie.
- NationStates responds with a redirect to /nation=commerce_heights and PIN C.
- Safari requests /nation=commerce_heights, sending PIN C and the autologin cookie.
- NationStates responds with the page.
- Safari requests /apple-touch-icon.png, sending PIN C and the autologin cookie.
- NationStates responds with a redirect to /nation=commerce_heights.
- Safari requests /nation=commerce_heights, sending PIN C and the autologin cookie.
- NationStates responds with the page.
- I visit another page. Safari sends PIN A and the autologin cookie.
- NationStates responds with the page and PIN D.
- Safari requests /apple-touch-icon-precomposed.png again, sending PIN E and the autologin cookie.
- NationStates responds with a redirect to /nation=commerce_heights and PIN F.
- …

- I log in to nationstates.net and don’t tick “Remember me”.
- NationStates responds with PIN A.
- Safari sends all its requests for /nation=commerce_heights and the requisite CSS, JS, and images, sending PIN A.
- NationStates happily complies with those requests or sends HTTP 304 Not Modified.
- Afterwards, Safari requests /apple-touch-icon-precomposed.png, sending PIN B.
- NationStates responds with HTML (the home page, I guess, though it was gzipped so I didn’t see) and ignores the invalid PIN.
- Safari requests /apple-touch-icon.png, sending PIN B.
- NationStates responds with HTML and ignores the invalid PIN.
- I visit another page. Safari sends PIN A.
- NationStates responds with the page.
- Safari requests /apple-touch-icon-precomposed.png again, sending PIN B.
- NationStates responds with HTML and ignores the invalid PIN.
- …

- I log in to a subdomain and tick “Remember me”.
- NationStates responds with PIN A and an autologin cookie.
- Safari sends all its requests for /nation=commerce_heights and the requisite CSS, JS, and images, sending PIN A and the autologin cookie.
- NationStates happily complies with those requests or sends HTTP 304 Not Modified.
- Safari does not request /apple-touch-icon-precomposed.png or /apple-touch-icon.png.
- I visit another page. Safari sends PIN A and the autologin cookie.
- NationStates responds with the page.
- Safari does not request /apple-touch-icon-precomposed.png or /apple-touch-icon.png.
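
The mechanism described in the thread (an invalid "pin" plus a valid "autologin" cookie triggers a silent re-login, which changes the session between loading Settings and clicking "Update") can be reproduced with a toy model. This is an added example, not part of the original thread and not NationStates code. It assumes one live pin per nation and a form token computed as an HMAC of the pin; the nation name and the stale pin value are constructed.

```python
import hashlib, hmac, secrets

class Server:
    """Toy model: one live "pin" per nation; form tokens are bound to the pin."""
    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.live_pin = {}    # nation -> currently valid pin
        self.autologin = {}   # autologin cookie value -> nation

    def _new_pin(self, nation):
        pin = secrets.token_hex(8)
        self.live_pin[nation] = pin          # replaces the previous pin
        return pin

    def login(self, nation, remember):
        cookies = {"pin": self._new_pin(nation)}
        if remember:
            cookies["autologin"] = secrets.token_hex(8)
            self.autologin[cookies["autologin"]] = nation
        return cookies

    def form_token(self, pin):
        return hmac.new(self.key, pin.encode(), hashlib.sha256).hexdigest()

    def request(self, cookies, form_token=None):
        pin = cookies.get("pin")
        if pin not in self.live_pin.values():
            nation = self.autologin.get(cookies.get("autologin"))
            if nation is None:
                return "anonymous"           # invalid pin is simply ignored
            pin = self._new_pin(nation)      # silent re-login issues a new pin
        if form_token is not None and not hmac.compare_digest(
                form_token, self.form_token(pin)):
            return "security check failed"
        return "ok"

def settings_update(remember, icon_fetch):
    """Load Settings, optionally let an icon fetch happen, then click Update."""
    srv = Server()
    jar = srv.login("example_nation", remember)   # PIN A (+ autologin)
    token = srv.form_token(jar["pin"])            # form rendered under PIN A
    if icon_fetch:
        # Icon request carries a different, invalid pin ("PIN B" in the trace).
        srv.request(dict(jar, pin="constructed-stale-pin"))
    return srv.request(jar, form_token=token)     # page jar still holds PIN A

if __name__ == "__main__":
    for remember, icon in [(True, True), (False, True), (True, False)]:
        print(remember, icon, settings_update(remember, icon))
```

The three calls correspond to the three traces above: auto-login with icon requests, manual login with icon requests, and auto-login on a subdomain where Safari sends no icon requests.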
by [violet] » Mon Oct 27, 2014 10:36 pm