Auto-login issue

Commerce Heights
Minister
 
Posts: 2050
Founded: Antiquity
Anarchy


Postby Commerce Heights » Thu Oct 23, 2014 5:54 pm

When I set my nation to log in automatically in Safari 8 on OS X Yosemite, I get logged in automatically on the game, but I’m logged out every time I go from the game to the forum, and I have to log in separately through the forum every time. When I get annoyed by this and try to turn off “Log in automatically”, I’m told that the request failed a security check. I have to manually delete the cookie, after which I can log in manually and stay logged in when I go to the forum.

This happens to me only in Safari 8, not in Chrome or in Safari 7.1 on Mavericks. I have extensions and form auto-fill disabled. I also tried turning on auto-login for a different nation, and it does the same thing.

Indian Empire
Minister
 
Posts: 2087
Founded: Mar 29, 2013
Democratic Socialists

Postby Indian Empire » Thu Oct 23, 2014 5:59 pm

Commerce Heights wrote:When I set my nation to log in automatically in Safari 8 on OS X Yosemite, I get logged in automatically on the game, but I’m logged out every time I go from the game to the forum, and I have to log in separately through the forum every time. When I get annoyed by this and try to turn off “Log in automatically”, I’m told that the request failed a security check. I have to manually delete the cookie, after which I can log in manually and stay logged in when I go to the forum.

This happens to me only in Safari 8, not in Chrome or in Safari 7.1 on Mavericks. I have extensions and form auto-fill disabled. I also tried turning on auto-login for a different nation, and it does the same thing.


I am not having the problem on Internet Explorer. Try IE and see if that works.
Internet Explorer, IE, "Preacher of Defender Ideals"

Commerce Heights
Minister
 
Posts: 2050
Founded: Antiquity
Anarchy

Postby Commerce Heights » Thu Oct 23, 2014 6:09 pm

Indian Empire wrote:
Commerce Heights wrote:When I set my nation to log in automatically in Safari 8 on OS X Yosemite, I get logged in automatically on the game, but I’m logged out every time I go from the game to the forum, and I have to log in separately through the forum every time. When I get annoyed by this and try to turn off “Log in automatically”, I’m told that the request failed a security check. I have to manually delete the cookie, after which I can log in manually and stay logged in when I go to the forum.

This happens to me only in Safari 8, not in Chrome or in Safari 7.1 on Mavericks. I have extensions and form auto-fill disabled. I also tried turning on auto-login for a different nation, and it does the same thing.


I am not having the problem on Internet Explorer. Try IE and see if that works.

Excuse me while I go grab my Snow Leopard install disc and wipe my system so I can run IE for Mac 5.2.3 through Rosetta.

Seriously, if you don’t know the solution and aren’t even going to read the problem description thoroughly, there’s no point in posting here.


Commerce Heights
Minister
 
Posts: 2050
Founded: Antiquity
Anarchy

Postby Commerce Heights » Thu Oct 23, 2014 6:14 pm

Frisbeeteria wrote:Security Check failures imply that you have multiple tabs open with different puppets. Try it with just one nation loaded.

I don’t have other NS tabs open when this is happening.

Indian Empire
Minister
 
Posts: 2087
Founded: Mar 29, 2013
Democratic Socialists

Postby Indian Empire » Thu Oct 23, 2014 6:16 pm

Commerce Heights wrote:
Indian Empire wrote:
I am not having the problem on Internet Explorer. Try IE and see if that works.

Excuse me while I go grab my Snow Leopard install disc and wipe my system so I can run IE for Mac 5.2.3 through Rosetta.

Seriously, if you don’t know the solution and aren’t even going to read the problem description thoroughly, there’s no point in posting here.


And I think I know the answer that the problem is only with those browsers.
Internet Explorer, IE, "Preacher of Defender Ideals"

Commerce Heights
Minister
 
Posts: 2050
Founded: Antiquity
Anarchy

Postby Commerce Heights » Thu Oct 23, 2014 6:21 pm

Indian Empire wrote:And I think I know the answer that the problem is only with those browsers.

I think I know that too, which is why I said “This happens to me only in Safari 8, not in Chrome or in Safari 7.1 on Mavericks.”

The Emerald World
Chargé d'Affaires
 
Posts: 371
Founded: Nov 15, 2012
Ex-Nation

Postby The Emerald World » Thu Oct 23, 2014 6:23 pm

So use chrome.
This was written by a bot. Beep boop.
---
Economic Left/Right: 3.38 | Social Libertarian/Authoritarian: -6.05

[violet]
Executive Director
 
Posts: 16205
Founded: Antiquity

Postby [violet] » Thu Oct 23, 2014 7:18 pm

Commerce Heights wrote:When I set my nation to log in automatically in Safari 8 on OS X Yosemite, I get logged in automatically on the game, but I’m logged out every time I go from the game to the forum, and I have to log in separately through the forum every time. When I get annoyed by this and try to turn off “Log in automatically”, I’m told that the request failed a security check. I have to manually delete the cookie, after which I can log in manually and stay logged in when I go to the forum.

This happens to me only in Safari 8, not in Chrome or in Safari 7.1 on Mavericks. I have extensions and form auto-fill disabled. I also tried turning on auto-login for a different nation, and it does the same thing.

Hmm, interesting! I don't have a Mac handy, so maybe you can do some testing for me.

This security check error message, you get that when you go to Settings and change "Log in automatically" to "No" and click "Update," is that right?

Can you see if there's any difference in ticking the "Remember me" box when you log in (on gameside) vs setting "Log in automatically" to "Yes" in your Settings? You may need to manually clear cookies and log out in between.

The Emerald World wrote:So use chrome.

If there is a bug that impacts users of a particular browser, I want to know about it and fix it.

Commerce Heights
Minister
 
Posts: 2050
Founded: Antiquity
Anarchy

Postby Commerce Heights » Thu Oct 23, 2014 7:34 pm

[violet] wrote:Hmm, interesting! I don't have a Mac handy, so maybe you can do some testing for me.

This security check error message, you get that when you go to Settings and change "Log in automatically" to "No" and click "Update," is that right?

Yes.

[violet] wrote:Can you see if there's any difference in ticking the "Remember me" box when you log in (on gameside) vs setting "Log in automatically" to "Yes" in your Settings? You may need to manually clear cookies and log out in between.

After logging in with “Remember me”, everything seems to be working properly.

[violet]
Executive Director
 
Posts: 16205
Founded: Antiquity

Postby [violet] » Thu Oct 23, 2014 8:03 pm

Commerce Heights wrote:After logging in with “Remember me”, everything seems to be working properly.

Can you reproduce the problem by turning on autologin the old way?

Commerce Heights
Minister
 
Posts: 2050
Founded: Antiquity
Anarchy

Postby Commerce Heights » Thu Oct 23, 2014 10:55 pm

It looks like this issue is actually triggered when I visit the Settings page with auto-login on, regardless of whether it’s from “Log in automatically” or “Remember me”.

If I’m auto-logged-in and visit the Settings page, then I get logged out of the forum every time for the rest of my session, and attempting to change a setting will fail a security check. (Contrary to what I said before, changing “Log in automatically” to “No” does actually work, even though I get the security check message. I can change actual game settings, like my theme, only if I set “Log in automatically” to “No” beforehand.)

If I log out and log back in (with auto-login still enabled), I can visit the forum properly as long as I haven’t visited the Settings page since logging in. If I have auto-login disabled, then everything’s fine, even if I visit the Settings page.

[violet]
Executive Director
 
Posts: 16205
Founded: Antiquity

Postby [violet] » Sun Oct 26, 2014 4:08 pm

Commerce Heights wrote:It looks like this issue is actually triggered when I visit the Settings page with auto-login on, regardless of whether it’s from “Log in automatically” or “Remember me”.

If I’m auto-logged-in and visit the Settings page, then I get logged out of the forum every time for the rest of my session, and attempting to change a setting will fail a security check. (Contrary to what I said before, changing “Log in automatically” to “No” does actually work, even though I get the security check message. I can change actual game settings, like my theme, only if I set “Log in automatically” to “No” beforehand.)

If I log out and log back in (with auto-login still enabled), I can visit the forum properly as long as I haven’t visited the Settings page since logging in. If I have auto-login disabled, then everything’s fine, even if I visit the Settings page.

It sounds to me as if your browser is discarding cookies in some unusual way. The first thing I'd check is whether you have a security setting or extension that may interfere with normal cookie operation.

This would also explain the "security check" problems, which can be caused by your login being regenerated in between initial page load and when you click the "Update" button. You may find the same problem occurs when moving regions.

What may be happening, for example, is your "autologin" cookie is sticking, but your "pin" cookie (which holds your session) is not. So every page you visit after you log in, the game isn't getting your session information and has to log you in again (which it does silently, because it's autologin). And since your session information changes in between loading the Settings page and clicking "Update," you get a security error.

FYI, because this is important for your testing, how the forum works is it only checks your login status with gameside when you are NOT simply moving between forum pages. That is, if you are logged in and viewing the forum and you click on a link to another forum page, the forum won't bother asking gameside whether you're still logged in. This might lead to some odd situations for you, if your browser is losing the gameside cookie, because you will lose your gameside login, but whether you show up as logged out forumside depends on whether you're just clicking around internally on the forum or if you do something else that would make it check your login status with gameside -- like go to your address bar and press Enter, or manually type in an URL, or click a bookmark. (Some actions also cause gameside to explicitly instruct the forum to end any open sessions, like when you manually log out or relog in with the same nation. In that case, it doesn't matter whether you're clicking around the forum internally or not.)

Enfaru
Minister
 
Posts: 2921
Founded: Apr 20, 2012
Ex-Nation

Postby Enfaru » Sun Oct 26, 2014 4:33 pm

I think I've had something occur to me while in the early stages of https://www.nationstates.net as opposed to http://www.nationstates.net. Is the https / http switching?
Sovereign Charter Quick Links
Factbook · Role-plays · RMB · Map (Origin | Quantum) · Chat · Members: 73
Myraxia: One does not learn to GM; One throws oneself in and prays they don't fuck up too badly.
Game Master
Founder of the Sovereign Charter,
4th President and,
Tutor of the College of Theatrics

Commerce Heights
Minister
 
Posts: 2050
Founded: Antiquity
Anarchy

Postby Commerce Heights » Sun Oct 26, 2014 8:34 pm

[violet] wrote:It sounds to me as if your browser is discarding cookies in some unusual way. The first thing I'd check is whether you have a security setting or extension that may interfere with normal cookie operation.

Not as far as I know. I’m allowing all cookies and have disabled extensions.

[violet] wrote:What may be happening, for example, is your "autologin" cookie is sticking, but your "pin" cookie (which holds your session) is not. So every page you visit after you log in, the game isn't getting your session information and has to log you in again (which it does silently, because it's autologin). And since your session information changes in between loading the Settings page and clicking "Update," you get a security error.

That’s exactly what’s happening. The “pin” cookie changes every time I move from one page in the game to another while auto-login is enabled.

Enfaru wrote:I think I've had something occur to me while in the early stages of https://www.nationstates.net as opposed to http://www.nationstates.net. Is the https / http switching?

I’m having the same issue on both the HTTP and HTTPS sites. However, I just discovered that it does not occur while on the theme subdomains (antiquity.nationstates.net, dark.nationstates.net, et cetera).

[violet]
Executive Director
 
Posts: 16205
Founded: Antiquity

Postby [violet] » Sun Oct 26, 2014 9:42 pm

Thank you so much for this excellent sleuthing. Right now I'm thinking the problem is related to how the "pin" cookie sets a domain of ".nationstates.net" (with a period at the start) while the autologin cookie doesn't ("nationstates.net", no period).

So if I understand this right, when you have autologin turned off, and you login manually, the pin cookie does stick as you navigate around gameside? It doesn't get regenerated every page load?

[violet]
Executive Director
 
Posts: 16205
Founded: Antiquity

Postby [violet] » Sun Oct 26, 2014 10:01 pm

Also, can you please use this handy page to check which cookies your browser is sending to our server? It would be interesting to see how that changed depending on whether you have autologin turned on, and also if it changes when you replace "www" with "liberal" or one of the other subdomains.

Please don't publicly post any output from that link; just let me know whether the "autologin" and "pin" cookies are showing up and doing anything weird... such as the "pin" cookie only appearing when "autologin" is absent.

Edit: Actually I made that utility show less info by default, so that no-one will unwittingly copy & paste more data than they really should when debugging.
Last edited by [violet] on Sun Oct 26, 2014 10:13 pm, edited 2 times in total.

[violet]
Executive Director
 
Posts: 16205
Founded: Antiquity

Postby [violet] » Sun Oct 26, 2014 10:16 pm

And here is yet another test: http://debugtheweb.com/test/cookieinherit.aspx

Please lemme know if the leading dot makes any difference in Safari. In Firefox, Chrome, and IE, it doesn't.

Commerce Heights
Minister
 
Posts: 2050
Founded: Antiquity
Anarchy

Postby Commerce Heights » Sun Oct 26, 2014 10:57 pm

[violet] wrote:Thank you so much for this excellent sleuthing. Right now I'm thinking the problem is related to how the "pin" cookie sets a domain of ".nationstates.net" (with a period at the start) while the autologin cookie doesn't ("nationstates.net", no period).

So if I understand this right, when you have autologin turned off, and you login manually, the pin cookie does stick as you navigate around gameside? It doesn't get regenerated every page load?

Yes, the pin stays the same while autologin is off.

[violet] wrote:Also, can you please use this handy page to check which cookies your browser is sending to our server? It would be interesting to see how that changed depending on whether you have autologin turned on, and also if it changes when you replace "www" with "liberal" or one of the other subdomains.

Please don't publicly post any output from that link; just let me know whether the "autologin" and "pin" cookies are showing up and doing anything weird... such as the "pin" cookie only appearing when "autologin" is absent.

Edit: Actually I made that utility show less info by default, so that no-one will unwittingly copy & paste more data than they really should when debugging.

I don’t see anything unexpected from that; the pin cookie is sent, along with the autologin if I’ve enabled it. Subdomains show the same result as the primary domain.

[violet] wrote:And here is yet another test: http://debugtheweb.com/test/cookieinherit.aspx

Please lemme know if the leading dot makes any difference in Safari. In Firefox, Chrome, and IE, it doesn't.

Both the leadingdot and noleadingdot cookies are sent to all three domains.

Eluvatar
Director of Technology
 
Posts: 3086
Founded: Mar 31, 2006
New York Times Democracy

Postby Eluvatar » Mon Oct 27, 2014 5:15 am

CH, could you possibly capture the headers going back and forth in this process and send it privately to admin? (Or clear out the actual cookies and post here, if admin oks that :P)

Particularly interested in the requests generating responses from NS which presumably contain Set-Cookie on the pin.
To Serve and Protect: UDL

Eluvatar - Taijitu member


[violet]
Executive Director
 
Posts: 16205
Founded: Antiquity

Postby [violet] » Mon Oct 27, 2014 4:39 pm

Commerce Heights wrote:I don’t see anything unexpected from that; the pin cookie is sent, along with the autologin if I’ve enabled it. Subdomains show the same result as the primary domain.

Well that's disappointing.

Also disappointing is that I got myself a copy of Safari 8.0 running on OSX Yosemite, but wasn't able to reproduce the problem... everything works fine for me. This is a default installation, no extensions. Under "Privacy," the cookie setting is "Allow from websites I visit."

However, there are now three people reporting an inability to stay logged in using Safari 8.0, so something is going on. I just don't know what.

Commerce Heights
Minister
 
Posts: 2050
Founded: Antiquity
Anarchy

Postby Commerce Heights » Mon Oct 27, 2014 6:29 pm

I did some packet sniffing, and now I know what’s happening:

  • I log in to nationstates.net and tick “Remember me”.
  • NationStates responds with PIN A and an autologin cookie.
  • Safari sends all its requests for /nation=commerce_heights and the requisite CSS, JS, and images, sending PIN A and the autologin cookie.
  • NationStates happily complies with those requests or sends HTTP 304 Not Modified.
  • Afterwards, Safari requests /apple-touch-icon-precomposed.png, sending PIN B and the autologin cookie.
  • NationStates responds with a redirect to /nation=commerce_heights and PIN C.
  • Safari requests /nation=commerce_heights, sending PIN C and the autologin cookie.
  • NationStates responds with the page.
  • Safari requests /apple-touch-icon.png, sending PIN C and the autologin cookie.
  • NationStates responds with a redirect to /nation=commerce_heights.
  • Safari requests /nation=commerce_heights, sending PIN C and the autologin cookie.
  • NationStates responds with the page.
  • I visit another page. Safari sends PIN A and the autologin cookie.
  • NationStates responds with the page and PIN D.
  • Safari requests /apple-touch-icon-precomposed.png again, sending PIN E and the autologin cookie.
  • NationStates responds with a redirect to /nation=commerce_heights and PIN F.

  • I log in to nationstates.net and don’t tick “Remember me”.
  • NationStates responds with PIN A.
  • Safari sends all its requests for /nation=commerce_heights and the requisite CSS, JS, and images, sending PIN A.
  • NationStates happily complies with those requests or sends HTTP 304 Not Modified.
  • Afterwards, Safari requests /apple-touch-icon-precomposed.png, sending PIN B.
  • NationStates responds with HTML (the home page, I guess, though it was gzipped so I didn’t see) and ignores the invalid PIN.
  • Safari requests /apple-touch-icon.png, sending PIN B.
  • NationStates responds with HTML and ignores the invalid PIN.
  • I visit another page. Safari sends PIN A.
  • NationStates responds with the page.
  • Safari requests /apple-touch-icon-precomposed.png again, sending PIN B.
  • NationStates responds with HTML and ignores the invalid PIN.

  • I log in to a subdomain and tick “Remember me”.
  • NationStates responds with PIN A and an autologin cookie.
  • Safari sends all its requests for /nation=commerce_heights and the requisite CSS, JS, and images, sending PIN A and the autologin cookie.
  • NationStates happily complies with those requests or sends HTTP 304 Not Modified.
  • Safari does not request /apple-touch-icon-precomposed.png or /apple-touch-icon.png.
  • I visit another page. Safari sends PIN A and the autologin cookie.
  • NationStates responds with the page.
  • Safari does not request /apple-touch-icon-precomposed.png or /apple-touch-icon.png.

I don’t know what Apple is playing at here (trying to stop some unusual sort of tracking?), but I guess sending a 404 on requests to apple-touch-icon*.png would solve the issue.
Last edited by Commerce Heights on Mon Oct 27, 2014 6:45 pm, edited 1 time in total.
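
The request pattern from the capture above, replayed against a toy server as an added example (not part of the original post and not NationStates' code). The one-live-pin-per-nation storage, the form check tied to the pin, the nation name, the `/page=settings` path and all class and function names are assumptions made for illustration; redirects are not followed.

```python
import secrets

ICON_PREFIX = "/apple-touch-icon"  # covers both icon paths seen in the capture


class GameServer:
    """Toy model (assumed): one live pin per nation, silent re-login on autologin."""

    def __init__(self, reject_icon_probes):
        self.reject_icon_probes = reject_icon_probes
        self.live_pin = {}   # nation -> current pin
        self.autologin = {}  # autologin token -> nation

    def _new_pin(self, nation):
        pin = secrets.token_hex(4)
        self.live_pin[nation] = pin  # replaces, and so invalidates, the old pin
        return pin

    def login(self, nation, remember):
        cookies = {"pin": self._new_pin(nation)}
        if remember:
            token = secrets.token_hex(8)
            self.autologin[token] = nation
            cookies["autologin"] = token
        return cookies

    def handle(self, path, cookies):
        """Return (status, cookies_set_by_the_response)."""
        is_icon = path.startswith(ICON_PREFIX)
        if self.reject_icon_probes and is_icon:
            return 404, {}  # the fix: answer before any session logic runs
        if cookies.get("pin") in self.live_pin.values():
            return 200, {}  # pin still valid, nothing changes
        nation = self.autologin.get(cookies.get("autologin"))
        if nation is not None:  # silent re-login issues a fresh pin
            return (302 if is_icon else 200), {"pin": self._new_pin(nation)}
        return 200, {}  # invalid pin ignored, logged-out HTML served


def browse(server, remember, pages=3):
    """Replay the capture's pattern; return (pins_issued, update_passes_check)."""
    jar = server.login("example_nation", remember)  # constructed nation name
    issued = 1
    form_pin = jar["pin"]
    for n in range(pages):
        # Page request from the main cookie jar.
        _, set_cookie = server.handle("/page=settings", jar)
        issued += len(set_cookie)
        jar.update(set_cookie)
        form_pin = jar["pin"]  # assumed: the form's check value is tied to this pin
        # Icon probe: same autologin cookie, but a pin that is not the live one.
        probe = dict(jar, pin=f"stale-{n}")
        _, set_cookie = server.handle("/apple-touch-icon-precomposed.png", probe)
        issued += len(set_cookie)  # this new pin never reaches the main jar
    # Clicking "Update" passes only if the form's pin is still the live one.
    return issued, server.live_pin["example_nation"] == form_pin


if __name__ == "__main__":
    for reject, remember in [(False, True), (False, False), (True, True)]:
        print(reject, remember, browse(GameServer(reject), remember))
```

With autologin on and no 404, every icon probe and every following page view mints a new pin and the final update fails the check; with autologin off, or with the 404 in place, the login pin survives the whole run.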

[violet]
Executive Director
 
Posts: 16205
Founded: Antiquity

Postby [violet] » Mon Oct 27, 2014 10:08 pm

Ooh, fascinating. Thank you so much. Let's get those 404s happening...

[violet]
Executive Director
 
Posts: 16205
Founded: Antiquity

Postby [violet] » Mon Oct 27, 2014 10:36 pm

