Forum Upgrade

alfer
Posts: 1594
Joined: Sun Aug 05, 2012 4:01 pm
Location: West Midlands
Great Britain

Re: Forum Upgrade

Unread post by alfer » Sun Nov 26, 2017 12:05 pm

Feedback. Https: here - iPad and Chromium

Lurcher300b
Posts: 407
Joined: Tue Jun 14, 2016 1:58 pm
Great Britain

Re: Forum Upgrade

Unread post by Lurcher300b » Mon Nov 27, 2017 11:43 am

Dr Bunsen Honeydew wrote:
Sat Nov 25, 2017 6:36 pm
All the bots were deactivated again. I am convinced we have a hacker in here messing us around gently for fun.

I think that’s just paranoia.

If something is causing the browser to switch between http and https it will probably invalidate any session cookies the browser has as cookies are normally only allowed to be used by the site they are generated by.

Is it worth recapping what the problem is? Is it only seen on certain browsers? (for example on Firefox on Linux I have not seen any issue with staying logged in).

SteveTheShadow
Posts: 727
Joined: Thu Sep 12, 2013 5:24 pm
Location: the Aether
Great Britain

Re: Forum Upgrade

Unread post by SteveTheShadow » Mon Nov 27, 2017 12:22 pm

Problem is that some Safari on iOS users are experiencing issues with the "remember me" checkbox not doing anything. This means that moving off the site logs you out. I had issues where even accessing the user control panel logged me out and I had to re-login.


The upshot is that my old HFS bookmark was directing to http://

Clearing cookies then deleting the old bookmark
manually typing in the https:// address, like this https://www.hifisubjectivist.org/index.php
saving that as the bookmark,
then logging in and checking "remember me"
stopped all the nonsense.

Now everything works properly.
Maybe iOS users on Safari should do what I did above as the old pre-upgrade bookmark was probably cocking things up with the new secure session cookie not being allowed by the browser, because it is not coming from the right address. Or something.
If you use Safari and are not seeing the lock symbol in the address bar then you almost certainly will have the login problem.
Try sorting out as above. It worked for me.
BTE Designs modified Lenco L75 idler turntable, Rega R200 Tonearm, Goldring E3 MM cartridge, NVA Phono1 phono stage.
Mac-Mini music server with iTunes, AppleTV4 media streamer, Musical Fidelity M1 DAC,
NVA A20/P20, 25WPC stereo power amplifier/passive control unit,
own design, semi-omnidirectional, transmission line speakers- "The Flatback Banned".
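
The behaviour discussed in the posts above, as an added example that is not part of the thread: a cookie set with the `Secure` attribute after an https:// login is withheld when the same site is opened through an old http:// bookmark, so the user appears logged out. It uses Python's standard-library cookie jar, which applies the same `Secure` rule as browsers; the host `forum.example.org` and the cookie names are constructed, and it is an assumption that the upgraded forum marks its login cookie `Secure`.

```python
import email.message
import http.cookiejar
import urllib.request

HOST = "forum.example.org"  # constructed host, not the real forum


class FakeResponse:
    """Minimal stand-in for an HTTP response carrying Set-Cookie headers."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # appends, does not replace

    def info(self):
        return self._headers


def login_over_https():
    """Return a cookie jar as it looks after logging in via https:// with 'remember me'."""
    jar = http.cookiejar.CookieJar()
    login_request = urllib.request.Request(f"https://{HOST}/index.php")
    response = FakeResponse([
        # Constructed login cookie: long-lived ("remember me") and Secure.
        "forum_sid=abc123; Path=/; Max-Age=31536000; Secure; HttpOnly",
        # Constructed preference cookie without Secure, for contrast.
        "forum_style=dark; Path=/; Max-Age=31536000",
    ])
    jar.extract_cookies(response, login_request)
    return jar


def cookies_sent(jar, url):
    """Return the name=value pairs the client would attach to a request for url."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    header = request.get_header("Cookie")
    return sorted(header.split("; ")) if header else []


if __name__ == "__main__":
    jar = login_over_https()
    for bookmark in (f"https://{HOST}/index.php", f"http://{HOST}/index.php"):
        print(bookmark, "->", cookies_sent(jar, bookmark))
```

The http:// bookmark receives only the non-`Secure` cookie, which is why re-saving the bookmark with the https:// address restores the login.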

hillsanddalesrover
Posts: 82
Joined: Mon Jul 03, 2017 11:56 am
Great Britain

Re: Forum Upgrade

Unread post by hillsanddalesrover » Mon Nov 27, 2017 12:49 pm

When I log in I don't get the secure padlock icon in the address bar.

W10 with Chrome browser.

In this day and age I would expect this site to be secure. :o

hillsanddalesrover
Posts: 82
Joined: Mon Jul 03, 2017 11:56 am
Great Britain

Re: Forum Upgrade

Unread post by hillsanddalesrover » Mon Nov 27, 2017 12:54 pm

hillsanddalesrover wrote:
Mon Nov 27, 2017 12:49 pm
When I log in I don't get the secure padlock icon in the address bar.

W10 with Chrome browser.

In this day and age I would expect this site to be secure. :o

UPDATE. I did as Steve suggested, saved in bookmarks with the amended address and now it is secure. :)

Lurcher300b
Posts: 407
Joined: Tue Jun 14, 2016 1:58 pm
Great Britain

Re: Forum Upgrade

Unread post by Lurcher300b » Mon Nov 27, 2017 1:02 pm

In this day and age I would expect this site to be secure.

Out of interest why? It's only a forum, not used for any selling?

terrybooth
Posts: 3693
Joined: Wed Jul 11, 2012 6:49 pm
Location: West Yorkshire
Great Britain

Re: Forum Upgrade

Unread post by terrybooth » Tue Nov 28, 2017 8:30 pm

1. Browsers will make it more and more difficult to visit http:// only sites.
2. Google will derate sites that aren't http://
3. The site has a logon and you can extract eMail addresses from it - that equals authentication you can try against other sites. (It's the basis for a standard internet hack because most people use the same password for all sites on the internet). https:// makes this harder.
Pioneer PL71/DL103/ Phono2/HiFiPi/P90SA/TIS/CubixPro two-up

Lurcher300b
Posts: 407
Joined: Tue Jun 14, 2016 1:58 pm
Great Britain

Re: Forum Upgrade

Unread post by Lurcher300b » Tue Nov 28, 2017 11:41 pm

The site has a logon and you can extract eMail addresses from it - that equals authentication you can try against other sites.

Unless I am missing something, that would only work if you can see the network traffic, so not that simple to do. If you were sitting on an ISP you could do it, but then again you could probably set up a https MITM attack from there as well if you had control over DNS responses.

I have nothing against https, and I agree there is no downside, especially as you seem to be using Let's Encrypt.
