HiFi Subjectivist ¦ Audio Forum ¦ NVA User Group

Foodback. Https: here - iPad and Chromium

Dr Bunsen Honeydew wrote: ↑Sat Nov 25, 2017 6:36 pm All the bots were deactivated again. I am convinced we have a hacker in here messing us around gently for fun.

I think that’s just paranoia.

If something is causing the browser to switch between http and https it will probably invalidate any session cookies the browser has as cookies are normally only allowed to be used by the site they are generated by.

Is it worth recapping what the problem is? Is it only seen on certain browsers? (for example on Firefox on Linux I have not seen any issue with staying logged in).

Problem is that some Safari on iOS users are experiencing issues with the "remember me" checkbox not doing anything. This means that moving off the site logs you out. I had issues where even accessing the user control panel logged me out and I had to re-login.


The upshot is that my old HFS bookmark was directing to http://

Clearing cookies then deleting the old bookmark
manually typing in the https:// address, like this index.php
saving that as the bookmark,
then logging in and checking "remember me"
stopped all the nonsense.

Now everything works properly.
Maybe iOS users on Safari should do what I did above as the old pre-upgrade bookmark was probably cocking things up with the new secure session cookie not being allowed by the browser, because it is not coming from the right address. Or something.
If you use Safari and are not seeing the lock symbol in the address bar then you, almost certainly will have the login problem.
Try sorting out as above. It worked for me.

When I log in I don't get the secure padlock icon in the address bar.

W10 with Chrome browser.

In this day and age I would expect this site to be secure.

hillsanddalesrover wrote: ↑Mon Nov 27, 2017 12:49 pm When I log in I don't get the secure padlock icon in the address bar.

W10 with Chrome browser.

In this day and age I would expect this site to be secure.

UPDATE. I did as Steve suggested, saved in bookmarks with the amended address and now it is secure.

In this day and age I would expect this site to be secure.

Out of interest why? Its only a forum, not used for any selling?

1. Browsers will make it more and more difficult to visit http:// only sites.
2. Google will derate sites that aren't http://
3. The site has a logon and you can extract eMail addresses from it - that equals authentication you can try against other sites. (It's the basis for a standard internet hack because most people use the same password for all sites on the internet). https:// makes this harder.

The site has a logon and you can extract eMail addresses from it - that equals authentication you can try against other sites.

Unless I am missing something that would only work if you can see the network traffic, so not that simple to do, if you were sitting on a ISP you could do it, but then again you could probably set up a https MITM attack from there as well if you had control over DNS responses.

I have nothing against https, and I agree there is no downside, especially as you seem to be using Lets Encrypt.