Forum Upgrade

Forum for admin topics, member introductions and general non-hifi chitchat.
alfer
Posts: 2106
Joined: Sun Aug 05, 2012 4:01 pm
Location: West Midlands
Has thanked: 0
Been thanked: 0

Re: Forum Upgrade


Foodback. Https: here - iPad and Chromium
AtoZ

Lurcher300b
Posts: 933
Joined: Tue Jun 14, 2016 1:58 pm
Has thanked: 0
Been thanked: 16 times

Re: Forum Upgrade


Dr Bunsen Honeydew wrote: Sat Nov 25, 2017 6:36 pm All the bots were deactivated again. I am convinced we have a hacker in here messing us around gently for fun.
I think that’s just paranoia.

If something is causing the browser to switch between http and https it will probably invalidate any session cookies the browser has as cookies are normally only allowed to be used by the site they are generated by.

Is it worth recapping what the problem is? Is it only seen on certain browsers? (for example on Firefox on Linux I have not seen any issue with staying logged in).

SteveTheShadow
Posts: 1646
Joined: Thu Sep 12, 2013 5:24 pm
Has thanked: 272 times
Been thanked: 339 times
Great Britain

Re: Forum Upgrade


Problem is that some Safari on iOS users are experiencing issues with the "remember me" checkbox not doing anything. This means that moving off the site logs you out. I had issues where even accessing the user control panel logged me out and I had to re-login.


The upshot is that my old HFS bookmark was directing to http://

Clearing cookies then deleting the old bookmark
manually typing in the https:// address, like this index.php
saving that as the bookmark,
then logging in and checking "remember me"
stopped all the nonsense.

Now everything works properly.
Maybe iOS users on Safari should do what I did above as the old pre-upgrade bookmark was probably cocking things up with the new secure session cookie not being allowed by the browser, because it is not coming from the right address. Or something.
If you use Safari and are not seeing the lock symbol in the address bar then you almost certainly will have the login problem.
Try sorting out as above. It worked for me.
Somebody’s telling me the latest scandals.
Somebody’s stepping on my plastic sandals. Joe Jackson (1979)
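
The cookie behaviour discussed in the posts above, as an added example that is not part of any forum post: a session cookie set with the `Secure` attribute after an https login is sent back on https requests but withheld when the same site is opened through an old http:// bookmark, so the user appears logged out. Python's standard-library cookie jar stands in for the browser here, and the host `forum.example` and cookie name `forum_sid` are constructed assumptions, not the forum's real values.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed sample values: hypothetical host and cookie name.
HTTPS_URL = "https://forum.example/index.php"
HTTP_URL = "http://forum.example/index.php"   # the old pre-upgrade bookmark
SET_COOKIE = "forum_sid=abc123; Max-Age=2592000; Path=/; Secure; HttpOnly"


class FakeLoginResponse:
    """Offline stand-in for the login response; CookieJar only calls info()."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_header_for(jar, url):
    """Return the Cookie header the client would attach to a request for url."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def simulate():
    jar = http.cookiejar.CookieJar()
    # Log in over https with "remember me": the server sets a Secure cookie.
    jar.extract_cookies(FakeLoginResponse(SET_COOKIE),
                        urllib.request.Request(HTTPS_URL))
    return {
        "stored_secure": [c.secure for c in jar],
        "https": cookie_header_for(jar, HTTPS_URL),  # cookie attached
        "http": cookie_header_for(jar, HTTP_URL),    # withheld: looks logged out
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value!r}")
```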

hillsanddalesrover
Has thanked: 0
Been thanked: 0

Re: Forum Upgrade


When I log in I don't get the secure padlock icon in the address bar.

W10 with Chrome browser.

In this day and age I would expect this site to be secure. :o

hillsanddalesrover
Has thanked: 0
Been thanked: 0

Re: Forum Upgrade


hillsanddalesrover wrote: Mon Nov 27, 2017 12:49 pm When I log in I don't get the secure padlock icon in the address bar.

W10 with Chrome browser.

In this day and age I would expect this site to be secure. :o
UPDATE. I did as Steve suggested, saved in bookmarks with the amended address and now it is secure. :)

Lurcher300b
Posts: 933
Joined: Tue Jun 14, 2016 1:58 pm
Has thanked: 0
Been thanked: 16 times

Re: Forum Upgrade


In this day and age I would expect this site to be secure.
Out of interest, why? It's only a forum, not used for any selling?

terrybooth
Posts: 4396
Joined: Wed Jul 11, 2012 6:49 pm
Location: West Yorkshire
Has thanked: 499 times
Been thanked: 246 times
Great Britain

Re: Forum Upgrade


1. Browsers will make it more and more difficult to visit http:// only sites.
2. Google will derate sites that aren't http://
3. The site has a logon and you can extract eMail addresses from it - that equals authentication you can try against other sites. (It's the basis for a standard internet hack because most people use the same password for all sites on the internet). https:// makes this harder.
Pioneer PL71/DL103/ Phono2/HiFiPi/P90SA/TIS/CubixPro

Lurcher300b
Posts: 933
Joined: Tue Jun 14, 2016 1:58 pm
Has thanked: 0
Been thanked: 16 times

Re: Forum Upgrade


The site has a logon and you can extract eMail addresses from it - that equals authentication you can try against other sites.
Unless I am missing something, that would only work if you can see the network traffic, so not that simple to do. If you were sitting on an ISP you could do it, but then again you could probably set up a https MITM attack from there as well if you had control over DNS responses.

I have nothing against https, and I agree there is no downside, especially as you seem to be using Let's Encrypt.
