Losing login cookie constantly

Found an issue with the phpBB system here at NESdev? Use this forum to report problems.

Dwedit
Posts: 4924
Joined: Fri Nov 19, 2004 7:35 pm

Losing login cookie constantly

Post by Dwedit »

This might be a problem on my end, some kind of browser issue or something, but I'm losing my session cookie very quickly here.

Just had to navigate to another page, revisit this page, then my cookie was already gone.
Last edited by Dwedit on Sun Jun 12, 2022 11:46 am, edited 1 time in total.
Here come the fortune cookies! Here come the fortune cookies! They're wearing paper hats!
Joe
Posts: 650
Joined: Mon Apr 01, 2013 11:17 pm

Re: Losing session cookie constantly

Post by Joe »

I would suggest your IP address might be changing, but that shouldn't cause your session cookie to disappear anymore. (Unless the setting was changed back somehow.)

Cookies are set to expire a year in the future, so your clock would have to be very wrong to be the problem.

Maybe your browser is set to delete cookies automatically?
Dwedit
Posts: 4924
Joined: Fri Nov 19, 2004 7:35 pm

Re: Losing session cookie constantly

Post by Dwedit »

At the time I lost cookies, I caught these errors in the Console:

Code:

Some cookies are misusing the recommended “SameSite“ attribute 3
Cookie “phpbb3_6cazq_u” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite forums.nesdev.org
Cookie “phpbb3_6cazq_k” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite forums.nesdev.org
Cookie “phpbb3_6cazq_sid” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Fiskbit
Posts: 891
Joined: Sat Nov 18, 2017 9:15 pm

Re: Losing session cookie constantly

Post by Fiskbit »

Thanks for the report. We're not really sure what's going on here. At the moment, we're guessing it might be something on your end or with your ISP, but it's hard to say. We haven't heard of this happening to anyone else yet, and there's not much information online about the error you posted.

If anyone else encounters this, please let us know so we know it's a more widespread issue and so we can maybe try to find something in common that could be triggering this.
Bavi_H
Posts: 193
Joined: Sun Mar 03, 2013 1:52 am
Location: Texas, USA

Re: Losing session cookie constantly

Post by Bavi_H »

Note: I think the messages about the missing SameSite attribute are referring to new cookies the server just sent. In other words, those messages probably aren't a helpful lead to figure out what caused the previous cookies to get discarded or otherwise not sent to the server. The messages just seem to be an additional sign that the server sent new cookies.

[Currently, the cookies the forum sends don't have a SameSite attribute. The messages seem to be encouraging developers to always specify a SameSite attribute on the cookies servers send to ensure more consistent behavior across browsers. So those messages aren't exactly an error, more like a caution/warning/nag message, and not directly related to the problem?]
Dwedit
Posts: 4924
Joined: Fri Nov 19, 2004 7:35 pm

Re: Losing login cookie constantly

Post by Dwedit »

Okay, new strategy, using Firefox's Logging feature to find out what the heck is going on here.
I'm at the point where I can reliably reproduce losing cookies for this site.

What I can see is that the server is actively rejecting my cookies, and is giving me blank session cookies instead.

Before logging in, my cookies:
phpbb3_6cazq_u:1
phpbb3_6cazq_k:<blank>
phpbb3_6cazq_sid:<something>

After logging in, my cookies:
phpbb3_6cazq_u:53
phpbb3_6cazq_k:<secret>
phpbb3_6cazq_sid:<secret>

I'm logged in and viewing pages fine at this point.
Then I visit the page later, my cookies start out as the Logged In cookies. Those cookies are sent to the server.
Bam. Web server issues "Set-cookie", making me u:1 (not logged in) again.
So this is a server-side issue. Presumably, the "set-cookie" is part of the web server logging me out.

Potential problems:

The cookies are tagged as "HttpOnly", does this make them invalid for https sessions?
Drag
Posts: 1615
Joined: Mon Sep 27, 2004 2:57 pm

Re: Losing login cookie constantly

Post by Drag »

That could be it. How do you visit the forums? Do you have a bookmark or a pin you click on, or do you type the URL in? Are you somehow, unintentionally, switching back and forth between http and https?

I'm also a Firefox user and I'm not having this issue here. My gut reaction was maybe something to do with Firefox's "resist fingerprinting" thing they're rolling out.
Dwedit
Posts: 4924
Joined: Fri Nov 19, 2004 7:35 pm

Re: Losing login cookie constantly

Post by Dwedit »

My bookmark is for https://forums.nesdev.org/

And the cookies for my session are indeed sent to the server, but the server is booting me out (sending the not-logged-in version of the page, and clearing my cookies).
Fiskbit
Posts: 891
Joined: Sat Nov 18, 2017 9:15 pm

Re: Losing login cookie constantly

Post by Fiskbit »

I still don't know what's going on and have asked brizzo. Regarding HttpOnly, from what I've seen online, it's a security feature that tells the browser to only allow the cookie to be accessed by the server. If something else such as a client side script tries to access it, it gets an empty string. It doesn't prevent use over https.

For what it's worth, I use Firefox as well, and haven't had this issue on desktop or mobile.
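
Added example, not part of any post in this thread: the comparison Dwedit describes (session cookies sent, then replaced by the server's Set-Cookie) together with the HttpOnly point from the reply above, run over constructed headers. The cookie names and the u=53 / u=1 values come from the thread; every other value and attribute, and all function names, are assumptions made for illustration.

```javascript
// Added example, not code from the thread. Cookie names and the u=53 -> u=1
// change come from the posts; all values and attributes below are constructed.
const REQUEST_COOKIE =
  'phpbb3_6cazq_u=53; phpbb3_6cazq_k=KEY_PLACEHOLDER; phpbb3_6cazq_sid=SID_OLD';
const SET_COOKIE_LINES = [
  'phpbb3_6cazq_u=1; expires=Mon, 12-Jun-2023 11:46:00 GMT; path=/; secure; HttpOnly',
  'phpbb3_6cazq_k=; expires=Mon, 12-Jun-2023 11:46:00 GMT; path=/; secure; HttpOnly',
  'phpbb3_6cazq_sid=SID_NEW; expires=Mon, 12-Jun-2023 11:46:00 GMT; path=/; secure; HttpOnly',
];

// Parse a request "Cookie" header into a name -> value map.
function parseCookieHeader(header) {
  const jar = {};
  for (const pair of header.split(';')) {
    const eq = pair.indexOf('=');
    if (eq > 0) jar[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
  }
  return jar;
}

// Parse one "Set-Cookie" line into its name, value and the flags discussed here.
function parseSetCookie(line) {
  const [first, ...attrs] = line.split(';').map((s) => s.trim());
  const eq = first.indexOf('=');
  const c = { name: first.slice(0, eq), value: first.slice(eq + 1),
              httpOnly: false, secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=');
    const k = key.trim().toLowerCase();
    if (k === 'httponly') c.httpOnly = true;       // hides cookie from page scripts
    else if (k === 'secure') c.secure = true;      // separate flag: HTTPS-only sending
    else if (k === 'samesite') c.sameSite = val.trim();
  }
  return c;
}

// Compare what the browser sent with what the server set in its reply.
function diagnose(requestCookie, setCookieLines) {
  const sent = parseCookieHeader(requestCookie);
  const set = setCookieLines.map(parseSetCookie);
  const u = set.find((c) => c.name.endsWith('_u'));
  return {
    replaced: set.filter((c) => c.name in sent && sent[c.name] !== c.value).map((c) => c.name),
    missingSameSite: set.filter((c) => c.sameSite === null).map((c) => c.name),
    // u=1 is the not-logged-in user per the thread; any other sent value means a session existed.
    serverLoggedOut: Boolean(u && u.value === '1' && sent[u.name] && sent[u.name] !== '1'),
  };
}

console.log(diagnose(REQUEST_COOKIE, SET_COOKIE_LINES));
```

A `serverLoggedOut` result of true with the old cookies present in the request points at the server's session validation rather than at the browser dropping cookies, which is the distinction the browser log made visible.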
Drag
Posts: 1615
Joined: Mon Sep 27, 2004 2:57 pm

Re: Losing login cookie constantly

Post by Drag »

I know it may seem redundant, but first try deleting all of the cookies and local storage which belong to nesdev.org and nesdev.com yourself, from Firefox's settings page.

After that doesn't work, one or more of your add-ons might be causing a conflict when you visit here, in which case you'd need to try disabling all of them to see if that fixes it, then enabling one-by-one until you find the one that causes the cookies to be lost.

Unless it's been changed recently, you're able to tell Firefox which add-ons are enabled in private windows, so you can do your testing in a private window if disabling the add-ons globally is too much.

Another common suggestion on the Firefox subreddit is to try making a new profile (while backing up your current profile so you can restore it later) to see if the problem still happens. But that's essentially a complete factory reset. :P

Lastly, I know Xfinity itself has some "protection" or "security" settings when you log into their app or their web portal (not the router, but the Xfinity service itself, like where you go to pay your bill), which can sometimes mess with certain connections, but it seems rare.
Dwedit
Posts: 4924
Joined: Fri Nov 19, 2004 7:35 pm

Re: Losing login cookie constantly

Post by Dwedit »

Disabling uMatrix seems to have fixed this. But I don't know why the issue was happening.
Since uMatrix is now abandoned by the original developer, looks like I'll have to switch to NoScript.
unregistered
Posts: 1318
Joined: Thu Apr 23, 2009 11:21 pm
Location: cypress, texas

Re: Losing login cookie constantly

Post by unregistered »

…maybe your nesdev cookies were wearing paper hats. And maybe the Firefox was only for iron hats, since paper hats can burn up easily. 🤔
Dwedit
Posts: 4924
Joined: Fri Nov 19, 2004 7:35 pm

Re: Losing login cookie constantly

Post by Dwedit »

Just posting again because a uMatrix fork called "nuTensor" seems to have fixed this issue.