Firefox cookies confused by BS .org / .com?

oddpour
Posts: 17
Joined: Sun Feb 24, 2019

Firefox cookies confused by BS .org / .com?

Postby oddpour » Thu Sep 26, 2019

Hope this is the right place to post. So a while back the newest versions of Firefox present new abilities on blocking tracking cookies and stuff, and it's causing me problems with bullionstacker.com vs. bullionstacker.org somehow, basically requiring me to log in *a lot* over and over. It seems to only be this site, everything else seems like it works fine but that's an ad-hoc statement. (and yes, I'm ticking "remember me" and such :) )

What I see on my end: I have these options set in Firefox - which I recreated on several systems and even on my phone Firefox (it's really nice these days), all it takes is setting them up the same:

about:preferences#privacy ->

- [x] Custom
-- [x] Trackers: in all windows
-- [x] Cookies: third party trackers
-- [x] Cryptominers
-- [x] Fingerprinters

OK cool. What I "see" happening, like just now, is an update will come in from the Buy/Sell thread, and it includes a link to bullionstacker.org - and I get the login page. I log in (tick the remember me), the URL stays as bullionstacker.org but the cookie is set as bullionstacker.com instead (I see 3 cookies which look like PHP session ID stuff, cool). In a few hours the cookie will disappear and I'm having to log in again because... the next email has a link to bullionstacker.com, not .org. And as I now type this missive, my URL bar shows bullionstacker.com - when I know I came to the site at its .org, so something in my clicks swapped out the domain on me mid-session.

The emails with domain links are always random between the two TLDs, one will have .com and the next one .org, then the next one .com - it feels like there are several nodes behind a load balancer and one or more of them is configured to the .org domain, the others to the .com domain, and somehow the email you get just randomly depends on which node sent it. And this is somehow really confusing Firefox, I _think_ it's interpreting this flip-flopping as bad tracking juju.

Anyone else seeing this if they have the same settings? As mentioned, it happens on a few different systems and I do _not_ sync Firefox settings between them, each system (including my phone) has its own prefs by itself. All I do is enable the new privacy features and can reproduce the problem. :(

Thanks for listening. I really don't want to disable these new privacy features, it's sadly only this website causing me grief as far as I've encountered (I have cookie-session logins saved to bunches of websites just like most people I presume).

fredzoyt
Spiritual Supporter
Posts: 6085
Joined: Sat Jul 11, 2009
Location: Manassas,VA
Contact:

Re: Firefox cookies confused by BS .org / .com?

Postby fredzoyt » Thu Sep 26, 2019

You get an update from the Buy/Sell thread, and it includes a link to bullionstacker.org? I don't. Ever! :?

All my updates are .com, never .org.
http://www.the-highway.com/ultimate_questions.html
http://www.gotquestions.org/way-of-salvation.html

Phil. 2:10 so that at the name of Jesus EVERY KNEE WILL BOW, of those who are in heaven and on earth and under the earth,

MaxGravy
Site Admin
Posts: 16678
Joined: Sat Jul 18, 2009
Location: Texas

Re: Firefox cookies confused by BS .org / .com?

Postby MaxGravy » Thu Sep 26, 2019

Notifications should always come from bullionstacker.com

Are you using the prosilver nightmod? If so that could be the problem. It hasn't been optimized. That's all I can think of.
I'm clearly not very bright.

oddpour
Posts: 17
Joined: Sun Feb 24, 2019

Re: Firefox cookies confused by BS .org / .com?

Postby oddpour » Thu Sep 26, 2019

I don't know what prosilver nightmod is, sorry - I use the forum here at whatever the default setup is, just tweak a few preferences and add an icon - real lightweight. I _do_ enable "Hide my online" on every login, perhaps that's connected somehow.

The notification for this thread update came with the .com URL, and my phone popped up the login (passwords on a phone are just painful), waited till I got back to the laptop. Here's the one earlier which is 100% with a .org domain on it, I get them with .org a lot (redacted my actual email address), perhaps one of the headers will help figure it out - you can see the .org all over it:

Code:

Delivered-To: xxxxxxxx@gmail.com
Received: by 2002:a19:711a:0:0:0:0:0 with SMTP id m26csp2377642lfc;
        Thu, 26 Sep 2019 10:15:27 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxxUqQod4uVICRZ6BtkE4cD5srFD0+XPp2wxVyaflNrGVgWUC1CMQ9+bSO6n2J4jqXVPZUU
X-Received: by 2002:a92:5a0b:: with SMTP id o11mr3485166ilb.248.1569518127179;
        Thu, 26 Sep 2019 10:15:27 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1569518127; cv=none;
        d=google.com; s=arc-20160816;
        b=TDCT6NbKaM7uYJxplrC/AErJG2ba/dY+Rdu5aJt/LajWhppdtp41mz4BC5sEkE4Vgh
         zOP49ERHnlc5Unslsl5lL2Pi/LatLbHapGDW8xbjm8oNpEvHOnXBLUxIlC4/7oY5nR0J
         jsNzqBXRbjTel1UlaujF/qf32AMbbCVlWY3mM5efRXXQj5DwStt/YFWhKU7qMtDKcIyN
         ke64OvvMn3huQm3XR8xuYazwz7UGLqFg2X0eaMTPNneSZ4RJPy/5j8kl6RwZDJBheAoG
         2biJipnsbqFBhY11eZJ6ZD4drWaBDTCkqbQPKF0HAKBV5yEBtlCEEmKOXxXiM+pbuiPT
         ZlCA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:date:message-id:mime-version:reply-to
         :from:subject:to;
        bh=08XJ/3k6kr8YUYqK6bkG+9MVDPSESfcbiC4knwt0ZSw=;
        b=vSmjr6EkgEW4UjIigHBAy5rfhA2IT/+UytG5SRQUJ1oEvmzGns3KCpIUyjdZMqByJ/
         0Dm8O3f0poTmzdITigNHGrPE3N9IjxCUinO7KzGEIpFFPUOCYiEpfFdNtQWILTdjA6ti
         I/hz+8uTWCddhD3uLH7FtfhGT1eleO5kGcNHrOVKphQU9fWz9mILIsG41ujXEf53hleR
         tZhJtT7vTYwq6h1gCeb31RgY7qqUQlYr8xUFbmbmtNCJeEDpYMVJGChxCrD2bp1gSKl0
         BuAcP05xG0o0v910rWJuwjmG5vi77ITrdU6CfpftweJT86MIU8db4z0pNkqkaNnvb9o3
         2UQg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of bullions@host.bullionstacker.org designates 64.91.241.237 as permitted sender) smtp.mailfrom=bullions@host.bullionstacker.org
Return-Path: <bullions@host.bullionstacker.org>
Received: from host.bullionstacker.org (host.bullionstacker.org. [64.91.241.237])
        by mx.google.com with ESMTPS id t19si3545732ioj.9.2019.09.26.10.15.26
        for <xxxxxxxx@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 26 Sep 2019 10:15:27 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of bullions@host.bullionstacker.org designates 64.91.241.237 as permitted sender) client-ip=64.91.241.237;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of bullions@host.bullionstacker.org designates 64.91.241.237 as permitted sender) smtp.mailfrom=bullions@host.bullionstacker.org
Received: from bullions by host.bullionstacker.org with local (Exim 4.92) (envelope-from <bullions@host.bullionstacker.org>) id 1iDXMT-00065c-Vy for xxxxxxxx@gmail.com; Thu, 26 Sep 2019 12:15:26 -0500
To: oddpour <xxxxxxxx@gmail.com>
Subject: Topic reply notification - "SILVER BUY / SELL THREAD"
X-PHP-Script: bullionstacker.org/posting.php for 50.86.52.150
From: <admin@bullionstacker.com>
Reply-To: <admin@bullionstacker.com>
MIME-Version: 1.0
Message-ID: <b046d4b06bfb638afa92b3b9ba97846f@www.bullionstacker.com>
Date: Thu, 26 Sep 2019 12:15:25 -0500
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: phpBB3
X-MimeOLE: phpBB3
X-phpBB-Origin: phpbb://bullionstacker.org
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - host.bullionstacker.org
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [500 32007] / [47 12]
X-AntiAbuse: Sender Address Domain - host.bullionstacker.org
X-Get-Message-Sender-Via: host.bullionstacker.org: authenticated_id: bullions/from_h
X-Authenticated-Sender: host.bullionstacker.org: admin@bullionstacker.com
X-Source: /opt/cpanel/ea-php54/root/usr/bin/php-cgi
X-Source-Args: /opt/cpanel/ea-php54/root/usr/bin/php-cgi /home/bullions/public_html/posting.php
X-Source-Dir: bullionstacker.org:/public_html

Hello oddpour,

You are receiving this notification because you are watching the topic
"SILVER BUY / SELL THREAD" at "BullionStacker.com". This topic has received
a reply by BigEye777 since your last visit. No more notifications will be
sent until you visit the topic.

If you want to view the newest post made since your last visit, click the
following link:
http://bullionstacker.org/viewtopic.php?f=10&t=3133&e=1&view=unread#unread

If you want to view the topic, click the following link:
http://bullionstacker.org/viewtopic.php?f=10&t=3133

If you want to view the forum, click the following link:
http://bullionstacker.org/viewforum.php?f=10

If you no longer wish to watch this topic you can either click the
"Unsubscribe topic" link found at the bottom of the topic above, or by
clicking the following link:
http://bullionstacker.org/viewtopic.php?uid=14180&f=10&t=3133&unwatch=topic

--
Thanks, The stackers at bullionstacker!

jcz1
Posts: 5226
Joined: Sat May 28, 2011
Location: USA

Re: Firefox cookies confused by BS .org / .com?

Postby jcz1 » Thu Sep 26, 2019

MaxGravy wrote:Notifications should always come from bullionstacker.com


Every time the user BigEye777 posts in a thread to which I subscribe, the link is to .org instead of .com. This is the only user who causes this issue, at least for me.

ThePowersThatBe
Site Tech
Posts: 244
Joined: Tue Nov 01, 2011

Re: Firefox cookies confused by BS .org / .com?

Postby ThePowersThatBe » Thu Sep 26, 2019

It looks like the Bullionstacker.org domain is set to point to the .com site, but not to force a redirect to it. So it's really loading from .com but displaying as .org. The dynamic links generated by the phpBB software to other parts of the forum are relative so when you load a .org page it will use more .org links. But the links in the side bar are hard coded to .com so they will always take you to .com regardless of whether you start on .com or .org.

.com is the primary site. I suggest updating any bookmarks to .com. Clear your BullionStacker cookies and log into the .com site fresh if you are experiencing issues staying logged in. I rarely click links in emails, which is generally a good practice in the age of rampant phishing. I go directly to the site and click on the topic reply notification to get to the topic, or just use "view new posts."

We can probably change the configuration to force .org links to redirect to .com instead of passing the content through.

There are a number of sites that give me problems in the new Firefox no matter what security settings I use. I primarily use Brave now, and occasionally Chrome as some web apps don't seem to like Firefox or Brave :?
(Realcent Admin)

oddpour
Posts: 17
Joined: Sun Feb 24, 2019

Re: Firefox cookies confused by BS .org / .com?

Postby oddpour » Fri Sep 27, 2019

Respectfully, the email is coming from "something not me" and clearing my cookies will have no effect on a notification email being sent by the system(s), my local browser and cookies are just not involved in that path of travel in a technical sense. It _could_ be someone else's cookies but I would have to review the underlying architecture to make such a call - the email headers clearly show the system thinks it's generating emails from the .org domain.

And to be frank, I'm clicking this link out of email - the whole point of this email from this forum is to decrease my time taken to get to where I want (especially on my phone). I consider the emails from this forum as trusted and have no problem using the notification emails as they are designed. In the very unusual circumstance this forum is compromised, it holds nothing of value which concerns me (financial information, password, etc.) other than the weight of an online reputation.

MaxGravy
Site Admin
Posts: 16678
Joined: Sat Jul 18, 2009
Location: Texas

Re: Firefox cookies confused by BS .org / .com?

Postby MaxGravy » Fri Sep 27, 2019

Pretty sure I just fixed this. I found a setting to force notifications to use .com in all emails.

I sent you a PM. The notification should have .com links. Please let me know. :wave:
I'm clearly not very bright.

oddpour
Posts: 17
Joined: Sun Feb 24, 2019

Re: Firefox cookies confused by BS .org / .com?

Postby oddpour » Fri Sep 27, 2019

MaxGravy wrote:Pretty sure I just fixed this. I found a setting to force notifications to use .com in all emails.

I sent you a PM. The notification should have .com links. Please let me know. :wave:


So far so good! All three recent notifications have .com - I'll monitor it for a while and pay attention to what comes through and how the browser reacts (in regards to the cookies working). Thank you! I'll report back then, with hope this is the root cause of the logins going sideways. :) Much appreciated.

oddpour
Posts: 17
Joined: Sun Feb 24, 2019

Re: Firefox cookies confused by BS .org / .com?

Postby oddpour » Sun Sep 29, 2019

Sadly, this doesn't seem to fix the recurring login / cookie problem (the emails are all .com now, no worries there). This visit was a simple URL type to the front page and had to log in, and my phone browser also... timed out? and required a fresh login on it.

I have other sites which work fine and a cool add-on "Cookie Quick Manager" which shows me I have 3x cookies for bullionstacker, what appears to be the userid, a token, and a session ID with expiration dates well into the future:

Code:

phpbb3_8lj9v_u / 28-09-2020 09:38:14
phpbb3_8lj9v_k / 28-09-2020 09:38:14
phpbb3_8lj9v_sid / 28-09-2020 09:38:14


What I notice in the works vs. non-works is that on the sites which have session IDs and whatnot, there is an option being shown to me "isSecure" and "isSession" which are _not_ checked on for bullionstacker, but they _are_ checked on for the other sites I'm looking at (the cookies are all arranged differently of course).

I'm looking at various types of sites and it appears the "isSecure" is the most common theme amongst all of them - "isSession" on/off seems very random, but all the working sites have "isSecure" enabled (I see it as a checkbox in this add-on UI). This led me to find this article very quickly:

https://www.phpbb.com/support/docs/en/3 ... -settings/

It says there that when the site is in SSL mode (as we are here), you have to enable it on the phpBB side as shown and maybe a quick database update to the settings.

Hopefully this provides a clue - here's the extension I'm using to examine the cookies (on my laptop, not sure if it works on the phone version): https://addons.mozilla.org/en-US/firefo ... k-manager/

Edit: the add-on allows adjusting this setting manually and saving it, I've just tried ticking on isSecure for all three cookies as a test. It seems to maybe take up to 24hrs for them to get "lost" per se, might take a bit to know if this helps.
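Two things in this thread are plain browser cookie rules: a login cookie set by bullionstacker.org is never sent to bullionstacker.com (ThePowersThatBe's .org-aliased-to-.com point), and a cookie carrying the Secure attribute (the "isSecure" box above) is never sent over plain http://. The following is an added Python example, not code from the thread or from phpBB; Python's http.cookiejar stands in for the browser, the cookie values and URLs are constructed, and it runs offline:

```python
import email.message
import http.cookiejar
import urllib.request

class FakeResponse:
    """Minimal response stand-in: CookieJar.extract_cookies only needs .info()."""
    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for value in set_cookie_headers:
            self._msg["Set-Cookie"] = value  # Message keeps repeated headers
    def info(self):
        return self._msg

def login_and_store(jar, login_url, set_cookie_headers):
    """Simulate the server answering the login request at login_url."""
    req = urllib.request.Request(login_url)
    jar.extract_cookies(FakeResponse(set_cookie_headers), req)

def cookies_sent_to(jar, url):
    """Return the Cookie header the jar would attach to a request for url."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie") or ""

# Constructed values using the phpBB cookie names seen in the thread.
PHPBB_COOKIES = [
    "phpbb3_8lj9v_u=14180; Path=/; Max-Age=31536000; HttpOnly",
    "phpbb3_8lj9v_k=deadbeef00; Path=/; Max-Age=31536000; HttpOnly",
    "phpbb3_8lj9v_sid=0123456789abcdef; Path=/; HttpOnly",
]

def demo_host_scoping():
    """Log in on .org, then check which host the cookies are sent to."""
    jar = http.cookiejar.CookieJar()
    login_and_store(jar, "http://bullionstacker.org/ucp.php?mode=login", PHPBB_COOKIES)
    return {
        "org": cookies_sent_to(jar, "http://bullionstacker.org/viewtopic.php?f=10"),
        "com": cookies_sent_to(jar, "http://bullionstacker.com/viewtopic.php?f=10"),
    }

def demo_secure_flag():
    """Set the cookies with Secure over https, then visit the http:// URL."""
    jar = http.cookiejar.CookieJar()
    secure = [c + "; Secure" for c in PHPBB_COOKIES]
    login_and_store(jar, "https://www.bullionstacker.com/ucp.php?mode=login", secure)
    return {
        "https": cookies_sent_to(jar, "https://www.bullionstacker.com/index.php"),
        "http": cookies_sent_to(jar, "http://www.bullionstacker.com/index.php"),
    }

if __name__ == "__main__":
    print(demo_host_scoping())  # cookies go to .org only; .com gets none
    print(demo_secure_flag())   # cookies go to https only; http gets none
```

The second case is the flip side of ticking isSecure by hand: if any link or redirect then lands on an http:// page of the same host, the browser withholds the cookies and the site shows the login page again.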

jcz1
Posts: 5226
Joined: Sat May 28, 2011
Location: USA

Re: Firefox cookies confused by BS .org / .com?

Postby jcz1 » Sun Sep 29, 2019

oddpour wrote:It says there that when the site is in SSL mode (as we are here),


BS is not "in SSL mode", which you can tell by the URL not beginning with https. Perhaps your extension is forcing logins because BS is not using SSL?

MaxGravy
Site Admin
Posts: 16678
Joined: Sat Jul 18, 2009
Location: Texas

Re: Firefox cookies confused by BS .org / .com?

Postby MaxGravy » Sun Sep 29, 2019

You lost me.

[image: dont-understand.jpg]
I'm clearly not very bright.

oddpour
Posts: 17
Joined: Sun Feb 24, 2019

Re: Firefox cookies confused by BS .org / .com?

Postby oddpour » Sun Sep 29, 2019

jcz1 wrote:
oddpour wrote:BS is not "in SSL mode", which you can tell by the URL not beginning with https. Perhaps your extension is forcing logins because BS is not using SSL?


I assure you, BS has a cert and it works in SSL mode - you are correct, I run "Smart HTTPS" which falls back to HTTP if SSL cannot be negotiated. There is a valid SSL cert on this website and it works.

Code:

$ curl -vI https://www.bullionstacker.com

*   Trying 96.30.47.30:443...
* TCP_NODELAY set
* Connected to www.bullionstacker.com (96.30.47.30) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=bullionstacker.org
*  start date: Sep  4 00:00:00 2019 GMT
*  expire date: Dec  3 23:59:59 2019 GMT
*  subjectAltName: host "www.bullionstacker.com" matched cert's "www.bullionstacker.com"
*  issuer: C=US; ST=TX; L=Houston; O=cPanel, Inc.; CN=cPanel, Inc. Certification Authority
*  SSL certificate verify ok.
> HEAD / HTTP/1.1
> Host: www.bullionstacker.com
> User-Agent: curl/7.66.0
> Accept: */*

MaxGravy
Site Admin
Posts: 16678
Joined: Sat Jul 18, 2009
Location: Texas

Re: Firefox cookies confused by BS .org / .com?

Postby MaxGravy » Sun Sep 29, 2019

I wasn't aware we had SSL. We looked into doing this but never implemented it. I wonder where it came from.

Is anyone else having similar issues to oddpour?
I'm clearly not very bright.
