Donmai

Account keeps on signing off

Posted under Bugs & Features

For some reason, my account keeps on signing off by itself since yesterday. I thought someone hacked into my account, so I changed my password, but it still keeps on happening. All my other accounts in other websites are working properly, so is this an issue this site is currently having or not?

Thanks in advance!

Flopsy said:

I also have the same problem since yesterday. Presumably, it has something to do with the 2.93.0 update. Haven't tried using https.

I don't think so. Everything that was changed is listed here and I don't see anything which could lead to logging off. Are you sure you stay on the same subdomain and not accidentally go to, say, hijiribe from danbooru? It would be helpful if you were able to catch the exact moment when this happens. Also, browser version could be relevant.

Using the recently introduced feature that temporarily disables your blacklist seems to trigger it every time. Strangely enough, I'm not always logged out at the next page load. Often, I'll remain logged in for another few page loads, and then I'm suddenly logged out. This looks like a cookie problem to me.

It might be relevant that the blacklist disabling feature never worked right for me. I could disable the blacklist alright, but when I tried to re-enable it some (not all) entries would stay disabled. Even if I re-enabled those entries individually, the same thing would happen the next time I re-enabled my blacklist (at least if I had shut down the web browser in between). This also looks like a cookie problem.

I'm using Firefox (currently at version 40).

Type-kun said:

I don't think so. Everything that was changed is listed here and I don't see anything which could lead to logging off. Are you sure you stay on the same subdomain and not accidentally go to, say, hijiribe from danbooru? It would be helpful if you were able to catch the exact moment when this happens. Also, browser version could be relevant.

I did not go from Hijiribe to Danbooru.

tapnek said:

When you sign in securely instead of just normally.

Still happened for me.

Flopsy said:

Using the recently introduced feature that temporarily disables your blacklist seems to trigger it every time.

You're right... I tested it out, and my account did indeed sign off from using that feature. It doesn't happen if you disable the tags individually, though.

Flopsy said:

Using the recently introduced feature that temporarily disables your blacklist seems to trigger it every time. Strangely enough, I'm not always logged out at the next page load. Often, I'll remain logged in for another few page loads, and then I'm suddenly logged out. This looks like a cookie problem to me.

It might be relevant that the blacklist disabling feature never worked right for me. I could disable the blacklist alright, but when I tried to re-enable it some (not all) entries would stay disabled. Even if I re-enabled those entries individually, the same thing would happen the next time I re-enabled my blacklist (at least if I had shut down the web browser in between). This also looks like a cookie problem.

I'm using Firefox (currently at version 40).

Hm. Each disabled blacklist adds one cookie, and I vaguely remember that there are limits on how many cookies a webpage can create. Perhaps there are so many cookies added that all the older ones, including session and password hash, are wiped out. How many blacklist entries do you have?

Would it be fundamentally contrary to the nature of cookies to attempt to store all of the separate settings for each blacklist entry together in one cookie? That's how I'd been assuming it was done until just now.

hemoglobin said:

Would it be fundamentally contrary to the nature of cookies to attempt to store all of the separate settings for each blacklist entry together in one cookie? That's how I'd been assuming it was done until just now.

It would be easier to use local storage, I guess.

What's the difference? I thought cookies always used local storage.

And besides, even if each entry in the blacklist had its own cookie, wouldn't there be no limit as to how many a browser can store per domain, unless the cookie itself exceeds four kilobytes somehow?

tapnek said:

What's the difference? I thought cookies always used local storage.

I don't think so. Local storage (aka client side storage) was introduced later than cookies, and it allows a few megabytes to be stored on the client's side. Cookies are way more limited. Danbooru currently uses local storage to save autocomplete cache.

tapnek said:

And besides, even if each entry in the blacklist had its own cookie, wouldn't there be no limit as to how many a browser can store per domain, unless the cookie itself exceeds four kilobytes somehow?

There are limits, see http://browsercookielimits.squawky.net/ - though it's certainly strange, FF 40 should allow at least 180 cookies per domain, unless they lowered it for whatever reason. The easiest way is to manually check what happens to cookies once the enable/disable all button is pressed. Be careful not to post contents of other cookies here, though.

Type-kun said:

Hm. Each disabled blacklist adds one cookie, and I vaguely remember that there are limits on how many cookies a webpage can create. Perhaps there are so many cookies added that all the older ones, including session and password hash, are wiped out. How many blacklist entries do you have?

My blacklist was quite long, 139 entries. I took a closer look with the browser console and it seems that you were quite right about blacklist cookies pushing out the login cookies. (My Firefox apparently maxes out at 150 cookies.) Cleaning out the non-essential blacklist entries and deleting all the blacklist cookies seems to have fixed the logout problem. I'm still not sure why I had to delete them manually to get rid of them, once I had cleaned my blacklist. Do the cookies persist until the browser is closed, even though the corresponding blacklist entries have been deleted? Could it have anything to do with the fact that I almost always have Danbooru open in several tabs at once? Anyway, thanks for the advice!

Flopsy said:

I'm still not sure why I had to delete them manually to get rid of them, once I had cleaned my blacklist. Do the cookies persist until the browser is closed, even though the corresponding blacklist entries have been deleted? Could it have anything to do with the fact that I almost always have Danbooru open in several tabs at once? Anyway, thanks for the advice!

Correct, they're session cookies. What this means in most browsers is that they'll be deleted the next time you restart your browser. But in Firefox it's a little different: restarting your browser only deletes them if you have no Danbooru tabs open when you restart the browser. If you have even one open when restarting, Firefox will act like you didn't restart it and keep the session cookies indefinitely.

I think switching the feature to use local storage instead of cookies would be the right thing to do from a technical standpoint:

- much more data can be stored without problems
- saves bandwidth (cookies are sent to the server with every request but the blacklist cookies are not used server-side afaik, therefore they simply waste bandwidth server-side and client-side)

The only downside is that the current behavior to reset all blacklist entries to active on new sessions (after browser restart) can't be maintained with usage of local storage alone.
(If it should be maintained, a combination of (multiple) local storage entries and exactly one session cookie could be used, i.e. if the session cookie is present, the values in local storage will be used; if it is not, they will be cleared and not used.)
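
The combination proposed in the last post (toggle state in local storage, gated by exactly one session cookie), sketched as an added example that is not part of the thread or Danbooru's own code. The key name, cookie name, function names and the `fakeBrowser` stand-in are all hypothetical.

```javascript
// Added example, not Danbooru's code. STORAGE_KEY, MARKER and all function names are hypothetical.
const STORAGE_KEY = "blacklist.disabled";
const MARKER = "blacklist_session";

// Parse a document.cookie-style string ("a=1; b=2") into a Map of name -> value.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) jar.set(part.slice(0, i).trim(), part.slice(i + 1).trim());
  }
  return jar;
}

// env = { storage: Storage-like object, getCookie(): string, setCookie(string) }
function loadDisabled(env) {
  if (!parseCookies(env.getCookie()).has(MARKER)) {
    // No marker cookie: new browser session, so reset every entry to active.
    env.storage.removeItem(STORAGE_KEY);
    env.setCookie(`${MARKER}=1; path=/; SameSite=Lax`); // no Expires/Max-Age: session cookie
  }
  let list;
  try { list = JSON.parse(env.storage.getItem(STORAGE_KEY) || "[]"); } catch { list = []; }
  return new Set(Array.isArray(list) ? list.filter((x) => typeof x === "string") : []);
}

// Disable or re-enable one blacklist entry; the cookie count never grows past one.
function setDisabled(env, entry, disabled) {
  const set = loadDisabled(env);
  if (disabled) set.add(entry); else set.delete(entry);
  env.storage.setItem(STORAGE_KEY, JSON.stringify([...set]));
  return set;
}

// Constructed stand-in for the browser so the example runs outside one.
function fakeBrowser() {
  const data = new Map();
  let cookies = "";
  return {
    storage: {
      getItem: (k) => (data.has(k) ? data.get(k) : null),
      setItem: (k, v) => { data.set(k, String(v)); },
      removeItem: (k) => { data.delete(k); },
    },
    getCookie: () => cookies,
    setCookie: (c) => { const p = c.split(";")[0]; cookies = cookies ? `${cookies}; ${p}` : p; },
    restart: () => { cookies = ""; }, // models a restart that drops session cookies
  };
}
```

In a real page the `env` argument would be `{ storage: localStorage, getCookie: () => document.cookie, setCookie: (c) => { document.cookie = c; } }`.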
