[OpenStreetMap] #5028: "remember me" does not keep the user logged in

OpenStreetMap trac at noreply.openstreetmap.org
Fri Nov 15 23:04:30 UTC 2013

#5028: "remember me" does not keep the user logged in
  Reporter:  aseerel4c26  |      Owner:  rails-dev@…
      Type:  defect       |     Status:  new
  Priority:  minor        |  Milestone:
 Component:  website      |    Version:
Resolution:               |   Keywords:  cookies

Comment (by aseerel4c26):

 Thank you Tom!

 * With my usual firefox profile: _osm_username is just a session cookie
 and hence not there anymore after a browser restart.
 * With a firefox in another user account with a relatively clean profile
 it is instead a cookie valid until 15 Nov 2033 ... hence existent after a
 restart. And: the "remember me" checkbox works.
 * In my usual chromium profile: _osm_username is valid until 15. November
 2033. As expected it is still there after a restart, and remember me


 Testing again with my usual firefox profile but in safe-mode (addons
 * username is NOT session-only. Consequently username and session cookie
 still there after a restart. Remember me works as expected.
 * restarted firefox with all addons active again: cookies still there,
 rememberme works.
 * deleted _osm cookies, relogin with rememberme, again _osm_username does
 only get created as a session cookie. Hmm! Some addon sooomehow
 interfering with the username cookie creation?!
 * switched off [https://addons.mozilla.org/en/firefox/addon/noscript/
 noscript's] "secure cookie management". Now it works as on the clean
 firefox profile.
 * tested: installed noscript in the clean-ish firefox profile on the other
 user account: remember works. Switched on the secure cookie management:
 username is a session cookie, rememberme does not work.

 So, some interpretations: sorry, apparently I did my first test in
 Chromium wrong, somehow. The other user (Sabra Sharaya) also has that
 noscript setting active or hit the low session store problem on the server
 (although "If I close the browser" does not sound like that). I had asked
 "If it works for someone please comment there" in the question on the help
 site - could have several possibilities why no one has commented here.

 Why does that happen? Not sure... I have read a bit more about that
 feature [http://noscript.net/faq#qa6_4 in its FAQ]. I still do not
 understand why we see this behaviour. However, I can see in the log that
 noscript in fact toggles the cookie's "secure" flag on and off again (as
 explained in the FAQ).

 What to do?
 * Is there anything OSM can do? I do not really know (except offering a
 full https session, good idea anyway). And: It would be less confusing if
 there were not two cookies used for authentication but just one, but
 this is a very very very minor issue.
 * To me it currently seems that it is a noscript bug (changing the cookie
 lifetime without saying so in the FAQ for this feature). Not sure why the
 same is not done for the _osm_session cookie. I will try to monitor that
 and maybe report as bug against noscript.

 Workaround: add www.openstreetmap.org to the exception list for the secure
 cookie handling. That also works - so you can keep the secure cookie
 feature of noscript enabled for other sites. :-)

 Tom, do you have any further ideas?

Ticket URL: <https://trac.openstreetmap.org/ticket/5028#comment:5>
OpenStreetMap <http://www.openstreetmap.org/>
OpenStreetMap is a free editable map of the whole world
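
Added example (not part of the original comment or of OSM's code): a small
check for the symptom reported above, comparing a cookie as sent with the same
cookie as stored in the browser and reporting a changed lifetime or "secure"
flag. The header lines, cookie value and the idea of exporting the stored
cookie in Set-Cookie form are constructed assumptions for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_cookie(line):
    """Split a Set-Cookie style line into (name, lower-cased attribute dict)."""
    first, *rest = [p.strip() for p in line.split(";")]
    name = first.partition("=")[0]
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def lifetime(attrs, now):
    """RFC 6265: Max-Age takes precedence over Expires; neither means session-only."""
    if "max-age" in attrs:
        return "persistent" if int(attrs["max-age"]) > 0 else "expired"
    if "expires" in attrs:
        return "persistent" if parsedate_to_datetime(attrs["expires"]) > now else "expired"
    return "session"

def compare(sent_line, stored_line, now):
    """Return the properties that differ between the sent and the stored cookie."""
    name, sent = parse_cookie(sent_line)
    stored_name, stored = parse_cookie(stored_line)
    if name != stored_name:
        raise ValueError("comparing different cookies")
    changes = {}
    if lifetime(sent, now) != lifetime(stored, now):
        changes["lifetime"] = (lifetime(sent, now), lifetime(stored, now))
    if ("secure" in sent) != ("secure" in stored):
        changes["secure"] = ("secure" in sent, "secure" in stored)
    return changes

# Constructed sample data; the value is a placeholder, not a real OSM cookie.
NOW = datetime(2013, 11, 15, 23, 4, 30, tzinfo=timezone.utc)
SENT = "_osm_username=example; Path=/; Expires=Tue, 15 Nov 2033 23:04:30 GMT"
STORED_CLEAN = "_osm_username=example; Path=/; Expires=Tue, 15 Nov 2033 23:04:30 GMT"
STORED_AFFECTED = "_osm_username=example; Path=/"  # session-only, as in the affected profile

if __name__ == "__main__":
    for label, stored in (("clean profile", STORED_CLEAN),
                          ("affected profile", STORED_AFFECTED)):
        print(label, compare(SENT, stored, NOW) or "no change")
```

A result of {'lifetime': ('persistent', 'session')} means the expiry was lost
between the response and the cookie store, which points at the client side
rather than at the server.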