[OpenStreetMap] #5028: "remember me" does not keep the user logged in
trac at noreply.openstreetmap.org
Fri Nov 15 23:04:30 UTC 2013
#5028: "remember me" does not keep the user logged in
Reporter: aseerel4c26 | Owner: rails-dev@…
Type: defect | Status: new
Priority: minor | Milestone:
Component: website | Version:
Resolution: | Keywords: cookies
Comment (by aseerel4c26):
Thank you Tom!
* With my usual firefox profile: _osm_username is just a session cookie
and hence not there anymore after a browser restart.
* With a firefox in another user account with a relatively clean profile
it is instead a cookie valid until 15 Nov 2033 ... hence existent after a
restart. And: the "remember me" checkbox works.
* In my usual chromium profile: _osm_username is valid until 15. November
2033. As expected it is still there after a restart, and remember me
Testing again with my usual firefox profile but in safe-mode (addons
* username is NOT session-only. Consequently username and session cookie
still there after a restart. Remember me works as expected.
* restarted firefox with all addons active again: cookies still there,
* deleted _osm cookies, relogin with rememberme, again _osm_username does
only get created as a session cookie. Hmm! Some addon sooomehow
interfering with the username cookie creation?!
* switched off [https://addons.mozilla.org/en/firefox/addon/noscript/
noscript's] "secure cookie management". Now it works as on the clean
* tested: installed noscript in the clean-ish firefox profile on the other
user account: remember works. Switched on the secure cookie management:
username is a session cookie, rememberme does not work.
So, some interpretations: sorry, apparently I did my first test in
Chromium wrong, somehow. The other user (Sabra Sharaya) also has that
noscript setting active or hit the low session store problem on the server
(although "If I close the browser" does not sound like that). I had asked
"If it works for someone please comment there" in the question on the help
site - there could be several possibilities why no one has commented here.
Why does that happen? Not sure... I have read a bit more about that
feature [http://noscript.net/faq#qa6_4 in its FAQ]. I still do not
understand why we see this behaviour. However, I can see in the log that
noscript in fact toggles the cookie's "secure" flag on and off again (as
explained in the FAQ).
What to do?
* Is there anything OSM can do? I do not really know (except offering a
full https session, good idea anyway). And: there would be less confusion if
there were not two cookies used for authentication but just one, but
this is a very very very minor issue.
* To me it currently seems that it is a noscript bug (changing the cookie
lifetime without saying so in the FAQ for this feature). Not sure why the
same is not done for the _osm_session cookie. I will try to monitor that
and maybe report as bug against noscript.
Workaround: add www.openstreetmap.org to the exception list for the secure
cookie handling. That also works - so you can keep the secure cookie
feature of noscript enabled for other sites. :-)
Tom, do you have any further ideas?
Ticket URL: <https://trac.openstreetmap.org/ticket/5028#comment:5>