Cookie issue in Firefox Android - Loads prior login info

Started by Julius_2000, December 06, 2022, 07:52:52 AM

Julius_2000

Hi,

I have a weird bug on Firefox Android. When I log in as one member, then log out and log in again as another member, when I load the top menu, it keeps showing me the menu for the previous member that was logged in.

A simple refreshing of the browser doesn't help. Only the member name and avatar next to the dropdown arrow is correct after refreshing the page. I would have to delete the cookies via the browser menu and log back in.

Aleksi "Lex" Kilpinen

This sounds like a caching issue of some sorts, is it strictly limited to that one browser or can you see similar behaviour with different devices if you test? Some hosts have caches that can cause that, some browsers may use proxies that cause that, it can be difficult to pinpoint the cause without experimenting first.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Julius_2000

I believe this is a Firefox specific issue as FF tends to not refresh its pages properly in general. In the PC version for instance, I needed to enable page refresh always-on for cache frequency load in about:config (https://kb.mozillazine.org/Browser.cache.check_doc_frequency). In the standard setting (3), FF would constantly show expired content when you go back or click a link you already had clicked before and you would have to manually refresh every page (for instance when you logged in it wouldn't show you your page but instead show you the cached guest boardindex). It was especially annoying when you were trying to reply to posts but the content was outdated. In Android, you can not edit about:config.
I have no issues in Chrome. I was able to test it on two phones low & mid-range (latter Android 13) and an older tablet running Android 8.

FF also often gives me session verification errors when I log out and immediately try logging back in. Simple refreshing wouldn't help and requires a purging of the cache/cookies. This also happens sometimes in the PC version. No issues in Edge or Chrome.

Kindred

Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Julius_2000

I don't know whether this is caused by the Android 13 update I got yesterday. But it also happens on the other Android devices.

It would even show me infos from the previous account (even though I hadn't clicked it then)

Edit:
Now that I've been logged in for several minutes, after once again refreshing the page, the data is updated and I can see the actual account info. Weird...

So I go back to my other account, and the issue comes back up again.

shawnb61

Quote from: Julius_2000 on December 06, 2022, 11:12:59 AM
Now that I've been logged in for several minutes, after once again refreshing the page, the data is updated and I can see the actual account info. Weird...

I see that occasionally.  I normally have separate admin & user accounts, so I am constantly going back & forth.  To make things worse, I regularly destroy/build new test environments in the same locations (re-testing installs & upgrades).  Under some circumstances, you may briefly see the prior account & receive an error that makes you think the logon was unsuccessful.  However, a refresh shows you actually were successfully logged in as the new guy.  Sometimes, deleting the cookies is required (after a new env was built in the same location with different settings).

I recall this only happening after building a new environment in the same location.  If so, not really an issue; that's not normal usage.

But if it occurs just logging on back & forth between two accounts, same environment, that would be a bug.  I don't recall ever seeing it do that.
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Julius_2000

Out of curiosity, I just used the stopwatch of my phone and it took about 8 minutes until the profile would update. I can't remember having this type of issue happening before. Feels relatively new.

Aleksi "Lex" Kilpinen

I've seen very similar stuff (not on my own forum, but doing support here) and practically 100% of the time the culprit has been the host.
More specifically, a server side cache as either a plain and simple cache, or as part of a "firewall service" or ddos protection or what ever the host has decided to call it to sell it. Who is your host? Another possibility could be a caching proxy between the browser and the server.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Julius_2000

I'm not sure, the member who's running the site is in Russia. But wouldn't that also affect other browsers, too? The issue is absent in Chrome.

Aleksi "Lex" Kilpinen

The problem is that it might affect specific connections based on a multitude of variables depending on the root cause and the specific configuration. There are caches that are simply dumb and store what ever is shown at a specific url, to reuse that for following requests at the same url - then there are more sophisticated alternatives that try to identify a specific session, and only reuse contents from that session, this is the alternative that could cause something like this to you - a mobile browser is pretty much uniquely identifiable, so everything you do on that single browser could end up being treated as a "single session". But really, I'm only guessing here since we can't know specifics.

If something like this would be generally reproducible on SMF, I would hope we would have heard of it already - and I would definitely consider it a security issue.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

shawnb61

@Julius_2000 - Do you see this on your production forum, just switching back & forth between two users?  If so, was this recently after a forum restore/rebuild/upgrade?
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Julius_2000

Hi Shawn,
well, we're currently running just a test forum with the latest updates. I've been experiencing this log-in/ log-out profile issue only lately - at least I can't remember something like this happened in the past months.

What keeps happening time and time again, though, ever since I've been using this new forum, is, that I would get session time out warnings whenever I log out and immediately back in with either the account I just used or another test account despite reloading the page before doing so. One is an Admin account, the other is just a regular one. And this only happens with Firefox Android. I need to delete the cache until I can log back in. I know that FF has a caching issue when pages are refreshed so I think this is the cause of the problem. It's simply not updating the data and it keeps thinking I'm still logged in or whatever.

In the PC version, I can edit the about:config settings for cache frequency, but the Android version won't let you access that.

shawnb61

Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Julius_2000

Quote from: shawnb61 on December 07, 2022, 12:40:42 PM
Do you have smf caching enabled in this forum?

Caching level is set to "no caching", the accelerator is to "SMF file based caching".

Hm. I just installed Firefox Nightly and edited the above mentioned cache doc frequency to 1, but still, same issue at least for session time outs. It's really annoying.

Another observation I made: The session time out warning almost solely occurs when I use the smf popup login window. When I use the non java login, I can login, with the non-updating profile issue still happening, though. The profile and the smf login are both in the top menu div. Could there be a correlation?

Edit:
The session time out thing also happens in the FF PC version when I try to log in with another account after I just logged out from a previous one. No issue in Edge or Chrome. Man, this is frustrating.

This is the forum
https://test.thechembase.com/index.php

shawnb61

Ah...  So your test forum is a subdomain of your regular forum...

If this is a config you would like to continue using, I would change the cookies for both to 'local'. 

You don't want them sharing cookies across the two...  Because that would mean they're each trying to reference sessions that don't exist in their db.  (Your local cookie identifies the session in the db.)

The problem with changing your main forum cookie settings is that is all your users may get logged out, etc...

But the bottom line is to look closely at cookie settings.

First thing to try, that won't affect your production forum:
 - Change the cookie ID in your test forum
 - Change the cookie type to local in your test forum
 - Clear your cookies locally

That might be sufficient.
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp
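
Added example, not part of the post above and not SMF code: a minimal model of browser cookie scoping (RFC 6265 domain matching) showing why a forum on a subdomain also receives the parent site's cookie when that cookie is domain-wide and both use the same cookie name. The hosts `forum.example` and `test.forum.example`, the cookie names and the values are constructed placeholders, and reading "local" as "not shared across subdomains" is an assumption.

```javascript
// Constructed model of browser cookie scoping; hosts and names are placeholders.
// RFC 6265 section 5.1.3 domain matching (IP-address hosts not handled).
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, '');
  return h === d || h.endsWith('.' + d);
}

// Store a cookie the way a browser would: no Domain attribute means host-only.
function storeCookie(jar, setByHost, { name, value, domain }) {
  const entry = domain
    ? { name, value, domain: domain.toLowerCase().replace(/^\./, ''), hostOnly: false }
    : { name, value, domain: setByHost.toLowerCase(), hostOnly: true };
  // A host may only set a Domain that covers itself.
  if (!entry.hostOnly && !domainMatch(setByHost, entry.domain)) return jar;
  // Same name + same domain replaces the old cookie (path ignored in this model).
  const rest = jar.filter(c => !(c.name === entry.name && c.domain === entry.domain));
  return [...rest, entry];
}

// Cookie pairs the browser attaches to a request for `host`.
function cookiesSentTo(jar, host) {
  const h = host.toLowerCase();
  return jar
    .filter(c => (c.hostOnly ? c.domain === h : domainMatch(h, c.domain)))
    .map(c => `${c.name}=${c.value}`);
}

// Scenario A: main forum uses a domain-wide cookie, test forum reuses the name.
function sharedNameScenario() {
  let jar = [];
  jar = storeCookie(jar, 'forum.example', { name: 'ForumCookie', value: 'prod-session', domain: 'forum.example' });
  jar = storeCookie(jar, 'test.forum.example', { name: 'ForumCookie', value: 'test-session' });
  return cookiesSentTo(jar, 'test.forum.example');
}

// Scenario B: both forums use host-only cookies with distinct names.
function isolatedScenario() {
  let jar = [];
  jar = storeCookie(jar, 'forum.example', { name: 'ForumCookie', value: 'prod-session' });
  jar = storeCookie(jar, 'test.forum.example', { name: 'ForumCookieTest', value: 'test-session' });
  return cookiesSentTo(jar, 'test.forum.example');
}

console.log('shared name :', sharedNameScenario());
console.log('isolated    :', isolatedScenario());
```

In scenario A the test forum receives two values under one cookie name, one of which points at a session that only exists in the other forum's database.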

Julius_2000

Quote from: shawnb61 on December 07, 2022, 01:14:21 PM
Ah...  So your test forum is a subdomain of your regular forum...

If this is a config you would like to continue using, I would change the cookies for both to 'local'. 

You don't want them sharing cookies across the two...  Because that would mean they're each trying to reference sessions that don't exist in their db.  (Your local cookie identifies the session in the db.)

The problem with changing your main forum cookie settings is that is all your users may get logged out, etc...

But the bottom line is to look closely at cookie settings.

First thing to try, that won't affect your production forum:
 - Change the cookie ID in your test forum
 - Change the cookie type to local in your test forum
 - Clear your cookies locally

That might be sufficient.

Thank you, but unfortunately nothing worked (except for manually deleting the cache which I do all the time).

And now I'm no longer able to login at all because I accidentally marked off the "database driven sessions" option or something along those lines in cookies & cache..

I also don't know why this only occurs in Firefox and not in other browsers...

shawnb61

I would keep the setting at local & with a different cookie id, to remove any confusion going forward.

I believe you need to go into the db & set databaseSession_enable to 1 to restore db sessions.

In the test env, I would clear all sessions from the sessions table, to eliminate any possibility of confusion.

On your smartphone, I would clear FF local data & cache.  Do this under Settings | Apps | Firefox | Storage.

Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Julius_2000

Quote from: shawnb61 on December 07, 2022, 02:06:46 PM
I believe you need to go into the db & set databaseSession_enable to 1 to restore db sessions.

I only have access to the ftp data folder. Would this need to be done by the host/ owner?

Quote from: shawnb61 on December 07, 2022, 02:06:46 PM
In the test env, I would clear all sessions from the sessions table, to eliminate any possibility of confusion.

The way I can see how our forums are structured on the FTP server is, the old one is stored in folder data and the test forum is stored in data2. Then there are only 3 more folders called "log", "session" and "tmp". "Session" has 2 files in it, both last modified in March and April of this year.

Quote from: shawnb61 on December 07, 2022, 02:06:46 PM
On your smartphone, I would clear FF local data & cache.  Do this under Settings | Apps | Firefox | Storage.

Yep, this is what I have to do all the time under the current issue to be able to log back in.

shawnb61

You need db access for either of the above actions.  In cpanel, that is usually via phpmyadmin.
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

shawnb61

Note that file based (non-db based) sessions should work fine.  If not, your host likely needs to address that. 
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Julius_2000

Quote from: shawnb61 on December 07, 2022, 02:19:41 PM
Note that file based (non-db based) sessions should work fine.  If not, your host likely needs to address that.

Thanks, I contacted him, hope he can reset it. Could this be also solved if we reset the whole test forum?

Julius_2000

Alright, the owner was able to reset the database driven session.

Still, the FF Android issue remains. I can't immediately log back in with any account after I logged out from another when I use the popup login window. Always have to delete cache in order to get it to work. Only when I use the non-java option I can log in but still get the wrong profile data for the account.

Although I love Firefox, it's just a hot mess with SMF.

Kindred

It is not... whatever problems you are having are almost definitely due to some specific configuration on your device... I can not reproduce your problem using ff, android and smf 2.0.19 or smf 2.1.3
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Julius_2000

Quote from: Kindred on December 07, 2022, 05:47:02 PM
It is not... whatever problems you are having are almost definitely due to some specific configuration on your device... I can not reproduce your problem using ff, android and smf 2.0.19 or smf 2.1.3

Hm, this happens across devices. Can only be a config problem with our installation of SMF or something. It's weird. And again, it only happens in Firefox.
I have no issue with that in our old forum running 2.0.19.

Edit:
Observation: It somehow might be correlated with time. I logged out and tried to log in immediately after and, like always, was told "session time out". But after waiting for several minutes, I was able to log back in. Kind of the same phenomenon as with the profile data I described in my initial post.

Kindred

that sounds like a server-side cache --   which has been reported before (not specifically/only with SMF, but with anything using that sessions and the server cache)


If the server caches the session data and tells your device to use the cache (until a refresh happens) AND you have a long session time set in SMF's admin then yes --  you could possibly "see" the previous session information.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
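
Added example, not part of the thread and not SMF code: a header check for the caching discussed in this thread, deciding from a logged-in page's response headers whether a shared cache (host, proxy) or the browser may answer from a stored copy without asking the server. It applies a simplified subset of the RFC 9111 rules (no heuristic freshness, no Vary handling), and the sample headers are constructed.

```javascript
// Parse a Cache-Control header value into a directive map.
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of (value || '').split(',')) {
    const [name, arg] = part.trim().split('=');
    if (name) directives.set(name.toLowerCase(), arg === undefined ? true : arg.replace(/"/g, ''));
  }
  return directives;
}

// How a cache of the given kind may treat the response:
// 'shared' = host/proxy/CDN cache, 'private' = the browser's own cache.
function reusePolicy(headers, kind) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const cc = parseCacheControl(h['cache-control']);
  if (cc.has('no-store')) return { store: false, freshSeconds: 0 };
  if (kind === 'shared' && cc.has('private')) return { store: false, freshSeconds: 0 };
  let fresh = 0;
  if (kind === 'shared' && cc.has('s-maxage')) fresh = Number(cc.get('s-maxage'));
  else if (cc.has('max-age')) fresh = Number(cc.get('max-age'));
  else if (h['expires'] && h['date']) {
    fresh = Math.max(0, (Date.parse(h['expires']) - Date.parse(h['date'])) / 1000);
  }
  if (cc.has('no-cache')) fresh = 0; // stored copy must be revalidated before each reuse
  return { store: true, freshSeconds: fresh };
}

// A personalised page is at risk when a cache may serve its copy without
// contacting the origin, i.e. it may store the page and the copy counts as fresh.
function auditPersonalisedPage(headers) {
  const findings = [];
  for (const kind of ['shared', 'private']) {
    const p = reusePolicy(headers, kind);
    if (p.store && p.freshSeconds > 0) findings.push(`${kind} cache may reuse for ${p.freshSeconds}s`);
  }
  return findings;
}

// Constructed sample responses for a logged-in forum page.
const samples = {
  cacheableByAnyone: { 'Cache-Control': 'max-age=480' },
  browserOnly: { 'Cache-Control': 'private, max-age=480' },
  expiresOnly: { Date: 'Tue, 06 Dec 2022 08:00:00 GMT', Expires: 'Tue, 06 Dec 2022 08:10:00 GMT' },
  revalidateAlways: { 'Cache-Control': 'private, no-cache' },
  neverStored: { 'Cache-Control': 'no-store' },
};
for (const [name, headers] of Object.entries(samples)) {
  console.log(name, auditPersonalisedPage(headers));
}
```

An empty result means neither cache may reuse the page silently; any finding on a page that shows account data is worth raising with the host.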

Julius_2000

Thank you for your reply, Kindred!

This is how it's set on our forum:


Should I uncheck "Allow browsers to go back to cached pages" to solve the issue? Session time seems reasonably long.

Happy and safe Holidays!

Edit:
Ah, this seems working! Thank you! I'm just wondering why Chrome based browsers did not have the issue while this was checked. Do they ignore this?

Kindred

no....    it's not a problem with the caching inside SMF.  We handle THAT correctly....

It's a problem with SERVER-SIDE caching... like Varnish
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Julius_2000

Quote from: Kindred on December 21, 2022, 10:26:52 AM
no....    it's not a problem with the caching inside SMF.  We handle THAT correctly....

It's a problem with SERVER-SIDE caching... like Varnish

I'm sorry, I didn't get that. What does that mean? I never had the issue with Chrome or Edge having the option checked.

Kindred

Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
