#known 2017-11-28

2017-11-28 UTC
[chrisaldrich], [eddie], [kevinmarks], [miklb], j12t, [jackysee], [tantek], [cleverdevil], [snarfed], [jeremycherfas], tantek, jeremycherfas, mapkyca and rMdes joined the channel
#
rMdes
not sure what changed at Known Pro but I can't log in, meaning when I do, the moment I choose a post type, I get logged out
#
rMdes
it seems to be a conflict with SSL not being maintained at all times, so it kind of resets the sessions
[kevinmarks] joined the channel
#
[kevinmarks]
working for me
#
rMdes
also it seems it broke all my connection to social media
#
rMdes
strange
#
rMdes
i can't publish, I can login, but the moment I want to save something my session is dropped
#
mapkyca
rMdes: strange. Seems to be working for me. What happens when you try from another browser? If it's consistent, could you maybe record a network log so we can see what's going on?
#
rMdes
let me try, this is on firefox 57
[miklb] joined the channel
#
rMdes
I don't know how to record the network log
#
rMdes
the steps are: 1) login, I see the dashboard and I can go to any part of the admin site. 2) I pick a post type (status), type it, hit the publish button, I land on a Known page where I can try again, but it logs me out, on the screen I can see "invalid token" - 3) I have to login again
#
rMdes
it's the part of Known pro I really don't like : SSL cert is never green-checked because the cert is not for the domain
#
rMdes
The certificate is only valid for the following names: *.withknown.com, withknown.com
#
rMdes
I can add an exception though : https://www.okcinfo.news/
#
rMdes
anyway it's a mess, i guess moving to self-hosted will be simpler to fix
#
rMdes
I have no issue with self hosted sites
#
mapkyca
Yeah, sounds like a TLS/non-TLS cookie problem. Login will be directed to HTTPS, and then it sounds like you're being forwarded to non-tls afterwards and so the cookie is no longer available when you post your status update
#
mapkyca
Cookies on TLS are not available to non-TLS sessions
#
rMdes
thing is I usually never use HTTPS for this site since they don't match
#
rMdes
i was getting logged out from the non HTTPS site
#
rMdes
the site was built without using HTTPS on the custom page menu url for ex
#
rMdes
so the logic would be If i login without HTTPS I should stay HTTP the whole time
#
rMdes
and there should be no cookie collision, right?
#
mapkyca
hmm... sorry, I misunderstood
#
rMdes
I'm confused too
#
mapkyca
"invalid token" isn't necessarily anything to do with being logged out (if you can refresh the page and see the logged in menu, you haven't been logged out) that's the XSS validation failing on post
#
rMdes
that doesn't help
#
mapkyca
so, the token generated by the form... for some reason... is being rejected when it's posted
#
mapkyca
off the top of my head I can't think of a reason why this would happen, and I'd need to see the logs to really get a handle on why.
#
mapkyca
I'll see if I can push some debug or something to see if we can get some client side output to help...
#
rMdes
thanks a lot
#
rMdes
sadly i can't provide more info, since I don't have access
#
rMdes
the SSL is another issue then, has nothing to do with the token being invalidated, if I understood correctly
#
mapkyca
aye... ssl certs being invalid is another issue...
[snarfed] joined the channel
#
@mapkyca
Just pushed an update to @withknown hosted which should fix the issues some people were having with bookmarks, let me know if you're still having trouble!
(twitter.com/_/status/935517101489623042)
[manton], [eddie] and travis-ci joined the channel
#
travis-ci
idno/Known#4316 (master - 06da49d : Marcus Povey): The build passed.
#
mapkyca
the token is generated over site secrete + action + time + _session id_ ... so maybe if the form is generated on https but posted to http, then it's not beyond the realms of possibility that the session id has changed, although I've no real data here. network log might help with this (chrome dev console allows you to record, ff might as well)
[jackysee] and [snarfed] joined the channel
#
ben_thatmustbeme
not even going to ask what your site secretes :P
#
mapkyca
heh heh!
#
mapkyca
ok, I've updated the image with some logging. If you try again, I should be able to pull the logs and see if this gives us some more detail...
sensiblemn joined the channel
[jackysee], tantek, [keithjgrant] and [kevinmarks] joined the channel
#
@mapkyca
For any #indieweb folks who are using it, I've backported the extraction stuff I did for @withknown url unfurl into php-ogp: https://github.com/mapkyca/php-ogp updated both.
(twitter.com/_/status/935595840558813190)
tantek, raretrack, [keithjgrant], [eddie], [jackysee] and [miklb] joined the channel