
403 Forbidden Attempting to use a *one*-time login secret 2 times

By dreyveloper @dreyveloper, 2020-08-12 04:31:31.359Z

Good day, a problem occurs while using "v0/login-with-secret?oneTimeSecret=" now. It was working just fine yesterday.
This is the error message: "403 Forbidden Attempting to use a one-time login secret 2 times"

  • 3 replies
  1. KajMagnus @KajMagnus, 2020-08-13 09:46:57.834Z

    (as per the discussion in the private topic ...)

    So this is apparently a change in Chrome the last few days, which causes problems with blog comments & Single Sign-On:

    Chrome now thinks a domain is too similar to the domain,
    so if the browser goes to comments-for-..., then Chrome shows a warning that maybe one intended to visit (but not comments-for-...).

    And when Chrome does this, it first loads the comments-for-... page once — thereby using up a oneTimeSecret=... in the URL.
    And after the user has clicked buttons in Chrome to proceed to comments-for-..., Talkyard replies with a Single Sign-On error, because the oneTimeSecret cannot be used twice.

    Maybe comments-for-... URLs will have to be changed to something else, so Chrome stops showing these warnings.

    1. In reply to dreyveloper:
      KajMagnus @KajMagnus, 2020-08-13 15:20:50.859Z

      Seems there's a 2nd problem too: Chrome recently activated the SameSite cookie policy, in the same browser upgrade I suppose.

      I think this change in Chrome breaks Single Sign-On when combined with blog comments. (Otherwise, with no SSO, Talkyard falls back to a session id in HTTP headers instead.)

      So for now I'll need to ... add a config value so you can enable SameSite: None.

      SameSite Updates
      Last updated August 11, 2020.
      For the full Chrome release schedule, see here. For the SameSite-by-default and SameSite=None-requires-Secure launch timeline, see below:
      July 28, 2020: The rollout population has been increased to target a fraction of the overall Chrome 80+ stable population. We are monitoring metrics and ecosystem feedback on our tracking bug.
      Aug 11, 2020: The target rollout population has been increased to 100% of users on Chrome Stable versions 80 and above, and the actual proportion of users with the new behavior enabled is now ramping up to 100% gradually. Users will receive the new behavior when they restart Chrome.
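The SameSite problem described in the reply above, as an added example that is not Talkyard's own code: a small Python model of how Chrome 80+ treats a session cookie that the comments server sets from inside a blog page's cross-site iframe, and the header change (SameSite=None; Secure) that keeps it working. Cookie names and values are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class CookieDecision:
    name: str
    stored: bool           # does Chrome accept the Set-Cookie at all?
    sent_cross_site: bool  # is it attached to requests made from a cross-site iframe?
    reason: str


def parse_set_cookie(header: str) -> tuple[str, dict]:
    """Split a Set-Cookie header into (cookie name, {lowercased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()   # flags such as Secure map to ""
    return name.strip(), attrs


def evaluate(header: str, legacy_chrome: bool = False) -> CookieDecision:
    """Model Chrome's SameSite handling; legacy_chrome=True is the pre-80 behaviour."""
    name, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        if legacy_chrome:
            return CookieDecision(name, True, True, "no SameSite: old default behaves like None")
        # Chrome 80+ SameSite-by-default: an unspecified attribute is treated as Lax,
        # so the cookie is dropped from the iframe's requests and SSO breaks.
        return CookieDecision(name, True, False, "no SameSite: Chrome 80+ defaults to Lax")
    if samesite == "none":
        if not secure:
            return CookieDecision(name, False, False, "SameSite=None without Secure is rejected")
        return CookieDecision(name, True, True, "SameSite=None; Secure is sent cross-site")
    return CookieDecision(name, True, False, f"SameSite={samesite} is not sent from a cross-site iframe")


def harden_for_embedding(header: str) -> str:
    """Append the attributes an embedded-comments server needs (the opt-in Talkyard describes)."""
    _name, attrs = parse_set_cookie(header)
    out = header.rstrip("; ")
    if attrs.get("samesite", "").lower() != "none":
        out += "; SameSite=None"
    if "secure" not in attrs:
        out += "; Secure"
    return out


if __name__ == "__main__":
    # Constructed sample: a session cookie as an older server might set it.
    legacy = "tySession=s3ss10n; Path=/; HttpOnly"
    print(evaluate(legacy))
    print(evaluate(harden_for_embedding(legacy)))
```

Note that SameSite=None; Secure only helps on HTTPS origins; on plain HTTP the hardened cookie is rejected outright.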

      1. Progress with handling this problem
      2. @KajMagnus marked this topic as Started 2020-08-13 09:47:43.944Z.