403 Forbidden Attempting to use a one-time login secret 2 times
Good day, a problem occurs while using "v0/login-with-secret?oneTimeSecret=" now. It was working just fine yesterday.
This is the error message: "403 Forbidden Attempting to use a one-time login secret 2 times"
- 3 replies
- KajMagnus @KajMagnus 2020-08-13 09:46:57.834Z
(as per the discussion in the private topic ...)
So this is apparently a change in Chrome the last few days, which causes problems with blog comments & Single Sign-On:
Chrome now thinks a domain comments-for-some-website-com.talkyard.net is too similar to the domain
so if the browser goes to comments-for-..., then Chrome shows a warning that maybe one intended to visit
And when Chrome does this, it first loads the comments-for-... page once — thereby using up a oneTimeSecret=... in the URL.
And after the user has clicked buttons in Chrome to proceed to comments-for ..., then, Talkyard replies Single Sign-On error, because the oneTimeSecret cannot be used twice.
comments-for-... URLs will have to be changed to something else, so Chrome stops showing these warnings.
- In reply to dreyveloper⬆: KajMagnus @KajMagnus 2020-08-13 15:20:50.859Z
I think this change in Chrome breaks Single Sign-On when combined with blog comments. (Otherwise, with no SSO, Talkyard falls back to session id in HTTP headers instead.)
So for now I'll need to ... add a config value so you can enable
https://www.chromium.org/updates/same-site
Last updated August 11, 2020.
For the full Chrome release schedule, see here. For the SameSite-by-default and SameSite=None-requires-Secure launch timeline, see below:
July 28, 2020: The rollout population has been increased to target a fraction of the overall Chrome 80+ stable population. We are monitoring metrics and ecosystem feedback on our tracking bug.
Aug 11, 2020: The target rollout population has been increased to 100% of users on Chrome Stable versions 80 and above, and the actual proportion of users with the new behavior enabled is now ramping up to 100% gradually. Users will receive the new behavior when they restart Chrome.
- Progress with handling this problem
- @KajMagnus marked this topic as Started 2020-08-13 09:47:43.944Z.
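
A minimal model of the failure described in this thread, as an added example that is not Talkyard's code and not part of any post above. The `OneTimeSecretStore` class, its TTL and the success body are assumptions; only the second-use error text mirrors the message quoted in the question.

```python
import secrets
import time


class OneTimeSecretStore:
    """Hypothetical in-memory store for one-time login secrets."""

    def __init__(self, ttl_seconds=600):
        self.ttl = ttl_seconds
        # secret -> {"user": str, "expires": float, "uses": int}
        self._secrets = {}

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        secret = secrets.token_urlsafe(32)
        self._secrets[secret] = {"user": user_id, "expires": now + self.ttl, "uses": 0}
        return secret

    def redeem(self, secret, now=None):
        """Return (http_status, body). Every request carrying the secret
        counts as a use, whether or not the user ever saw the response."""
        now = time.time() if now is None else now
        entry = self._secrets.get(secret)
        if entry is None or now > entry["expires"]:
            return 403, "Unknown or expired one-time login secret"
        entry["uses"] += 1
        if entry["uses"] > 1:
            # Keeping the counter (instead of deleting the secret) lets the
            # server report how many times the secret was presented.
            return 403, f"Attempting to use a one-time login secret {entry['uses']} times"
        return 200, f"session created for {entry['user']}"


def simulate_interstitial(store, user_id):
    """Constructed sequence: the browser loads the login URL once before
    showing its warning, then loads it again after the user clicks through."""
    secret = store.issue(user_id, now=0)
    first = store.redeem(secret, now=1)   # load the user never sees
    second = store.redeem(secret, now=5)  # load after the user proceeds
    return first, second


if __name__ == "__main__":
    print(simulate_interstitial(OneTimeSecretStore(), "alice"))
```

The first request succeeds but its response is discarded behind the browser warning, so the only response the user sees is the 403 from the second request.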