Zebbler Encanti Experience - Psychic Projections - Data Mind
2013-06-14 16553, 2013
tinix
uuuuuuuuuuuuugh
2013-06-14 16555, 2013
Prophet5 joined the channel
2013-06-14 16526, 2013
zas joined the channel
2013-06-14 16554, 2013
reosarevok joined the channel
2013-06-14 16513, 2013
reosarevok
ocharles, do you have any idea of what causes the inability to stay logged in? :(
2013-06-14 16518, 2013
djce joined the channel
2013-06-14 16510, 2013
ocharles
reosarevok: no
2013-06-14 16515, 2013
ocharles
or I would have fixed it :)
2013-06-14 16526, 2013
reosarevok
Meh, it's *very* annoying :(
2013-06-14 16543, 2013
ocharles
I know, it's a priority
2013-06-14 16548, 2013
reosarevok
Ok
2013-06-14 16558, 2013
ocharles
but I'm unable to even reproduce it myself
2013-06-14 16520, 2013
ocharles
I'm assuming you're using beta?
2013-06-14 16530, 2013
ocharles
I wonder if beta hasn't been updated and is setting the wrong cookie
2013-06-14 16509, 2013
ocharles
I'm logged out on beta, but I'm still logged in on the main servers
2013-06-14 16529, 2013
reosarevok
No
2013-06-14 16532, 2013
reosarevok
I'm using prod
2013-06-14 16538, 2013
ocharles
Ok
2013-06-14 16546, 2013
reosarevok
On Chrome, in case it matters
2013-06-14 16514, 2013
reosarevok
I get logged out at least once a day (since every time I go check the subscription mail in the morning I'm logged out)
2013-06-14 16536, 2013
ocharles
Are you opening multiple tabs straight away?
2013-06-14 16502, 2013
reosarevok
Yeah, of course :)
2013-06-14 16524, 2013
reosarevok
(and usually some of them find me logged out, some do not - not necessarily in order, either)
2013-06-14 16527, 2013
ocharles
ok, try not doing that next time
2013-06-14 16535, 2013
ocharles
It sounds race-conditiony
2013-06-14 16546, 2013
ocharles
In fact, if all those tabs send the same cookie, then that's probably what logs you out
2013-06-14 16559, 2013
ocharles
The first one would consume the remember me token, the next would try but fail because that token doesn't exist now, and would log you out
2013-06-14 16552, 2013
reosarevok
... er, ok
2013-06-14 16501, 2013
reosarevok
But that certainly would need fixing anyway
2013-06-14 16503, 2013
ocharles
That is something I can at least test
2013-06-14 16506, 2013
reosarevok
Ok
2013-06-14 16510, 2013
ocharles
sure, I'm just trying to work out what the problem is
2013-06-14 16528, 2013
djce joined the channel
2013-06-14 16552, 2013
djce joined the channel
2013-06-14 16530, 2013
ocharles
Ok, I'm pretty convinced that multiple tabs is the problem.
2013-06-14 16506, 2013
ocharles
If you have no session in progress, the browser will send your 'remember_me' token. The server consumes this token exclusively (it atomically gets/deletes it) and then opens a session for you, logging you in.
2013-06-14 16541, 2013
ocharles
If you make another request without a session but with a 'remember_me' token, you will have a new session opened for you, but the 'remember_me' token will fail to authenticate you
2013-06-14 16549, 2013
ocharles
Now you've removed your logged in session, and you will be logged out
2013-06-14 16505, 2013
ocharles
Because the session is global (over musicbrainz.org) you're logged out in all tabs
2013-06-14 16509, 2013
ocharles
I'm not sure how to fix this though. I could put a 'grace window' on token consumption, but then I have to write a little daemon to periodically clean these up. Maybe Redis can be set to do that
2013-06-14 16504, 2013
ocharles
I'll give that a try and we'll see if things get better
2013-06-14 16520, 2013
warp
ocharles: redis can expire things for you
2013-06-14 16531, 2013
warp
ocharles: why does the token need to be consumed?
2013-06-14 16531, 2013
ocharles
warp: they are one use tokens
2013-06-14 16548, 2013
djce joined the channel
2013-06-14 16550, 2013
warp
yes, why are they one use tokens? :)
2013-06-14 16554, 2013
ocharles
you don't want someone grabbing all your cookies because then they can always login as you
2013-06-14 16558, 2013
ocharles
even if you've used that token up
2013-06-14 16517, 2013
ocharles
yes, I'll try with redis and EXPIRE
2013-06-14 16529, 2013
ocharles
and whenever a token is consumed, it will be set to expire in 5 minutes
2013-06-14 16555, 2013
warp
so in that case they're no longer one use tokens, but limited use tokens?
2013-06-14 16528, 2013
ocharles
yea
2013-06-14 16553, 2013
warp
ok, that sounds good.
2013-06-14 16547, 2013
warp
(not having a session and then opening a bunch of musicbrainz tabs at once which should all log in with the remember me token is a valid thing to do :)
2013-06-14 16507, 2013
warp
ocharles: if I do the above, will you still generate new remember me tokens for each of those tabs? or only once when the token is used while it is not yet expiring?
2013-06-14 16515, 2013
ocharles
at the moment, I will give you new tokens for all the tabs
2013-06-14 16526, 2013
ocharles
maybe we should always expire these tokens after $some_large_duration
2013-06-14 16531, 2013
warp
ocharles: oh and.. can I stay logged in using remember me tokens on different machines and different browsers?
2013-06-14 16534, 2013
ocharles
to prevent redis forever growing
2013-06-14 16551, 2013
ocharles
warp: yes, each browser will have its own session store, and thus its own remember_me token
2013-06-14 16500, 2013
ocharles
(and when you log in each will have its own session)
2013-06-14 16556, 2013
warp
ocharles: yes, redis stores everything in memory, so please do not store anything indefinitely :)
2013-06-14 16512, 2013
ocharles
:)
2013-06-14 16518, 2013
warp
(Though I'd suggest a year or so for the expire date of non-expiring remember me tokens)
2013-06-14 16538, 2013
ocharles
Yea, I was thinking a year
2013-06-14 16534, 2013
ocharles
lame, you can't expire members in a set
2013-06-14 16508, 2013
ocharles
And Redis.pm doesn't know what setex is, apparently
2013-06-14 16501, 2013
ocharles
Ok, in review reosarevok
2013-06-14 16505, 2013
ocharles
Should be able to go to beta soon :)
2013-06-14 16547, 2013
ocharles joined the channel
2013-06-14 16531, 2013
ocharles
joy, enabling the nixos firewall stops ipv6 working :(