Why does iOS's Safari log out the moderator web page?
I use the moderator web page with Firefox, and it stays logged in for as long as I keep the browser open. But with Safari on iPhone and iPad, I often have to log in again when I return to it. Same for every other browser I've tried under iOS. Can anyone tell me why?
Peter Shute
On 02/03/2014 05:04 PM, Peter Shute wrote:
I use the moderator web page with Firefox, and it stays logged in for as long as I keep the browser open. But with Safari on iPhone and iPad, I often have to log in again when I return to it. Same for every other browser I've tried under iOS. Can anyone tell me why?
Because the session cookie which keeps the fact that you've logged in is being expired, presumably because when you leave the browser and return to it, iOS starts a new session or otherwise invalidates the session cookie. Why it does this is an Apple question.
-- Mark Sapiro mark@msapiro.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
On 4 Feb 2014, at 12:26 pm, "Mark Sapiro" mark@msapiro.net wrote:
On 02/03/2014 05:04 PM, Peter Shute wrote:
I use the moderator web page with Firefox, and it stays logged in for as long as I keep the browser open. But with Safari on iPhone and iPad, I often have to log in again when I return to it. Same for every other browser I've tried under iOS. Can anyone tell me why?
Because the session cookie which keeps the fact that you've logged in is being expired, presumably because when you leave the browser and return to it, iOS starts a new session or otherwise invalidates the session cookie. Why it does this is an Apple question.
That makes sense. Is there any way around it? Is it possible to make it use persistent cookies?
Note that this problem wasn't anywhere near as bad until I upgraded from iOS6 to iOS7. I don't mind logging in again every few days.
Peter Shute
On 02/03/2014 05:53 PM, Peter Shute wrote:
That makes sense. Is there any way around it? Is it possible to make it use persistent cookies?
If you're willing to modify the code, see the MakeCookie function in Mailman/SecurityManager.py.
You could replace the comment
# We use session cookies, so don't set `expires' or `max-age' keys.
by something like
c[key]['Max-Age'] = 3600 * 24 * 5
to give the cookie a lifetime of 5 days.
-- Mark Sapiro mark@msapiro.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
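The difference between the session cookie and the `Max-Age` variant suggested in the message above, as an added example that is not part of the original thread and is not Mailman's code. It uses Python 3's `http.cookies`; the cookie names, token value, path and the `BrowserJar` model are constructed for illustration.

```python
from http.cookies import SimpleCookie

FIVE_DAYS = 3600 * 24 * 5  # the lifetime suggested in the message above


def make_cookie(key, value, max_age=None):
    """Return a Set-Cookie value; without max_age it is a session cookie."""
    c = SimpleCookie()
    c[key] = value
    c[key]['path'] = '/mailman/'      # constructed path
    if max_age is not None:
        c[key]['Max-Age'] = max_age   # the one-line change from the thread
    return c[key].OutputString()


class BrowserJar:
    """Minimal model of a browser cookie store (constructed, not a real API)."""

    def __init__(self):
        self._expiry = {}             # name -> absolute expiry; None = session

    def store(self, set_cookie_value, now):
        parsed = SimpleCookie()
        parsed.load(set_cookie_value)
        for name, morsel in parsed.items():
            if morsel['max-age'] == '':
                self._expiry[name] = None            # lives with the process
            elif int(morsel['max-age']) <= 0:
                self._expiry.pop(name, None)         # Max-Age <= 0 deletes it
            else:
                self._expiry[name] = now + int(morsel['max-age'])

    def process_ended(self):
        """Browser closed, or evicted by the OS: session cookies are dropped."""
        self._expiry = {n: t for n, t in self._expiry.items() if t is not None}

    def sent_at(self, now):
        """Names of the cookies the browser would still send at time `now`."""
        return sorted(n for n, t in self._expiry.items()
                      if t is None or now < t)


def demo():
    jar = BrowserJar()
    jar.store(make_cookie('session_demo', 'constructed-token'), now=0)
    jar.store(make_cookie('persistent_demo', 'constructed-token', FIVE_DAYS),
              now=0)
    before = jar.sent_at(60)          # both cookies are sent
    jar.process_ended()               # e.g. the browser was unloaded
    after = jar.sent_at(60)           # only the Max-Age cookie survives
    expired = jar.sent_at(FIVE_DAYS + 1)
    return before, after, expired


if __name__ == '__main__':
    print(make_cookie('persistent_demo', 'constructed-token', FIVE_DAYS))
    print(demo())
```

The persistent cookie keeps the login valid across browser restarts for the full five days, which is also the period during which a forged cross-site request would carry it.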
Monday, February 3, 2014, 7:53:20 PM, Peter wrote:
On 4 Feb 2014, at 12:26 pm, "Mark Sapiro" mark@msapiro.net wrote:
On 02/03/2014 05:04 PM, Peter Shute wrote:
I use the moderator web page with Firefox, and it stays logged in for as long as I keep the browser open. But with Safari on iPhone and iPad, I often have to log in again when I return to it. Same for every other browser I've tried under iOS. Can anyone tell me why?
Because the session cookie which keeps the fact that you've logged in is being expired, presumably because when you leave the browser and return to it, iOS starts a new session or otherwise invalidates the session cookie. Why it does this is an Apple question.
That makes sense. Is there any way around it? Is it possible to make it use persistent cookies?
Note that this problem wasn't anywhere near as bad until I upgraded from iOS6 to iOS7. I don't mind logging in again every few days.
Have you tried setting the Safari setting 'Block Cookies' to 'Never' to see if that in fact makes a difference? There are only three options to choose from. I wish they had an exception list you could add sites to like other browsers.
-- Best regards, Duane mailto:duihi77@gmail.com
On 4 Feb 2014, at 1:27 pm, "Mark Sapiro" mark@msapiro.net wrote:
On 02/03/2014 05:53 PM, Peter Shute wrote:
That makes sense. Is there any way around it? Is it possible to make it use persistent cookies?
If you're willing to modify the code, see the MakeCookie function in Mailman/SecurityManager.py.
You could replace the comment
# We use session cookies, so don't set `expires' or `max-age' keys.
by something like
c[key]['Max-Age'] = 3600 * 24 * 5
to give the cookie a lifetime of 5 days.
I don't have access to do that, and I think it's probably too difficult for me anyway. I was hoping it was a configuration option that I could ask the administrator to try. Maybe I'll just pray that iOS 7.1 fixes it.
Peter Shute
Peter Shute writes:
I don't have access to do that, and I think it's probably too difficult for me anyway. I was hoping it was a configuration option that I could ask the administrator to try. Maybe I'll just pray that iOS 7.1 fixes it.
Unlikely. This "feature" is a *fix*.
The problem is that "convenience" may be defined as "things that do what I want without asking annoying questions." Since "what I want" requires mind-reading, which few computers are capable of as yet, most vendors focus on "avoiding annoying questions". As any martinet with a teaching degree knows, *all* questions are annoying, so don't ask any is the (naive) consumer-friendly policy.
That policy is what earned Windows its reputation for insecurity (deserved IMHO, YMMV). Apple is trying to do better (after all, computer viruses were invented basically to screw the Mac -- they have been seriously burned), and so they are taking a conservative approach to getting confirmation from the user that they really are the owner of the device and that they really do want to do whatever it is that some random program off the Internet proposed that they do.
So iOS 7.1 might be a little bit better, but I wouldn't bet on a lot.
Duane Hill wrote:
I use the moderator web page with Firefox, and it stays logged in for as long as I keep the browser open. But with Safari on iPhone and iPad, I often have to log in again when I return to it. Same for every other browser I've tried under iOS. Can anyone tell me why?
Because the session cookie which keeps the fact that you've logged in is being expired, presumably because when you leave the browser and return to it, iOS starts a new session or otherwise invalidates the session cookie. Why it does this is an Apple question.
That makes sense. Is there any way around it? Is it possible to make it use persistent cookies?
Note that this problem wasn't anywhere near as bad until I upgraded from iOS6 to iOS7. I don't mind logging in again every few days.
Have you tried setting the Safari setting 'Block Cookies' to 'Never' to see if that in fact makes a difference? There are only three options to choose from. I wish they had an exception list you could add sites to like other browsers.
Yes. I was set to the default, which is to block cookies from "third parties and advertisers". I assumed it wasn't blocking mailman cookies anyway because it stays logged in if I stay in Safari. I tried "never", just in case, but no improvement.
Peter Shute
Stephen J. Turnbull wrote:
I don't have access to do that, and I think it's probably too difficult for me anyway. I was hoping it was a configuration option that I could ask the administrator to try. Maybe I'll just pray that iOS 7.1 fixes it.
Unlikely. This "feature" is a *fix*.
The problem is that "convenience" may be defined as "things that do what I want without asking annoying questions."
Since "what I want" requires mind-reading, which few computers are capable of as yet, most vendors focus on "avoiding annoying questions". As any martinet with a teaching degree knows, *all* questions are annoying, so don't ask any is the (naive) consumer-friendly policy.
That policy is what earned Windows its reputation for insecurity (deserved IMHO, YMMV). Apple is trying to do better (after all, computer viruses were invented basically to screw the Mac -- they have been seriously burned), and so they are taking a conservative approach to getting confirmation from the user that they really are the owner of the device and that they really do want to do whatever it is that some random program off the Internet proposed that they do.
So iOS 7.1 might be a little bit better, but I wouldn't bet on a lot.
I agree that convenience is often at the expense of security, but I feel that this is just a side effect of something they've done with multitasking. The cookies are supposed to expire if I close the browser, but I haven't. I've only swapped to another program for a while. Safari is a native app, not a random program off the internet.
Sometimes when I come back, the session remains logged in. It might be if I come back quickly. But generally I find it's logged out, so I assume iOS has temporarily closed the browser, causing the cookie to expire.
This happened in iOS6, but nowhere near as much. In iOS7, it seems to happen almost without fail. It's fair enough to expire the cookie if the browser was closed, but then iOS tries to give the impression it wasn't closed by keeping all the tabs open with the content still visible.
As Mark said, this is an Apple problem, not a mailman problem. But if it has become a permanent feature of iOS, and if lots of mailman administrators use iOS, does it become a mailman problem?
Peter Shute
On 02/04/2014 03:03 PM, Peter Shute wrote:
I agree that convenience is often at the expense of security, but I feel that this is just a side effect of something they've done with multitasking. The cookies are supposed to expire if I close the browser, but I haven't. I've only swapped to another program for a while. Safari is a native app, not a random program off the internet.
The security issues are not with the browser software, but rather with Cross Site Request Forgery attacks.
As Mark said, this is an Apple problem, not a mailman problem. But if it has become a permanent feature of iOS, and if lots of mailman administrators use iOS, does it become a mailman problem?
And have you asked Apple about it?
As far as providing "relief" in Mailman in the form of persistent cookies, I'm not inclined to do that in Mailman 2.1 because of the potential CSRF implications. The login/security model for Mailman 3/Postorius is different, so this may or may not be an issue there.
-- Mark Sapiro mark@msapiro.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
On 2/4/14, 6:03 PM, Peter Shute wrote:
I agree that convenience is often at the expense of security, but I feel that this is just a side effect of something they've done with multitasking. The cookies are supposed to expire if I close the browser, but I haven't. I've only swapped to another program for a while. Safari is a native app, not a random program off the internet.
Sometimes when I come back, the session remains logged in. It might be if I come back quickly. But generally I find it's logged out, so I assume iOS has temporarily closed the browser, causing the cookie to expire.
This happened in iOS6, but nowhere near as much. In iOS7, it seems to happen almost without fail. It's fair enough to expire the cookie if the browser was closed, but then iOS tries to give the impression it wasn't closed by keeping all the tabs open with the content still visible.
As Mark said, this is an Apple problem, not a mailman problem. But if it has become a permanent feature of iOS, and if lots of mailman administrators use iOS, does it become a mailman problem?
Peter Shute
My guess is it depends on if iOS has asked the browser to actually close to reclaim memory, or just put it aside, while it has been in the background.
-- Richard Damon
On 5 Feb 2014, at 10:55 am, "Mark Sapiro" mark@msapiro.net wrote:
And have you asked Apple about it?
No, I wanted to eliminate the possibility that it's a mailman problem first.
It's a pity I don't still have access to iOS6, so I could make sure it's an iOS7 problem. Another change that occurred around the same time is that we moved the list to another server.
Can anyone tell me why the moderator page won't let me save the password in any of the iOS browser apps I've tried? None let me enter the URL and password myself, I have to wait for them to offer to save them, but none of them offer for that web page.
Peter Shute
On 02/04/2014 11:30 PM, Peter Shute wrote:
Can anyone tell me why the moderator page won't let me save the password in any of the iOS browser apps I've tried? None let me enter the URL and password myself, I have to wait for them to offer to save them, but none of them offer for that web page.
This again would appear to be either an iOS issue or something to do with the particular web server on the Mailman host. Are you offered password saving for other pages from the same host?
My experience with Firefox mostly on various Linux, Mac and Windows platforms is that it does not always offer to save passwords, particularly those from financial institution websites, but it does always offer to save Mailman passwords.
-- Mark Sapiro mark@msapiro.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
On 6 Feb 2014, at 1:45 am, "Mark Sapiro" mark@msapiro.net wrote:
On 02/04/2014 11:30 PM, Peter Shute wrote:
Can anyone tell me why the moderator page won't let me save the password in any of the iOS browser apps I've tried? None let me enter the URL and password myself, I have to wait for them to offer to save them, but none of them offer for that web page.
This again would appear to be either an iOS issue or something to do with the particular web server on the Mailman host. Are you offered password saving for other pages from the same host?
iOS's Safari doesn't offer to save the password to the membership configuration page on the same server either.
My experience with Firefox mostly on various Linux, Mac and Windows platforms is that it does not always offer to save passwords, particularly those from financial institution websites, but it does always offer to save Mailman passwords.
Firefox offers to save the passwords to the same pages on a PC. I guess that means it's totally an iOS problem.
Peter Shute
On 6 Feb 2014, at 5:22 am, "Peter Shute" pshute@nuw.org.au wrote:
My experience with Firefox mostly on various Linux, Mac and Windows platforms is that it does not always offer to save passwords, particularly those from financial institution websites, but it does always offer to save Mailman passwords.
Firefox offers to save the passwords to the same pages on a PC. I guess that means it's totally an iOS problem.
It's interesting though that none of the other iOS apps I've tried offer to save it either - Atomic Lite, Chrome, Dolphin and Opera. Unless each of these uses the same faulty API to determine whether to offer to save the password or not, there must be something different about the mailman page that's fooling them. Maybe the lack of a username field?
Can anyone confirm whether they've had the same experience? It's happening for me on two different servers, so I'm assuming it's universal.
Getting back to the original problem of the cookie expiring, I've now closed all the Safari tabs except the mailman one, and it has stayed logged in for over an hour, despite me using other apps in the meantime.
Prior to iOS7, my solution to the problem was to use chrome exclusively for this mailman page so I could have a single tab open in that app, while using many tabs in Safari. That stopped working with iOS7, but perhaps later minor iOS updates have fixed it. I'll go back to this method for a few days to check if it's working again.
Peter Shute
On 02/05/14 16:12, Peter Shute wrote:
On 6 Feb 2014, at 5:22 am, "Peter Shute" pshute@nuw.org.au wrote:
My experience with Firefox mostly on various Linux, Mac and Windows platforms is that it does not always offer to save passwords, particularly those from financial institution websites, but it does always offer to save Mailman passwords.
This can be because the web sites have a setting on the form: autocomplete="off". I know Safari honors this. I don't think Mailman uses this.
Firefox offers to save the passwords to the same pages on a PC. I guess that means it's totally an iOS problem.
It's interesting though that none of the other iOS apps I've tried offer to save it either - Atomic Lite, Chrome, Dolphin and Opera. Unless each of these uses the same faulty API to determine whether to offer to save the password or not, there must be something different about the mailman page that's fooling them. Maybe the lack of a username field?
Can anyone confirm whether they've had the same experience? It's happening for me on two different servers, so I'm assuming it's universal.
I use a password management plugin with Firefox (and IE8) and it does not handle the Mailman code well. I assumed it was because of the lack of a user field. I had the same problem when managing our VoIP PBX that only had a password field without a user name. When a recent upgrade included a user name field my problems went away.
-- Gary Algier, WB2FWZ gaa@ulticom.com +1 856 787 2758 Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054 Fax:+1 856 866 2033
Nielsen's First Law of Computer Manuals: People don't read documentation voluntarily.
On 6 Feb 2014, at 9:55 am, "Gary Algier" gaa@ulticom.com wrote:
Firefox offers to save the passwords to the same pages on a PC. I guess that means it's totally an iOS problem.
It's interesting though that none of the other iOS apps I've tried offer to save it either - Atomic Lite, Chrome, Dolphin and Opera. Unless each of these uses the same faulty API to determine whether to offer to save the password or not, there must be something different about the mailman page that's fooling them. Maybe the lack of a username field?
Can anyone confirm whether they've had the same experience? It's happening for me on two different servers, so I'm assuming it's universal.
I use a password management plugin with Firefox (and IE8) and it does not handle the Mailman code well. I assumed it was because of the lack of a user field. I had the same problem when managing our VoIP PBX that only had a password field without a user name. When a recent upgrade included a user name field my problems went away.
That's likely to be the reason then, but it doesn't explain why my Firefox does ask to save the password, without any plugins.
Peter Shute
On 02/05/2014 03:57 PM, Peter Shute wrote:
On 6 Feb 2014, at 9:55 am, "Gary Algier" gaa@ulticom.com wrote:
I use a password management plugin with Firefox (and IE8) and it does not handle the Mailman code well. I assumed it was because of the lack of a user field. I had the same problem when managing our VoIP PBX that only had a password field without a user name. When a recent upgrade included a user name field my problems went away.
That's likely to be the reason then, but it doesn't explain why my Firefox does ask to save the password, without any plugins.
I use Firefox on an Android phone and it quite happily saves Mailman's admin login passwords w/o a user field.
-- Mark Sapiro mark@msapiro.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
On 6 Feb 2014, at 11:03 am, "Mark Sapiro" mark@msapiro.net wrote:
I use Firefox on an Android phone and it quite happily saves Mailman's admin login passwords w/o a user field.
No such thing for iOS, unfortunately, although I'm betting all the other browsers available for Android will save a mailman password too.
I just tried the Mercury browser, on the grounds that its logo looks a bit like the Firefox logo, and it too doesn't ask to save it. It must be dependent on an iOS API.
Peter Shute
In case anyone's interested, I've "solved" this problem of Safari, etc, letting the cookie expire and logging out of the moderator page on the iPad by installing LastPass Tab. This is a password manager and, because of iOS restrictions that prevent an app from entering a password for another app like Safari, it contains its own browser.
I have saved a bookmark for my moderator page and edited it to save the password. Unfortunately the app needs to be logged in to access that password, which is stored in the cloud, and regularly logs itself out (and closes the web page), but it does allow me to save its own password, so a couple of taps get me back into the page.
Peter Shute
Sent from my iPad
On 6 Feb 2014, at 1:00 pm, "Peter Shute" pshute@nuw.org.au wrote:
On 6 Feb 2014, at 11:03 am, "Mark Sapiro" mark@msapiro.net wrote:
I use Firefox on an Android phone and it quite happily saves Mailman's admin login passwords w/o a user field.
No such thing for iOS, unfortunately, although I'm betting all the other browsers available for Android will save a mailman password too.
I just tried the Mercury browser, on the grounds that its logo looks a bit like the Firefox logo, and it too doesn't ask to save it. It must be dependent on an iOS API.
Peter Shute