
Thread: New ChiefTalk


  1. #1
    Join Date
    May 2003
    Posts
    3,113
    Quote: Originally Posted by Curtis Johnson
    Dan:

    I sure hope you fix whatever you changed with the new forum so that I can access it. I have tried everything I can think of and everything you suggested and I still can't access the site. My security is set at recommended levels and has worked fine for all I do wrt the Internet. I know it is likely something on my machine ... nevertheless, the new forum is the only Internet site that I have been unable to access in recent times. What is different about it vs. the existing Chief Talk site? I know others using FF are having no problems so I tried IE ... even put in the exceptions ... still no go. At this point, the change is not a good thing for me. Do I need to call TS and have someone walk me through a bunch of steps or procedures to troubleshoot the settings, etc. on my computer?
    The difference on the new site is our OAuth sign in implementation. In that implementation when we first get to the site we redirect your browser to the OAuth server to get a sign in token. Once we get there that server redirects back to our registered endpoint.

    Step 1) your browser hits forums.chiefarchitect.com

    a) Apache server redirects any http:// request to https:// request. This downloads our signed chiefarchitect public key certificate to your computer. For this reason you should ensure your date is set correctly. Make sure you can browse secure web pages. This is preferred because it encrypts your request data.

    b) The web page checks for SESSION information to see if the OAuth token and other information about your login is available. There are also cookies written to your system to let the software know if you are signed in and to identify you when you browse from one page to another. This is not different than most other web sites.

    c) If you don't have a token we redirect your browser to https://accounts-rp2.chiefarchitect.com with a request for a token. (clicking on this link should display a blank page with no errors) The token is used to request information and changes periodically to prevent forgeries by hackers. This site also uses a cookie to identify you and as well goes to https://login.chiefarchitect.com to find out if you are logged in or not.

    d) login.chiefarchitect.com also stores a cookie to know if you are logged in.

    Test1: Check to see if you can login to login.chiefarchitect.com

    e) accounts-rp2.chiefarchitect.com redirects your browser back to forums.chiefarchitect.com

    Step 2) We check to see if you have a user handle.

    a) If you don't have a user handle you get redirected back to https://login.chiefarchitect.com/edit/handle

    Test2: Check to see if you have a handle by clicking on the edit/handle link above while logged into chiefarchitect. If you get redirected you already have a handle. If not create one.

    Step 3) We use the token to securely request your user information between the two servers. This request takes place on a private cloud network so your information is not able to be seen on the internet. This does not affect your browser but if your browser does not store the SESSION information it could cause the redirection to start again as in step 1.

    Step 4) You are served up the web page. If you are logged in you see your user handle, if not you are in an anonymous session.

    Once you obtain log in status the server communicates every few seconds to verify you are still logged in. But this will not redirect your browser unless the SESSION information is lost.

    Things to check.

    Do you have any third party software that might affect network traffic or monitor your browsing?

    We talked about making sure you set firefox to allow cookies on all the sites above. If that is working correctly and you are also seeing the problem with IE or Chrome then you probably have some other firewall software that is causing the problem.

    Verify you are not blocking our security certificate. I doubt that's the problem since I don't think the symptom is correct.

    What I believe is happening is that you get into this loop:

    forums.chiefarchitect.com/index.php

    1) forums.chiefarchitect.com/caouauth/authenticate.php
    2) accounts-rp2.chiefarchitect.com
    3) forums.chiefarchitect.com/caoauthe/endpoint.php -> If SESSION data that was set initially is destroyed you may get redirected back to 1)
    4) forums.chiefarchitect.com/index.php -> If SESSION data saved at 3) is destroyed then we go back to 1)

    So far you are the only one reporting this problem, however, I will attempt to alter the code to catch this cyclic problem and give us some better information.

    Yep that's a confusing set of steps. It is however, the most secure way we know of to manage your private user information.
    Dan Park,
    Special Projects Director,
    Chief Architect
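
Added example, not part of the post above and not Chief Architect's code: a simplified Python model of the redirect loop described in the post, with a loop guard that carries an HMAC-signed attempt counter in the redirect URL rather than in SESSION, since SESSION is exactly what goes missing in this failure. `SECRET`, `MAX_ATTEMPTS`, the cookie value and all function names are hypothetical.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # hypothetical server-side secret
MAX_ATTEMPTS = 3                   # assumed limit before redirects stop

def sign(n: int) -> str:
    """Return 'n.mac' so the attempt counter needs no cookie to survive."""
    mac = hmac.new(SECRET, str(n).encode(), hashlib.sha256).hexdigest()[:16]
    return f"{n}.{mac}"

def verify(tok: str) -> int:
    """Return the counter from a signed token, or 0 if missing or altered."""
    n, _, _mac = tok.partition(".")
    if n.isdigit() and hmac.compare_digest(sign(int(n)), tok):
        return int(n)
    return 0

def forum_index(cookies: dict, attempts_tok: str = "") -> tuple:
    """Model of index.php: serve the page if SESSION survived, else redirect."""
    if cookies.get("SESSION") == "token-ok":
        return ("page", "")
    n = verify(attempts_tok)
    if n >= MAX_ATTEMPTS:
        # Break the cycle and report something a support engineer can act on.
        return ("error", "session cookie not returned by browser")
    return ("redirect", sign(n + 1))

def browse(store_cookies: bool) -> tuple:
    """Drive the authenticate -> accounts -> endpoint -> index round trip."""
    cookies, tok, hops = {}, "", 0
    while True:
        kind, value = forum_index(cookies, tok)
        if kind != "redirect":
            return (kind, hops)
        hops += 1
        tok = value                  # the counter rides along in the URL
        if store_cookies:            # endpoint sets SESSION and the browser keeps it
            cookies["SESSION"] = "token-ok"

if __name__ == "__main__":
    print("cookies kept:   ", browse(True))
    print("cookies dropped:", browse(False))
```
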

  2. #2
    Join Date
    Aug 1999
    Location
    Seattle 98199
    Posts
    1,180
    Thanks Dan. The more input on the new system, the better for us all.

    Ron Ravenscroft
    RAVENSCROFT ARCHITECTS, LTD.
    20611 N. 17th Way
    Phoenix, Arizona 85024
    623-434-0092 - 480-797-6894
    rrarchpa@cox.net or ron@raltd.net
    Version4 to X5 and beyond

 

 
