1
Fedia.io instability
(fedia.io)
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 19 Aug 2024
1 points (100.0% liked)
Fedia Discussions
1 readers
10 users here now
founded 1 year ago
MODERATORS
I moved fedia.io away from fastly. I have a nagging feeling it has something to do with fastly. Can you let me know if you continue to see this?
Still getting it very frequently. Sometimes no amount of refreshing will allow me to vote on something. Here's the latest URL: https://fedia.io/ef/1184232?choice=1
For now try Firefox or a fork: Floorp, LibreWolf, etc. I heard that works better.. I know this isn't the solution, but that is the best workaround atm.
Most interesting: the problem had only been happening on MS Edge on my laptop. I have been using safari on my phone without issue. Just a bit ago, i refreshed the page and now every time I revisit the site, I have to log back in, just like on Edge. It’s like the old session expired and the new ones aren’t sticking. I’ll try FF on my phone.
Note: even in the time I started typing this reply to when I hit the “add comment” button, I got logged out
That is really bad indeed. And the only error you see on the server side is only "Invalid CSRF token"?
ok - I just had it happen again while looking at logs. interestingly, there was NOT a CSRF log when that happened. There were a bunch of other errors, but enough that I could look through all of them and see that they were all related to activitypub issues - signaturevalidator and the like
I really hope it's not a session issue with Valkey or something (I don't think so..). We are now just going deep into this issue I think. Both sessions & csrf. Since I notice already some weird config issues with csrf forms
FYI. Reading: https://symfony.com/doc/7.2/security/csrf.html#installation
So we might cache too much in Mbin.. Including the comments (vote forms)... oopsy?
Or remove.. CSRF protection and keep the cache.. It's a trade-off.. @[email protected] How much protection does CSRF on these forms really gives the user? I'm "just" the software engineer, you are the SecOps expert here... I mean how likely is it really that sites are doing a Cross-Site Request Forgery ...
it's hard to make a blanket statement, because it depends on the details of the application. CSRF attacks are definitely real and common, but using csrf tokens isn't critical in every application. For example, I think we have CORS headers enabled, I don't think we have functionality that allows embedded iframes, but we do allow links - if we have administrative functions that can be triggered solely with GET parameters, then someone could trick an administrator into doing something that caused damage by clicking on a link in a post. The only one that would obviously work that I can see is "logout", which would be annoying, but not world ending, and would work for everyone, not just administrators.
Thanks. I see. I do see the importance for login & logout forms having CSRF. But it does seems a bit overkill to have it on upvotes, boost and alike.. I could be wrong.
I have so many errors in prod.log that it's hard to tell for certain, but when I try to filter out those that are associated with failed federation events, that seems to be when I'm left with. I am trying again to see if I can confirm
Do you have 2FA enabled?
I do not have 2fa turned on right now.
OK, that rules out at least the 2FA code. Thanks for letting me know. So what is your password ;P?
Indeed. I am trying to get it to happen again now that I’ve got the logs filtered down to a manageable level.
If you want to know.. We did try to clean-up all those errors/warnings from the log and fix some of the issues in the main branch: https://github.com/MbinOrg/mbin/commits/main/.. We are not there yet obviously. But 1.7.x is now focusing on making Mbin more stable. @[email protected] is helping out as well here.