[DigitalPoint] App for Cloudflare® 1.9.1.1

[Kirby]

Here is a screenshot showing the entire requests from login to error, including the keep-alive response that even shows my user id



Network tab cleared, page reloaded

 

[Deleted member 184953]

After installing the latest version, removing page rules, adding cache rules and enabling guest cache I can no longer accept cookies as a guest.

Disabling Cache pages for guests remove the error.

 

[digitalpoint]

After installing the latest version, removing page rules, adding cache rules and enabling guest cache I can no longer accept cookies as a guest.

View attachment 279876

View attachment 279878

View attachment 279877

Ya, I'm seeing that now (I don't use the cookie consent anywhere). It looks like particular link works differently than all other requests in XenForo (probably because it has to do with cookie consent, so it's not assuming the user has support for cookies). I guess for the time being, disable the cache. Going to see if there's a way around it on this end.

 

[CedricV]

[DigitalPoint] Cloudflare

turns out it did get enabled! (not yet ready to pay 20 dollars to get this issue investigated by them lol) i suppose the only way to find out if it's working is to wait for new content and then load pages that should show those updated posts?

xenforo.com

My reply is being overlooked.

 

[Deleted member 184953]

My reply is being overlooked.

Update to the latest version: 1.5.0.1

 

[digitalpoint]

Here is a screenshot showing the entire requests from login to error, including the keep-alive response that even shows my user id

View attachment 279879

Network tab cleared, page reloaded
View attachment 279880

Ya, everything there looks normal (the DevTools stuff). max-age=1 is telling your browser not to keep the page in it's local cache for more than 1 second, and if an actual underlying request goes out to Cloudflare to fetch it, that request is going to have the xf_user cookie, so Cloudflare shouldn't serve you a cached version there either.

Not really sure what's going on (I haven't been able to replicate it yet on my end).

 

[digitalpoint]

Update to the latest version: 1.5.0.1

Correct... the 1.5.0.1 version fixes it for accounts that have never done anything with Cache Rules.

 

[Kirby]

that request is going to have the xf_user cookie, so Cloudflare shouldn't serve you a cached version there either.

You are on the right track, keep investigating

 

[Chromaniac]

so i am not seeing any issues with the older cookie banner (i am on an old xenforo build). but it is definitely fun logging in and out. i end up seeing guest view after logging in and logged in view after logging out especially on the homepage.

 

[digitalpoint]

You are on the right track, keep investigating

Well until I can replicate it, not sure if I can fix it. Are you doing anything non-standard somehow (like not sending cookies with your request)?

 

[CedricV]

Thanks, that fixed the Rules part.

And in Access

10000: Authentication error

Did I do something wrong there ?

 

[Kirby]

No, I am not doing anything a normal user couldn't do with a vanilla browser (no browser Add-ons, DevTools, Firewall, Anti-Virus, Pihole, etc. involved) - just a normal login by entering username and password and doing clicks on the login form.

 

[digitalpoint]

No, I am not doing anything a normal user couldn't do with a vanilla browser (no browser Add-ons, DevTools, Firewall, Anti-Virus, Pihole, etc. involved) - just a normal login by entering username and password and doing clicks on the login form.

What browser/version/operating system are you using? I'll keep trying to replicate it, but so far nada.

 

[Kirby]

Doesn't really matter (will happen with any Browser / OS), but:

OS
Windows 10 Pro 22H2 Build 19045.2486

Browsers
Chrome 108.0.5359.125
Edge 108.0.1462.76
Firefox 108.0.2
Opera 94.0.4606.38

(all 64Bit)

 

[digitalpoint]

Thanks, that fixed the Rules part.

And in Access

10000: Authentication error

Did I do something wrong there ?

Do you have all the necessary permissions for your API Token? There should be 14 (should correspond to what it shows in XF Admin -> Options -> External service providers under Cloudflare authentication.

My guess is your token is missing the permissions related to Access.

 

[digitalpoint]

Doesn't really matter (will happen with any Browser / OS), but:

OS
Windows 10 Pro 22H2 Build 19045.2486

Browsers
Chrome 108.0.5359.125
Edge 108.0.1462.76
Firefox 108.0.2
Opera 94.0.4606.38

(all 64Bit)

Do you have a different cache/proxy you are going through by chance? Maybe a proxy through your upstream ISP that isn't doing what it's supposed to be doing with Cache-Control headers somehow? Honestly not sure at this point.

I've not been able to get it to happen on the latest versions of Chrome, Safari, Firefox on macOS, iOS or Linux. I haven't dug up the Windows machine yet, but I doubt it's going to be something Windows-specific.

 

[Deleted member 184953]

What browser/version/operating system are you using? I'll keep trying to replicate it, but so far nada.

Just register to your site I/O labs, i can't log out.
I had the same message as @Kirby the user has changed...

And now if i click on my username i have this error and the menu doesn't open.

 

[Kirby]

Do you have a different cache/proxy you are going through by chance? Maybe a proxy through your upstream ISP that isn't doing what it's supposed to be doing with Cache-Control headers somehow? Honestly not sure at this point.

No, no other proxy is invloved.

I've not been able to get it to happen on the latest versions of Chrome, Safari, Firefox on macOS, iOS or Linux. I haven't dug up the Windows machine yet, but I doubt it's going to be something Windows-specific.

Correct, its' not Windows-specific - it happens with any browser (at least I think so, I haven't actually tested this or looked at your code).

 

[digitalpoint]

Update to the latest version: 1.5.0.1

So ya... from the looks of it, XenForo is doing csrf tokens different for a few URLs in the misc route. From the bit I skimmed, it's the new cookie consent thing and also language/style selectors. And XenForo's own internal function to update csrf tokens don't get applied in those cases.

I'm on the fence if it's a XenForo bug or not... because like I said, XenForo's own system for updating csrf tokens is not updating them in those places for some reason.

 

[Deleted member 184953]

I'm still logged in this page https://iolabs.io/
But i'm logged out to all others pages...