Partial fix Kiwi browser and xenforo 2.2

[Rhodium]

Affected version

2.2 beta6

I upgraded to xenforo 2.2 and some guy reported that can't log with kiwi browser: https://play.google.com/store/apps/details?id=com.kiwibrowser.browser

Its based in chromium so i don't know why. Default settings and nothing blocked:



I tested in xenforo 2.1 board with no problems, just 2.2

 

[smozgur]

Same for Safari on Mac.
However only happens if you click a link an XenForo forum link, i.e. Google Search.

What I keep doing is:

• Copy the URL when this happens - all the time recently.
• Click on "here" as it asks (or any other link in XenForo except Login since it shows the same alert at the top).
• Once I see my name on the toolbar, I paste the URL I just copied, and it is done.

It is most likely confused cookie or cookie path, but it would be really bad if same thing happens when we update to XenForo 2.2. We will either have to change the cookie name or ask everybody to clear their cookies (or likely log out and log in back). Neither sounds good.

Edit: Log out - log in doesn't work.

 

[Mike]

I can reproduce an issue with Kiwi browser, though it doesn't seem to manifest as in the screenshot. It just seems to refresh the page, I presume after the login submission happens. Normally I'd suggest this is a cached page but I think it might not be accepting the cookies, though I haven't had an opportunity to debug it (I don't know if I can debug it like Chrome on Android; if not, that will be a more problematic).

In terms of the Safari report, I tried that here and couldn't reproduce anything.

 

[Rhodium]

it doesn't seem to manifest as in the screenshot

The screenshot is after the failed login and clicking login again.

 

[Mike]

So this is a bug in Kiwi browser. There's been an open bug report relating to its incorrect SameSite cookie support for over a year:

SameSite cookies missing from HTTP requests (includes reduced test-case) · Issue #134 · kiwibrowser/src.next

There is a bug in Kiwi Browser with the handling of SameSite cookies: SameSite cookies are missing from HTTP requests sent by Kiwi. I've created a reduced test-case. How to reproduce: Open https://...

github.com

We intentionally made XF's cookies SameSite=Lax in 2.2 as Chrome has done implicitly (and Firefox is following suit). We haven't seen any issues from Chrome's change. However, here's an example of it failing in a Chromium-based browser and there don't appear to be any user agent indications that we could really detect (Kiwi appears to be Chrome 77 currently which is old, but also a version that is documented to support SameSite=Lax cookies).

We have actually managed to reproduce the Safari issue (this one is related: https://xenforo.com/community/threads/half-logged-out-overnight-on-ios.185169/) and it also appears to be related to SameSite cookies. There were some known issues with SameSite=None cookies in Safari, so it's not clear what the specific Safari issue is here yet.

Unfortunately though, this means that at least currently, we're rolling back our SameSite=Lax default. It may be possible to reapply it with user agent sniffing, though for the most popular browser (Chrome), it's essentially applied anyway.

I'm going to tag this as a partial fix mostly because it's quite explicitly a browser bug, but we are making some changes -- though mostly because of Safari as that applies to all of iOS (and some macOS users).

 

[Overscan]

I have a stubborn user insisting on using an old Webkit-based browser (Maxthon 4.9) and he has similar issues.

 

[Chris D]

We'll be more stubborn Unfortunately it's just not practical to support a browser this old, especially with something like a very old version of WebKit which has progressed so much further in this time.



FWIW I suspect their issue would be different to this as we did have to rowback on the changes that caused this bug report. You may want to open a new bug report and provide some more details but given it's a very old browser we may not be able to do anything, but the information about the issue may be useful nonetheless.