Warframe Forums Website (2 Things)

[Probably_Asleep]

Okay so two things:

1. There's a thread that I told VibingCat I would respond to, but I can't post there. I'm mainly curious more than anything else, does anyone know why some threads are un-respondable? Here's the thread:Am I the only one that can't post here? Or is it locked down entirely? I'm wondering if it's because it's a PC Bug Report and my account is through the Nintendo Switch platform.
   
   
    
2. This has been bothering me for a while now, but has anyone else noticed that your notifications get updated even when you've been logged out? Let's say you post something on a Friday and then close the browser, you get auto-logged-out by Saturday, someone quotes you on Sunday, and then you look at the forums again on Monday.
   1. You'd think, under that scenario, that you wouldn't see the "someone quoted you" notification icon on Monday, right? You're logged out after all.
   2. But I can see it. I can see that I've got new notifications and only after I try to follow the link am I asked to log back in.

#2 may seem like it doesn't matter. I mean, who cares if you get some account data leaking through after you've been logged out? But it's concerning for two reasons:

1. While very unlikely, there are still some situations where someone might see this as a violation of privacy. (The following is strictly hypothetical and to my knowledge has not happened) Let's say you have a couple who both play Warframe and share a family computer. Now let's say that one of the members of that couple has betrayed the trust of the partner by showing too much interest in another player on Warframe. The couple fights, they reconcile, and the betrayer promises to stop communicating with the other player. Then the betrayed hops on the family computer and sees that the betrayer (who was sure they had logged out) got a notification that the other player has quoted them or sent them a private message. A new fight begins. Wouldn't the betrayer feel like the website let them down in that case? Shouldn't a log out be the end of availability for all personal information, regardless of how insignificant that information may seem?
2. There has to be some level of authorization allowed between the browser and the website server for this information to get served back to the client. If I were a White-Hat hired to perform a Pen-Test on this website, I'd cite the leakage of account-locked information being made available to an unidentified user as a potential vulnerability that Black-Hats would be interested in probing further.

[NecroPed]

I always assumed it was because of the platform the account is linked to, since bugs are often system specific. But seeing that post theres an xbox account commenting there so I'm not sure now. 

I can still comment there too and checked some playstation posts and I could comment so my assumption doesn't seem to be correct 

 

[Probably_Asleep]

1 hour ago, NecroPed said:

I always assumed it was because of the platform the account is linked to, since bugs are often system specific. But seeing that post theres an xbox account commenting there so I'm not sure now. 

I can still comment there too and checked some playstation posts and I could comment so my assumption doesn't seem to be correct 

 

You can post on it!? Okay now I'm really weirded out. I don't think my account is banned (I started this thread after all).

[NecroPed]

21 minutes ago, (NSW)Probably_Asleep said:

You can post on it!? Okay now I'm really weirded out. I don't think my account is banned (I started this thread after all).

Yep, I don't think its an issue with being banned because I have experienced this with other posts and its always console posts when it happens for me. So there's definitely something going on, I'm just not sure if its a simple issue. 

[Probably_Asleep]

1 hour ago, NecroPed said:

Yep, I don't think its an issue with being banned because I have experienced this with other posts and its always console posts when it happens for me. So there's definitely something going on, I'm just not sure if its a simple issue. 

Very interesting. Thanks for the info!

[quxier]

5 hours ago, (NSW)Probably_Asleep said:

•  
• This has been bothering me for a while now, but has anyone else noticed that your notifications get updated even when you've been logged out? Let's say you post something on a Friday and then close the browser, you get auto-logged-out by Saturday, someone quotes you on Sunday, and then you look at the forums again on Monday.
  1. You'd think, under that scenario, that you wouldn't see the "someone quoted you" notification icon on Monday, right? You're logged out after all.
  2. But I can see it. I can see that I've got new notifications and only after I try to follow the link am I asked to log back in.

I don't think it's "notification getting updated while logged out". It's just this forum is VERY BAD and just for some reason log out you at random times. I've been logged out while writing post. It's BAD standard for free software... which Invision isn't (a free software). I've been posting/answering about "login issues" or other stuff for ages but those are ignored (how could you call it?).

[Probably_Asleep]

1 hour ago, quxier said:

I don't think it's "notification getting updated while logged out". It's just this forum is VERY BAD and just for some reason log out you at random times. I've been logged out while writing post. It's BAD standard for free software... which Invision isn't (a free software). I've been posting/answering about "login issues" or other stuff for ages but those are ignored (how could you call it?).

I'm glad to hear I'm not the only one experiencing website weirdness. I could see it being something like the website "forgets" to log me out and then shows me my notification info when I first get back on, and then as soon as I interact with that UI it's like: "Hey! Aren't you supposed to be logged out?"

I was worried that it might be something like the site stores a session cookie on my client, and the server can use that session token for some API calls even after it's supposedly expired. But only when certain endpoints get called does the token's expiration date actually get evaluated and deleted on the server. (Because if that's the case, then someone could start to experiment with what endpoints are and are not locked by authentication and potentially find a way to query server data without requiring valid or traceable credentials)

[NecroPed]

30 minutes ago, (NSW)Probably_Asleep said:

I'm glad to hear I'm not the only one experiencing website weirdness. I could see it being something like the website "forgets" to log me out and then shows me my notification info when I first get back on, and then as soon as I interact with that UI it's like: "Hey! Aren't you supposed to be logged out?"

I was worried that it might be something like the site stores a session cookie on my client, and the server can use that session token for some API calls even after it's supposedly expired. But only when certain endpoints get called does the token's expiration date actually get evaluated and deleted on the server. (Because if that's the case, then someone could start to experiment with what endpoints are and are not locked by authentication and potentially find a way to query server data without requiring valid or traceable credentials)

I'm not sure if this is account based, I'm really not sure (just putting some info out from my point of experience) but I think it might just be browser based (like stored cookies or the functions of the webpage still functioning without an active connection to an account or something), I get notifications on my PC on pages I've left open after viewing the notification on my phone, which should surely clear the notification since I am still currently logged in on mobile, it has cleared the notification on my mobile, I have not been logged out of mobile, so as far as my account is concerned, the notification is gone and has worked perfectly fine. But, upon returning to my PC hours later, I have the notification, and haven't been logged out on PC, but upon refreshing the browser my notifications become updated to what they were currently showing as on my phone. I'm no expert, but I feel like it could just be from cookies or something, like the websites code functions without the connection to the account because the information/code to notify you is still technically there in the webpage.

Edited August 30, 2023 by NecroPed

[quxier]

12 hours ago, (NSW)Probably_Asleep said:

14 hours ago, quxier said:

I don't think it's "notification getting updated while logged out". It's just this forum is VERY BAD and just for some reason log out you at random times. I've been logged out while writing post. It's BAD standard for free software... which Invision isn't (a free software). I've been posting/answering about "login issues" or other stuff for ages but those are ignored (how could you call it?).

I'm glad to hear I'm not the only one experiencing website weirdness. I could see it being something like the website "forgets" to log me out and then shows me my notification info when I first get back on, and then as soon as I interact with that UI it's like: "Hey! Aren't you supposed to be logged out?"

I think it's more like they set cookie when you log in with end date but don't care to check it unless you do certain action like posting.

[Tiltskillet]

20 hours ago, (NSW)Probably_Asleep said:

Am I the only one that can't post here? Or is it locked down entirely? I'm wondering if it's because it's a PC Bug Report and my account is through the Nintendo Switch platform.

That's exactly it.   I'm on PC, so all the console subforums are view-only for me.

 

[Probably_Asleep]

On 2023-08-29 at 10:05 PM, NecroPed said:

I'm not sure if this is account based, I'm really not sure (just putting some info out from my point of experience) but I think it might just be browser based (like stored cookies or the functions of the webpage still functioning without an active connection to an account or something), I get notifications on my PC on pages I've left open after viewing the notification on my phone, which should surely clear the notification since I am still currently logged in on mobile, it has cleared the notification on my mobile, I have not been logged out of mobile, so as far as my account is concerned, the notification is gone and has worked perfectly fine. But, upon returning to my PC hours later, I have the notification, and haven't been logged out on PC, but upon refreshing the browser my notifications become updated to what they were currently showing as on my phone. I'm no expert, but I feel like it could just be from cookies or something, like the websites code functions without the connection to the account because the information/code to notify you is still technically there in the webpage.

That would (at least to me) indicate that the website on the browser side isn't "checking in" with the server. I mean, it obviously does to an extent because an active session will notify you when interactions happen. But based on what you're saying it looks like it checks for additions to events without checking for subtractions from events.

 

On 2023-08-30 at 10:39 AM, quxier said:

I think it's more like they set cookie when you log in with end date but don't care to check it unless you do certain action like posting.

I think that's a good assessment. I can see that.

 

On 2023-08-30 at 11:07 AM, Tiltskillet said:

That's exactly it.   I'm on PC, so all the console subforums are view-only for me.

Thanks! Kind of weird, but at least that's an answer. I guess it sort of makes sense, but I'd personally think it would be more informative to have threads open to everyone. The bug report sections on new releases like Duviri are platform-agnostic for that very reason. ...Actually now that I'm writing it out, I realize that the new releases are after Cross-Play, whereas the more classic bug report system was included in the forums before Cross-Play.