Safari keeps logging me out...

I'm wondering if anyone is seeing the logged out problem *not being* a 1Password user.

I've disabled the 1Password integration for now and I'm seeing the logged out problem a lot less (after deleting cookies as well). It's too soon to tell whether this is the solution which works for me, but it looks like 1Password is a possible culprit.

Are all posters in this discussion using 1Password?

My wife does not use 1Password. She has account on my MacBook Pro, but 1Password is not available for her account and Safari runs without 1Password extension. She still experiences random logouts.

As a matter of fact I use Chrome with 1Password extension installed. No logouts ever. There were no logouts running Firefox with 1Password either.

rushproject wrote:
As a matter of fact I use Chrome with 1Password extension installed. No logouts ever. There were no logouts running Firefox with 1Password either.

So am I. It's just happening with Safari. I still haven't experienced a logout since disabling 1Password, but as said: I'm still testing (and miss 1Password every single minute). Will report back later.

I'm also wondering why this seems to be happening to a relatively small set of users. This thread would have exploded if this has been happening for all Safari 5 users. There probably is something specific which all posters share, but I still haven't figured out what (that's why I'm currently investigating 1Password, since you mentioned the stock install with only 1Password installed). Make no mistake, if you seem to suffer from this bug it's extremely annoying.

jphorn wrote:

I'm also wondering why this seems to be happening to a relatively small set of users. This thread would have exploded if this has been happening for all Safari 5 users. There probably is something specific which all posters

1. I am heavy web browser user. All my daily workflow is web browser centric - I answer customer inquiries using multiple web based help desks, I manage billing using web based invoicing system, I develop web software, thus I test and debug it using web browser. As I already wrote, the more page loads Safari handles, the sooner it starts dropping transient cookies. Since I request more pages than an average user does, I see the logout problem more often.

2. It takes time to identify the problem. When you were logged out for the first time, did you blame the Safari? Most people probably do not blame the web site either. Just one of those software glitches, sign in back and keep browsing. In other words, to notice the problem one must experience it regularly. It must be promoted to a pattern from a random glitch status before somebody will start googling for solution.

The bottom line: most Safari users do not see the pattern, because the logouts are too rare and unrelated event for them. But try asking your fellow Safari users whether they started to experience random logouts during last few months. This innocent question may spur a lot of revelation moments :o)

Interesting. I'm monitoring this thread (I'm personally unable to reproduce). If anyone comes up with a pattern, I'll jump into analysis mode. Thanks for all of your help!

I promised an update re: whether 1Password could be a possible culprit. My conclusion is it's not. Without 1Password enabled I'm seeing the same random logouts as with 1Password. I was almost hoping 1Password would be the answer (cause we'd have a lead), but we just have to keep on guessing and hoping Apple is able to quickly fix this.

NP Complete wrote:
Interesting. I'm monitoring this thread (I'm personally unable to reproduce). If anyone comes up with a pattern, I'll jump into analysis mode. Thanks for all of your help!

I do not believe inability to reproduce the behavior may be used as an excuse for "not jumping into analysis mode" (do not take it personally, I am referring to the policies of the company you work for). Jumping into the analysis mode is long overdue, as the thread started almost 4 months ago and is 9 pages long with many people reporting the same problem, that supposedly (there may be other reasons, but this is what my web server log files reveal) is result of dropping transient cookies.

I believe Apple has all the information (change set number that introduced the problem and description of the problem - dropping transient cookies) required to identify the code to inspect.

Glad to see someone from home base monitoring this.

I am a web developer and noticed this problem happening so frequently I have had to switch to Firefox for debugging web apps because I get logged out of my own app so often. Sometimes immediately after login, other times it takes longer.

Based on some of the ideas in this thread, I think I am starting to narrow it down. It might have to do with # cookies per domain; we have a visitor monitoring thing based on cookies for our CRM. When I disabled it, logins seem to behave much better. Don't have enough evidence to be certain yet, but that's my current hunch.

This is going to be extremely hard to reproduce, especially since I am not sure how Safari's cookie limits work (per TLD, per subdomain, etc). Also this issue definitely only began after a pretty recent Safari update. Another developer working for us does not have the problem and he refuses to update his Safari for fear of this bug.

I am an experienced web developer and capable of inspecting HTTP headers and helping you figure this out, but there are just too many permutations for me to possibly figure it out based on my current understanding of Safari. I have already played around with it for hours trying to come up with a reproducible case, but there are just too many moving parts.

If you can give me a list of some of the magic cookie management that Safari does (max size of cookie, max # cookies per domain/tld) etc I can try to come up with a way to reproduce it. Someone also thought that it might have to to with a "malformed" date string in a cookie's expiration.

In any case the net effect is that the session cookie for a site disappears, thus breaking the logged-in state. I have verified for certain that the session on the back-end is still around and Safari just isn't sending the previous session cookie, causing the webapp to request a new login.

I would greatly appreciate any info you have on internal limits of Safari cookies that might help me create a reproducible case. This is truly a horrible problem. It's the worst bug in Apple software I've seen in a very long time.

Thanks in advance,
Alan

Installed Safari 5.0.1 last night and haven't been logged out of our websites (or others) ever since. It looks like 5.0.1 is the fix we've been crying for.

5.0.1 still have the same problem for me.

Same problem for me, too.

The 5.0.1 keeps dropping transient cookies.

The cookie limits are as given in http://www.ietf.org/id/draft-ietf-httpstate-cookie-10.txt

4096 k total for the 'Cookie:' header size

50 cookies per domain.

Past that, the oldest cookies will be dropped first.

I just spent a little time trying to reproduce it while using the "Storage" inspector to see if I crossed a 50-cookie or 4K boundary.

While I was able to reproduce the session drop, I never saw the cookie count go above ~30 or the largest cookie size go above ~300 bytes.

I also checked Console.app and while there are some Safari things logged, it never reports any cookie drops that I can see. Is there a way to turn up the verbosity so that it the cookie manager logs more info?

Also, one of the tracking apps we use on the site seems to go through a lot of cookies, so there is a possibility that a particular browsing session went through 50 distinct cookies, but never exceeded 50 *at once*. Could that possibly be a trigger?

Thanks in advance for your response.

Alan

{quote:title=NP Complete wrote:}
The cookie limits are as given in http://www.ietf.org/id/draft-ietf-httpstate-cookie-10.txt

4096 k total for the 'Cookie:' header size

50 cookies per domain.

Past that, the oldest cookies will be dropped first.
{quote}

Ok, I just spent a while surfing my site while logging all HTTP headers sent via Safari so that I could catch the exact moment that Safari didn't send the session cookie anymore.

In about 10 minutes of surfing, I'd say that I had about 5-6 "session failures". It took me several attempts to feel like I logged something useful, though. I know that this won't directly help you solve the problem, since it's only evidence that Safari in fact didn't send a session cookie when it should have (and thus caused the server to initiate a new session). But hopefully it will be proof enough of the problem for you that you can help me enable enough debugging information to learn how to create a reproducible test case for you.

So here is the HTTP headers that demonstrate the problem. Please note that I had been surfing around on this particular session for a good 2-3 minutes across 30+ page loads before this happened. Sometimes it will drop a session in as little as 1 additional request; other times it takes longer.

GET /www/img/pencil.png HTTP/1.1
Host: www.tourbuzz.net
If-Modified-Since: Tue, 11 May 2010 01:15:10 GMT
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10 64; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.1 Safari/533.17.8
Referer: http://www.tourbuzz.net/panel/customer
Cache-Control: max-age=0
If-None-Match: "d00878f-1db-41b4a380"
Accept: /
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Cookie: cm_vid%7C31=356310A2-6E12-44F8-A22A-06B9F8FD558A; cm_mid%7C31=; cm_campid%7C31=; cm_sid%7C31=4FC018C3-9C91-4B1A-9053-B9159F5B70B6; cm_lastActive%7C31=1280542176527; cm_vid%7C31=3C2ED67A-033E-44B7-A1B8-088CB433200D; PHPSESSID=jcjh9r8ru75k2c3k9ipne0tvj3; __utmb=111292417.99.10.1280540105; __utmc=111292417; __utma=111292417.513372800.1259941254.1280430623.1280540105.272; __utmz=111292417.1271190255.133.2.utmcsr=staging.tourbuzz.net|utmccn=(referral) |utmcmd=referral|utmcct=/public/vtour/display/7804; _gads=ID=e6d5ad8f9e30290f:T=1260844098:S=ALNIMYw13rlXpMbNC-1uryeuQw-7Mv1qA
Connection: keep-alive

+NOTE: Upon page load, Safari Debug Console "Storage > Cookies" reports same session id
The above request was for an image from the previous page... the next request is a new "page" load, and there is no longer the PHPSESSID cookie in the request header (this is the alleged Safari bug) +

GET /panel/customer/edit/675 HTTP/1.1
Host: www.tourbuzz.net
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10 64; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.1 Safari/533.17.8
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/pn g, /;q=0.5
Referer: http://www.tourbuzz.net/panel/customer
Accept-Language: en-us
Accept-Encoding: gzip, deflate
+Cookie: cm_vid%7C31=356310A2-6E12-44F8-A22A-06B9F8FD558A; cm_vid%7C31=356310A2-6E12-44F8-A22A-06B9F8FD558A; cm_vid%7C31=356310A2-6E12-44F8-A22A-06B9F8FD558A; cm_vid%7C31=356310A2-6E12-44F8-A22A-06B9F8FD558A; cm_mid%7C31=; cm_campid%7C31=; cm_sid%7C31=4FC018C3-9C91-4B1A-9053-B9159F5B70B6; cm_lastActive%7C31=1280542181206; cm_vid%7C31=3C2ED67A-033E-44B7-A1B8-088CB433200D; cm_mid%7C31=; cm_campid%7C31=; cm_sid%7C31=4FC018C3-9C91-4B1A-9053-B9159F5B70B6; cm_lastActive%7C31=1280542176527; cm_vid%7C31=3C2ED67A-033E-44B7-A1B8-088CB433200D; __utmb=111292417.99.10.1280540105; __utmc=111292417; __utma=111292417.513372800.1259941254.1280430623.1280540105.272; __utmz=111292417.1271190255.133.2.utmcsr=staging.tourbuzz.net|utmccn=(referral) |utmcmd=referral|utmcct=/public/vtour/display/7804; _gads=ID=e6d5ad8f9e30290f:T=1260844098:S=ALNIMYw13rlXpMbNC-1uryeuQw-7Mv1qA+
Connection: keep-alive

+NOTE: the server noticed the lack of the session cookie and issued a 302 to the login page; that request is now seen below, note the new session id issued by the server:+

GET /login/promptLogin/L3BhbmVsL2N1c3RvbWVyL2VkaXQvNjc1 HTTP/1.1
Host: www.tourbuzz.net
Accept-Encoding: gzip, deflate
Accept-Language: en-us
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10 64; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.1 Safari/533.17.8
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/pn g, /;q=0.5
Referer: http://www.tourbuzz.net/panel/customer
Cookie: cm_vid%7C31=356310A2-6E12-44F8-A22A-06B9F8FD558A; cm_vid%7C31=356310A2-6E12-44F8-A22A-06B9F8FD558A; PHPSESSID=1i4nkajvqso850h0cba9ce9rl1; cm_mid%7C31=; cm_campid%7C31=; cm_sid%7C31=4FC018C3-9C91-4B1A-9053-B9159F5B70B6; cm_lastActive%7C31=1280542176527; cm_vid%7C31=3C2ED67A-033E-44B7-A1B8-088CB433200D; __utmb=111292417.99.10.1280540105; __utmc=111292417; __utma=111292417.513372800.1259941254.1280430623.1280540105.272; __utmz=111292417.1271190255.133.2.utmcsr=staging.tourbuzz.net|utmccn=(referral) |utmcmd=referral|utmcct=/public/vtour/display/7804; _gads=ID=e6d5ad8f9e30290f:T=1260844098:S=ALNIMYw13rlXpMbNC-1uryeuQw-7Mv1qA
Connection: keep-alive

----------

I hope that this log may possible shed some light on the issue for you. Please let me know how I can be of further assistance.

Also, note that I think maybe all session cookies are dropped when this happens; I often notice that when I get logged out in one tab from this "bug", when I go to other tabs and continue to browse I am usually asked to re-auth on those completely different web sites as well.

Message was edited by: Alan Pinstein