I know it's not ideal, but I fully understand the whole situation. Let's focus on making Mbin better for the existing users who are now experiencing CSRF or log-out problems. Hopefully after that, we can focus on improving anti-spam (since hcaptcha is not preventing any spam accounts for some unknown reason).
Maybe even considering additional an optional question? With only 1 correct answer. Or maybe even enforce 2FA.. I dunno.. But spam is getting out of control. Coincidence due to the rise of LLMs? Who knows. But anti-spam like hCaptcha, even set to "difficult" doesn't seem to cut it anymore...
What works for me on both mastodon and Lemmy is a free text question: why do you want to join?
The user enters whatever they like and it goes into a moderation queue. Both lemmy and mastodon send me an email when a new account is ready to review.
I read the response and choose to whether to approve their account. At the moment, spammers are really bad at answering the “why do you want to join” questions.
The main thing I experience since the CDN update is that voting often ends up in an error page, similar to how adding comments sometimes directs you to a secondary page (luckily with the comment intact). Going back and trying to vote again may or may not work.
I did not have that 3 weeks ago though, and they're not 500s - at least they're not displayed as that. I get pages like this one: https://fedia.io/ecv/7319083/-1
I've noticed recently that I'm getting errors trying to vote on any posts in a discussion I've had open for more than maybe a minute (I haven't actually timed it). I don't remember it from before these issues, but I also switched to this instance just before. Might it be related?
It might only be with certain instances. I just noticed it wasn't happening on a lemmy.world post I'd had open for a while. It could also have been something temporary. I'll try to sport/report any patterns.
Normally, if I refresh a page once and immediately vote, it works. In this case, it has never worked.
This happens periodically and it does not seem to be specific to any instance (I've seen across posts from several both in terms of the OP or the instance of the commenter).
My gut says potentially issues with timezone somewhere and my offset (UTC+9) is potentially far enough out that it's an issue. I have no evidence for that. Looking at the request and response in dev tools hasn't yielded anything particularly useful so far as I can tell.
We need server error logs. So when such a problem happens. And you can fully replicate the issue. I hope you can test it with @jerry and see if there is some error log at the server side happening as well.
That allows us (developers) to find hopefully the root-cause of this issue. If it's still present.
Y'all are great. Feel free to ask if you need me to try anything. I haven't touched PHP in years, but I am a software engineer, so feel free to be as technical as you'd like.
We can definitively use more developers. We are currently with only two: me and bentigorlich (recently debounced left as well as e-five). I also didn't use Symfony (the PHP framework behind it), but I now also got those skills in place.. So no worries, we are happy to help you. You can join us at Matrix, so it's easier to chat and discuss: Mbin Matrix space. I hope to see you there!
This annoys me about the fediverse - people take a chance on coming here and then repeatedly get left in the dark when their instance is shut down. That's why I was so very happy when you and others helped me get fedia.io back to healthy.
Still getting it very frequently. Sometimes no amount of refreshing will allow me to vote on something. Here's the latest URL: https://fedia.io/ef/1184232?choice=1
For now try Firefox or a fork: Floorp, LibreWolf, etc. I heard that works better.. I know this isn't the solution, but that is the best workaround atm.
Most interesting: the problem had only been happening on MS Edge on my laptop. I have been using safari on my phone without issue. Just a bit ago, i refreshed the page and now every time I revisit the site, I have to log back in, just like on Edge. It’s like the old session expired and the new ones aren’t sticking. I’ll try FF on my phone.
Note: even in the time I started typing this reply to when I hit the “add comment” button, I got logged out
I have so many errors in prod.log that it's hard to tell for certain, but when I try to filter out those that are associated with failed federation events, that seems to be when I'm left with. I am trying again to see if I can confirm
If you want to know.. We did try to clean-up all those errors/warnings from the log and fix some of the issues in the main branch: https://github.com/MbinOrg/mbin/commits/main/.. We are not there yet obviously. But 1.7.x is now focusing on making Mbin more stable. @BentiGorlich is helping out as well here.
ok - I just had it happen again while looking at logs. interestingly, there was NOT a CSRF log when that happened. There were a bunch of other errors, but enough that I could look through all of them and see that they were all related to activitypub issues - signaturevalidator and the like
I really hope it's not a session issue with Valkey or something (I don't think so..). We are now just going deep into this issue I think. Both sessions & csrf. Since I notice already some weird config issues with csrf forms
The tokens used for CSRF protection are meant to be different for every user and they are stored in the session. That's why a session is started automatically as soon as you render a form with CSRF protection.
Moreover, this means that you cannot fully cache pages that include CSRF protected forms. As an alternative, you can:
Embed the form inside an uncached ESI fragment and cache the rest of the page contents;
Cache the entire page and load the form via an uncached AJAX request;
Cache the entire page and use hinclude.js to load the CSRF token with an uncached AJAX request and replace the form field value with it.
Or remove.. CSRF protection and keep the cache.. It's a trade-off.. @jerry How much protection does CSRF on these forms really gives the user? I'm "just" the software engineer, you are the SecOps expert here... I mean how likely is it really that sites are doing a Cross-Site Request Forgery ...
it's hard to make a blanket statement, because it depends on the details of the application. CSRF attacks are definitely real and common, but using csrf tokens isn't critical in every application. For example, I think we have CORS headers enabled, I don't think we have functionality that allows embedded iframes, but we do allow links - if we have administrative functions that can be triggered solely with GET parameters, then someone could trick an administrator into doing something that caused damage by clicking on a link in a post. The only one that would obviously work that I can see is "logout", which would be annoying, but not world ending, and would work for everyone, not just administrators.
Thanks. I see. I do see the importance for login & logout forms having CSRF. But it does seems a bit overkill to have it on upvotes, boost and alike.. I could be wrong.
Could you join the conversation here? https://github.com/MbinOrg/mbin/pull/1130. We really are trying hard to debug this issue. Both CSRF form issue as well as log out issue.
I will also note that there are three patterns when I post a comment that may or may not be related:
it just publishes when I hit the button
I hit the button, it thinks for a second, and then the button is intractable again. Pushing it again works so far in every case (i.e. it seems something goes wrong but no UI error. I haven't had dev tools open to see what happens there. This feels like it took to long for me to reply in some cases, but not all).
I hit post and get moved to a new page which is just my post with a preview. I'm not sure if this is just how it works with certain sites or something or also related.
Being a slow peep, & also not previously paying any attention to #kbin / #mbin til last week, i then "discovered" Fedia.io [having no idea at all it was another of your babies]. As i read thru the various admin info for users pages, i thought "hey, this all seems quite familiar, has someone copied Jerry's words from `infosec.exchange'?" Then, soon after, i realised my ignorance. I've not yet tried to sign up coz i still dunno if i "need" it, alongside / instead of my existing #Friendica & Masto accounts, but clearly based on your post here, if i do later decide to try it, i'll need to remember this new status.
Howdy! Mbin (and lemmy) are very different things. It’s sort of like the difference between Twitter and Reddit. You can sort of interact back and forth, but to get the full experience, you have to either be on a lemmy or mbin (or piefed) instance.
@jerry Fair enough. Any "decision" i end up making on this is a low-priority thing, but from my initial looking at your instance the other night, i suspect i'm prolly leaning towards not bothering... not as any slight against your fine work, but simply coz i'm not sure that i like the UI & its tools [compared to Friendica & even Masto]. Also, given that as a lot of my posts, & fav interlocutors' posts, regard #AusPol, my initial keyword search for that #hashtag there were rather underwhelming.
You don't search for hashtags on a content aggregator like this (Lemmy itself didn't even support hashtags until very recently), but for communities / magazines that fit your needs that you subscribe to for a more personalized feed (I'd use external search tools to find communities though, as mbin's magazine search can only find what's already federated) - or just browse /all and let whatever is federated hit you.
I'm not sure where the guys are right now or if you still having that issue but it is likely related to the CDN news from a few days ago, which seems to be the cause for some other issues too.
Did this break federation with lemmynsfw? I just noticed a lack of certain posts on /all, and after double checking it seems there hasn't been anything federated for 4 days. https://fedia.io/d/lemmynsfw.com/
Assuming Cloudflare counts as a CDN, then kbin.earth is also behind one. It's always been behind Cloudflare, but only recently (a few months ago) have I taken advantage of it's caching and security layers.
/m/fedia is sort of like announcements and discussion for fedia.io itself, not so much for general discussions. You can use Lemmy Explorer to find communities that might be more relevant, though unfortunately it doesn't currently seem to index mbin, just lemmy and some old kbin stuff.
Seconded. I would rather default sort by old and read discussions in order and manually switch to new if/when I come back to the same discussion later.
fedia
Active
This magazine is from a federated server and may be incomplete. Browse more on the original instance.