Bug: Forum/Site SSL Issue

  • The Problem


    As a forum user, when visiting the site, occasionally a "your session has expired, please log in again" message appears. This is a protocol error, resulting in a mismatch of secure cookies and using the HTTP protocol.


    System


    OS X 10.11.4
    Chrome 51.0.2704.36 beta (64-bit)


    Problem


    In all cases, doing things to interact with the website beyond normal browsing and reading results in the following modal error dialog box: Your session expired, please login again.


    Some of those cases where the problem occurs (at least that I have encountered):


    1. Clicking the Notifications toolbar menu
    2. Trying to post a new thread
    3. Trying to post a new comment


    Troubleshooting Steps


    Deleted all cookies, session information, history, etc.


    Replication

    1. Visit http://www.kemper-amps.com
    2. You will notice a redirection from http://www.kemper-amps.com to https://www.kemper-amps.com (changes http to https)
    3. Log in to your account. Use remember me simply to recall the session.
    4. Go to the forum and verify you can view notifications
    5. Close the browser
    6. Reopen the browser and navigate to http://www.kemper-amps.com/forum
    7. You will notice no redirection from http://www.kemper-amps.com/forum to https://www.kemper-amps.com/forum
    8. Click the notifications title bar menu. You should receive a modal error dialog stating "your session has expired, please log in again"
    9. Close the browser
    10. Reopen the browser and navigate to https://www.kemper-amps.com/forum
    11. Click the notifications title bar menu. You should see the dropdown appear as expected.


    As an additional note, once you even visit the forum from an http link, you can no longer post anything. This is the second time I've written this up for that very reason.


    Solution


    I know the Kemper website has recently undergone some UI updates. Visiting the public homepage (http://www.kemper-amps.com) now redirects to the SSL-enabled version of the site (https://www.kemper-amps.com). However, with the forum, this is not the case. If you visit http://www.kemper-amps.com/forum (or any routes expanding on this path), you will not be redirected to https version of the same page. The cookies stored for logging in to the site are not valid on the HTTP version of the site. Out of the 20 cookies generated, only 2 are marked for HTTP access (one instance of kemper_forum_cookieHash with the max-age set as Session, and the REMEMBERME cookie).


    To resolve this, adjust the .htaccess file to redirect all pages, not just the root-level pages, to redirect to the HTTPS protocol.
    As an additional suggestion, adjust the cookies generated by the forum software to not provide insecure cookies. This should simply mean making the two above-listed cookies secure.


    As an alternative option: In most cases, there's no real benefit for the Kemper's front-facing site or the forums to be using SSL, though the store functionality absolutely needs it. The other option would be to simply make only the store paths use SSL, which would also alleviate this issue.

    Guitars: Parker Fly Mojo Flame, Ibanez RG7620 7-string, Legator Ninja 8-string, Fender Strat & Tele, Breedlove Pro C25
    Pedalboard: Templeboards Trio 43, Mission VM-1, Morley Bad Horsie, RJM Mini Effect Gizmo, 6 Degrees FX Sally Drive, Foxpedals The City, Addrock Ol' Yeller, RJM MMGT/22, Mission RJM EP-1, Strymon Timeline + BigSky
    Stack: Furman PL-Plus C, Kemper Rack

  • Reloading does not work when https is not in the URL.

    Guitars: Parker Fly Mojo Flame, Ibanez RG7620 7-string, Legator Ninja 8-string, Fender Strat & Tele, Breedlove Pro C25
    Pedalboard: Templeboards Trio 43, Mission VM-1, Morley Bad Horsie, RJM Mini Effect Gizmo, 6 Degrees FX Sally Drive, Foxpedals The City, Addrock Ol' Yeller, RJM MMGT/22, Mission RJM EP-1, Strymon Timeline + BigSky
    Stack: Furman PL-Plus C, Kemper Rack