I love an epic story of debugging. You know, those incredible stories in which an ingenious person goes on a quest to solve a problem and ends up in triumph and glory. Sherlock-Holmes-of-debugging kind of stories. Well, this is not one of those tales. This is a really personal problem, not an epic quest. Apparently it is only affecting me. This is also a Lovecraftian story because I’m slowly going mad because of it.
It all began when I logged out of Hacker News and suddenly couldn’t log back in. It is a really bizarre behaviour: the login form redirects back to the homepage as if nothing happened. My password is not wrong. I thought that maybe it is a HN bug, give it some days for them to notice and fix it.
Many days passed. I noticed that I could still post and upvote because these actions would redirect me to the login page. After filling in my data there and submitting the form, whatever action I was trying to do would go through, but I’d still not be logged into the webapp. I tried using other browsers such as Safari and Vivaldi. In these browsers, I could log in normally. I started living a kind of double life, using Firefox for most of my browsing and Safari for when I wanted to interact with HN.
That got old really fast. I still kept at it because I’m lazy. I really have better things to do. That bug, laughing in the void, haunted my dreams.
I got fed up with it and started investigating. It boiled down to the user cookie being rejected because its expiry date was already in the past.
Well, that looks easy to fix, right? I checked the Network tab in Firefox DevTools and saw that the expiry date for that cookie was in 2038. Time is flying during the pandemic, but it’s not flying that fast. 2038 is still in the future. Why is Firefox saying it’s not? I posted an Ask HN post asking if anybody had experienced a similar problem. A bright person pointed me to the Year 2038 problem, and I thought that was it.
Today I decided to message the HN mods about it. This led to multiple messages being exchanged with Daniel, who has been extremely helpful trying to debug this. We both thought that the problem might be related to the expiration date being too close to the 2038 cut-off date. He made a temporary change to set the expiration date on the cookie to 2032 instead, and I tried again.
At that point, Daniel confirmed that they could log out and in of HN from Firefox on his side. Other Firefox users are quiet as well. Had this been happening to other users, I bet they’d be screaming. The problem looks like a personal hellscape. Like Ged in Earthsea, this is my own personal demon. I have to deal with it.
My first step was trying to find whatever cookies I had set for the .ycombinator.com domain. I cleared all of them in the Firefox settings interface. It didn’t work.
I mostly browse using Firefox Nightly because I’m one of those people who think your browser needs to have bugs to keep your web experience fresh and vivid. Maybe it was something wrong with Nightly. Launched Firefox stable, which I haven’t launched in ages, and tried to log into HN. No cookie for me. It still didn’t work.
Remember that Firefox Nightly and Firefox stable use different profiles. The user data from one version is separate from the other. I can log in to HN from all other browsers on my machine except Firefox. It doesn’t matter what profile I use and what Firefox version I use.
I disabled all of the cool add-ons that make web browsing a pleasant experience—such as uBlock Origin and friends—cleared cookies and tried again. It still didn’t work.
I came like a wrecking ball…
In my frustration, I decided to do what you should never do with your browser: fiddle with internal files. Firefox on macOS stores its data in the Application Support folder. macOS hides this folder for a reason. The reason being Apple doesn’t want to answer support calls when you break things.
Once inside the folder for my Nightly profile, I opened the cookies.sqlite file and kicked some buckets.
After searching about this problem, I’ve seen some old reports that Firefox was somehow failing to clear old cookies, and that it happened when you had more than 3000 cookies set. I had 3055 cookies on that profile. First step was deleting any cookie for the Y Combinator host. Then I deleted all of the ai_user cookies because if I’m having a bad time, so should Google Analytics. That reduced my cookie count below 2000.
I STILL CAN’T LOGIN TO HN.
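The cookie-store inspection described above can be done read-only instead of by hand-editing. This is an added example, not code from the original post: it counts the stored cookies and classifies the ones for a domain by expiry. The table and column names (`moz_cookies`, `host`, `name`, `expiry`) and expiry being stored in epoch seconds are assumptions about the profile schema, and every row is constructed.

```python
import sqlite3

INT32_MAX = 2**31 - 1  # 2038-01-19T03:14:07Z as epoch seconds
NOW = 1643739660       # constructed "now": 2022-02-01 18:21:00 UTC

SAMPLE = [  # constructed rows: (host, name, expiry)
    ("news.ycombinator.com", "user", 1956528000),  # 2032-01-01
    (".ycombinator.com", "stale", 1600000000),     # 2020-09-13, already past
    ("news.ycombinator.com", "far", 2200000000),   # later than the 2038 cut-off
    ("example.org", "ai_user", 1700000000),
]


def build_sample_db():
    """In-memory stand-in for a copy of cookies.sqlite (assumed schema subset)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE moz_cookies "
               "(id INTEGER PRIMARY KEY, host TEXT, name TEXT, expiry INTEGER)")
    db.executemany(
        "INSERT INTO moz_cookies (host, name, expiry) VALUES (?, ?, ?)", SAMPLE)
    return db


def cookie_report(db, domain, now):
    """Return (total cookie count, [(host, name, state)] for domain and subdomains)."""
    total = db.execute("SELECT COUNT(*) FROM moz_cookies").fetchone()[0]
    rows = db.execute(
        "SELECT host, name, expiry FROM moz_cookies "
        "WHERE host = ? OR host LIKE ? ORDER BY expiry",
        (domain, "%." + domain)).fetchall()
    findings = []
    for host, name, expiry in rows:
        if expiry <= now:
            state = "expired"       # the store should already have dropped this
        elif expiry > INT32_MAX:
            state = "beyond-int32"  # would wrap if truncated to 32 bits
        else:
            state = "ok"
        findings.append((host, name, state))
    return total, findings


if __name__ == "__main__":
    # For a real profile, work on a copy opened read-only, e.g.
    # sqlite3.connect("file:cookies-copy.sqlite?mode=ro", uri=True)
    print(cookie_report(build_sample_db(), "ycombinator.com", NOW))
```
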
Maybe it is the cookie syntax…
Inspecting the raw response from the HN server, I noticed that the date is using dashes instead of spaces:
Set-Cookie: user=sadboi; Expires=Thu, 01-Jan-2032 00:00:00 GMT; HttpOnly; SameSite=Lax; Secure
Maybe that was it. Isn’t the format supposed to be with spaces instead? The info on MDN WebDocs about Set-Cookie is really lax on the date format. It looks quite flexible.
Experimentation is the mother of learning! I decided to quickly create a small web server and try to set my own cookies using dashes in the date and see if I could replicate the bug in a different place. The quickest way for me to create most of my toys is to use LiveCode—a modern-day HyperCard—and just make a simple stack.
The code is quite minimal, it just replies with some text and attempts to set two cookies: one with dashes in the expiry date and one without.
on mouseUp
   -- start the httpd library on port 12345; requests go to NewRequest
   put empty into field "debug"
   httpdStart "NewRequest", 12345, "My Server"
   launch url ("http://localhost:" & it)
end mouseUp

on NewRequest pSocketID, pRequest
   -- show the incoming request, then answer with both date styles
   put arraytojson(pRequest,,true) into field "debug"
   put "Set-Cookie: userWithDashes=kenobi; Expires=Thu, 01-Jan-2032 00:00:00 GMT; HttpOnly; SameSite=Lax; Secure" & crlf into tHeaders
   put "Set-Cookie: userNoDashes=kenobi; Expires=Thu, 01 Jan 2032 00:00:00 GMT; HttpOnly; SameSite=Lax; Secure" & crlf after tHeaders
   httpdResponse pSocketID, 200, "Hello There, General Kenobi!", tHeaders
end NewRequest
Guess what? Dates with dashes work. I have no problem setting these cookies. They work fine. That is not the problem.
I STILL CAN’T LOGIN TO HN.
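Why both date styles are accepted, shown with the cookie-date algorithm from RFC 6265 section 5.1.1 (an added example, not code from the original post and not Firefox's own parser). It goes one step beyond the experiment above by also checking whether the parsed expiry fits a signed 32-bit epoch value, the Year 2038 cut-off discussed earlier; the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Delimiters per RFC 6265 5.1.1: tab, 0x20-0x2F, 0x3B-0x40, 0x5B-0x60, 0x7B-0x7E.
# Both "-" (0x2D) and " " (0x20) are delimiters; ":" (0x3A) is not.
DELIMS = re.compile(r"[\x09\x20-\x2f\x3b-\x40\x5b-\x60\x7b-\x7e]+")
TIME = re.compile(r"^([0-9]{1,2}):([0-9]{1,2}):([0-9]{1,2})(?:[^0-9].*)?$", re.S)
DAY = re.compile(r"^([0-9]{1,2})(?:[^0-9].*)?$", re.S)
YEAR = re.compile(r"^([0-9]{2,4})(?:[^0-9].*)?$", re.S)
MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]
INT32_MAX = 2**31 - 1  # 2038-01-19T03:14:07Z

DASHED = "Thu, 01-Jan-2032 00:00:00 GMT"  # Expires values from the test server
SPACED = "Thu, 01 Jan 2032 00:00:00 GMT"


def parse_cookie_date(value):
    """Return a UTC datetime for an Expires value, or None if it must be ignored."""
    time = day = month = year = None
    for tok in filter(None, DELIMS.split(value)):
        # Each token fills at most one field, tried in the order the RFC gives.
        if time is None and (m := TIME.match(tok)):
            time = tuple(int(g) for g in m.groups())
        elif day is None and (m := DAY.match(tok)):
            day = int(m.group(1))
        elif month is None and tok[:3].lower() in MONTHS:
            month = MONTHS.index(tok[:3].lower()) + 1
        elif year is None and (m := YEAR.match(tok)):
            year = int(m.group(1))
    if None in (time, day, month, year):
        return None
    if 70 <= year <= 99:
        year += 1900
    elif 0 <= year <= 69:
        year += 2000
    if (year < 1601 or not 1 <= day <= 31
            or time[0] > 23 or time[1] > 59 or time[2] > 59):
        return None
    try:
        return datetime(year, month, day, *time, tzinfo=timezone.utc)
    except ValueError:  # impossible calendar date such as 31 Feb
        return None


def fits_int32(dt):
    """True when the expiry survives storage as a signed 32-bit epoch value."""
    return int(dt.timestamp()) <= INT32_MAX
```
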
A clueless person goes inside Application Support
Went back to the profile folder. You know you’re desperate when you start using mdfind to look for clues.
$ mdfind -onlyin . ycombinator
I could see that ycombinator was present in some files and folders inside my profile. There was a cache folder for it full of empty files, and also a security-related file which I think is related to that Strict-Transport-Security header. I nuked that cache folder.
I STILL CAN’T LOGIN TO HN.
If you’re frustrated because there is no happy ending here, imagine how I feel. I have no trick left to try. I don’t have this problem with any other site, and I don’t have this problem with other browsers. It is a spawn of hell that is born out of the conjunction of my Firefox install and HN. I deleted all occurrences of ycombinator from the profile. No cookies, no cache, nothing. And it still doesn’t work.
I think I’ve tried to fix this enough for today. I wanted to post about this problem once I solved it, but it is quite obvious that I can’t solve it. Maybe some reader can, maybe you can help guide me out of this maze.
I’ll post updates as I figure stuff out.
1st of February 2022 at 18:21: If I use private browsing, there is no bug and I can log in without a problem. The problem is still there if I use my normal profile.
1st of February 2022 at 18:37: I think that some devs at HN are investigating it. Now, HN is giving me an error in Safari when I try to open the site. I was logged in on Safari. I can still open the site if I’m not logged in.
That problem lasted just a few minutes. I’m back logged in on Safari.
1st of February 2022 at 20:03: I created a new profile in about:profiles. I can log into HN from that profile. The bug is in the profile then, I just need to figure out whether it is fixable without nuking the profile.