The reason I don't use Chrome as my usual browser is that I'm leery of anything that Google makes and does. Their company motto "Do the right thing" is one of the great corporate ironies.

It used to be "Don't be evil" or something similar. Either way they don't follow their own edict.

This is a good discussion. Sadly, there's no way for a website to determine why someone can't log in - or at least not that I know of. I can clear up one or two of the other issues though. Secure websites come in two flavours and both exist here. The first is a page that is fully secured. On the home page of this site, everyone should see their browser's padlock symbol somewhere, with one exception as explained below. It's in a different spot for each browser but generally in the frame of the window or in the case of Edge and IE, in the address bar. The padlock appears when there is no unsecured content on the page. Elsewhere here, you may or may not see the padlock because whilst the page itself still comes from a secure server, it may contain content that is linked from other servers that are not secure. Usually this linked content is either photos from an external source or member's avatars that are from an external source. If your avatar is hosted here or via Gravatar then it is secure content.

Browsers have changed a lot over the years and I am not up to speed on what each vendor is confusing their users with but as far as I know, if you click on the address bar the fully qualified URL should show and this should include the https:// prefix and this should show no matter what page of this site you are on. This will indicate that the connection to the server is secure even when some of a page's linked contents are not.

When I first introduced SSL here it wasn't because I was worried about the server being hacked. To a degree this is always a bit of a worry but in reality there's two things a proper hacker wants - money and fame. There's no bragging rights in attacking a site the size of this one and there's certainly no money or credit card details stored here so there's really nothing to be gained by anyone going to those lengths here. Many sites that have SSL only protect their membership sign-in pages. I found it easier just to implement it across the whole site. There are small advantages in doing this from an SEO perspective too - you get some favouritism with the big search engines because they want all sites everywhere to implement SSL.

It would be good if everyone who is having difficulties in logging in could say so here and let me know their browser and OS versions. I am about to finish work on the new server that is already supposed to be operating and this work will get done even if it does end up just being a bug in a particular web browser and let's face it - none of them are fault-free. The Web was a lot easier to code for and fault find when there was only Internet Explorer and Netscape Navigator but it's not like that anymore.

We could argue that the Camel turned out to be perfect for its end use. Unfortunately turning the Camel into a Lemon causes its mobility to be severely restricted and renders it unfit for the original end use.

It can't be fixed if there is no way that you can communicate with them, to tell them that it's broken. (Self defeating)

Marc

One thing I didn't mention is that I never log out, therefore I don't have to log in again. So, perhaps the problem would occur if I logged out then tried logging back in.

In view of the reported problem I will leave FF at 51 on my 64-bit, until the issue is resolved one way or the other.

Found another FF on another system alien to the ones mentioned with the same issue mentioned.

I may have a problem: I have one that is doing this work W8.1. Mens shed W10. One on XP and a laptop used for odd jobs with Win7 Business.

Marc

On the home page of this site, everyone should see their browser's padlock symbol somewhere

For me, Chrome shows the Home page with the padlock and htpps: crossed out in red.

I just tried Chrome on my old laptop as I am not keen with it on my everydayer. I don't see a red line and I don't see a red line. Again, whether the padlock shows or not depends on where your avatar is hosted.

One strange thing is Chrome's reporting of cookies. It shows this site serving three cookies to me and that's bull. VR only ever sends one cookie and inside it is only two small pieces of information as far as I remember, my username and membership access level, which is a number from 0 to 5.

Does the red line show when you aren't signed in?

Does the red line show when you aren't signed in?

Yes. I have emailed you screen snapshots.

Very odd indeed. If you click on the padlock it should show a popup with a reason for the red.

The pop-up message read "This site uses a weak ..." and then I got the blue screen of death. I did not have enough time to read the whole message but something about security.

When I tried it again I got the BSOD again, so I'm not going to do it a third time.

Googling around it may be this message "This site uses a weak security configuration (SHA-1 signatures), so your connection may not be private."

If so, then this may be applicable:

"As of January 1, 2016, no publicly trusted CA is allowed to issue a SHA-1 certificate. So any new certificate you get should automatically use a SHA-2 algorithm for its signature.

However, existing SHA-1 certificates are still trusted by modern browsers and operating systems. Generally, they will be removing support for SHA-1 entirely by January 1, 2017.

Legacy clients will continue to accept SHA-1 certificates, and it is possible to have requested a certificate on December 31, 2015 valid for 39 months. So, it is possible to see SHA-1 certificates in the wild that expire in 2019."

I'm using Chrome Version 49.0.2623.112 m -- which was the final version created for XP.

VR's certificate expires in October 2018 I think as it is a two year one. If the algorithm has been beefed up then I'll probably purchase a new one for the new web server regardless. I might write to the issuer and get some more info on it.

Well, after uninstalling Firefox completely and then reinstalling an older version (51.0) I am once again able to login here using Firefox. Goodbye Chrome.

I have set FF not to bother advising me about updates ever again. Version 51.0 will see me out on this XP box.

It shows this site serving three cookies to me and that's bull.

I checked in firefox and there are indeed 3 cookies.

The first is called "vintage" and contains details (all in Plaintext, I might add !!), and is set to expire next February.

The other two are ASP https cookies, with no identifiable info, and expire at session end.

Unfortunately, Firefox does not indicate when the cookies are created. Neither does it let me copy/paste the info.

Plain text is in all cookies. Even hashed information will appear as text. Cookies are just like a Notepad file but they have a special relationship with the browser that saved it to your computer. If you change any of the content then the cookie will be rendered inoperable and you will need to sign in again so the site and browser can generate a new one. I was asked once why changing the rank didn't elevate the user to a higher level and I just laughed and said "better luck next time". As for your username and password, only you can see it unless someone hacks you of course.

The HTTPS cookies aren't sent by the site. They sound like session-only cookies and part of the HTTPS protocol.

The site cookie's creation date depends on whether you log in manually each time or had the site remember your login. If you log in and don't tick "remember me" then your cookie will expire after 20 minutes of idle time, or when you leave the site. This helps with stopping other users of the same computer taking over or using your access. If you log in and tick "remember me" then that is the date your cookie was created. It isn't really that important but if you are curious and want to know this date just get the date from the cookie itself and take 368 days off it to get the date you signed in.

Well I involuntarily reverted Firefox back to 51.0.1...

One of the network cards shorted out and took out the pc. Removal of the card restored life, but then Windows changed some settings and somehow lost the graphics drivers amongst other things. Rather than stuff around further, I did a system restore, and the older version of Firefox came back with it. It also fixed the video issues.

All I have to do is get a replacement network card.

Just as an update on my plans for the site over the next four weeks or so, I have plans on finishing the new server soon. A few things have come up recently that I don't have control over and they have to take precedence over the work that needs to be done here. The new server will be the first of many things to be done though. Finding the time is the only obstacle. The new certificates have been acquired for it so it is just a matter of finishing the programming of the WWW Publishing Service and this does take some careful doing as I use a few optional extras such as DNS resolution for the visitor logging and 301-Redirection to force connection to the site via the secure connection.

Once the new server is going, I will alter slightly how the redirection takes place as I am thinking it may be causing the 500 timeouts. Unfortunately it is too difficult and disruptive to alter under the current arrangements as the way it works means the site depends on it at the moment.

In finishing, I haven't said much about the issue we had toward the end of last year that was causing the site to just disappear for hours at a time on a random basis but I can confidently say this issue has been resolved with the equipment replacement that was done just prior to Christmas. That part of things has improved 1001% and I haven't had to remotely restart anything at all so far this year.