Discourse Single Sign-On

Quick update on the Single Sign-On process (that’s the thing where you click “Log In” on Discourse, and then sign into omg.lol if you’re not already signed in, and then magically wind up logged into Discourse).

I had a pretty annoying flaw in my sign-in flow where if you were signed out of omg.lol, and then tried to log into Discourse but opted not to complete the process (i.e. didn’t sign into omg.lol), and then later on came back to omg.lol and signed in… you’d wind up being taken to Discourse. Not cool, obviously.

The reason for this is that when you visit any URL on home.omg.lol that requires you to be signed in—and you’re not signed in—you need to be redirected to the destination after signing in. But you have to remember where that destination is somehow, and I chose to use a cookie. But, like a dork, I didn’t set the cookie to expire… which means that you could come back hours or days or years later and sign into omg.lol and be taken to Discourse without even remembering that you had at one point tried to sign into Discourse.

To temporarily help with the issue, I’ve set the cookie expiration for that redirection to 60 seconds. That can’t be retroactively applied to existing cookies (sorry), but at least the next time you encounter this scenario it will only remember where you were trying to go for 60 seconds (which seems like a reasonable enough amount of time to sign into omg.lol).

Longer-term, I’ll rewrite the redirection process to not rely on cookies at all while also making it appropriately temporal. Hoping to knock that out this weekend.

Anyway, apologies to everyone who ran into this and was left feeling confused or annoyed! :prami_distressed:
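
An added example, not code from omg.lol or from the original post: one way to remember the post-sign-in destination without a cookie is to carry a signed, timestamped token in the sign-in URL and check its age and destination when sign-in completes. `SECRET`, the function names and the `discourse.example` host are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import urlsplit

SECRET = b"constructed-demo-key"   # assumption: server-side key, never sent to the browser
MAX_AGE = 60                       # seconds, the window the post settles on
ALLOWED_HOSTS = {"home.omg.lol", "discourse.example"}  # discourse.example is a placeholder
DEFAULT_DEST = "https://home.omg.lol/"

def _sign(body):
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")

def issue_return_token(dest, now=None):
    """Build the value placed in the sign-in URL instead of a cookie."""
    issued = int(time.time() if now is None else now)
    raw = f"{issued}|{dest}".encode()
    body = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{body}.{_sign(body)}"

def resolve_return_token(token, now=None):
    """Return the destination only if the token is authentic, fresh and allowlisted."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        # Constant-time comparison; a modified token never reaches the decoder.
        if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
            return DEFAULT_DEST
        raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode()
        issued_s, dest = raw.split("|", 1)
        issued = int(issued_s)
    except ValueError:  # also covers binascii.Error and Unicode errors
        return DEFAULT_DEST
    # A stale intent (the "came back days later" case) falls back to the home page.
    if not 0 <= now - issued <= MAX_AGE:
        return DEFAULT_DEST
    # Only redirect to hosts the sign-in flow is meant to serve.
    parts = urlsplit(dest)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return DEFAULT_DEST
    return dest
```

Because the token travels with the sign-in request itself, abandoning the flow leaves nothing behind in the browser to trigger a later redirect.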