Hey everyone,
Sorry that private messaging is still down. It's one of the main features that is being implemented through Dazah. Unfortunately, it wasn't until sticking it into a production environment when I realized that its performance is subpar and the algorithms need a major overhaul. That's what I've been spending most of today on, and hopefully I should be done by the end of tomorrow or Saturday.
Jump to PostThat would be a lot more interesting if I could access my account to send or receive PMs
I just spent another hour plus trying to find a way to log in to my account (deleting cookies etc) but now things are worse. On my main machine I now can't …
Jump to PostI'm trying to remember how I did it now :)
Essentially, as Dani didn't copy passwords over to Dazah along with email addresses associated to DaniWeb, you need to reset your password - on Dazah. If I recall correctly, and I admit to being in a bit of a medicated …
Jump to PostI now seem to have a login at dazah, with the email for my dw account, but I can't login to dw... It asked me to approve using dazah, which I did, but then it bounced me back to dw not logged in. Since then if I click login it …
Jump to PostOK/ I'm back. Phew.
Jump to PostClearing cookies could certainly be something. I did this (almost on autopilot) at the outset of my problems with logging in, and had no hassle once I did the reset password thing.
That would be a lot more interesting if I could access my account to send or receive PMs
I just spent another hour plus trying to find a way to log in to my account (deleting cookies etc) but now things are worse. On my main machine I now can't log in at all, not even via this dummy account. Clicking on login just refreshes the page. (I'm sending this from my iPad)
I see from recent activity that a couple of old timers have got back online, but the vast vast majority are silent - maybe because they can't access the system?
I'm trying to remember how I did it now :)
Essentially, as Dani didn't copy passwords over to Dazah along with email addresses associated to DaniWeb, you need to reset your password - on Dazah. If I recall correctly, and I admit to being in a bit of a medicated fog so excuse me if not, I went to Dazah.com and disassociated the email/account from DaniWeb. Then (from the Dazah settings page - tab at top somewhere) I did a password reset having made sure I was using the right email address for my DaniWeb account. This prompted an email link to be sent that let me reset the password. Then I came back to DaniWeb, made sure I was logged out (in my case I had managed to associate another email address with another DaniWeb account of mine) and logging in with the right email address then just went smoothly.
I'm not logging out though, in case I can't get back in :)
I did the reset password routine and can successfully login to Dazah but that's as far as I get on my old account. Maybe not having all my profile fields filled out means that logging in lands me in a utopian galaxy instead of Daniweb.
I now seem to have a login at dazah, with the email for my dw account, but I can't login to dw... It asked me to approve using dazah, which I did, but then it bounced me back to dw not logged in. Since then if I click login it just refreshes the screen. I'm still sending this from my iPad hoping I won't get logged off here and left with zero access of any sort. This is a tragedy... Why didn't her friends stop Dani from launching a totally re-written system without proper QC, testing, or warning?
@Nobody_1/JC, what you are describing is exactly what happens to me with my original account. I'm sure there are many other members stuck in the same predicament - arghh
It asked me to approve using dazah, which I did, but then it bounced me back to dw not logged in.
Oooooooooohh!! I didn't realize that was the behavior everyone was experiencing! I think I know what's wrong.
Oh ... also, have you tried clearing cookies?
Oooooooooohh!! I didn't realize that was the behavior everyone was experiencing! I think I know what's wrong.
Unfortunately I tried to reproduce what I thought the problem was, and it turned out not to be what I thought. The only thing I can think of is clearing cookies? :-/ Obviously this is a huge issue, so I'll keep working at it. :(
OK/ I'm back. Phew.
Clearing cookies could certainly be something. I did this (almost on autopilot) at the outset of my problems with logging in, and had no hassle once I did the reset password thing.
Clearing cookies was in my autopilot too. I still need to do it to prevent automatic login to the previously-logged in user. I'm not at all happy with that automatic logon - there's a password on my account for a reason. If I chose to bypass that protection by using a password manager on my machine that's up to me.
To prevent automatic login, you need to log out of Dazah. Keep in mind that DaniWeb now uses "Login with Dazah" the same way that a site would use Log In with Facebook, etc.
If you logged into legacy DaniWeb, or any third party app, with Facebook, you wouldn't expect that logging out of DaniWeb would also log you out of Facebook as well. You're only logging out of the single app.
If you are already logged into Facebook on your computer, the benefit of clicking log in with Facebook on a third party app is single-click sign-in. If you log out of the app, you can log back into it with a single click as well.
The same rule applies here. :)
What I can do in the future is offer a checkbox on the Dazah sign-in page asking whether you want to stay logged in or have cookies cleared after every use.
If you are already logged into Facebook on your computer, the benefit of clicking log in with Facebook on a third party app is single-click sign-in. If you log out of the app, you can log back into it with a single click as well.
Usually it's TWO clicks when logging in via Facebook in my experience. Use Disqus as an example. First click is Disqus login. A window pops up with login options, one of which is a Facebook logo. Click that and you're in, provided you're already logged into Facebook. I'm not crazy about the two-click method either, but at least there's that popup and second click so I know that I'm logging in via Facebook. Maybe if you could ONLY log in via Facebook, that popup wouldn't show up and it would only be one click and you wouldn't know why. At minimum, I think you should implement something like that when logging into Daniweb. A "Log in through Dazah" popup so panic doesn't set in with the one click and we know to log OUT of Dazah if we want to be secure. I'm not going to remember to check Dazah in a month if I stay logged in. Facebook is common enough that, as I'm puzzling why I logged back in so easily, I think "Oh yeah, Facebook" and check that. With the new Daniweb, I just assumed single-click login was a huge bug. Turns out it's a feature. :)
If you logged into legacy DaniWeb, or any third party app, with Facebook, you wouldn't expect that logging out of DaniWeb would also log you out of Facebook as well. You're only logging out of the single app.
This new trend redefines the entire concept of "logging out". I realize you didn't start this trend, but it's a troubling one. In the old days, If I wanted the "benefit" of single-click login, Chrome offers to remember the username/password for Daniweb so I don't have to keep typing it. Click "Log In" and there's a nice popup from Chrome asking if I want to use my stored Daniweb username and password, I clicked "Yes", and voila, I'm in. It might have been three clicks, not one though. To use the Facebook example, suppose I've logged into five forums using Facebook. I want to SECURELY log out of Disqus. I now have to log out of Facebook, which logs me out of Facebook and all the other forums. Now I log back into Facebook and retype my password, then log back in to the other four forums. And I'm still stuck with the two-step login from Disqus AFTER I re-login into Facebook. That's a benefit and convenience I can do without. Which is why I don't use forums that REQUIRE me to log in through Facebook or anything else. Because once Facebook is breached, everything using Facebook as a login is breached. I know I'm paranoid. Facebook would never violate privacy and is immune to security breaches.
What I can do in the future is offer a checkbox on the Dazah sign-in page asking whether you want to stay logged in or have cookies cleared after every use.
If Dazah takes off like you hope, that same "must log out of five forums to log out of one" benefit will be there for Dazah too.
Anyway, this is just one guy's opinion. Control freak that I am, I like being able to pick and choose what is done automatically for my benefit. And I don't mind clicking three times. I need the exercise.
Usually it's TWO clicks when logging in via Facebook in my experience. Use Disqus as an example. First click is Disqus login. A window pops up with login options, one of which is a Facebook logo. Click that and you're in, provided you're already logged into Facebook.
Maybe if you could ONLY log in via Facebook, that popup wouldn't show up and it would only be one click and you wouldn't know why.
So that's what's going on here where you can ONLY log in via Dazah, so there's no option to choose which way you want to log in. The first time you try to log in, you need to authenticate DaniWeb with Dazah, and you go through the Dazah process. After that, it's seamless because it's the only login method.
Suffice to say, we follow the exact standard when it comes to this, so my hope is that what is going on is understood out of seeing the same behavior elsewhere.
I think it makes sense for us to follow just industry-wide practice and keep within the OAuth standard.
we follow the exact standard when it comes to this, so my hope is that what is going on is understood out of seeing the same behavior elsewhere.
Glad to hear this. I agree that you should follow the industry standard, particularly a small (one programmer!) shop like yourself. It sounds like the reason that you did not migrate the passwords was because you felt the old way was not secure enough? Or security was good enough, but you wanted to make it better? Regardless, beefing up password storage can only be a good thing, so bravo on that.
I think a lot of this could have been avoided by keeping us in the loop and explaining what was going on before rolling things out. A little thread in advance explaining what Dazah was (briefly), that e-mail addresses were being migrated over to Dazah, but passwords were not, so we would all have to reset the passwords, that the Daniweb login was now through Dazah, what permissions we were giving Dazah and why, what was the minimum level of permissions required, etc., plus if you offer an option to revoke those privileges, then they need to be revokable. I've explained this in other posts. When things are vague, people get nervous. If I've learned one thing in damage control/prevention, it's that perception is often reality. Your site could be the most secure site in the world, but if people don't know that, you have problems and when in doubt, users assume the worst. I had an engine rebuilt. The mechanic left greasy thumbprints all over the place. Never trusted the car after that. Turns out he did an excellent job, but I was always thinking "If he couldn't be bothered to wipe off the dirty fingerprints, where else did he take shortcuts that I can't see..."
Just food for thought for future rollouts coming from a guy who has personally learned the hard way that, running on fumes or not, tight deadlines or not, transparency and notifying everyone ahead of time of what is going on and why, along with non-vague error messages is essential. YOU may know that you have everything under control security-wise and YOU may know that you aren't going to abuse our contacts/messaging/groups/information, but WE don't know that, so if you don't explain, I got the same feeling I get when I download a Solitaire game and the program requires Admin access and wants to control my webcam and microphone or when the guy ringing up my burger order says he needs my birthdate, social security number, and mother's maiden name. Hmmm... That you were requiring access to my DAZAH contacts and not my GMAIL contacts didn't click for me. I couldn't think of any legitimate reason you'd want any control over my gmail account. In lieu of an explanation, my mind wandered to dark places.
I've been making the same points ad nauseum so I'll stop. Thank you for the clarifications. I think some more are needed, but it's no longer an emergency (as all security/privacy concerns are), so can wait till it's all debugged and you're no longer running on fumes. On one final, final note, you are a one-person show, but your product is an online forum populated by programmers, so I think you might be pleasantly surprised if you throw out an appeal for volunteer beta testers/document writers or even programming help next time.
It sounds like the reason that you did not migrate the passwords was because you felt the old way was not secure enough?
Yes, precisely.
I think a lot of this could have been avoided by keeping us in the loop and explaining what was going on before rolling things out.
The thread explaining what Dazah is exists here, and was a discussion that started about 5 months ago: https://www.daniweb.com/community-center/daniweb-community-feedback/area-51/threads/502148/future-direction-of-daniweb
e-mail addresses were being migrated over to Dazah, but passwords were not
I mentioned that somewhere a few days ago (https://www.daniweb.com/community-center/daniweb-community-feedback/threads/504951/i-ll-have-to-stop-using-the-forum-why-the-change-to-dazah-#post2205749) but, in retrospect, I should have been a lot more transparent about it.
plus if you offer an option to revoke those privileges, then they need to be revokable.
Privileges can be revoked here: https://www.dazah.com/users/settings
Just food for thought for future rollouts coming from a guy who has personally learned the hard way that, running on fumes or not, tight deadlines or not, transparency and notifying everyone ahead of time of what is going on and why, along with non-vague error messages is essential.
Essentially what it comes down to is that I rolled things out too early, I knew that going in, and so I wanted to spend the next few days squashing my todo list and getting all my ducks in a row before making a big happy announcement about it. Especially when it's something I've been going on talking about for a year. I didn't count on so many loyal users being so flustered so quickly.
. That you were requiring access to my DAZAH contacts and not my GMAIL contacts didn't click for me.
I guess it just needs to click that the login is the Dazah OAuth flow, which works just like any other OAuth flow out there. ;) I guess I assumed that because I was following industry standards, the auth page would be easily recognizable as an OAuth auth page. After all, we've all clicked on a Facebook app and been presented with "App XYZ is requesting the following Facebook privileges...".
On one final, final note, you are a one-person show, but your product is an online forum populated by programmers, so I think you might be pleasantly surprised if you throw out an appeal for volunteer beta testers/document writers or even programming help next time.
Once I get all my ducks in a row, that's the next step ;) ;), when I start looking for volunteers excited to write their own apps on top of Dazah, much the same way DaniWeb is written on top of Dazah!! It's a REALLY powerful OAuth-based API, and, as you can see, I'm eating my own dogfood here.
Privileges can be revoked here: https://www.dazah.com/users/settings
Was I not supposed to click "Continue as Fred"? Apparently that resets the permissions?
I am on Windows 10 using Google Chrome. I didn't clear cookies.
Just to clarify, at no time during the process were you logged out of DaniWeb. Your DaniWeb cookies existed all along. When you were thrown back to the Dazah authorization page, it was because DaniWeb needed Dazah permissions to continue. This is similar to the experience the first time you log in when you haven't granted Dazah permissions yet the first time around either.
More information about OAuth can be found at: https://en.wikipedia.org/wiki/OAuth
I am sure you are still looking into this, but my inbox has 17 pages of messages that I just can't clear out.
Link to clear them out will be added soon.
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.
