Sessioncookie being randomly dropped/blocked Tweakers.net

[crisp-tweakers]

Following the latest release of the Ghostery extension (version 8.4.7) for Chrome we receive bugreports from multiple users that they are randomly being logged out from our website, https://tweakers.net and https://gathering.tweakers.net

The common denominator for all these reports is the fact that all these users are using Chrome version 80 and the latest version of the Ghostery extension. Whitelisting our website in Ghostery does not mitigate the problems, disabling the Ghostery extension does.

What we are seeing is that these users can use our site for some time without problems, but then suddenly a request to out site is made and that request does not contain any cookies anymore. It is unclear wether these cookies are deleted or blocked since on such requests we will always issue a new sessioncookie, but obviously the user will be logged out of the site. This can occur on any page or during any action.

Since Chrome version 80 also made changes wrt samesite for cookies we feel that this might also be a factor. I found references to explicit samesite=none in the Cliqz browser-core heuristics for trackers, and we do explicitly set samesite=none on our session cookie (we need this for authenticated CORS requests from different domains), but I could nog figure out if or how that might be a cause.

Unfortunately this issue is somehow hard to replicate. Sometimes it takes a couple hours browsing on our site before it occurs. You can find user comments on this on our forum, but it is in the Dutch language: https://gathering.tweakers.net/forum/list_messages/1979116

It would be appreciated if you could investigate this issue further and if possible provide a fix or pointers for us on how to prevent this. If you need any more information I'd be happy to provide that.

[dennisenderink]

I'm one of the affected users on Tweakers.net; feel free to ask me if you need more information on this matter.

[sammacbeth]

Hi, thanks for reporting. We did ship some changes to be a bit more aggressive with cookie blocking in the last version, however we should still only block third-party cookies from domains on our tracker list.

From your description it sounds like a first party cookie is being dropped, and also your domain is not on our tracker list, so we certainly should not be blocking that cookie. This may then be a bug with the determination of the request context.

If you are able to reproduce the issue the following may help us find the cause:

• Open the debugger for the extension background and see if any errors are reported there.
• At the debug console you can execute CLIQZ.modules['webrequest-pipeline'].background.pageStore.tabs to see the internal page model for each tab you have open. That can tell us for which requests cookies were blocked.

[crisp-tweakers]

Hi, thanks for the prompt reply. I shall share this information with the users that reported this problem so hopefully we will be able to get the data necessary to debug this situation. I'll get back as soon as we have additional information.

[ghost]

Whatever the problem is, I hope it isn't about the more aggressive cookie blocking. I really loved that update.

[Eegee]

• Open the debugger for the extension background and see if any errors are reported there.

I have the same problem on tweakers.net but also on steamgifts.com. Since I'm still logged in for now on tweakers.net I just tried steamgifts.com and immediately got this error:

_generated_background_page.html:1 Error in event handler: TypeError: Error in invocation of tabs.executeScript(optional integer tabId, extensionTypes.InjectDetails details, optional function callback): Error at parameter 'tabId': Value must be at least 0.
    at e (chrome-extension://mlomiejdfkolichcflejclcbmpeaniij/dist/background.js:725:3895)
    at _frameListener (chrome-extension://mlomiejdfkolichcflejclcbmpeaniij/dist/background.js:725:4018)

I hope this helps you to find the cause.

Edit: some other messages:

background.js:968 Uncaught (in promise) s: Message limit exceeded (action: attrack.keysv2, tag: b6c222d94d2598e9d887279c38d798c6, limit: 1 per 24 hours)
    at chrome-extension://mlomiejdfkolichcflejclcbmpeaniij/dist/background.js:968:16998
    at Generator.throw (<anonymous>)
    at k (chrome-extension://mlomiejdfkolichcflejclcbmpeaniij/dist/background.js:968:3898)
    at a (chrome-extension://mlomiejdfkolichcflejclcbmpeaniij/dist/background.js:968:4137)

[dennisenderink]

• Open the debugger for the extension background and see if any errors are reported there.

No errors.

• At the debug console you can execute CLIQZ.modules['webrequest-pipeline'].background.pageStore.tabs to see the internal page model for each tab you have open. That can tell us for which requests cookies were blocked.

At what point do you want the results of this command? Before or after the cookie has been destroyed
or both? What exactly do you want me/us to return from the results?

[sammacbeth]

At what point do you want the results of this command? Before or after the cookie has been destroyed
or both? What exactly do you want me/us to return from the results?

On the page visit when you get logged out, if you could provide the result for the active tab, that may point to what is going wrong. If you would rather share this information privately you can contact Ghostery support and ask them to forward it to me. Thanks!

[sammacbeth]

One other thing that may help us debug this. Do you have 'Enhanced Anti-tracking', 'Enhanced Adblocking', or 'Smart Blocking' enabled? If so, if you disable them does it fix the issue?

[panomaki]

One other thing that may help us debug this. Do you have 'Enhanced Anti-tracking', 'Enhanced Adblocking', or 'Smart Blocking' enabled? If so, if you disable them does it fix the issue?

They are enabled by default on my config (Chromebook, Chrome 80.0.3987 with Ghostery 8.4.7). Disabled them, but it doesn't make a difference.

FWIW, on my desktop with Firefox & Ghostery, it doesn't happen.

[sammacbeth]

Thanks everyone for your contribution on this issue. We have identified a bug in the ghostery code which could intermittently cause some cookies to be reset for sites. We're working on a fix and will try and get it out to you ASAP! I'll update this thread when that happens.

[crisp-tweakers]

That's great news Sam! Thanks for your efforts :)