Thurrott.com login Feedback


Howdy, folks! I’m Nick – I help run tech here at thurrott.com. I initially posted this message as a response to lwetzel’s thread here, but I wanted to make this its own thread for visibility and to provide a space for dialogue. We’ve had some feedback recently regarding folks being required to log in more frequently, and while I’m not half the writer Paul is, I hope I can add some clarity to the intended function of our login system here.

When logging in to thurrott.com, if you do not click the “remember me” button underneath the form, your session (referring to the “connection” established between you, a unique user, and our server – as represented by a cookie stored on your browser) persists only until the end of your browsing session. That is, until you close your browser.

If you do click the “remember me” button below the form when logging in, your session will persist for 14 days.

There are, however, a few scenarios that could lead to session persistence less than 14 days – which I’ve outlined below.

If cookies are disabled in your browser you will be unable to maintain a session, as the string of text we use to identify and authenticate you cannot be stored. This is an unlikely scenario, and will be extremely apparent across every site you visit.

If browsing in “incognito” or “private mode”, any cookies set during the session will be cleared at the conclusion of the session – regardless of use of the “remember me” button. Additionally, any session data set in “normal” browsing will not carry over to incognito or private browsing. These browser functions are more accurately described as “amnesia mode”, and if anyone from Google is listening please change the name and send a check.

It should be noted that as part of our mechanism to defend against session hijacking (an attack by which a nefarious actor either guesses, or more likely, intercepts the session cookie in transit and sends it back to us, thereby masquerading as you), your unique IP address is a component of the algorithm that generates a string of text (referred to as the “session token”) that’s stored in the session cookie. As a result of this, if your IP address changes, your session will no longer persist. Even if you sync browser data across devices, for example, between Chrome on your desktop and on your mobile phone, they must remain on the same network for your session to persist, as accessing the site via an LTE connection will change your IP address.

For the curious and nerdy among us, you can explore these session cookies and their expiry data in chrome by navigating to chrome://settings/cookies/detail?site=www.thurrott.com.

As always, thank you for being a part of a community we love so much and sharing your experiences, both good and bad, with us.

Please feel free to reach out to me directly with any questions or concerns: [email protected]
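To make the mechanism described above concrete, here is an added Python sketch (not thurrott.com’s own code; the key, user name, addresses and timestamps are constructed) of an IP-bound session token plus the session-only versus 14-day “remember me” expiry, showing why a changed address invalidates an otherwise valid session:

```python
import hmac
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# Constructed server-side secret for the demo; a real deployment loads this from config.
SERVER_KEY = b"constructed-demo-key-not-for-production"
REMEMBER_ME_DAYS = 14  # the persistence window the post describes


def session_token(session_id: str, user: str, ip: str) -> str:
    """Bind the token to the client's IP by mixing it into a keyed HMAC."""
    msg = f"{session_id}|{user}|{ip}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(user: str, ip: str, remember_me: bool, now: datetime) -> dict:
    """Cookie contents: no expiry (browser drops it on close) or 14 days with 'remember me'."""
    session_id = secrets.token_hex(16)  # unguessable, random session identifier
    return {
        "session_id": session_id,
        "user": user,
        "token": session_token(session_id, user, ip),
        "expires": (now + timedelta(days=REMEMBER_ME_DAYS)) if remember_me else None,
        "secure": True,     # only sent over HTTPS, so the cookie is not exposed in transit
        "httponly": True,   # not readable by page scripts
    }


def validate(cookie: dict, ip: str, now: datetime) -> bool:
    """Accept only an unexpired cookie whose HMAC matches the *current* client IP."""
    if cookie["expires"] is not None and now >= cookie["expires"]:
        return False
    expected = session_token(cookie["session_id"], cookie["user"], ip)
    return hmac.compare_digest(expected, cookie["token"])  # constant-time comparison


def demo() -> tuple:
    """Same IP inside 14 days, then a Wi-Fi-to-LTE address change, then after expiry."""
    now = datetime(2021, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    c = issue_cookie("alice", "203.0.113.10", remember_me=True, now=now)
    same_ip = validate(c, "203.0.113.10", now + timedelta(days=13))
    new_ip = validate(c, "198.51.100.7", now + timedelta(minutes=5))
    expired = validate(c, "203.0.113.10", now + timedelta(days=15))
    return same_ip, new_ip, expired
```

The second result is the case the post and the replies below describe: the same browser presenting the same cookie from a new address fails validation, so a switch from Wi-Fi to LTE (or a work VPN rotating its exit address) costs a fresh login even with “remember me” checked.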


22 responses to “Thurrott.com login Feedback”

  1. j5

    Hi Nick, thanks for taking the time to post such a detailed post. But I've got to be honest. For $50 bucks a year this is such a terrible way to tell premium and free users "how to use" the site, a post in the forums telling us how web browsers work, really???


    I'll be that guy here for everyone...we all LOVE Paul and reading his articles and listening to his take on FRD and everywhere else he is but the site is BAD!!! Most everyone here is patient and forgiving. But please no more excuses and definitely don't tell a bunch of tech nerds how a web browser works to use the website. Just fix the current state of the site (there are similar tech sites that do not have these base issues) or start upgrading the site to a version that's worthy of the respect and subscribers Paul gets!

  2. harmjr

    Thanks for this. I always wondered about this when it came to my phone. Wi-Fi vs Cellular data.

  3. George Coll

    We appreciate the critical feedback from our members and deserve it. We also know that the only way we will show that we are listening, is by improving in the several areas you all have shared.


    Some of you that do not follow Petri may not want to hear this, but I want to be candid about it. We are in the middle of a platform re-launch on Petri.com which has been very consuming. Most of you know, we are a very small team. This project has had many tentacles into Thurrott, for the architecture between the 2 sites were heavily co-mingled. This fact has resulted in many of the functional and performance issues we currently face on both sites, along with the inability to move fast and with agility.


    We will soon be turning the corner on this project and allowing for a much better focus on Thurrott. We appreciate your continued support, we hear you, and commit to being much better. 

  4. j5

    I feel like I need to apologize to Nick. He's just doing his job and tried to come on and offer help to all of us, sorry Nick, thanks for trying to help. I'm just frustrated and as you can see many are. But as a paying subscriber, it does make me upset. We know Paul is frustrated as well. The issues we complain about are not silly things, they are base level site user issues, the site rendering properly on all devices, forums are terrible, we can't edit our comments, have you seen what it's like reading comments on mobile, I don't even open it when I see how many comments there are, we know the site gets hit with spam/bots, etc but so do other sites, all popular tech sites do but for some reason on this site the lack of and implementation of makes the usability of the site bad and frustrating. Again sorry Nick, from a dude that has a job to do to another, poor attitude is on me. However, $55 bucks a year is A LOT of money to pay to access premium articles and make comments on them. Maybe venting here isn't the solution? Maybe I/we need to vent at Petri. I still stand by this, we're all here because of Paul not because of Petri.

  5. ben55124

    That IP address change is going to be a problem for devices that switch networks -- i.e. phones. As I understand this, if I were to switch from wifi to mobile data, the IP address would change and I would be thurrouted.

  6. travisgreuel

    Thank you. The "browser functions are more accurately described as “amnesia mode”, and if anyone from Google is listening please change the name and send a check" bit made my day.

  7. jwpear

    Thanks for the insight, Nick. I've sent a support request or two on this in the past as I have noticed my session not persisting and having to log in again too frequently. I get the time constraint, but I think it is too short.


    I don't understand the IP restriction and suspect that may be why I'm seeing more requests to log in. Are you guys seeing that much abuse of sessions? If I can log in with multiple machines and all those sessions are valid for 14 days as long as the IP doesn't change, what does the IP restriction accomplish other than penalizing a paying customer with a frustrating experience? If we are subjected to an IP restriction, then why not extend the lifetime of the cookie?


    I hope I'm not coming across as trying to be difficult here. I'm really not. The site is good enough for me to read content. I do wish the sessions were longer. I'd love the ability to log in with my--dare I say it on a Microsoft-focused site--Gmail account or something that's likely to already be a valid session from use with other sites. It feels SSO would benefit both parties and it would absolutely provide a better experience for paying customers.

    • nicktirrell

      Thanks so much for your feedback! Two things...


      To be completely transparent, we haven't seen any evidence of session hijacking. This, and other measures, are in place because I'd like to keep it that way. :) For perspective, here in the US, NIST recommends users re-authenticate every 12 hours and that sessions be terminated after 30 minutes of inactivity (https://pages.nist.gov/800-63-3/sp800-63b.html).


      I understand that we're not a bank, or a consumer data aggregator, and thurrott.com is not a particularly high value target for malicious actors with an interest in users and user data. However, when you use one of our platforms there's an exchange of data and an exchange of trust. An exchange of trust that we'll do everything in our power to safeguard your data. We do our best to honor that.


      All of that being said, given the balance of risk and convenience, I don't have a problem with allowing sessions to persist for 30 days - and that's a change we'll seek to make here in short order.


      As for logging in with your Google account, you actually can do this today! After clicking 'log in' in the upper right corner, look for the "log in instantly" section of the login overlay (on the right side if you're on desktop, on the bottom if on mobile). You'll be taken to Google to log in and back to thurrott.com where you'll be able to enter your existing thurrott.com username and password to link the accounts.

  8. pecosbob04

    To enlarge on what dftf mentioned above regarding the 3 free premium articles for non premium readers:


    "(1) Can we decide if non-paying members should get to see comments on Premium articles or not? Currently they can leave a comment on such articles, but then never see any replies to it, which feels rather silly."


    While I often select to read an article based on title for Paul's perspective, just as often it is the reaction and feedback I am more interested in. The statement has been made that the intent is to allow viewing the comments but it must be very low on the priority list as this state has persisted for months. Oh and I sure wish the edit feature would rise from the ashes.



  9. christianwilson

    Hi Nick,


    I appreciate the information.


    It is very possible the 14-day timeout explains what I have experienced because I view the site across multiple devices and they would timeout at different times. Is the 14 day persistence a recent change?

  10. navarac

    Thanks for that post although like others I just needed to know that the site resets every 14 days. Seems more often though. Now - can we have editing back, please?

  11. darkgrayknight

    So if you switch to another IP address (login via home computer vs work computer), then the other IP is now invalidated and I'll need to login there again?


    This was a change more recently, right? I used to be remembered considerably longer than 14 days. I don't have any control over the work VPN and whether they change IPs for us. It would be nice if there was another possible solution as I do have to login multiple times a week even with checking remember me and not accessing via any other computer.

    • nicktirrell

      Logging in from work will not log you out at home, just as logging in from a mobile device via LTE will not log you out on your desktop. However, any time your work IP changes you will need to log in again on your work machine. This isn't an extremely recent change, but I believe in the past sessions persisted indefinitely.

  12. dftf

    Another few things:


    (6) It would be great if this site told you when someone has replied to one of your comments. The only thing you can do now is to bookmark pages you've commented on, and manually revisit them to check for updates. (If this is something Premium members do get, then the "Premium Membership Features & Benefits" lists don't make that clear.)


    (7) Could Premium forum-posts not appear for non-paying members? I don't see the point in clicking on them, only to go to the "Join Thurrott Premium" landing-page. It makes the site feel broken. At-least redirect to a more-specific landing-page.


    (8) The order of forum-posts doesn't make sense. It appears they are listed by "Date started", whereas I'd argue "Last reply" makes more-sense. (I think it used to order in the latter-style, but this was changed after many archaic posts kept getting resurrected by random spam-comments. But the solution there is to simply have a cut-off on forum posts: so say after 30 days of a forum-post receiving no new comments, it should auto-lock and allow no-further new comments or replies. Most other forums work in this way.)

  13. dftf

    No offense Nick but the type of audience Paul gets here will be at-least "intermediate" when it comes to tech, and I'd argue would already realise that if they browse in a "private" browser-window, all cookies will be lost upon closing it. And likewise them not ticking/checking a "Remember me" box will mean that they won't be!


    Also, for the later part of your explanation, you only offer instructions based on the Google Chrome browser. Again, with respect, you might need to "know the audience" for this site. I would bet the majority are not viewing it via that browser, but via Edge, Brave, Firefox, Opera or Safari or some Chromium or Firefox offshoot.


    And in-terms-of some issues I feel need looking into more-promptly than the remembering-credentials issue:


    (1) Can we decide if non-paying members should get to see comments on Premium articles or not? Currently they can leave a comment on such articles, but then never see any replies to it, which feels rather silly.


    (2) Can the formatting of threaded/nested comments be done better? When you view this site on a smartphone, and come-across comments with many replies, the later replies start to fit into narrower-and-narrower columns, before later ones eventually becoming non-visible as they go off-screen.


    (3) A dark-theme would be appreciated, especially when on mobile!


    (4) The error-messages on this site need revising. So many times I've tried to create a Forum post, only for it to go to a "Whoops, we can't find that page" when I tap "Submit". But then a few days after, the post sometimes appears, even though it errored. Likewise, sometimes you can add comments on this site, other times you get a vague error, or it just forces you to do endless Captcha codes.


    (5) Can the advertising be more-relevant to the audience? I've no idea why this site thinks I would be interested in tips on using fresh-herbs effectively when cooking, for example!
