@prologic@twtxt.net hey mate, all working well here so far. The login issue isn’t really an issue as far as actually logging in goes; rather, if I get my password wrong it gives the response error code in the console, the response of which contains the HTML for the wrong-password page if you inspect it, but on the frontend itself nothing actually happens, which is the confusion. It just stays on the login page as if it was never submitted. Am I alone in having this issue as well?

In-reply-to » @prologic Watched that one the other day after seeing that much chatter about #HTMX on the feed. And now I'm watching HTMX Sucks - Youtube by the same person (or should I say people?) 😂

But what would you prefer if you were rethinking the architectural design of your next web app? A bazillion lines of Javascript™ with all kinds of indirections and acrobatics that are impossible to understand? 🤔 – Or just write your web application as a normal set of pages in the Hypermedia Driven Application (HDA) style/architecture, then sprinkle a few hx-* attributes and get the same user experience? 😅 #htmx

In-reply-to » @prologic Watched that one the other day after seeing that much chatter about #HTMX on the feed. And now I'm watching HTMX Sucks - Youtube by the same person (or should I say people?) 😂

@bender@twtxt.net Actually the video is a reaction to HTMX Sucks, which is originally an essay by Carson Gross (the creator) in the “The worse-is-better design philosophy” and what-not style. So no, it isn’t … or at least not in the sense one would get from such a title. 😄

In-reply-to » @lyse I am part of the selective “can’t-watch-videos” generation 😅. It has to be something truly exceptional for me to watch it, otherwise I prefer reading.

@bender I agree. For learning, reading is heaps better. There’s also the very powerful Ctrl+F that I do not want to miss.

In-reply-to » @bender Hmmmm I'm not sure about this... 🧐 Does anyone have any other opinions that know this web/session security better than me?

@prologic I do NOT claim to be an expert in that realm. I’ve seen different things being implemented in the guise of “remember me”. But I reckon the most common scheme, when this checkbox is activated, is to issue a dedicated, long-lived refresh token in a login cookie. I’m sure it is known under several different names. This “remember me” login cookie is separate from the actual short-lived session cookie.

Part 2 of this answer explains it fairly well: https://stackoverflow.com/a/477578 Also, this was a nice read: https://web.archive.org/web/20180819014446/http://jaspan.com/improved_persistent_login_cookie_best_practice

It depends on your threat model, but the use of public computers in libraries, internet cafés or similar is probably the most relevant here when arguing against activating “remember me”. These days, shared computer use is declining, I’d assume. With twtxt being a niche for more computer-affine folks, I’d reckon this threat is not that high up the list. On the other hand, you want to bring yarnd to the average non-nerd user, so this threat might actually rank as more important.

It’s probably okay and safe enough to remove “remember me” entirely and just issue a long-lived session cookie and be done with that. Optionally, power users or the administrator could benefit from configurable cookie lifetime(s).

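The separate long-lived login cookie described in the post above, as an added Go example (not yarnd’s code or anything from the thread): it implements the series/token scheme from the linked Jaspan article, where each “remember me” cookie carries a series id plus a one-use token that is rotated on every use, and a known series presented with a stale token is treated as a copied cookie, revoking every series of that user. The names Store, series, Issue and Redeem are chosen here; the in-memory map stands in for a database table.

```go
package main
import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"strings"
)
// series: one "remember me" login; only a hash of the current token is stored.
type series struct {
	user      string
	tokenHash [32]byte
}
// Store maps series id -> series (in-memory, unlocked: kept short for the example).
type Store map[string]*series
var ErrInvalid = errors.New("unknown or malformed remember-me cookie")
var ErrTheft = errors.New("stale token for a known series: user's series revoked")
func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}
// Issue starts a new series at password login; the cookie value is "series:token".
func (s Store) Issue(user string) string {
	id, tok := randomHex(16), randomHex(32)
	s[id] = &series{user: user, tokenHash: sha256.Sum256([]byte(tok))}
	return id + ":" + tok
}
// Redeem validates a cookie and rotates its token; a stale token on a known series was already used elsewhere, so every series of that user is revoked.
func (s Store) Redeem(cookie string) (user, next string, err error) {
	id, tok, ok := strings.Cut(cookie, ":")
	rec, found := s[id]
	if !ok || !found {
		return "", "", ErrInvalid
	}
	if h := sha256.Sum256([]byte(tok)); subtle.ConstantTimeCompare(h[:], rec.tokenHash[:]) != 1 {
		for k, r := range s {
			if r.user == rec.user {
				delete(s, k)
			}
		}
		return rec.user, "", ErrTheft
	}
	newTok := randomHex(32)
	rec.tokenHash = sha256.Sum256([]byte(newTok))
	return rec.user, id + ":" + newTok, nil
}
```

The short-lived session cookie stays separate: Redeem only tells the application who the cookie belongs to, and the application then starts a normal session for that user.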