Fix login problems for Safari 13.1 users

If you’re running macOS and you recently upgraded your OS, you likely got a new version of Safari: version 13.1. This version of Safari included a very subtle change that made it impossible for users to log into Shmeppy, oh no!

I’ve fixed the issue, so Safari 13.1 users can now log into Shmeppy.

Special thanks to lostbodhisattva on Discord who was able to isolate the version of Safari that was having problems.

What was wrong?

This is fairly technical, but I’ll take a whack at explaining it. Shmeppy stores your session ID in local storage.

  • A session ID is a massive and unique number that your browser sends to Shmeppy’s servers whenever your browser needs to claim to be you. It’s very similar to a PIN, except far more secure.
  • Local storage is a database that your browser maintains on your computer. It’s shared between all your browser tabs that are on Shmeppy.com. Shmeppy’s client-side JavaScript can access this database.

Imagine you’re logged in and you have two tabs open, both on Shmeppy.com. If you try to log out in one of those tabs, most websites would leave you logged in on the other tab (though you might get errors if you tried to do anything because your session ID would be revoked).

Shmeppy tries to be a little smarter in this situation, and will log you out of both tabs immediately. It does this by “listening for change alerts” to local storage, which basically means that Shmeppy’s client-side JavaScript has asked your browser to say something if local storage changes.

This code was faulty: if the browser ever alerted Shmeppy’s client-side JavaScript that something had changed, it would log you out. This wasn’t a problem before because (mostly) the only time these change alerts would happen is when you logged out in another tab.

But Safari 13.1 now alerts Shmeppy’s client-side JavaScript when any changes happen, even changes that it just made itself. So you’d log in, your session ID would get saved in local storage, your browser would alert Shmeppy’s client-side JavaScript to the change, and you’d be immediately logged out. Whoops!
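To make the bug concrete, here is an added example (not Shmeppy’s actual code) of a change-alert handler that logs out on every alert, next to one that only logs out when the alert says the session ID is gone. The key name `sessionId`, the function names and the shape of the fix are assumptions; the post does not say how the fix was implemented.

```javascript
// Hypothetical key name; the post does not say what Shmeppy calls it.
const SESSION_KEY = "sessionId";

// The "before": every change alert is treated as a logout in another tab.
function faultyShouldLogOut(event) {
  return true;
}

// Hardened: inspect the alert and log out only if the session ID was removed.
function shouldLogOut(event) {
  // key === null is how a StorageEvent reports localStorage.clear():
  // everything, including the session ID, is gone.
  if (event.key === null) return true;
  // Alerts about unrelated keys are not a logout.
  if (event.key !== SESSION_KEY) return false;
  // A session ID being written (a login, including the same-tab alert
  // described above) has a non-null newValue: stay logged in.
  return event.newValue === null;
}

// Constructed sample alerts carrying the StorageEvent fields used above.
const loginInThisTab = { key: SESSION_KEY, oldValue: null, newValue: "constructed-id-1" };
const logoutInOtherTab = { key: SESSION_KEY, oldValue: "constructed-id-1", newValue: null };
const unrelatedChange = { key: "theme", oldValue: "light", newValue: "dark" };
const storageCleared = { key: null, oldValue: null, newValue: null };

// Browser wiring; skipped outside a browser so the file also runs under Node.
if (typeof window !== "undefined") {
  window.addEventListener("storage", (event) => {
    if (event.storageArea === window.localStorage && shouldLogOut(event)) {
      // Call the application's own logout routine here (not shown in the post).
    }
  });
}
```

Because the decision depends only on the content of the alert, it gives the same answer whether or not the browser also delivers alerts to the tab that made the change.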