AT&T Community Forums
New Member

2 Messages

Fri, Jan 24, 2020 5:58 AM

BUG: Unable to login to att.com using Safari with Prevent cross-site tracking enabled

There appears to be a design flaw with the login architecture of att.com. I am unable to log in with Safari when "Prevent cross-site tracking" is enabled. Similarly, I'm unable to log in via Chrome or Firefox when 3rd-party cookies are blocked. I have to either disable those settings (not suggested) or make an exception for att.com (which only works in Chrome and Firefox and is an inconvenient step that most users wouldn't know how to do).

Most likely this is because the att.com identity server is issuing a cookie under a different domain (good practice) and the att.com site that relies on the identity server is trying to read that same cookie from a different domain (bad practice).

If I'm correct, the issue stems from a fundamental flaw in the login design. Those of us who care about proper browser and internet security will be very frustrated with this. 99% of all cross-domain cookie usage is for unsolicited tracking. In this day and age where security and privacy are paramount, more and more people are, and should be, opting to restrict 3rd-party cookies. Browser developers themselves are starting to enable these protections as the default. This kind of design may have been common in the past but is simply not acceptable now.

Best practice now would be to keep each site's cookies in separate domains and avoid reading any cookies across domains on a page. Instead, use a process like OpenID Connect (based on OAuth2) to generate tokens to hydrate the client (relying party) cookies.

If there are any att.com devs reading this, please let me know if my assumptions above about the site's design are correct and if there might be an initiative to fix it. Alternatively, if it is due to something else, please let me know that too. If other users can confirm this behavior, that would be nice too just to make sure I'm not crazy. :-)
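An added example, not part of the original post and not AT&T's code: a small model of a browser cookie jar that contrasts the cross-site cookie read the post suspects with the redirect-and-code-exchange pattern it recommends. The hostnames, cookie names and endpoint functions are constructed placeholders, "same site" is simplified to the last two host labels, and the OpenID Connect flow is reduced to its cookie-relevant steps.

```javascript
// Constructed model: hostnames, cookie names and endpoints are placeholders.
const site = (host) => host.split(".").slice(-2).join("."); // simplification of "same site"
class Browser {
  constructor(blockThirdParty) {
    this.blockThirdParty = blockThirdParty;
    this.jar = new Map(); // host -> { cookieName: value }
  }
  // A request to `host` made while `topHost` is the page in the address bar.
  request(host, topHost, handler) {
    const blocked = this.blockThirdParty && site(host) !== site(topHost);
    const stored = this.jar.get(host) || {};
    const res = handler(blocked ? {} : { ...stored });
    if (!blocked && res.setCookie) this.jar.set(host, { ...stored, ...res.setCookie });
    return res;
  }
}

const IDP = "login.idp.test", RP = "www.shop.test";
const codes = new Map(); // one-time codes issued by the identity provider

const idpSignIn = () => ({ setCookie: { idp_session: "alice" } });
const idpWhoAmI = (c) => ({ user: c.idp_session || null });
const idpAuthorize = (c) => {
  if (!c.idp_session) return { code: null };
  const code = "code-" + (codes.size + 1);
  codes.set(code, c.idp_session);
  return { code };
};
// Back-channel (server to server) redemption; no browser cookies involved.
const idpRedeem = (code) => {
  const user = codes.get(code) || null;
  codes.delete(code);
  return user;
};

// Design the post suspects: relying-party page reads the IdP cookie cross-site.
function crossSiteLogin(browser) {
  browser.request(IDP, IDP, idpSignIn);
  return browser.request(IDP, RP, idpWhoAmI).user;
}

// Design the post recommends: top-level redirect, code exchange, first-party cookie.
function redirectLogin(browser) {
  browser.request(IDP, IDP, idpSignIn);
  const { code } = browser.request(IDP, IDP, idpAuthorize);
  const user = idpRedeem(code);
  browser.request(RP, RP, () => ({ setCookie: { rp_session: user } }));
  return browser.request(RP, RP, (c) => ({ user: c.rp_session || null })).user;
}
```

With third-party cookies blocked, `crossSiteLogin` returns no user while `redirectLogin` still signs the user in, because every cookie in that flow is read in a first-party context.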

Responses

lizdance40

ACE - Sage

78.4K Messages

9 months ago

This is a customer-populated forum, not AT&T. And certainly not how or where you will get AT&T to change their website.

🐾 I don’t work for AT&T or any carrier. Never have, never will. My replies are based on experience and reading content available on the website. If you posted personal information, please edit and remove.

Award for Community Excellence 2020 Achiever*
*I am not an AT&T employee, and the views and opinions expressed on this forum are purely my own. Any product claim, statistic, quote, or other representation about a product or service should be verified with the manufacturer, provider, or party.

New Member

2 Messages

Thanks @lizdance40. That's what I was afraid of.

I chatted with att support for a long time last night describing the issue. They were able to confirm there are "intermittent" issues with logins but they could not confirm my assumption about the underlying cause. That didn't surprise me too much because most users that call and complain about logins wouldn't be able to articulate the issue well enough to give support a full picture of the problem. And, most support employees aren't tech-savvy enough to know how the sites work.

As a dev, I know how valuable it is to have a tech-savvy user that can explain issues in detail. So, I offered to speak directly with the developers to show them the issues and suggest a couple of fixes.

At the time, I was speaking to a support supervisor. She eventually told me that she honestly didn't know how to reach out to the development teams. I was pretty disappointed by this. I know that att is a large company and will therefore have a lot of bureaucracy but I've never worked at a company that didn't have a defined process for escalating a support call into a bug or feature request and a way to route it to the appropriate development team.

She then told me that I should try posting my issue here. Being skeptical I asked repeatedly if this was monitored by att development teams. She assured me it was. I was still skeptical but I thought I'd try. Ugh.

If devs aren't going to monitor these threads and support says they have no way to report a bug, do you know of any way that I can make them aware of the issues? I feel like every time I log in, I experience a bug in their website.

lizdance40

ACE - Sage

78.4K Messages

Most of AT&T support does not even know the community Forum exists, and if they know, they don't know what it does. So no surprise.

And unfortunately other than calling and speaking with tech support I have no idea how or who to direct your problem.
