←back to thread

Windows NT on 600MHz machine opens apps instantly. What happened?

(twitter.com)
752 points dceddia | 9 comments | 23 Jun 23 14:02 UTC | HN request time: 0.237s | source | bottom
Show context
verall ◴[23 Jun 23 14:36 UTC] No.36447353[source]
A lot of people are bringing up Wirth's law or other things, but I want to get more specific.

Has anyone else noticed how bad sign-on redirect flows have gotten in the past ~5 years?

It used to be you clicked sign in, and then you were redirected to a login page. Now I typically see my browser go through 4+ redirects, stuck at a white screen for 10-60 seconds.

I'm a systems C++ developer and I know nothing about webdev. Can someone _please_ fill me in on what's going on here and how every single website has this new slowness?

replies(16): >>36447462 #>>36447463 #>>36447473 #>>36447749 #>>36447944 #>>36448057 #>>36448342 #>>36448778 #>>36448926 #>>36448930 #>>36449089 #>>36449478 #>>36450517 #>>36450908 #>>36453785 #>>36460900 #
1. pdntspa ◴[23 Jun 23 14:43 UTC] No.36447473[source]
It's SSO, which communicates via tons and tons of redirects
replies(3): >>36447653 #>>36447860 #>>36448076 #
2. reaperducer ◴[23 Jun 23 14:54 UTC] No.36447653[source]
It's SSO, which communicates via tons and tons of redirects

Not always. AT&T goes through about 25 redirects to sign in. No SSO involved.

replies(2): >>36447829 #>>36448717 #
3. pdntspa ◴[23 Jun 23 15:05 UTC] No.36447829[source]
Are you sure?
4. Nextgrid ◴[23 Jun 23 15:07 UTC] No.36447860[source]
That's not really an excuse - you really only need 3 page loads:

* initial page provided by the service you're logging into - this gets your email address so it can lookup your account and determine which SSO provider to redirect to

* actual login page served by your SSO provider - here you authenticate to the SSO provider. It can occasionally cause another page load to get your 2FA code if configured, or go through further identity checks

* final "page" that consumes the query parameters sent back by the SSO provider - this is often just a 302 redirect to the home page but sets a session cookie.

The main problem is that all these pages are super bloated, with tons of unnecessary JS and BS. All the code for login page that takes a username and password should be able to fit entirely on an A4 sheet of paper - it's literally just an HTML form and a few lines of CSS.

Furthermore, even beyond inter-company SSO, there are shitty companies out there which use such flows internally even though everything is part of the same security domain, hosted on the same infrastructure and thus can be hosted on the same top-level domain and use a single session cookie. Microsoft is a pretty bad one - Teams for example will use a redirect to some other Microsoft-owned domain to get your (already existing) Office 365 session; this is completely unnecessary, they can host all those things on the same top-level domain and reuse a single session cookie seamlessly.

replies(1): >>36451085 #
5. JohnFen ◴[23 Jun 23 15:20 UTC] No.36448076[source]
I never use SSO mechanisms, but I see this same problem.
replies(1): >>36449540 #
6. nullindividual ◴[23 Jun 23 16:01 UTC] No.36448717[source]
It's SSO behind the scenes between services within ATTs environment. It's just not "SSO" to you, the end user.
7. Peanuts99 ◴[23 Jun 23 17:03 UTC] No.36449540[source]
The app still needs to check if your email is using SSO or is federated. And even then some apps use internal SSO to tie different systems together.
8. Sohcahtoa82 ◴[23 Jun 23 19:20 UTC] No.36451085[source]
This is the correct answer.

If anyone thinks you need more redirects than this, I'd really like to know what more you think is necessary.

replies(1): >>36453318 #
9. phist_mcgee ◴[23 Jun 23 22:53 UTC] No.36453318{3}[source]
Because we never decommissioned the old auth server fully and we have to serve some of the page on a separate domain. Oh and the landing page URI has changed. Also we need to send you to a certain locale. And on and on..