Detailed Description:
* Problem:
Currently I am updating some CMSMS v1 sites to CMSMS v2 with SSL (https://).
On one site running CMSMS v2.1.6 I ran into problems logging in to the /admin
area.
The first login attempt succeeds but is redirected back to
https://hostname.tld/admin/login.php
Forum reference: https://forum.cmsmadesimple.org/viewtopic.php?f=8&t=75734
* Investigation:
Verifying all my config.php settings and the Apache/2.4.7 (Ubuntu) + Let's
Encrypt SSL server configuration, I did not find anything uncommon or strange.
On another CMSMS v2.1.5 site with the exact same settings the /admin login
works as expected. After a successful login the user is redirected to:
/admin/index.php?_sk_=XXc4bXXXaXXXXeXe
The CMSMS 2.1.5 site is an e-commerce website with all the common CMSMS +
CGEcommerce modules.
The CMSMS 2.1.6 site runs vanilla CMSMS with some LISE instances.
Looking at the HTTP headers from the 2.1.6 site, where I have to log in twice,
I see that the cookies and session information are stored OK on the first attempt:
Request URL:https://hostname.tld/admin/login.php
Request Method:POST
Status Code:302 Found
Location:https://hostname.tld/admin/login.php
Pragma:no-cache
Server:Apache/2.4.7 (Ubuntu)
Set-Cookie:_sk_=XXc4bXXXaXXXXeXe; path=/; domain=hostname.tld; secure; httponly
Set-Cookie:cms_passhash=XXc4bXXXaXXXXeXeXXc4bXXXaXXXXeXeXXc4bXXXaXXXXeXe; path=/; domain=hostname.tld; secure; httponly
Set-Cookie:cms_admin_user_id=1; path=/; domain=hostname.tld; secure; httponly
* Unfriendly solution:
After the first login the end user can type in https://hostname.tld/admin/ in
the browser to start working with the CMS.
Or he/she has to log in a second time with the same credentials.
Ad 1) The News module is set as the homepage on: My Preferences -> My Account ->
[User Preferences] : Homepage
After the second login I see this:
https://hostname.tld/admin/moduleinterface.php?mact=News,m1_,defaultadmin,0&_CMSKEY_=XXXXXXXXXXXXXXXX&_sk_=c3bc86b6527b2a00
!! The login is correct but has a weird CMSKEY: "CMSKEY_=XXXXXXXXXXXXXXXX"
* My config.php settings:
$config['url_rewriting'] = 'mod_rewrite';
$config['page_extension'] = '/';
$config['root_url'] = 'https://hostname.tld';
$config['admin_url'] = 'https://hostname.tld/admin';
* A temporary tweak:
To help my end user avoid the double login hassle, I tweaked login.php a
tiny bit, like this:
#$Id: login.php 10858 2016-10-03 17:03:35Z calguy1000 $

// attempt to redirect to the originally requested page
$tmp = $_SESSION["redirect_url"];
unset($_SESSION["redirect_url"]);

if( strstr($tmp,CMS_SECURE_PARAM_NAME.'=') !== FALSE ) {
    $the_url = new cms_url($tmp);
    $the_url->set_queryvar(CMS_SECURE_PARAM_NAME,$_SESSION[CMS_USER_KEY]);
    $tmp = (string)$the_url;
}

if( !strstr($tmp,'.php') || endswith($tmp,'/') ) {
    // force the url to go to index.php
    $tmp = $config['admin_url'].'/index.php?'.CMS_SECURE_PARAM_NAME.'='.$_SESSION[CMS_USER_KEY];
}

//redirect($tmp);
redirect($config['admin_url']);
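
A diagnostic for captures like the one in the report above, added here as an example; it is not part of the original report or of CMSMS. It parses one captured response to the login POST and flags a redirect back to the login page, a `Location` without the `_sk_` value set in the cookie, and session cookies lacking `secure`/`httponly`. The function names and sample values are assumptions; the cookie names come from the capture, and the expectation that the redirect carries `_sk_` is taken from the working 2.1.5 redirect quoted in the report.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample modelled on the capture in the report; values are placeholders.
SAMPLE = """\
Request URL: https://hostname.tld/admin/login.php
Status Code: 302 Found
Location: https://hostname.tld/admin/login.php
Set-Cookie: _sk_=EXAMPLEKEY0000; path=/; domain=hostname.tld; secure; httponly
Set-Cookie: cms_passhash=EXAMPLEHASH; path=/; domain=hostname.tld; secure; httponly
Set-Cookie: cms_admin_user_id=1; path=/; domain=hostname.tld; secure; httponly
"""
SESSION_COOKIES = {"_sk_", "cms_passhash", "cms_admin_user_id"}  # names from the capture

def parse_capture(text):
    """Return (fields, cookies); cookies maps name -> (value, lower-cased attribute names)."""
    fields, cookies = {}, {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            pair, *attrs = [p.strip() for p in value.split(";")]
            cname, _, cval = pair.partition("=")
            cookies[cname] = (cval, {a.split("=")[0].lower() for a in attrs if a})
        else:
            fields[name] = value
    return fields, cookies

def diagnose(text):
    """List findings for one captured response to the login POST."""
    fields, cookies = parse_capture(text)
    findings = []
    req, loc = urlsplit(fields.get("request url", "")), urlsplit(fields.get("location", ""))
    # Assumption: all three cookies being set means the credentials were accepted.
    if SESSION_COOKIES <= set(cookies) and fields.get("status code", "").startswith("302"):
        if loc.path == req.path:
            findings.append("self-redirect")
        if parse_qs(loc.query).get("_sk_", [None])[0] != cookies["_sk_"][0]:
            findings.append("sk-missing-or-mismatch")
    for name in sorted(SESSION_COOKIES & set(cookies)):
        missing = {"secure", "httponly"} - cookies[name][1]
        if missing:
            findings.append(f"{name}: missing {','.join(sorted(missing))}")
    return findings

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```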