Bug #34938
Logout after login
| Status: | Resolved | Start date: | 2012-03-16 |
|---|---|---|---|
| Priority: | Must have | Due date: | |
| Assignee: | Michael Stucki | % Done: | 100% |
| Category: | [FOR] Login | | |
| Target version: | Public Beta | | |
| Votes: | 0 | | |
Description
Hey Felix,
we still have the error that you get logged out after login. It is very difficult to reproduce because it happens very seldom. But Frederic Gaus told me that it always happens during the Get-Listed process for here: http://preview.typo3.org/support/professional-services/get-listed/?no_cache=1
That's why we couldn't send out the mailing for the agency listing yet. This is a blocker for the launch :-(
Please try to have a look into that. You can always contact Frederic if you have further questions.
Cheers
Joern
Related issues
| related to The typo3.org project - Task #29914: Make Login work without RSA - prepare for varnish | Resolved | 2011-09-17 |
| related to The typo3.org project - Bug #30089: Login broken | Closed | 2011-09-20 |
| related to The typo3.org project - Bug #35467: Login does not work if the page is requested by https | Closed | 2012-04-01 |
History
Updated by Felix Kopp about 1 year ago
I can not debug this adequately.
Anyone can support?
http://forge.typo3.org/issues/34938
http://forge.typo3.org/issues/29914
http://forge.typo3.org/issues/30089
Updated by Helmut Hummel about 1 year ago
OK, I found the reason for that.
If you log in on the current typo3.org a fe_typo_user cookie is set for domain ".typo3.org"
If you log in on preview.typo3.org the fe_typo_user cookie is set for domain "preview.typo3.org"
Now the browsers send both cookies and it depends on the browser which one is sent first. So it can happen that the session id issued for typo3.org is evaluated on preview.typo3.org -> logout
Easiest way to fix this is to set cookieDomain for preview.typo3.org so that the cookie domain will also be ".typo3.org", overwriting whatever has been set on the other website.
Updated by Felix Kopp about 1 year ago
GREAT catch!!
Would have never looked at the current website, thank you very much, Helmut!
Updated by Felix Kopp about 1 year ago
- Status changed from New to Under Review
Updated by Nikola Stojiljković about 1 year ago
- Assignee changed from Felix Kopp to Nikola Stojiljković
I will investigate this one further today as I'm on the login/registration features...
Updated by Nikola Stojiljković about 1 year ago
As Joerg Winkler pointed out to me, this bug is still present.
Updated by Nikola Stojiljković about 1 year ago
- Status changed from Under Review to Accepted
Updated by Helmut Hummel about 1 year ago
Is the problem still present when all cookies are cleared before logging in to preview?
Be aware that in Safari you have to clear cookies and after that quit Safari to really delete the cookies.
Updated by Nikola Stojiljković about 1 year ago
Helmut Hummel wrote:
Is the problem still present when all cookies are cleared before logging in to preview? Be aware that in Safari you have to clear cookies and after that quit Safari to really delete the cookies.
Yes, still present after clearing the cookies. We need to test this in the later stage when we update our hosts file for the final deployment testing.
I can confirm though that this indeed is a problem with the cookie domain, doesn't happen on my local machine where I use domain name t3org.dev.
Also, doesn't seem like a varnish problem as the user stays logged in as long as he browses only the preview.typo3.org (without going to shop.typo3.org or typo3.org).
Updated by Helmut Hummel about 1 year ago
Nikola Stojiljković wrote:
Helmut Hummel wrote:
Is the problem still present when all cookies are cleared before logging in to preview? Be aware that in Safari you have to clear cookies and after that quit Safari to really delete the cookies.
Also, doesn't seem like a varnish problem as the user stays logged in as long as he browses only the preview.typo3.org (without going to shop.typo3.org or typo3.org).
Well if you clear cookies and then visit typo3.org then obviously the problem is back again.
Updated by Helmut Hummel about 1 year ago
Setting
$TYPO3_CONF_VARS['FE']['cookieDomain'] = '.typo3.org';
on preview.typo3.org will solve this issue. Can you try this?
Updated by Nikola Stojiljković about 1 year ago
Helmut Hummel wrote:
Setting
[...]
on preview.typo3.org will solve this issue. Can you try this?
Yes, was about to try exactly that one after lunch :)
Updated by Helmut Hummel about 1 year ago
Nikola Stojiljković wrote:
on preview.typo3.org will solve this issue. Can you try this?
Yes, was about to try exactly that one after lunch :)
Bon Appetit ;)
To be precise: It will work in that way that if you log in on preview.typo3.org, you will be logged out from typo3.org or shop.typo3.org and vice versa.
Updated by Helmut Hummel about 1 year ago
Can you please also have a look at #35467
Thanks.
Updated by Nikola Stojiljković about 1 year ago
- % Done changed from 0 to 100
Helmut Hummel wrote:
Bon Appetit ;)
Thanks :)
To be precise: It will work in that way that if you log in on preview.typo3.org, you will be logged out from typo3.org or shop.typo3.org and vice versa.
Exactly. I set the cookieDomain in the localconf.php, should be online in the next build. Verified by playing with the hosts file locally, did fix the problem.
Updated by Nikola Stojiljković about 1 year ago
- Status changed from Accepted to Under Review
Updated by Nikola Stojiljković about 1 year ago
- Assignee changed from Nikola Stojiljković to Jörg Winkler
Updated by Joern Bock about 1 year ago
- Target version changed from 1197 to Public Beta
Updated by Joern Bock about 1 year ago
- Status changed from Under Review to Closed
Updated by Michael Stucki about 1 year ago
- Status changed from Closed to Needs Feedback
- Assignee changed from Jörg Winkler to Nikola Stojiljković
This problem is not fixed.
IMHO we need to revert the change r2193 because it will also affect other sites that have their own fe_users: http://shop.typo3.org/ etc.
Please remove the line, we're only using one domain for this site.
Updated by Michael Stucki about 1 year ago
Some more background on this:
The same change was also in the localconf.php of association.typo3.org. So both have overwritten each other with a global fe_typo_user cookie, and therefore the latter is now still breaking due to this change.
What we need to do for a proper fix is to make sure that every site sets the cookie only for its own domain (thus, no cookieDomain must be set at all).
Updated by Nikola Stojiljković about 1 year ago
- Assignee changed from Nikola Stojiljković to Michael Stucki
I see that shop.typo3.org and association.typo3.org no longer set cookies on typo3.org domain. The problem was that visiting shop.typo3.org from preview.typo3.org overwrote the FE user cookie from preview.typo3.org. So, it is indeed fine now to remove this line (which I just did). This change will be online as soon as the next build is executed.
But in order to properly fix this we need to do:
- short-term: rename the fe_typo_user cookie to something else on these domains (core patch or XCLASSing extension would be needed for this) so they don't collide anymore,
- long-term: implement centralized user DB with SSO
Updated by Michael Stucki about 1 year ago
- Status changed from Needs Feedback to Resolved
Thanks Nikola!
I have updated the localconf.php (manually for now).
Additionally, I have fixed the issue on association.typo3.org by changing the cookie name (needs a core change, but works fine).
Therefore, this case is now closed. Thank you!
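The cookie collision Helmut Hummel diagnosed and the two fixes tried in this thread, replayed as an added example (not code from the thread or from TYPO3) on a simplified RFC 6265 cookie jar that ignores path, expiry and flags. The session values, the renamed cookie `fe_typo_user_preview` and the rule that the server evaluates the first value it receives for a name are assumptions made for the illustration.

```python
# Added illustration: simplified RFC 6265 cookie jar (path, expiry, flags ignored).
# Session values LIVE/PREVIEW and the renamed cookie name are constructed.

def domain_match(host, domain):
    return host == domain or host.endswith("." + domain)

class Jar:
    def __init__(self):
        self.store = {}  # (name, domain) -> (value, host_only), insertion-ordered

    def set_cookie(self, host, name, value, cookie_domain=None):
        # No Domain attribute -> host-only cookie bound to the setting host.
        domain = (cookie_domain or host).lstrip(".")
        if not domain_match(host, domain):
            return  # a host may only set cookies for itself or a parent domain
        self.store[(name, domain)] = (value, cookie_domain is None)

    def cookie_header(self, host):
        # Every matching cookie is sent; the domain that scoped it is not.
        return [(name, value)
                for (name, domain), (value, host_only) in self.store.items()
                if (host == domain if host_only else domain_match(host, domain))]

def session_id(header, name="fe_typo_user"):
    # Assumption: the server evaluates the first value it sees for the name.
    return next((v for n, v in header if n == name), None)

def original_setup():
    # Live site sets a domain-wide cookie, preview sets a host-only one.
    jar = Jar()
    jar.set_cookie("typo3.org", "fe_typo_user", "LIVE", ".typo3.org")
    jar.set_cookie("preview.typo3.org", "fe_typo_user", "PREVIEW")
    return jar.cookie_header("preview.typo3.org")

def shared_cookie_domain():
    # cookieDomain = '.typo3.org' on preview: one slot shared by every site.
    jar = Jar()
    jar.set_cookie("typo3.org", "fe_typo_user", "LIVE", ".typo3.org")
    jar.set_cookie("preview.typo3.org", "fe_typo_user", "PREVIEW", ".typo3.org")
    return jar.cookie_header("preview.typo3.org"), jar.cookie_header("typo3.org")

def renamed_cookie():
    # Distinct cookie name on preview (hypothetical name): no collision.
    jar = Jar()
    jar.set_cookie("typo3.org", "fe_typo_user", "LIVE", ".typo3.org")
    jar.set_cookie("preview.typo3.org", "fe_typo_user_preview", "PREVIEW")
    return jar.cookie_header("preview.typo3.org")
```

In the original setup preview.typo3.org receives two `fe_typo_user` values and cannot tell which one it issued; with the shared cookie domain only one value survives, so each site's login replaces the other's session.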