cannot re login to G2b4

lamkacheong

Joined: 2005-06-26
Posts: 15
Posted: Sat, 2005-07-30 06:10

problem: I can only log in ONCE.

details:
After I have logged in from Gallery2 b4, I cannot log in again. After submitting the username and password, it brings me to the first page of the gallery2 with "log in" button still on the right upper corner.

But if I clear the cookies, I can log in again.

Also, if I set the Gallery2 into 'immediate' or 'buffer' debug mode, I will also be able to log in (but not for 'logged' debug mode).

In the 'immediate' and 'buffer' debug mode, it won't redirect me to the Gallery2 main page automatically; I need to click to the main page manually. I suspect the problem is that there is not enough time to update the cookies.

If this is really the problem, what can I do?
How can I make sure that the cookie is written properly before being redirected to the logged in main page?

Or is it another problem?

----
Gallery version: G2b4
Webserver (with version): IIS 5
Database (with version): Mysql 4.0.13
PHP version (eg 4.2.1): 4.3
phpinfo URL (optional):
Graphics Toolkit(s): gd 2.0.15
Operating system: Win NT
Web browser/version: IE 6

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Sat, 2005-07-30 10:26

it's a webserver issue. a very strange one.

when logging out, g2 should send you a new GALLERYSID (the value should change) with the cookie headers.
when logging in, g2 should also change the GALLERYSID.
none of this happens with your G2 / iis5 server.

facts:
1. browse to your site, got a new guest session / cookie
2. logging in, HTTP 302: no set-cookie header, but location has new GALLERYSID in url
3. HTTP 200 response, logged in, set-cookie header with SID from last location parameter
4. click logout, HTTP 302 has no set-cookie header, and url has no GALLERYSID
5. HTTP 200 response , not logged in, no set-cookie header, GALLERYSID didn't change
-> session on server was deleted in logout controller request, but browser has still old GALLERYSID
6. click login, HTTP 302 has no set-cookie header, and url has no GALLERYSID
7. HTTP 200 response, not logged in, no set-cookie header
-> NOT logged in. we have still the sid from step 3.

how it should be (my server):
generally: HTTP 302 responses should have a set-cookie header, period.

I have found the following IIS bug:
http://support.microsoft.com/kb/q176113/

it applies to IIS 3, 4, and 5. It's fixed in IIS 6.

In short: IIS 5 ignores all other headers when the Location header (redirect) is set.

What can we do?
a) nothing. ignore the bug and require IIS 6, i.e. say that G2 is incompatible with IIS 5 because of this IIS 5 bug.

b) add the GALLERYSID param to all Location URLs

c) try to detect IIS v < 6, add GALLERYSID param to all Location URLs of IIS < 6

d) GallerySession change such that it creates a new GALLERYSID when we receive a sessionId that doesn't exist in our g2data/session dir.
what could / should be changed:
- function isSessionValid: returns true if there's no session for the sessionId. shouldn't it return false in this case? the problem is that if it is set to true, it will create new session data, but not change the sessionId. the new session data has the correct remoteIdentifier, thus no cookie will be sent back.
if isSessionValid() would return false, then it would create a new session / sessionId in the case of this IIS 5 bug.
case logout: worked before, will still work. and it will create a new session / sessionId (reset)
case login: won't work. the browser will still send the wrong sid in the redirect because it did not receive the new SID.

-> changing function isSessionValid() is good, but it won't solve the IIS 5 bug.

-> we need to append the GALLERYSID to location URLs if we're running on IIS 5.
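Added example (not part of the thread and not Gallery 2 code): the seven observed steps above replayed against a one-cookie browser model, flagging redirects that carry no Set-Cookie and login/logout transitions after which the browser still holds its old GALLERYSID. The traces and the `sid-A`/`sid-B`/`sid-C` values are constructed for illustration.

```python
# Constructed trace mirroring the seven numbered facts in the post above.
# Fields: step, action, HTTP status, SID in Set-Cookie, SID in Location URL, logged in?
OBSERVED = [
    (1, "browse", 200, "sid-A", None, False),
    (2, "login", 302, None, "sid-B", None),
    (3, "follow", 200, "sid-B", None, True),
    (4, "logout", 302, None, None, None),
    (5, "follow", 200, None, None, False),
    (6, "login", 302, None, None, None),
    (7, "follow", 200, None, None, False),
]
# Constructed trace for a server that sends Set-Cookie on every 302.
EXPECTED = [
    (1, "browse", 200, "sid-A", None, False),
    (2, "login", 302, "sid-B", None, None),
    (3, "follow", 200, None, None, True),
    (4, "logout", 302, "sid-C", None, None),
    (5, "follow", 200, None, None, False),
]

def audit(trace):
    """Replay a trace against a one-cookie browser model; return (step, finding) pairs."""
    findings = []
    browser_sid = None   # GALLERYSID the browser would send next
    pending = None       # (action, SID held when login/logout was requested)
    for step, action, status, set_cookie, location_sid, logged_in in trace:
        if action in ("login", "logout"):
            pending = (action, browser_sid)
        if status == 302 and set_cookie is None:
            how = "SID only in Location URL" if location_sid else "no SID at all"
            findings.append((step, f"302 without Set-Cookie: {how}"))
        if set_cookie is not None:
            browser_sid = set_cookie
        if status == 200 and pending is not None:
            prev_action, sid_before = pending
            if browser_sid == sid_before:
                findings.append((step, f"GALLERYSID not rotated after {prev_action}"))
            if prev_action == "login" and not logged_in:
                findings.append((step, "login did not take effect"))
            pending = None
    return findings

if __name__ == "__main__":
    for step, finding in audit(OBSERVED):
        print(f"step {step}: {finding}")
```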

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Sat, 2005-07-30 13:07
 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Sat, 2005-07-30 22:06

lamkacheong, i have no IIS server to test, but i have a fix.

could you replace your main.php with the one from here: http://dev.nei.ch/main.php.tar.gz
please ?

it should fix your problem. please report if it works.

edit: the forum software altered html characters in the code...

 
lamkacheong

Joined: 2005-06-26
Posts: 15
Posted: Sun, 2005-07-31 06:04

valiant, I have done so, but the problem cannot be fixed.

 
lamkacheong

Joined: 2005-06-26
Posts: 15
Posted: Fri, 2008-02-15 15:54

I should state clearly the current condition:
now I found that actually the code works partially.
If I try to login immediately after having logged out, I cannot login again.
But if I leave the whole site, and reenter the site with a clean url, and then login, I can.

I think it is the problem of the login icon link. After logging out, maybe the login link has a lengthy parameter string which has some problem.

1. redirected url if I don't leave the site first:
http://XXXX/gallery2/main.php?g2_view=core.ShowItem&%3Bg2_navId=x03203248&g2_GALLERYSID=1d18976d179b4de74984d3b31ca677c2&g2_fromNavId=xd1559ce4

2. redirected url if I leave the site first:
http://XXXX/gallery2/main.php?g2_fromNavId=x5a44352b&g2_GALLERYSID=536486a31bb714afc936111b3b4ddbf9

if you expand link 1, you will see some substrings "&%3B", I think this is the problem

And I have added these two lines, now the problem seems to be really solved.

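// strip leftover HTML-entity fragments ("amp;" and its URL-encoded form "amp%3B") from the redirect URL
$redirectUrl = str_replace('amp;', '', $redirectUrl);
$redirectUrl = str_replace('amp%3B', '', $redirectUrl);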
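Added example (not from the thread or from Gallery 2): a check that lists the query parameters in a redirect URL whose names carry the entity residue described above, and a rewrite that collapses the residue only at parameter separators, so a value that merely contains the text `amp%3B` is left alone. `URL_C` and its `g2_note` parameter are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# "&amp;" or its percent-encoded forms ("&amp%3B", "&%3B") at a parameter boundary.
_RESIDUE = re.compile(r"&(?:amp)?(?:;|%3B)", re.IGNORECASE)

def mangled_params(url):
    """Return parameter names that carry entity residue (';name' or 'amp;name')."""
    pairs = [p for p in urlsplit(url).query.split("&") if p]
    names = [unquote(p.split("=", 1)[0]) for p in pairs]
    return [n for n in names if n.startswith((";", "amp;"))]

def clean_redirect(url):
    """Collapse entity residue to a plain '&', touching only parameter separators."""
    return _RESIDUE.sub("&", url)

# URL 1 from the post above (host left as XXXX, as posted).
URL_1 = ("http://XXXX/gallery2/main.php?g2_view=core.ShowItem&%3Bg2_navId=x03203248"
         "&g2_GALLERYSID=1d18976d179b4de74984d3b31ca677c2&g2_fromNavId=xd1559ce4")
# Constructed URL: "&amp;" separator plus a value that legitimately contains "amp%3B".
URL_C = "main.php?g2_view=core.ShowItem&amp;g2_note=lamp%3Bpost"

if __name__ == "__main__":
    print(mangled_params(URL_1))
    print(clean_redirect(URL_1))
    print(clean_redirect(URL_C))
```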
 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Sun, 2005-07-31 08:32

lamkacheong, sorry, the forum software changed some html characters in my code. could you please replace the whole main.php with the one from this download?
http://dev.nei.ch/main.php.tar.gz

and report if it works? thanks.

 
lamkacheong

Joined: 2005-06-26
Posts: 15
Posted: Sun, 2005-07-31 11:30

yes, it works
THANK YOU VERY MUCH.

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Sun, 2005-07-31 12:20

you're welcome :)

thanks for testing :)

 
ddeg10

Joined: 2003-02-10
Posts: 72
Posted: Fri, 2005-08-12 08:20

I have the same problem and the new main.php did not work.

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Fri, 2005-08-12 08:29

ddeg10, i doubt it's the same problem.

please post a phpinfo link and some system information / g2 version, browsers used.

also, make sure you've deleted the cookies from your browser and try again.