Joomla! Discussion Forums



Posted: Tue Feb 06, 2007 7:15 pm 
Joomla! Fledgling

Joined: Sun Apr 23, 2006 7:46 pm
Posts: 2
Description:

AOL Users Can't Login (or remain logged in) to Joomla Sites for the duration of their Session

Joomla 1.0.12 does NOT address the AOL login issues that were purported to have been fixed in Joomla 1.0.8 using the Security Level 2 option for Proxy IPs.

AOL and Proxy IP users are complaining that even if they can drill into the site, when they must login or register, they:

1) lose their login state
2) see "You are not authorized..."
3) ultimately cannot log back in after repeated attempts

The 'Who's Online' module shows they are still logged in, even though the login shows they are no longer logged in. The number of users online is also inflated.

Checking AOL cookies, we see the user acquires up to 5 cookies just by hitting the site, probably from 5 IPs being used by AOL proxy servers.

Thus, one cannot conduct e-commerce on a Joomla site with AOL users. Our stats show that 30% of the users out there are still using AOL. It would appear that none of what was addressed in Joomla 1.0.8 has resolved this AOL user login issue, and we're using Joomla 1.0.12. This is a disaster!

When will this be addressed and fixed in Joomla?  I have been all over  the web and Joomla.org forums, seen postings about this problem as recent as January 2007, yet no one has a  definitive answer.  We have just launched two sites using VirtueMart and Joomla 1.0.12 only to discover that most AOL users cannot keep their session going long enough to purchase anything.  And in actuality, it also applies to anyone behind a proxy server. VirtueMart claims this is a Joomla issue.

I have tried setting Security to Level 2, which I understand is the way to correct this proxy IP problem, but it does nothing.  We tried forcing the removal of 'www' from the URL (as suggested by certain forum users) to no avail.  I read all about the hot-fix patch, but that info was from a year ago, prior to it being incorporated into Joomla 1.0.8.

To restate the problem, most if not all AOL users cannot register or login to Joomla 1.0.12 long enough to make a purchase – they will be logged out at some point. They will remain listed as logged in by the "Who's Online" module. They will most likely see "You are not authorised..." warnings. After a certain number of attempts, they will NOT be allowed to log back in.

It's a glaring error. Now we're stuck without any solution on the table and no way to conduct e-commerce without constant complaints from AOL and proxy IP users. Help!

Reported on:
Joomla! 1.0.12 Stable [ Sunfire [eCommerce Edition]

Classification:
[Q&T] Critical/High/Medium/Low/Enhancement

Affected functions:
Login, Who's Online, sessions, VirtueMart, and random public pages are reported as restricted.

Related files:


Steps to replicate:
http://ecommerce.bacsports.org
Login name: test
Password: test

Analysis:
[Q&T] Confirmed/Unable to confirm/Rejected

Proposed fix(es):
Unknown

Topic / Artifact ID:
AOL Users Can't Login; Proxy Server problems /
See http://forum.joomla.org/index.php/topic,120946.0.html

System info:
Joomla! 1.0.12 Stable [ Sunfire [eCommerce Edition]
Joomla Security = Level 2
Mac OS X
Apache/1.3.33
PHP 4.3.11


Posted: Wed Feb 07, 2007 3:08 pm
Joomla! Apprentice

Joined: Wed Feb 07, 2007 3:00 pm
Posts: 7
I really wish this item would get addressed. We are getting complaints from other users coming in from large proxy services that are getting booted out due to a problem with Joomla's login function.

This issue more or less renders Joomla/VirtueMart a poor solution for many users. The complaints are rolling in from users with these combinations:

AOL (AOL Browser)
Comcast (IE 7)
MSN (IE 7)

Help!


Posted: Wed Feb 28, 2007 8:00 pm
Joomla! Apprentice

Joined: Thu Jan 25, 2007 12:29 pm
Posts: 16
yo mate, the problem is in the global settings of joomla. if you change the security settings so they are lower (level 2) everything should be ok.


Posted: Wed Feb 28, 2007 8:07 pm
Joomla! Fledgling

Joined: Sun Dec 11, 2005 2:39 am
Posts: 1
Quote:
yo mate, the problem is in the global settings of joomla. if you change the security settings so they are lower (level 2) everything should be ok.


Agreed... more specifically, go to SITE > GLOBAL CONFIGURATION and select the SERVER tab.  Look for the "Session Authentication Method:" pulldown and set it to "Level 2 Security - Allow of Proxy IPs".


Posted: Wed Feb 28, 2007 8:13 pm
Joomla! Apprentice

Joined: Wed Feb 07, 2007 3:00 pm
Posts: 7
I appreciate the replies and the suggestion to change the settings to Level 2. However, even with this modification, we continued to have problems with VirtueMart.

Using the VirtueMart login was also needed before the problems eventually (we hope) stopped.

Lyn


Posted: Sun Mar 04, 2007 9:41 pm
Joomla! Enthusiast

Joined: Mon Nov 21, 2005 9:27 pm
Posts: 108
Location: San Diego, CA
Any update on this? I've got one registered user using AOL that can't stay logged in even with Level 2 security set. I can see in the logs that their IP address is changing with every page clicked on; sometimes it uses a pool of 4-6 IPs. The first three octets are the same, which is a requirement of Level 2 Security, so it's "supposed" to work. Thanks for any update

_________________
Thanks,
Kawika Ohumukini
www.Joomlapalooza.com - Joomla resources


Posted: Sat Apr 28, 2007 3:39 pm
Joomla! Intern

Joined: Sun Nov 06, 2005 12:57 am
Posts: 86
This is also broken for me.  I have an AOL user, my server security settings are at level 2, and the individual still can't register without getting a "not authorized" response.

Anyone have a fix?

_________________
Learn English Online at Open English World: http://www.OpenEnglishWorld.com
Teach English as a Second Language at ESL Jobs World : http://www.ESLJobsWorld.com


Posted: Fri Jun 15, 2007 12:10 pm
Joomla! Apprentice

Joined: Tue Nov 28, 2006 7:23 pm
Posts: 11
Location: Montevideo, Uruguay
Still not solved????

I have the same problem. Security level = 2... AOL users can't register, login, or are logged out within a few clicks or seconds.

Please, if you know how to fix this issue post the solution.

Thanks a lot!!!

Also, I use Virtuemart...

_________________
"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." - Albert Einstein


Posted: Tue Jun 19, 2007 10:42 pm
Joomla! Fledgling

Joined: Tue Jun 19, 2007 10:39 pm
Posts: 2
I've seen this problem too

Minimise the AOL browser (to stop it dropping the connection) and use Firefox, then everything works OK

I realise that this isn't a fix for the AOL browser issue but it allows people to work in Joomla sites whilst the bug remains.

Tim


Posted: Wed Jun 20, 2007 12:44 am
Joomla! Apprentice

Joined: Tue Nov 28, 2006 7:23 pm
Posts: 11
Location: Montevideo, Uruguay
OK, it's true that if you use Firefox or IE then it works. But if you're running an important site, you can't admit to miss AOL users.

There should be a true solution for this issue.

_________________
"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." - Albert Einstein


Posted: Fri Jul 06, 2007 12:04 am
Joomla! Apprentice

Joined: Tue Oct 11, 2005 5:31 am
Posts: 6
I've posted an explanation and my patch for this issue to my blog here Joomla 1.0.x patch for AOL support. I've also attached my SVN patch for the HEAD of 1.0.x to this post. I'm attempting to open an official ticket and submit it via Joomla's official patch submission process, but having trouble jumping through those hoops at the moment.

The short explanation is that AOL users can appear to originate from multiple IP addresses through the life of a single session. While Joomla's Security level = 2 patch attempts to account for this by using subnets to hash a session id, this is insufficient for AOL users because they are not necessarily bound to a single subnet.

My patch is not pretty because it will require regular updates. I've used the published list of AOL subnets to help identify AOL users. Pretty or not...it works and solves a significant shortcoming of the current release.  Buyer beware but it works for me.
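
The failure mode described in the post above, as an added sketch (not the poster's patch and not Joomla's `sessionCookieValue` code): a session value bound to the full client address, to its first three octets, and to a maintained list of proxy ranges, checked against a constructed request sequence. The secret, the function names and the RFC 5737 ranges standing in for a published proxy list are assumptions.

```php
<?php
// Added illustration; NOT Joomla's sessionCookieValue() and not the poster's patch.
// The secret, names and address ranges below are constructed for the example.
const SECRET = 'constructed-site-secret';

// Hypothetical stand-in for a published list of one proxy operator's ranges
// (RFC 5737 documentation networks, not real AOL subnets).
const PROXY_POOL = ['198.51.100.0/24', '203.0.113.0/24'];

// IPv4 CIDR membership test (assumes 64-bit PHP integers).
function inCidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr);
    $mask = (~0 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

// Which part of the client address the session value is bound to.
function addressKey(string $ip, string $mode): string {
    switch ($mode) {
        case 'full':   // every octet must match
            return $ip;
        case 'prefix': // first three octets, as the thread describes for Level 2
            return implode('.', array_slice(explode('.', $ip), 0, 3));
        case 'pool':   // any address in the listed ranges maps to one shared key
            foreach (PROXY_POOL as $cidr) {
                if (inCidr($ip, $cidr)) {
                    return 'proxy-pool';
                }
            }
            return addressKey($ip, 'prefix');
    }
    throw new InvalidArgumentException("unknown mode $mode");
}

function sessionValue(string $id, string $ip, string $ua, string $mode): string {
    return hash_hmac('sha256', $id . '|' . addressKey($ip, $mode) . '|' . $ua, SECRET);
}

// Count how many requests still present the value issued on the first request.
function requestsAccepted(array $ips, string $mode): int {
    $id = 'constructed-session-id';
    $ua = 'ExampleBrowser/1.0';
    $issued = sessionValue($id, $ips[0], $ua, $mode);
    $ok = 0;
    foreach ($ips as $ip) {
        if (hash_equals($issued, sessionValue($id, $ip, $ua, $mode))) {
            $ok++;
        }
    }
    return $ok;
}

// Constructed request sequence: one user whose proxy rotates across two subnets.
$requests = ['198.51.100.7', '198.51.100.9', '203.0.113.4', '198.51.100.7', '203.0.113.21'];
foreach (['full', 'prefix', 'pool'] as $mode) {
    printf("%-6s %d of %d requests accepted\n", $mode, requestsAccepted($requests, $mode), count($requests));
}
```

Pool mode maps every address in the listed ranges to the same key, so for those clients the address check no longer distinguishes one user from another, and the list has to be kept current, as the post says.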


Posted: Mon Aug 06, 2007 8:52 am
Joomla! Apprentice

Joined: Sun Jan 29, 2006 10:50 am
Posts: 32
Location: Greenock, Scotland
I found the patch and understand it goes into the includes/joomla.php. But where in the script does it go. Sorry not a php guru like yourselves :-)

Also, if this script is implemented, do we still turn the security level to 2?

_________________
http://www.media-slave.co.uk


Last edited by sal3m on Mon Aug 06, 2007 8:55 am, edited 1 time in total.

Posted: Tue Aug 07, 2007 4:26 am
Joomla! Apprentice

Joined: Tue Oct 11, 2005 5:31 am
Posts: 6
sal3m wrote:
I found the patch and understand it goes into the includes/joomla.php. But where in the script does it go. Sorry not a php guru like yourselves :-)

Also, if this script is implemented, do we still turn the security level to 2?


sal3m, my patch consists of two methods that should replace a single existing method named "sessionCookieValue" within your joomla.php file.
Yes, after applying my patch you'll need to set security level 2 to use it.


Posted: Tue Aug 07, 2007 9:43 am
Joomla! Apprentice

Joined: Sun Jan 29, 2006 10:50 am
Posts: 32
Location: Greenock, Scotland
I have tried it and all I get is a blank screen. I have copied it in straight from the downloadable file and from the website
http://jroller.com/agileanswers/entry/j ... _0_x_patch

Is it possible to have a complete joomla.php file for this issue. I think the problem lies with the text copy/paste adding extra characters.

Word wrap was off

_________________
http://www.media-slave.co.uk


Posted: Mon Mar 17, 2008 2:34 pm
Joomla! Fledgling

Joined: Fri Feb 22, 2008 7:18 pm
Posts: 4
Is anyone out there still dealing with this AOL issue? I've tried lowering the security level but it did not work...curious if anyone has discovered a solution.


Posted: Wed Mar 19, 2008 12:38 pm
Joomla! Intern

Joined: Fri Aug 26, 2005 8:46 am
Posts: 64
Ditto:

Joomla! 1.0.12 Stable [ Sunfire [eCommerce Edition]

I have a website whereby local schools login via the Yorkshire Humber Grid for Learning ISP and mysteriously recently some schools login can't access the site and are appearing on the who's online list.

Users experiencing the problem can successfully login at home so I can only guess this is a proxy problem as listed above.

I've recently set the global configuration to server security settings level 2 and awaiting to see if this solves the problem. I'll update the post with any findings made.

**********Edit********************
Whilst the affected users haven't got back to me... one user has been able to log in and successfully submit a report online so I'm taking it as read the situation has been sorted
**********Edit********************

_________________
VOTE FOR JOOMLA!, UK LINUX AWARDS
Vote for Joomla! NOW http://www.packtpub.com/article/final_five_joomla

Signature Rules: No tinyurls: viewtopic.php?f=8&t=65


Last edited by yiendos on Wed Mar 26, 2008 9:39 am, edited 1 time in total.

Posted: Wed Mar 19, 2008 6:18 pm
Joomla! Apprentice

Joined: Tue Oct 11, 2005 5:31 am
Posts: 6
sal3m wrote:
I have tried it and all I get is a blank screen. I have copied it in straight from the downloadable file and from the website
http://jroller.com/agileanswers/entry/j ... _0_x_patch

Is it possible to have a complete joomla.php file for this issue. I think the problem lies with the text copy/paste adding extra characters.

Word wrap was off


I don't have a non-custom joomla.php (mine is heavily modified). If the two methods above don't work as-is, you'll need to lean on your friendly neighborhood php guru. It's not too tough, but it may require a little tweaking to get them to work with your specific joomla.php / Joomla version.


Posted: Fri Mar 21, 2008 10:25 am
Joomla! Enthusiast

Joined: Thu Nov 10, 2005 8:05 am
Posts: 110
Location: Western Australia
This appears to be the same issue as identified here viewtopic.php?f=32&t=268208

Any Joomla Admins know about this as it appears to have been an issue since 1.0.12 - or earlier.....

Please advise on a working fix....

Thanks


Posted: Wed Apr 16, 2008 8:01 pm
Joomla! Apprentice

Joined: Wed Apr 18, 2007 2:21 am
Posts: 19
Does anyone have a solution to this problem? About 50% of my users can't get into my site as they get the pop-up saying that they're blocked by the administrator.

I have already used the hack for the past few weeks but there isn't any difference.

I'm so surprised that Joomla hasn't tried to resolve this issue yet :(

Thanks in advance


Posted: Tue Apr 22, 2008 3:03 pm
Joomla! Apprentice

Joined: Sun Sep 02, 2007 4:08 pm
Posts: 10
I just found out that my site suffers from this problem as well -- at least I now understand all the user complaints that just left me scratching my head.
I see the first post on this defect was February 6 of last year... the most recent post was April 16th of this year... that's over 14 months and nothing has been done to fix the problem. I guess everyone who knows anything about the inner workings of Joomla 1.0.x has moved on to 1.5 and this will never be fixed.
My bad for relying on open-source I guess... not that I have any right to complain, you get what you pay for.
I guess I'm just a little bit grumpy because I think Joomla tries to suggest it's robust and mature enough that it deserves to be taken seriously.
HAH!


Posted: Wed Apr 23, 2008 6:22 am
Joomla! Master

Joined: Thu Aug 18, 2005 10:41 am
Posts: 15089
Hi,

On the global configuration tab you can find a security level drop down. This can be set to level 1 instead of 3, this level 1 also states something about AOL users and logins.

Note; the version I'm using, and where the screenshot was taken on, is 1.0.15.



_________________
Regards Robin


Posted: Wed Apr 23, 2008 7:11 am
Joomla! Enthusiast

Joined: Thu Nov 10, 2005 8:05 am
Posts: 110
Location: Western Australia
Robin - thanks for the post and suggested solution - is this the only solution, what I mean is that level 2 did not work and I am hesitant to go level 1 - I mean what other security issues will we be opening up if we go to level 1?

Greg


Posted: Wed Apr 23, 2008 7:58 am
Joomla! Master

Joined: Thu Aug 18, 2005 10:41 am
Posts: 15089
Hi Greg,

Not sure about level 1 here, if it would open up other areas, I'd have to check what code is behind it. Could you briefly try though, see if it works?

_________________
Regards Robin


Posted: Wed Apr 23, 2008 9:02 am
Joomla! Apprentice

Joined: Wed Apr 18, 2007 2:21 am
Posts: 19
Ok i have set my setting to 1. We shall see what happens :-\

Thanks for helping greg :D


Posted: Wed Apr 23, 2008 10:11 am
Joomla! Apprentice

Joined: Wed Apr 18, 2007 2:21 am
Posts: 19
I have had 2 members try to get in and I have the same problem. Just to give you an update.

The members that are blocked always have the date "1999-11-29 23:00:00" as their signup date.

What do you think could be the problem?


Posted: Wed Apr 23, 2008 10:28 am
Joomla! Master

Joined: Thu Aug 18, 2005 10:41 am
Posts: 15089
I'll do some digging in the Q&T forums, I've seen this before...

_________________
Regards Robin


Posted: Wed Apr 23, 2008 10:36 am
Joomla! Enthusiast

Joined: Thu Nov 10, 2005 8:05 am
Posts: 110
Location: Western Australia
Thanks Robin your help is appreciated - I have asked a couple of AOL users that were having trouble before to try again - when I get a reply from them I will report back.

Thanks

Greg


Posted: Wed Apr 23, 2008 10:38 am
Joomla! Master

Joined: Thu Aug 18, 2005 10:41 am
Posts: 15089
Oh one more thing that might help in locating the issue, please read viewtopic.php?f=126&t=272708

It's a small tool to get your sys info. And post it here...

_________________
Regards Robin


Posted: Wed Apr 23, 2008 10:51 am
Joomla! Enthusiast

Joined: Thu Nov 10, 2005 8:05 am
Posts: 110
Location: Western Australia
Here you go (my domain name removed though)

Diagnostic Information
Joomla! Version: Joomla! 1.0.15 Stable [ Daytime ] 22 February 2008 23:00 UTC
configuration.php: Not Writable (Mode: 444 ) | RG_EMULATION: Disabled
Architecture/Platform: Linux 2.6.9-023stab033.7-enterprise ( i686) | Web Server: Apache/1.3.37 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.4.6 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a ( mydomain.com.au ) | PHP Version: 4.4.6
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5): Yes | iconv Support (1.5): No | save.session_path: Writable | Max.Execution Time: 30 seconds | File Uploads: Enabled
MySQL Version: 4.1.22-standard ( Localhost via UNIX socket )

Extended Information:
SEF: Enabled | FTP Layer: N/A | htaccess: Implemented
PHP/suExec: User and Web Server accounts are not the same. (PHP/suExec probably not installed)
PHP Environment: API: apache | MySQLi: No | Max. Memory: | Max. Upload Size: 50M | Max. Post Size: 8M | Max. Input Time: 60 | Zend Version: 1.3.0
Disabled Functions:
MySQL Client: 4.1.22 ( latin1 )


Hope that helps

Greg


Posted: Sun Apr 27, 2008 1:55 pm
Joomla! Enthusiast

Joined: Thu Nov 10, 2005 8:05 am
Posts: 110
Location: Western Australia
OK I have had two AOL users test and I have moved it to Security level 1 and they can still not login or remain logged in.

Anything else?

Cheers

Greg

