I have a website based on Joomla 2.5, and I have installed the mobile basic template.
If I browse the website with a mobile Android device, the mobile device is correctly detected, so the mobile basic template is automatically chosen.
Under these conditions, if I open the login page and log in with user and password, I can log in successfully, and then I can log out with the logout button.
However, if I switch to the desktop version of the browser (in which the blue lotus template - thegrue.org - is used) and then I open the login page, I cannot log in. If I try, after a few seconds I'm redirected again to the login page. And conversely, if I am already logged in from the mobile template and then I switch to the desktop template, I cannot log out if I click the logout button.
I have debugged it remotely from a PC (with a USB debug session) with the Chrome browser and I got the following events in the network panel (I have just altered the website name to "example.com"):
Code:
curl 'https://www.example.com/login.html' -H 'cookie: __cfduid=d4d2a2e17b5f9cb1d81c743bea135d71f1520545564; 5f0149c105d4b9d657924dfade925b47=f9c355a3e0f97fd11ea5bb26f445dd36; mjmarkup=desktop; _ga=GA1.2.1395993738.1520545571; _gid=GA1.2.588834092.1520545571' -H 'origin: https://www.example.com' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9,it-IT;q=0.8,it;q=0.7,es-MX;q=0.6,es;q=0.5' -H 'upgrade-insecure-requests: 1' -H 'user-agent: Mozilla/5.0 (Linux; Android 5.1; G20 Build/LMY47I) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.137 Mobile Safari/537.36' -H 'content-type: application/x-www-form-urlencoded' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' -H 'cache-control: max-age=0' -H 'authority: www.example.com' -H 'referer: https://www.example.com/login?device=desktop' --data 'username=johnsmith&password=123456&remember=yes&Submit=Log+in&option=com_users&task=user.login&return=aW5kZXgucGhwP0l0ZW1pZD00NzM%3D&78501b9a5204ed2903096ef39cb343a6=1' --compressed ;
curl 'https://www.example.com/login.html?device=' -H 'cookie: __cfduid=d4d2a2e17b5f9cb1d81c743bea135d71f1520545564; 5f0149c105d4b9d657924dfade925b47=f9c355a3e0f97fd11ea5bb26f445dd36; mjmarkup=desktop; _ga=GA1.2.1395993738.1520545571; _gid=GA1.2.588834092.1520545571' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9,it-IT;q=0.8,it;q=0.7,es-MX;q=0.6,es;q=0.5' -H 'upgrade-insecure-requests: 1' -H 'user-agent: Mozilla/5.0 (Linux; Android 5.1; G20 Build/LMY47I) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.137 Mobile Safari/537.36' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' -H 'cache-control: max-age=0' -H 'authority: www.example.com' -H 'referer: https://www.example.com/login?device=desktop' --compressed ;
curl 'https://www.example.com/login.html?device=desktop' -H 'cookie: __cfduid=d4d2a2e17b5f9cb1d81c743bea135d71f1520545564; 5f0149c105d4b9d657924dfade925b47=f9c355a3e0f97fd11ea5bb26f445dd36; mjmarkup=desktop; _ga=GA1.2.1395993738.1520545571; _gid=GA1.2.588834092.1520545571' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9,it-IT;q=0.8,it;q=0.7,es-MX;q=0.6,es;q=0.5' -H 'upgrade-insecure-requests: 1' -H 'user-agent: Mozilla/5.0 (Linux; Android 5.1; G20 Build/LMY47I) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.137 Mobile Safari/537.36' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' -H 'cache-control: max-age=0' -H 'authority: www.example.com' -H 'referer: https://www.example.com/login?device=desktop' --compressed ;
(...)
Code:
curl "https://www.example.com/login.html" -H "cookie: __cfduid=d745e79ada496996a2ebd14386ea3f50e1512200042; _ga=GA1.2.879855785.1512200047; _gid=GA1.2.162231340.1520406020; 795a0b657f5210881eccf88c66c0a7dd=en-GB; 5f0149c105d4b9d657924dfade925b47=351865effcb616039e285ec3fd5ba0fc" -H "origin: https://www.example.com" -H "accept-encoding: gzip, deflate, br" -H "accept-language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7" -H "upgrade-insecure-requests: 1" -H "user-agent: Mozilla/5.0 (Linux; Android 7.1.2; A101 Build/N2G47O) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.137 Mobile Safari/537.36" -H "content-type: application/x-www-form-urlencoded" -H "accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8" -H "cache-control: max-age=0" -H "authority: www.example.com" -H "referer: https://www.example.com/login.html?device=desktop" --data "username=johnsmith^&password=123456^&remember=yes^&Submit=Log+in^&option=com_users^&task=user.login^&return=aW5kZXgucGhwP0l0ZW1pZD00NzM^%^3D^&a9145ed3e5ab37749e395ccd478078f1=1" --compressed &
curl "https://www.example.com/orders.html" -H "cookie: __cfduid=d745e79ada496996a2ebd14386ea3f50e1512200042; _ga=GA1.2.879855785.1512200047; _gid=GA1.2.162231340.1520406020; 795a0b657f5210881eccf88c66c0a7dd=en-GB; 5f0149c105d4b9d657924dfade925b47=351865effcb616039e285ec3fd5ba0fc; f7b1195650b55cc425fe8e2d69568220=4C124510+6435D+45A+7145913755F525240445A505B59105C4D514A4C134F1A47514310145E41+115581422705552+0+7+3+0174C" -H "accept-encoding: gzip, deflate, br" -H "accept-language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7" -H "upgrade-insecure-requests: 1" -H "user-agent: Mozilla/5.0 (Linux; Android 7.1.2; A101 Build/N2G47O) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.137 Mobile Safari/537.36" -H "accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8" -H "cache-control: max-age=0" -H "authority: www.example.com" -H "referer: https://www.example.com/login.html?device=desktop" --compressed &
(...)
So the trick is inside the first request. Comparing them, I could see that in the bad case the cookie mjmarkup=desktop is present, while in the good case it is not.
In fact, in the bad case, after the first request there are other repeated requests with the same URL, with the addition of the suffix "?device=" and then "?device=desktop".
Also in the logout, the difference between the good and bad case is the "mjmarkup=desktop" cookie. Here is the first network event in the bad case:
Code:
curl "https://www.example.com/it/" -H "cookie: __cfduid=dff022a4aebdca243f17c65e08df1b0981512199974; _ga=GA1.2.1048130598.1512199981; _gid=GA1.2.740733611.1520184847; 5f0149c105d4b9d657924dfade925b47=780e7515312e1adf547bf4b75595baa3; f7b1195650b55cc425fe8e2d69568220=4C124510+6435D+45A+7145913755F525240445A505B59105C4D514A4C134F1A47514310145E41+115581422705552+0+7+3+0174C; _gat=1; 795a0b657f5210881eccf88c66c0a7dd=it-IT; mjmarkup=desktop" -H "origin: https://www.example.com" -H "accept-encoding: gzip, deflate, br" -H "accept-language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7" -H "upgrade-insecure-requests: 1" -H "user-agent: Mozilla/5.0 (Linux; Android 7.1.2; A101 Build/N2G47O) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.137 Mobile Safari/537.36" -H "content-type: application/x-www-form-urlencoded" -H "accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8" -H "cache-control: max-age=0" -H "authority: www.example.com" -H "referer: https://www.example.com/it/?device=desktop" --data "Submit=Esci^&option=com_users^&task=user.logout^&return=aW5kZXgucGhwP0l0ZW1pZD01NTU^%^3D^&1eed3cd1d1e47d03971bab59bcec31ea=1" --compressed &
Code:
curl "https://www.example.com/it/" -H "cookie: __cfduid=d745e79ada496996a2ebd14386ea3f50e1512200042; _ga=GA1.2.879855785.1512200047; _gid=GA1.2.162231340.1520406020; 5f0149c105d4b9d657924dfade925b47=6c868c44f46991d44e904c318569ff40; f7b1195650b55cc425fe8e2d69568220=4C124510+6435D+45A+7145913755F525240445A505B59105C4D514A4C134F1A47514310145E41+115581422705552+0+7+3+0174C; 795a0b657f5210881eccf88c66c0a7dd=it-IT; _gat=1" -H "origin: https://www.example.com" -H "accept-encoding: gzip, deflate, br" -H "accept-language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7" -H "upgrade-insecure-requests: 1" -H "user-agent: Mozilla/5.0 (Linux; Android 7.1.2; A101 Build/N2G47O) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.137 Mobile Safari/537.36" -H "content-type: application/x-www-form-urlencoded" -H "accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8" -H "cache-control: max-age=0" -H "authority: www.example.com" -H "referer: https://www.example.com/it/?device=desktop" --data "Submit=Esci^&option=com_users^&task=user.logout^&return=aW5kZXgucGhwP0l0ZW1pZD01NTU^%^3D^&cc9ac9d20fac99f044fd7a4b76da6f7c=1" --compressed &
How can I avoid this?
Best regards
Alberto
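The comparison Alberto did by eye (which cookie is present in the failing request but not in the working one) can be automated. The following is an added example, not code from the post or from Joomla: it takes two requests in the Chrome "Copy as cURL" format shown above, extracts their Cookie headers, and reports cookies that appear only on one side separately from cookies that merely carry different values (session and analytics cookies change between sessions and are not the interesting part). The two sample commands are constructed, with placeholder cookie values; only the cookie names follow the post.

```python
"""Diff the Cookie headers of two captured requests (Chrome "Copy as cURL" format)."""
import re
import shlex

# Constructed samples modelled on the requests in the post. Cookie values are
# placeholders; the names are the ones that appear in the captured requests.
BAD_LOGIN = (
    "curl 'https://www.example.com/login.html' "
    "-H 'cookie: __cfduid=AAAA; 5f0149c105d4b9d657924dfade925b47=BBBB; "
    "mjmarkup=desktop; _ga=GA1.2.1; _gid=GA1.2.2' "
    "-H 'origin: https://www.example.com' --compressed ;"
)
GOOD_LOGIN = (
    'curl "https://www.example.com/login.html" '
    '-H "cookie: __cfduid=CCCC; _ga=GA1.2.3; _gid=GA1.2.4; '
    '795a0b657f5210881eccf88c66c0a7dd=en-GB; 5f0149c105d4b9d657924dfade925b47=DDDD" '
    '-H "origin: https://www.example.com" --compressed &'
)

HASHED_NAME = re.compile(r"^[0-9a-f]{32}$")


def cookie_header(curl_cmd: str) -> str:
    """Return the value of the Cookie header in a copied curl command, or ''.

    shlex handles both the single-quoted (bash) and double-quoted (cmd) variants
    that Chrome produces; the trailing ';' or '&' becomes a harmless extra token.
    """
    tokens = shlex.split(curl_cmd)
    for flag, value in zip(tokens, tokens[1:]):
        if flag in ("-H", "--header") and value.lower().startswith("cookie:"):
            return value.split(":", 1)[1].strip()
    return ""


def parse_cookies(header: str) -> dict:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}; values may contain '='."""
    jar = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        jar[name.strip()] = value.strip()
    return jar


def diff_cookies(good_cmd: str, bad_cmd: str) -> dict:
    """Compare the cookie jars of a working and a failing request."""
    good = parse_cookies(cookie_header(good_cmd))
    bad = parse_cookies(cookie_header(bad_cmd))
    return {
        # Cookies present in only one capture are the first place to look.
        "only_in_bad": {k: bad[k] for k in bad.keys() - good.keys()},
        "only_in_good": {k: good[k] for k in good.keys() - bad.keys()},
        # Same name, different value: expected for per-session cookies.
        "changed": {k: (good[k], bad[k]) for k in good.keys() & bad.keys() if good[k] != bad[k]},
        # Joomla names some cookies (e.g. the session cookie) with a 32-hex hash;
        # flagging them helps the reader skip the expected differences.
        "hashed_names": sorted(k for k in good.keys() | bad.keys() if HASHED_NAME.match(k)),
    }


if __name__ == "__main__":
    result = diff_cookies(GOOD_LOGIN, BAD_LOGIN)
    for section, entries in result.items():
        print(f"{section}: {entries}")
```

Run as-is, the "only_in_bad" section lists just mjmarkup=desktop, the cookie the post identifies, while the session and Google Analytics cookies show up under "changed", where a differing value is expected.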