Backend wide open Topic is solved

[brian]

The only extension you have in your system that I am not familiar with is ARK editor. I cant see that would be a problem but maybe try and uninstall that and see if you still have a problem.

However personally I suspect that you have somehow set your browser to remember the login

[dottedhippo]

Hmmm. Now I can't replicate the problem myself.

I will try to close in to te circumstances that generate this...

[dottedhippo]

However personally I suspect that you have somehow set your browser to remember the login

How would that be possible?

[brian]

OK I have now replicated the issue on your site - still cannot replicate it on any other

[dottedhippo]

Thanks, Brian. My hosting provider is willing to look into it, so maybe that is the next step to do.

Thanks! Your help is much appreciated.

[dottedhippo]

The security token seems to have something to do with it.

[brian]

As that is something that is set on your browser then there is no security issue - but i still cant see what is causing the problem and I only replicated the issue once.

[dottedhippo]

As that is something that is set on your browser then there is no security issue - but i still cant see what is causing the problem and I only replicated the issue once.

In any case it is replicated by me many times. The probability of the problem being client dependent is unlikely I guess...

[dottedhippo]

Brian, if you have a hunch figuring this out, let me now!

[dottedhippo]

I cleared the session table to no avail.

The local backup on my laptop (XAMPP) has the same issue.

The issue typicly happens after a "request refused - invalid security token" error after trying to login.

Clearing the cookies locally is the only thing that helps.

The problem probably sits somewhere in Joomla - the files or the database.

This would be an opportunity to decide if we want to keep this website, or start afresh.

[dottedhippo]

I could post the FPA output for my plugins, if that is of any help... ?

[Per Yngve Berg]

System TMP Writable: No is a problem on the server that have to be fixed.

IIS servers do only have one permission, so all three numbers will always be equal.

IIS servers do not use a .htaccess file, but a web.config. Have you renamed webconfig.txt to web.config.

Finally. Have you tried to disable the Authentication Cookie Plugin, so you will not get logged in by the cookie in the browser?

[dottedhippo]

Thanks, Per, I don't have time today but I will get to it as soon as I have the time!

System TMP Writable: No is a problem on the server that have to be fixed.

What is the "System TMP" exactly?

[dottedhippo]

IIS servers do not use a .htaccess file, but a web.config. Have you renamed webconfig.txt to web.config.

I already have a web.config from my hosting provider. Should I merge that with the file from Joomla? How is that done?

BTW, I think my provider accepts both .htaccess and web.config! I will inquire with them.

[dottedhippo]

System TMP Writable: No is a problem on the server that have to be fixed.

Joomla tmp folder has sufficient acces rights (full access rights for applications).

[Per Yngve Berg]

System TMP Writable: No is a problem on the server that have to be fixed.

Joomla tmp folder has sufficient acces rights (full access rights for applications).

This is the PHP Temp folder, not the Joomla Temp folder. It's server wide setting and must be set by your host.

[dottedhippo]

System TMP Writable: No is a problem on the server that have to be fixed.

Joomla tmp folder has sufficient acces rights (full access rights for applications).

This is the PHP Temp folder, not the Joomla Temp folder. It's server wide setting and must be set by your host.

I have checked with my hosting provider, and they confirm that the System Temp is not writable. They gave me the advice to use a different folder, such as the PHP TEMP folder or the Joomla TMP folder. Is it possible to set one of them?

[brian]

Can we please make one thing absolutely clear for anyone coming across this post. The joomla admin is NOT wide open. The only reproducable issue on this one site is that someone who has logged in may be able to access the admin without logging in again when using the exact same computer and web browser

[dottedhippo]

Configuration file says $tmp_path is set to the Joomla tmp folder.

[dottedhippo]

Can we please make one thing absolutely clear for anyone coming across this post. The joomla admin is NOT wide open. The only reproducable issue on this one site is that someone who has logged in may be able to access the admin without logging in again when using the exact same computer and web browser

That is correct.

[Per Yngve Berg]

You can change the php temp folder in php.ini.

[dottedhippo]

It appears to have been solved after an update of Chrome.

I think it did not handle its cookies appropriately.

-sigh of relief-