
Re: Backend wide open

Posted: Mon Apr 23, 2018 11:51 am
by brian
The only extension you have in your system that I am not familiar with is ARK editor. I can't see that would be a problem but maybe try and uninstall that and see if you still have a problem.

However personally I suspect that you have somehow set your browser to remember the login.

Re: Backend wide open

Posted: Mon Apr 23, 2018 11:54 am
by dottedhippo
Hmmm. Now I can't replicate the problem myself.

I will try to close in on the circumstances that generate this...

Re: Backend wide open

Posted: Mon Apr 23, 2018 11:56 am
by dottedhippo
brian wrote: However personally I suspect that you have somehow set your browser to remember the login
How would that be possible?

Re: Backend wide open

Posted: Mon Apr 23, 2018 1:22 pm
by brian
OK I have now replicated the issue on your site - still cannot replicate it on any other

Re: Backend wide open

Posted: Mon Apr 23, 2018 1:24 pm
by dottedhippo
Thanks, Brian. My hosting provider is willing to look into it, so maybe that is the next step to do.

Thanks! Your help is much appreciated.

Re: Backend wide open

Posted: Mon Apr 23, 2018 1:26 pm
by dottedhippo
The security token seems to have something to do with it.

Re: Backend wide open

Posted: Mon Apr 23, 2018 1:28 pm
by brian
As that is something that is set on your browser then there is no security issue - but I still can't see what is causing the problem and I only replicated the issue once.

Re: Backend wide open

Posted: Mon Apr 23, 2018 1:39 pm
by dottedhippo
brian wrote: As that is something that is set on your browser then there is no security issue - but I still can't see what is causing the problem and I only replicated the issue once.
In any case it is replicated by me many times. The probability of the problem being client dependent is unlikely I guess...

Re: Backend wide open

Posted: Mon Apr 23, 2018 1:44 pm
by dottedhippo
Brian, if you have a hunch figuring this out, let me know! :D

Re: Backend wide open

Posted: Mon Apr 23, 2018 3:41 pm
by dottedhippo
I cleared the session table to no avail.

The local backup on my laptop (XAMPP) has the same issue.

The issue typically happens after a "request refused - invalid security token" error after trying to log in.

Clearing the cookies locally is the only thing that helps.

The problem probably sits somewhere in Joomla - the files or the database.

This would be an opportunity to decide if we want to keep this website, or start afresh.

Re: Backend wide open

Posted: Mon Apr 23, 2018 4:31 pm
by dottedhippo
I could post the FPA output for my plugins, if that is of any help... ?

Re: Backend wide open

Posted: Mon Apr 23, 2018 6:55 pm
by Per Yngve Berg
System TMP Writable: No is a problem on the server that has to be fixed.

IIS servers only have one permission, so all three numbers will always be equal.

IIS servers do not use a .htaccess file, but a web.config. Have you renamed webconfig.txt to web.config?

Finally, have you tried to disable the Authentication Cookie Plugin, so you will not get logged in by the cookie in the browser?

Re: Backend wide open

Posted: Mon Apr 23, 2018 8:48 pm
by dottedhippo
Thanks, Per, I don't have time today but I will get to it as soon as I have the time!
Per Yngve Berg wrote: System TMP Writable: No is a problem on the server that has to be fixed.
What is the "System TMP" exactly?

Re: Backend wide open

Posted: Tue Apr 24, 2018 12:11 pm
by dottedhippo
Per Yngve Berg wrote: IIS servers do not use a .htaccess file, but a web.config. Have you renamed webconfig.txt to web.config?
I already have a web.config from my hosting provider. Should I merge that with the file from Joomla? How is that done?

BTW, I think my provider accepts both .htaccess and web.config! I will inquire with them.

Re: Backend wide open

Posted: Tue Apr 24, 2018 1:15 pm
by dottedhippo
Per Yngve Berg wrote: System TMP Writable: No is a problem on the server that has to be fixed.
Joomla tmp folder has sufficient access rights (full access rights for applications).

Re: Backend wide open

Posted: Tue Apr 24, 2018 4:06 pm
by Per Yngve Berg
dottedhippo wrote:
Per Yngve Berg wrote: System TMP Writable: No is a problem on the server that has to be fixed.
Joomla tmp folder has sufficient access rights (full access rights for applications).
This is the PHP Temp folder, not the Joomla Temp folder. It's a server-wide setting and must be set by your host.

Re: Backend wide open

Posted: Wed Apr 25, 2018 11:53 am
by dottedhippo
Per Yngve Berg wrote:
dottedhippo wrote:
Per Yngve Berg wrote: System TMP Writable: No is a problem on the server that has to be fixed.
Joomla tmp folder has sufficient access rights (full access rights for applications).
This is the PHP Temp folder, not the Joomla Temp folder. It's a server-wide setting and must be set by your host.
I have checked with my hosting provider, and they confirm that the System Temp is not writable. They gave me the advice to use a different folder, such as the PHP TEMP folder or the Joomla TMP folder. Is it possible to set one of them?

Re: Backend wide open

Posted: Wed Apr 25, 2018 11:55 am
by brian
Can we please make one thing absolutely clear for anyone coming across this post. The Joomla admin is NOT wide open. The only reproducible issue on this one site is that someone who has logged in may be able to access the admin without logging in again when using the exact same computer and web browser.

Re: Backend wide open

Posted: Wed Apr 25, 2018 11:56 am
by dottedhippo
Configuration file says $tmp_path is set to the Joomla tmp folder.

Re: Backend wide open

Posted: Wed Apr 25, 2018 11:58 am
by dottedhippo
brian wrote: Can we please make one thing absolutely clear for anyone coming across this post. The Joomla admin is NOT wide open. The only reproducible issue on this one site is that someone who has logged in may be able to access the admin without logging in again when using the exact same computer and web browser.
That is correct.

Re: Backend wide open

Posted: Wed Apr 25, 2018 3:30 pm
by Per Yngve Berg
You can change the php temp folder in php.ini.
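
Added example, not part of the thread and not Joomla or FPA code: a small PHP diagnostic that reports the PHP temp directories and the Joomla `$tmp_path` side by side, since the posts above distinguish between them. It assumes PHP 7.1 or later and that the script (hypothetical name `tmpcheck.php`) sits in the Joomla root next to `configuration.php`, which defines the `JConfig` class.

```php
<?php
// Added diagnostic (not from the thread). Assumes it is placed in the Joomla
// root next to configuration.php. Remove it from the server after use, since
// it prints server paths.

/** Create and delete a probe file; is_writable() can mislead with Windows ACLs. */
function probe_dir(?string $dir): string
{
    if ($dir === null || $dir === '') {
        return 'not set';
    }
    if (!is_dir($dir)) {
        return "$dir (missing)";
    }
    $file = rtrim($dir, '/\\') . DIRECTORY_SEPARATOR . 'probe_' . bin2hex(random_bytes(6));
    if (@file_put_contents($file, 'x') === false) {
        return "$dir (NOT writable)";
    }
    unlink($file);
    return "$dir (writable)";
}

// Joomla's own temp folder, read from configuration.php if present.
$joomlaTmp = null;
if (is_file(__DIR__ . '/configuration.php')) {
    require_once __DIR__ . '/configuration.php';   // defines class JConfig
    $joomlaTmp = (new JConfig())->tmp_path ?? null;
}

$report = [
    'PHP system temp (sys_get_temp_dir)' => sys_get_temp_dir(),
    'php.ini sys_temp_dir'               => ini_get('sys_temp_dir') ?: null,
    'php.ini upload_tmp_dir'             => ini_get('upload_tmp_dir') ?: null,
    'Joomla $tmp_path'                   => $joomlaTmp,
];

header('Content-Type: text/plain');
foreach ($report as $label => $dir) {
    printf("%-36s %s\n", $label . ':', probe_dir($dir));
}
```

If the first line reports "NOT writable" while the Joomla `$tmp_path` line reports "writable", the problem is the server-wide PHP setting rather than the Joomla folder.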

Re: Backend wide open

Posted: Thu May 10, 2018 1:24 pm
by dottedhippo
It appears to have been solved after an update of Chrome.

I think it did not handle its cookies appropriately.

-sigh of relief- :D