Remember me #11541

Closed
gachla opened this issue Aug 10, 2016 · 45 comments
@gachla

gachla commented Aug 10, 2016

Steps to reproduce the issue

User checks remember me box on login. Redirected to page set in login. Bookmark page. Quit Browser
Relaunch browser and go to bookmarked page.

Expected result

Allowed to see restricted page

Actual result

Joomla doesn’t allow access to restricted bookmark page and sends you to home page with error.
You are not authorized to view this resource

System information (as much as possible)

Joomla 3.6.2

Additional comments

If a remember me cookie is set and you quit your browser, the cookie joomla_user_state is killed as it is set to destroy ‘When the browsing session ends’.
This causes issues when the person comes back to the site after restarting the browser. If the user has bookmarked a page that is restricted, any redirect to that restricted page is met with You are not authorized to view this resource. After that error, Joomla now recreates joomla_user_state and now you can access that same restricted page without logging in. If the remember me cookie exists, then the joomla_user_state cookie should also exist so that the user can have access immediately to the restricted page.

May be a part of [#10373] - Have Joomla play nice with reverse caching proxies like Varnish, Nginx etc.

@RonakParmar

I have used Joomla! 3.6.3-dev — © 2016 joomlacmsstaing setup in my local to test this issue.
What I have done was,

  • Configured "Your Profile" page after login redirect in login module at backend.
  • Clicked Remember Me checkbox and logged-in frontend.
  • Bookmarked Your Profile page.
  • Close the browser.
  • Relaunched the browser and was able to access the restricted page, i.e. Your Profile page, and I am still logged in on my Joomla setup.

Not able to reproduce this issue, let me know if I am doing anything wrong.

This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/11541.

@brianteeman
Contributor

Unable to replicate this with current staging

@gachla please can you retest



@brianteeman
Contributor

Closed due to lack of response - it can always be re-opened if required



@stefanpoensgen

I got this error too but only with multilanguage enabled.
I've set up a new Joomla test installation with multilanguage.

If I perform the login on the frontend (check remember me) I can browse to the restricted content.
Now if I close the browser window, reopen it and go directly to my test page's restricted content I get the following error:
"You are not authorised to view this resource."

But the user menu is visible so I’m logged in, but something is not correct.



@stefanpoensgen

  1. http://test.mcchip-dkr.com/index.php/en/ User: Demo / demo Check remember me
  2. Go to "Your Profile"
  3. Close Browser
  4. Open Browser and direct open http://test.mcchip-dkr.com/index.php/en/your-profile


@RonakParmar

@stefanpoensgen I have followed the above steps and am still not able to reproduce this issue.
After reopening the browser, I can visit the profile page.

@stefanpoensgen

Bookmark http://test.mcchip-dkr.com/index.php/en/your-profile or copy paste in to browser. Do not enter the site before you go to http://test.mcchip-dkr.com/index.php/en/your-profile

I got this error with every browser and every pc




@zero-24 zero-24 reopened this Oct 7, 2016
@ghost

ghost commented Jan 31, 2017

Issue seems solved, cannot confirm described behavior.

Test on:

Joomla! 3.7.0-staging
macOS Sierra, 10.12.3
Safari 10.0.3
PHP 7.0.4
MySQLi 5.5.53-0

@zero-24
Contributor

zero-24 commented Feb 3, 2017

Closing. Thanks:)

@zero-24 zero-24 closed this as completed Feb 3, 2017
@stefanpoensgen

stefanpoensgen commented Feb 19, 2017

in joomla 3.7.0-beta2 the issue still exists

@Bakual Bakual reopened this Feb 19, 2017
@Bakual
Contributor

Bakual commented Feb 19, 2017

I'm reopening this since apparently the issue still exists. Needs proper tests to reproduce since not everybody seems to be able to do it.
I get it has to do with the multilingual plugin since the issue is only on multilingual sites.

@robobenklein

Here's a new perspective - I'm not on a multilingual site yet I can reproduce the problem.

I believe this is due to the system content plugin rendering before the system cookie auth / Remember me plugin is activated. (Meaning the page renders, then logs you in after it already rendered the HTML.)

This doesn't happen with just articles or pages for me, but also occurs with modules and navigation.

My dev site: https://323.robosane.net/ (v3.8.1)
Steps to reproduce:

  1. Log into site
  2. Go to home page
  3. Wait for server-side session to timeout. (~15 minutes)
  4. Reload page
  5. Now the navigation says I am not logged in. (because it shows the login item still, and only registered users can see search page)
  6. Reload page again.
  7. Site now acts like I am logged in.
  8. Wait 15 minutes again
  9. have to reload the page twice to get logged in

If I get time I will try this on a fresh install to clear out any plugins which might be changing anything.

@Polm90

Polm90 commented May 5, 2020

Issue still present on joomla 3.9.18.

I do login with remember me checkbox checked.
After server side session timeout, I open the site again. I see the main menu as if I'm not logged in, but the module with my name is visible and correctly displays my username. So the layout is inconsistent.
To see the other menu voices, I have to try to navigate to the login page; so, I'm redirected to the home page and the site displays the error message "you are not allowed to see this resource", but now I see the menu (and everything) as I am logged in.

@AndySDH
Contributor

AndySDH commented Oct 4, 2020

I confirm this is still an issue.

The issue happens with Components (access is not given on first visit for remembered user), as well as Menu Items Links (access-restricted menu items are not displayed correctly on first visit for remembered user).

On the other hand, modules are not affected by this issue (access-restricted modules get displayed correctly for remembered user)

An issue from 2016 still not solved, 4 years must be a record :D

@AndySDH
Contributor

AndySDH commented Oct 4, 2020

I found that this wasn't being an issue in one of my sites while it was in the others, so I investigated a little and found what makes it happen!

This actually seems to have to do with plugin ordering and (maybe) sh404sef's plugins:

In the System Plugins ordering, if the plugin "System - Remember Me" is ordered AFTER "sh404sef - System plugin" or "shlib - Db query cache and programming library", then the issue happens.

However, if the plugin "System - Remember Me" is ordered BEFORE "sh404sef - System plugin" and "shlib - Db query cache and programming library", then the issue is gone. For example, if the "System - Remember Me" is ordered as the very first System plugin at the top, this issue will not happen.

To anyone that had this issue before, can you verify if this is also the solution for you?
@gachla @stefanpoensgen @robobenklein @Polm90

Any insight on why plugin ordering might affect this?

@zero-24
Contributor

zero-24 commented Oct 4, 2020

> Any insight on why plugin ordering might affect this?

Well, can you send me the plugins in question to tobias.zulauf[at]community.joomla.org? My guess is that those plugins do some redirect or special handling that results in the remember me plugin not getting triggered.

@Polm90

Polm90 commented Oct 5, 2020

> I found that this wasn't being an issue in one of my sites while it was in the others, so I investigated a little and found what makes it happen!
>
> This actually seems to have to do with plugin ordering and (maybe) sh404sef's plugins:
>
> In the System Plugins ordering, if the plugin "System - Remember Me" is ordered AFTER "sh404sef - System plugin" or "shlib - Db query cache and programming library", then the issue happens.
>
> However, if the plugin "System - Remember Me" is ordered BEFORE "sh404sef - System plugin" and "shlib - Db query cache and programming library", then the issue is gone. For example, if the "System - Remember Me" is ordered as the very first System plugin at the top, this issue will not happen.
>
> To anyone that had this issue before, can you verify if this is also the solution for you?
> @gachla @stefanpoensgen @robobenklein @Polm90
>
> Any insight on why plugin ordering might affect this?

It seems to work. But I do not have that plugin installed. I have helix and sp page builder ones...

@AndySDH
Contributor

AndySDH commented Oct 5, 2020

> It seems to work. But I do not have that plugin installed. I have helix and sp page builder ones...

So what did you do to fix the problem? Just moved the "Remember Me" plugin at the top of the System plugins?

@zero-24
Contributor

zero-24 commented Oct 5, 2020

> > It seems to work. But I do not have that plugin installed. I have helix and sp page builder ones...
>
> So what did you do to fix the problem? Just moved the "Remember Me" plugin at the top of the System plugins?

Have you sent me the plugins so we can try to debug what is wrong?

@AndySDH
Contributor

AndySDH commented Oct 5, 2020

> Have you sent me the plugins so we can try to debug what is wrong?

@zero-24 I have communicated the issue to the sh404sef developer itself, let's see what happens :)

@zero-24
Contributor

zero-24 commented Oct 5, 2020

Awesome please share the feedback you get so we can work on a solution to this.

@Polm90

Polm90 commented Oct 5, 2020

> > It seems to work. But I do not have that plugin installed. I have helix and sp page builder ones...
>
> So what did you do to fix the problem? Just moved the "Remember Me" plugin at the top of the System plugins?

No, I was wrong... I've tried a bit more and the issue is still there...

@zero-24
Contributor

zero-24 commented Oct 5, 2020

Ok but you can constantly reproduce this issue right? Can you share with us the steps and extensions you took so we can try to debug this issue.

@weeblr
Contributor

weeblr commented Oct 6, 2020

Hi

Yannick here, developer of sh404SEF. I have spent quite some time now with AndySDH trying to figure out if sh404SEF has anything to do with this but I came to the conclusion it does not, as seems confirmed by what @Polm90 said, that he still sees the issue but does not use sh404SEF.

That issue is particularly tricky because @AndySDH set up a default J3 install, with sh404SEF, and can reproduce the issue each time he visits his test site. And I cannot reproduce it on the very same test site. If I take the exact same steps (log-in, close browser, come back), the site works perfectly fine for me, while it shows the problem for him. Tested with multiple browsers of course.

@zero-24
Contributor

zero-24 commented Oct 6, 2020

hmm could you confirm that the cookie used by the core plugin is still available in that browser where it fails?

@weeblr
Contributor

weeblr commented Oct 6, 2020

Oddly enough, @AndySDH confirmed the cookie is there and even that he can see a log-in action in the Action logs. I'll let him comment any further as I have never been able to view the problem happening myself.

@zero-24
Contributor

zero-24 commented Oct 6, 2020

> Oddly enough, @AndySDH confirmed the cookie is there and even that he can see a log-in action in the Action logs.

ok now it is getting strange.. the cookie is there and we record a login action. I tend to get out of ideas :D I guess you use the default session handler right?

@weeblr
Contributor

weeblr commented Oct 6, 2020

The thing is, @AndySDH can see the problem on his site, on a default Joomla install he made for reproducing purposes and even on weeblr.com. I can't vouch for session handling on his sites but on weeblr.com, it's indeed the default session handler.
I ran out of ideas some time ago :)

@AndySDH
Contributor

AndySDH commented Oct 6, 2020

That's the weird part.

The cookie is there, it logs you in, there is a login action recorded, but the Menu Items act as if you're logged out (just for the first pageview - then when you refresh, the correct menu items update and show correctly).

We'll see if we can figure more of this out.

@weeblr
Contributor

weeblr commented Oct 6, 2020

Hi
So I did a bit more digging and I think I can describe a reproducible test bed. What tricked me is that I assumed that Chrome does indeed clear "session" cookie when you close it. It does not. Session cookies are preserved upon closing and re-opening Chrome (Windows 10, everything up to date).
So to reproduce what Andy is seeing, I had to manually delete the session cookie:

  • Install a clean Joomla 3, no 3rd party or anything
  • Add a menu item to an article with "Registered" access
  • Add a menu item to an article with "Guest" access
  • Add the login module
  • Log out of admin just in case and clear cookies
  • Load the home page, you should see the "Guest" menu item
  • Open dev tools
  • Login using the login module
  • In dev tools, go to Application->cookies and you should see: session cookie, user_state cookie and remember_me cookie
  • Delete session and user_state cookies (they are "session" cookies). Only the remember_me cookie is still present. Deleting session cookie manually is required (for me) to simulate the browser closing session cookies when being closed.
  • Copy a link to a public page of the site, for instance the /getting-started page
  • Navigate to Joomla.org (to avoid Chrome reloading your site from cache and disturbing the test)
  • Close the browser
  • Open it back (depending on browser settings, you'll be either on an empty page or the last page you browsed before closing)
  • Navigate to yourtestsite.com/getting-started

At this point, you will see:

  • the login module shows you as logged-in as expected
  • all cookies have been re-created as expected: session, user_state and remember-me still there
  • BUT the Guest menu item is displayed instead of the Registered menu item - which is the problem @AndySDH is having

Hitting F5 or refreshing the page returns everything to normal, "Registered" menu item is displayed and "Guest" menu item disappears.

@weeblr
Contributor

weeblr commented Oct 6, 2020

Hi

> What tricked me is that I assumed that Chrome does indeed clear "session" cookie when you close it. It does not. Session cookies are preserved upon closing and re-opening Chrome (windows 10, everything up to date).

To be more clear, Chrome does not delete session cookies when you set it to "Continue where you left off", that is your browser is set to re-open the tabs opened when you closed it.

Not that it has anything to do with the issue discussed here. Chrome not deleting cookies just makes reproducing a bit harder by having to manually delete the cookies in question.

@AndySDH
Contributor

AndySDH commented Oct 6, 2020

> Hi
>
> What tricked me is that I assumed that Chrome does indeed clear "session" cookie when you close it. It does not. Session cookies are preserved upon closing and re-opening Chrome (windows 10, everything up to date).
>
> To be more clear, Chrome does not delete session cookies when you set it to "Continue where you left off", that is your browser is set to re-open the tabs opened when you closed it.

Oh there you go. That must be the reason for why you weren't able to reproduce it before then, nice find :)

@AndySDH
Contributor

AndySDH commented Oct 6, 2020

Check this out guys for easier steps to reproduce:
https://streamable.com/hvrtcp

I can reproduce this on a clean install site, but only with sh404sef extension installed. I personally have not been able to reproduce it without sh404sef installed.

However @weeblr was able to also reproduce it on his site without sh404sef installed. So it's up in the air on what causes it.

@weeblr
Contributor

weeblr commented Oct 6, 2020

Hi

Still investigating. I can reproduce without sh404SEF but only with some system plugins enabled. So far, it appears the problem occurs if the system plugin has a handler for the onAfterRoute event. Not been able to pinpoint the actual triggering factor.

@weeblr
Contributor

weeblr commented Oct 6, 2020

Hi again

@zero-24 @AndySDH After quite some time on this, I understand now the problem and what causes it. It does occur with sh404SEF and probably with a number of other extensions.

TLDR:

The problem happens if any system plugin calls $app->getMenu() from the onAfterInitialise event if that system plugin is located before the Remember Me plugin.
That may not be too common however what's more common is to get the Application router, usually to attach parse rules:

$router->attachParseRule(array($this, 'parseRule'), JRouter::PROCESS_DURING);

As the router also uses getMenu() in its constructor, the problem happens.

Details:

When the menu is built by calling $app->getMenu(), Joomla\CMS\Menu\AbstractMenu stores the current user (to later decide which items to show).
If a system plugin tries to attach rules to the router, or tries to read the menu items, and the Remember Me plugin has not run yet then the menu object stores a "guest" user.

The Remember Me plugin will not have run in that case if it's located after the plugin making that call.

With a stock Joomla, this can be reproduced with the test instructions above after adding the line:

$router->attachParseRule(array($this, 'parseRule'), JRouter::PROCESS_DURING);

to the onAfterInitialise method of one of Joomla's own system plugins, for instance the P3P one.

The only fix I can see for this would be for the menu item to not store the user in its constructor but later, only when it needs it (I tested that and it works)

For now, the workaround is to move the RememberMe plugin at the top of the System plugins.
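
The ordering effect described in the comment above can be modelled in a few lines of PHP. This is an added example, not part of the original thread and not Joomla's own code: the classes `App`, `EagerMenu` and `LazyMenu`, the function `firstPageView`, the plugin names and the access-level numbers are all assumptions made for illustration.

```php
<?php
// Simplified model of the ordering problem. Class and function names are
// hypothetical stand-ins and do not reproduce Joomla's own code.

final class User
{
    public function __construct(public string $name, public array $levels) {}
}

final class App
{
    public User $user;
    private array $menus = [];

    // Constructed values: every request starts as a guest (levels 1 and 5).
    public function __construct() { $this->user = new User('guest', [1, 5]); }

    // One shared menu instance per request, built on first use.
    public function getMenu(string $class): object
    {
        return $this->menus[$class] ??= new $class($this);
    }
}

abstract class Menu
{
    abstract protected function user(): User;

    // Titles of the items whose access level the resolved user holds.
    public function visible(array $items): array
    {
        $levels = $this->user()->levels;
        return array_keys(array_filter($items, fn ($lvl) => in_array($lvl, $levels, true)));
    }
}

// Eager: snapshots the user at construction time.
final class EagerMenu extends Menu
{
    private User $snapshot;
    public function __construct(App $app) { $this->snapshot = $app->user; }
    protected function user(): User { return $this->snapshot; }
}

// Lazy: resolves the live user each time access is evaluated.
final class LazyMenu extends Menu
{
    public function __construct(private App $app) {}
    protected function user(): User { return $this->app->user; }
}

// Runs the modelled system plugins in order, then renders the first page view.
function firstPageView(string $menuClass, array $pluginOrder): array
{
    $plugins = [
        // Stands in for any plugin that fetches the router or menu early.
        'router'   => fn (App $app) => $app->getMenu($menuClass),
        // Stands in for the cookie login performed by Remember Me.
        'remember' => fn (App $app) => $app->user = new User('demo', [1, 2]),
    ];
    $app = new App();
    foreach ($pluginOrder as $name) { $plugins[$name]($app); }
    return $app->getMenu($menuClass)->visible(['Guest item' => 5, 'Registered item' => 2]);
}

foreach ([EagerMenu::class, LazyMenu::class] as $class) {
    foreach ([['router', 'remember'], ['remember', 'router']] as $order) {
        printf("%-9s %-16s => %s\n", $class, implode(',', $order),
            implode(', ', firstPageView($class, $order)));
    }
}
```

Only the eager menu with the early plugin ahead of the cookie login evaluates access against the stale guest identity; the lazy variant is independent of plugin order.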

@jiweigert

Nice tracing of the cause of the error..

@zero-24
Contributor

zero-24 commented Oct 6, 2020

I can only second that great analysis! @weeblr
Can you do a PR with the suggested change (moving the user call around?) And add a note why that should not be loaded on the constructor?

@AndySDH
Contributor

AndySDH commented Oct 7, 2020

Great finds @weeblr! I'm glad we were able to pinpoint the cause of the issue, this was a tricky one to troubleshoot :D

> For now, the workaround is to move the RememberMe plugin at the top of the System plugins.

Yeah, as I discovered earlier this seemed to be a consistent workaround. Maybe an idea could be to have Joomla force the "Remember Me" plugin to be on top of the system plugin ordering, so every time you update Joomla, a check is made that the Remember me plugin is on top of the list.

Even though it may not be a solid solution, as other extensions may still be "fighting" for that first spot in the ordering and override this.

But it still could be a good idea to implement regardless.

@weeblr
Contributor

weeblr commented Oct 7, 2020

@zero-24 I will work on that. I have found the easiest way to reproduce is to enable the Language filter plugin (even on a single language site): it does attach rules to the router and is located before the Remember Me plugin. It's also likely Joomla 4 has the same problem.

I also suspect there are other areas where the same kind of issue arises because of some piece of data being stored instead of using the live value.

I'll look at a PR for that in the coming days.

@AndySDH You certainly were the tenacious one on that one ;)

@zero-24
Contributor

zero-24 commented Oct 7, 2020

Thanks @weeblr 👍 Feel free to send the PR against staging so we fix all required places there and then merge it up to 4.0 too.

@weeblr
Contributor

weeblr commented Oct 7, 2020

@zero-24 See PR #30980

@zero-24
Contributor

zero-24 commented Oct 7, 2020

Closing as we now have the PR 👍

@weeblr
Contributor

weeblr commented Oct 8, 2020

Hi all,

In the hope this can be fixed once and for all, I have redone a PR (#30991) and closed the previous one. This will solve the problem for Joomla 3 in a B/C way. Discussion should also happen about whether Joomla 4 should use the same fix, or take another approach.

However the latest PR is only for Joomla and I hope it can be processed quickly.

@weeblr
Contributor

weeblr commented Oct 8, 2020

Hi @Polm90 @jiweigert @gachla @RonakParmar @stefanpoensgen @brianteeman @robobenklein

We now have a PR to fix that problem. It affects both Joomla and Joomla 4, and just using the Language Filter plugin is enough to trigger it so I assume a fair number of people are affected, even if never actually noticed it.

@AndySDH already tested the PR so we need at least one more tester to validate this and be ready for having the fix merged for Joomla 3 (separate discussion is to be had for Joomla 4, although the same fix can be applied as well).

The PR, #30991, has clear and simple instructions to reproduce the problem and test the fix on a stock Joomla 3.

Thanks for assisting in solving this.

Cheers
