Remember me #11541
Comments
I have used Joomla! 3.6.3-dev — © 2016 joomlacmsstaing setup in my local to test this issue.
|
Unable to replicate this with current staging @gachla please can you retest This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/11541. |
Closed due to lack of response - it can always be re-opened if required |
I got this error too but only with multilanguage enabled. If I perform the login on the frontend (check remember me) I can browse to the restricted content. But the user menu is visible so I’m logged in, but something is not correct |
@stefanpoensgen I have followed above steps and still not able to reproduce this issue. |
Bookmark http://test.mcchip-dkr.com/index.php/en/your-profile or copy paste in to browser. Do not enter the site before you go to http://test.mcchip-dkr.com/index.php/en/your-profile I got this error with every browser and every pc |
https://www.youtube.com/watch?v=Q5wqtMkL3NA&feature=youtu.be |
Issue seems solved, cannot confirm described behavior. Tested on: Joomla! 3.7.0-staging |
Closing. Thanks:) |
In Joomla 3.7.0-beta2 the issue still exists |
I'm reopening this since apparently the issue still exists. Needs proper tests to reproduce since not everybody seems to be able to do it. |
Here's a new perspective - I'm not on a multilingual site yet I can reproduce the problem. I believe this is due to the system content plugin rendering before the system cookie auth / Remember me plugin is activated. (Meaning the page renders, then logs you in after it already rendered the HTML.) This doesn't happen with just articles or pages for me, but also occurs with modules and navigation. My dev site: https://323.robosane.net/ (v3.8.1)
If I get time I will try this on a fresh install to clear out any plugins which might be changing anything. |
Issue still present on joomla 3.9.18. I do login with remember me checkbox checked. |
I confirm this is still an issue. The issue happens with Components (access is not given on first visit for remembered user), as well as Menu Items Links (access-restricted menu items are not displayed correctly on first visit for remembered user). On the other hand, modules are not affected by this issue (access-restricted modules get displayed correctly for remembered user) An issue from 2016 still not solved, 4 years must be a record :D |
I found that this wasn't being an issue in one of my sites while it was in the others, so I investigated a little and found what makes it happen! This actually seems to have to do with plugin ordering and (maybe) sh404sef's plugins: In the System Plugins ordering, if the plugin "System - Remember Me" is ordered AFTER "sh404sef - System plugin" or "shlib - Db query cache and programming library", then the issue happens. However, if the plugin "System - Remember Me" is ordered BEFORE "sh404sef - System plugin" and "shlib - Db query cache and programming library", then the issue is gone. For example, if the "System - Remember Me" is ordered as the very first System plugin at the top, this issue will not happen. To anyone that had this issue before, can you verify if this is also the solution for you? Any insight on why plugin ordering might affect this? |
Well, can you send me the plugins in question to tobias.zulauf[at]community.joomla.org? My guess is that those plugins do some redirect or special handling that results in the remember me plugin not getting triggered. |
It seems to work. But I do not have that plugin installed. I have helix and sp page builder ones... |
So what did you do to fix the problem? Just moved the "Remember Me" plugin at the top of the System plugins? |
Have you sent me the plugins so we can try to debug what is wrong? |
@zero-24 I have communicated the issue to the sh404sef developer itself, let's see what happens :) |
Awesome please share the feedback you get so we can work on a solution to this. |
No, I was wrong... I've tried a bit more and the issue is still there... |
Ok, but you can constantly reproduce this issue, right? Can you share with us the steps and extensions you took so we can try to debug this issue. |
Hi, Yannick here, developer of sh404SEF. I have spent quite some time now with AndySDH trying to figure out if sh404SEF has anything to do with this but I came to the conclusion it does not, as seems confirmed by what @Polm90 said, that he still sees the issue but does not use sh404SEF. That issue is particularly tricky because @AndySDH set up a default J3 install, with sh404SEF, and can reproduce the issue each time he visits his test site. And I cannot reproduce it on the very same test site. If I take the exact same steps (log-in, close browser, come back), the site works perfectly fine for me, while it shows the problem for him. Tested with multiple browsers of course. |
Hmm, could you confirm that the cookie used by the core plugin is still available in that browser where it fails? |
Oddly enough, @AndySDH confirmed the cookie is there and even that he can see a log-in action in the Action logs. I'll let him comment any further as I have never been able to view the problem happening myself. |
Ok, now it is getting strange.. the cookie is there and we record a login action. I tend to get out of ideas :D I guess you use the default session handler right? |
The thing is, @AndySDH can see the problem on his site, on a default Joomla install he made for reproducing purposes and even on weeblr.com. I can't vouch for session handling on his sites but on weeblr.com, it's indeed the default session handler. |
That's the weird part. The cookie is there, it logs you in, there is a login action recorded, but the Menu Items act as if you're logged out (just for the first pageview - then when you refresh, the correct menu items update and show correctly). We'll see if we can figure more of this out. |
Hi
At this point, you will see:
Hitting F5 or refreshing the page returns everything to normal, "Registered" menu item is displayed and "Guest" menu item disappears. |
Hi
To be more clear, Chrome does not delete session cookies when you set it to "Continue where you left off", that is your browser is set to re-open the tabs opened when you closed it. Not that it has anything to do with the issue discussed here. Chrome not deleting cookies just makes reproducing a bit harder by having to manually delete the cookies in question. |
Oh there you go. That must be the reason for why you weren't able to reproduce it before then, nice find :) |
Check this out guys for easier steps to reproduce: I can reproduce this on a clean install site, but only with sh404sef extension installed. I personally have not been able to reproduce it without sh404sef installed. However @weeblr was able to also reproduce it on his site without sh404sef installed. So it's up in the air on what causes it. |
Hi Still investigating. I can reproduce without sh404SEF but only with some system plugins enabled. So far, it appears the problem occurs if the system plugin has a handler for the onAfterRoute event. Not been able to pinpoint the actual triggering factor. |
Hi again @zero-24 @AndySDH After quite some time on this, I understand now the problem and what causes it. It does occur with sh404SEF and probably with a number of other extensions. TLDR: The problem happens if any system plugin calls $app->getMenu() from the onAfterInitialise event if that system plugin is located before the Remember Me plugin.
As the router also uses getMenu() in its constructor, the problem happens. Details: When the menu is built by calling $app->getMenu(), The Remember Me plugin will not run in that case if it's located after that plugin making that call. With a stock Joomla, this can be reproduced with the test instructions above after adding the line:
to the onAfterInitialize method of one of Joomla's own system plugins, for instance the P3P one. The only fix I can see for this would be for the menu item to not store the user in its constructor but later, only when it needs it (I tested that and it works) For now, the workaround is to move the RememberMe plugin at the top of the System plugins. |
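The ordering problem analysed in the comment above, reduced to a stand-alone PHP 8 sketch. This is an added example, not code from Joomla or from the pull request; `App`, `User`, `EagerMenu`, `LazyMenu` and `firstPageView` are hypothetical names. A menu that captures the user in its constructor keeps the guest identity for the rest of the request and denies the Registered item on the first page view, while a menu that reads the live identity at check time grants it.

```php
<?php
// Added illustration of the ordering bug; every class here is hypothetical, not Joomla code.
final class User
{
    public function __construct(public string $name, public array $viewLevels) {}
}

final class App
{
    public User $identity;
    private ?object $menu = null;

    public function __construct(private string $menuClass)
    {
        $this->identity = new User('guest', [1]); // level 1 = Public
    }

    public function getMenu(): object
    {
        // Built on the first call, then the same instance is reused for the request.
        $class = $this->menuClass;
        return $this->menu ??= new $class($this);
    }
}

// Behaviour described in the thread: the user is captured when the menu is constructed.
final class EagerMenu
{
    private User $user;
    public function __construct(App $app) { $this->user = $app->identity; }
    public function authorise(int $level): bool { return in_array($level, $this->user->viewLevels, true); }
}

// Direction of the fix: look the user up only when the access check runs.
final class LazyMenu
{
    public function __construct(private App $app) {}
    public function authorise(int $level): bool { return in_array($level, $this->app->identity->viewLevels, true); }
}

function firstPageView(string $menuClass): bool
{
    $app = new App($menuClass);
    $app->getMenu();                            // a plugin ordered first asks for the menu
    $app->identity = new User('alice', [1, 2]); // cookie login happens afterwards (2 = Registered)
    return $app->getMenu()->authorise(2);       // access check for a Registered menu item
}

var_dump(firstPageView(EagerMenu::class), firstPageView(LazyMenu::class));
```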
Nice tracing of the cause of the error.. |
I can only second that, great analysis! @weeblr |
Great finds @weeblr! I'm glad we were able to pinpoint the cause of the issue, this was a tricky one to troubleshoot :D
Yeah, as I discovered earlier this seemed to be a consistent workaround. Maybe an idea could be to have Joomla force the "Remember Me" plugin to be on top of the system plugin ordering, so every time you update Joomla, a check is made that the Remember me plugin is on top of the list. Even though it may not be a solid solution, as other extensions may still be "fighting" for that first spot in the ordering and override this. But it still could be a good idea to implement regardless. |
@zero-24 I will work on that. I have found the easiest way to reproduce is to enable the Language filter plugin (even on a single language site): it does attach rules to the router and is located before the Remember Me plugin. It's also likely Joomla 4 has the same problem. I also suspect there are other areas where the same kind of issue arise because of some piece of data being stored instead of using the live value. I'll look at a PR for that in the coming days. @AndySDH You certainly were the tenacious one on that one ;) |
Thanks @weeblr 👍 Feel free to send the PR against staging so we fix all required places there and then merge it up to 4.0 too. |
Closing as we now have the PR 👍 |
Hi all, In the hope this can be fixed once and for all, I have redone a PR (#30991) and closed the previous one. This will solve the problem for Joomla 3 in a B/C way. Discussion should also happen about whether Joomla 4 should use the same fix, or take another approach. However the latest PR is only for Joomla and I hope it can be processed quickly. |
Hi @Polm90 @jiweigert @gachla @RonakParmar @stefanpoensgen @brianteeman @robobenklein We now have a PR to fix that problem. It affects both Joomla and Joomla 4, and just using the Language Filter plugin is enough to trigger it so I assume a fair number of people are affected, even if they never actually noticed it. @AndySDH already tested the PR so we need at least one more tester to validate this and be ready for having the fix merged for Joomla 3 (separate discussion is to be had for Joomla 4, although the same fix can be applied as well). The PR, #30991, has clear and simple instructions to reproduce the problem and test the fix on a stock Joomla 3. Thanks for assisting in solving this. Cheers |
Steps to reproduce the issue
User checks remember me box on login. Redirected to page set in login. Bookmark page. Quit Browser
Relaunch browser and go to bookmarked page.
Expected result
Allowed to see restricted page
Actual result
Joomla doesn’t allow access to restricted bookmark page and sends you to home page with error.
You are not authorized to view this resource
System information (as much as possible)
Joomla 3.6.2
Additional comments
If a remember me cookie is set and you quit your browser, the cookie joomla_user_state is killed as it is set to destroy when ‘When the browsing session ends’
This causes issues when the person comes back to the site after restarting browser. If the user has bookmarked a page that is restricted, any redirects to that restricted page is met with You are not authorized to view this resource. After that error, Joomla now recreates joomla_user_state and now you can access that same restricted page without logging in. If remember me cookie exists, then the joomla_user_state cookie should also exist so that the user can have access immediately to the restricted page.
May be a part of [#10373] - Have Joomla play nice with reverse caching proxies like Varnish, Nginx etc.