SMF 1.1.9 - You were unable to login. Please check your cookie settings.

Started by Wabiloo, April 19, 2012, 07:08:54 AM


Wabiloo

Hi,
I'm getting this (clearly standard) error on an SMF 1.1.9 forum I just inherited from a previous webmaster (who has now left): "You were unable to login. Please check your cookie settings."

I have gone through these forums and tried what I could (deleting cookies, trying other browsers, changing the cookie duration, changing the cookie name)... nothing works!
I see a number of tips that require me to go to the Admin CP. Here is my problem: I can't log in, even with the administration account! So, how can I get to the admin CP in the first place???

kat

Welcome to the wonderful world of weirdness, Wabiloo! ;)

That forum's pretty ancient, now.

I'm thinking that upgrading to the latest v1 version, 1.1.16, might be your best and easiest option, to be honest.

That might kill two birds with the one, proverbial, stone. ;)

Do yourself a HUGE favour, though, before you do that...



Read my sig. :)

Wabiloo

Well, I did all that now:
- backed up everything
- upgraded to SMF 1.1.16

And guess what?  Still the same message... This is majorly irritating...

kat

Well, to try and narrow things down, a bit, is it just you that's getting this? Or, are your members suffering from the same hassles?

Is there an account that we could have access to, to try and see if we can figure this one out?

(I realise that you can't create one, as you can't access Admin).

Could you, perhaps, PM me your own account details, so that I can try to log in and see what I get?

Probably best for you to read this, first:

http://www.simplemachines.org/community/index.php?topic=87130.0

After all, I could just be some twonk who goes around collecting admin accounts to go screw people's sites, for the fun of it. ;)

Wabiloo

All users are getting the same problem, I've had confirmation of that.

I've sent you a PM with the website and account details

kat

I'm getting the same as you. "You were unable to login. Please check your cookie settings.".

Now that sure is weird.

When this started happening, was there anything that was done, beforehand?

Like a mod installation, a server upgrade, that kinda thing?


Small delay, here, coz I've been press-ganged into doing some housework stuff.

Back ASAP!

Wabiloo

As stated, I recently inherited this website, and the webmaster left without leaving much information.
As far as I know, no mod was installed, nor was the server upgraded. The site may have been moved from a Win to a Linux server several months ago, but continued working fine, until about 3 weeks ago. Nothing really happened beforehand, and I contacted the hosting company who checked and gave me the same answer...

Wabiloo

And here is something even weirder!
I decided to create a fresh 2.0.2 installation on the side, just to rule out any mod or accident that may have occurred on the old forum.

Although that one is fresh and only has 1 admin user, the exact same error message is returned when logging in...

I'm sending you details of that one via PM

kat

Here's a curved-ball, for you...

Do you have full ownership (CHOWN) of the files on your site?

Is mod_security enabled?

(Back in a while... Women, huh?) ;)

Wabiloo

I don't think that's it...
Here is what the hosting company's support team has to say about it:

I've checked the error log and it doesn't look like mod_security is flagging anything and it would be extremely unlikely for it to stop a login form. Also nothing has changed with the mod_security ruleset recently.
mod_security has to be turned on to protect the server because it is shared with many customers and not all customers tend to write the most secure code so it needs the software firewall.

kat

I think your host's having a laugh.

mod_security isn't that effective.

All it does, is look for words like "poker", "pictures", or "sex" and words containing the letters, to block comment and referrer spam.

It has zilch to do with code, as I understand it.

Your host is either spinning you a line, or they're Godaddy totally incompetent.

Almost every site with SMF on it has mod_security disabled, if not all of them.

If the word "Sex" is blocked, for example, anything like "Wessex", "Essex", etc. can cause problems.

Even a term like "Less extreme" can trigger the damned thing.
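
The false positives described in the post above, as an added example that is not part of the original thread: a generic keyword filter (it does not reproduce the host's mod_security ruleset) run over the three quoted phrases with three matching strategies. The function names and the fourth sample string are assumptions made for illustration.

```python
import re

# Constructed sample inputs: the three phrases quoted in the post above,
# plus one string that a filter for this keyword is meant to catch.
SAMPLES = ["Wessex", "Essex", "Less extreme", "free sex pictures"]
KEYWORD = "sex"  # the blocked word used as the example in the post


def substring_hit(text, keyword):
    """Naive filter: case-insensitive substring search."""
    return keyword.lower() in text.lower()


def squeezed_hit(text, keyword):
    """Substring search after deleting all whitespace, an anti-evasion
    step that also joins unrelated neighbouring words."""
    return keyword.lower() in re.sub(r"\s+", "", text.lower())


def word_hit(text, keyword):
    """Whole-word match: the keyword must sit between word boundaries."""
    pattern = r"\b" + re.escape(keyword) + r"\b"
    return re.search(pattern, text, re.IGNORECASE) is not None


def report(samples=SAMPLES, keyword=KEYWORD):
    """Return {text: (substring, squeezed, whole_word)} for each sample."""
    return {
        t: (substring_hit(t, keyword), squeezed_hit(t, keyword), word_hit(t, keyword))
        for t in samples
    }


if __name__ == "__main__":
    for text, hits in report().items():
        print(f"{text!r:22} substring={hits[0]!s:5} squeezed={hits[1]!s:5} word={hits[2]}")
```

"Less extreme" only matches once whitespace has been removed before matching, while the whole-word pattern flags none of the three phrases and still catches the constructed fourth string.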

Wabiloo

Well, maybe so, but I have no control over this.
Plus, they've clearly always had it on, and the forum used to work until a few weeks ago...
There must be something else going on here...

kat

The thing is, if it's on, it's bound to screw something, sometime.

Maybe the switch from Winderz to Apache was where this cropped up?

Tell ya what... What if you ask them to disable it, temporarily, just to prove whether or not this is what the problem is?

If they disable it and everything works, we'll know what the problem is.

If they disable it and the problem persists, we'll know that we have to look at something else.

But, as you haven't changed anything and this hassle seems to have appeared at around the time that they switched systems, it seems, to me, to be pointing to that being the problem.

In all honesty, I can't think of anything else that could be causing this, at all.

That doesn't mean that it might not be something else. Someone with a bit more knowledge than I have might have other ideas. But, for me, this is really screaming "mod_security"!!!

Wabiloo

Hi again,

I have talked to the hosting company again, and they are adamant that this issue cannot have anything to do with mod_security. They checked the logs and see nothing in it that shows that the firewall rules got triggered.
"I've checked the error log and it doesn't look like mod_security is flagging anything and it would be extremely unlikely for it to stop a login form. Also nothing has changed with the mod_security ruleset recently."

This is getting VERY frustrating. Please tell me I don't have to move away from SMF and find a way to migrate all that data to another forum package...

kat

If they're so certain, why not ask them to disable it, temporarily, to prove the point, one way or the other?

Wabiloo

I did ask, and they are not willing to do it at this stage (although they are going to get a more senior person to review the request)


