SMF/Joomla Bridge Login Issue w/ SEF

Started by aceat64, April 11, 2007, 04:45:44 AM


aceat64

I am using the latest version of Joomla and SMF, with the SMF Joomla Bridge and it all works perfectly, it's great I love it. Sadly, whenever I turn on the SEF in Joomla (default SEF), suddenly users cannot log in to the site or post in the forums if they are already logged in. I've got the forums wrapped and with SEF off everything works without issue. I searched high and low on the forums to see if there was a post that could help me fix this issue, but there were none.  :-[

The website is at teammaelstrom.com and is (at the time of writing) not using SEF for now. When a user attempts to log in they are taken to the forum's login page, with a login prompt and an error reading "You should fill in a username." in nice red letters. Any subsequent attempt to log in to the site, even from that page, brings you to the same screen. The URL for that page is "/component/option,com_smf/Itemid,26/action,login2". Now if you go to "teammaelstrom.com/forums/" you can log in without issue!

I've been poking around here and there trying to figure out what's going on, but I've come to the point where it's best to ask those with more knowledge. I've checked the error_log, no php errors of any kind in there (my server is set up to log all php errors to error_log rather than spit them out to users). My best guess is that for whatever reason the session data isn't being read by SMF or the bridge login when you are redirected, and thus it thinks you called the page without a username/password entered.

Other than this (mostly cosmetic) issue, I am absolutely in love with SMF/Joomla, and the fact that stand-alone SMF supports SEF has converted me from phpBB.  :)

Also of note, I'm planning on converting over to OpenSEF (usually the SEF Extension for SMF/Joomla! Bridge and OpenSEF from this forum) once I get the basic Joomla SEF working.

Here are my software versions:
Joomla! 1.0.12
SMF 1.1.2
SMF 1.1 Joomla Bridge 1.1.7
PHP 4.3.9 (more info at http://teammaelstrom.com/info.php)
MySQL 4.1.20
Apache 2.0.52

My .htaccess file:

##  Can be commented out if causes errors, see notes above.
Options +FollowSymLinks

#
#  mod_rewrite in use

RewriteEngine On


#  Uncomment following line if your webserver's URL
#  is not directly related to physical file paths.
#  Update Your Joomla!/MamboDirectory (just / for root)

# RewriteBase /


########## Begin - Joomla! core SEF Section
############# Use this section if using ONLY Joomla! core SEF
## ALL (RewriteCond) lines in this section are only required if you actually
## have directories named 'content' or 'component' on your server
## If you do not have directories with these names, comment them out.
#
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR]            ##optional - see notes##
#RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$  [NC]
RewriteRule ^(content/|component/) index.php
#
########## End - Joomla! core SEF Section



########## Begin - 3rd Party SEF Section
############# Use this section if you are using a 3rd party (Non Joomla! core) SEF extension - e.g. OpenSEF, 404_SEF, 404SEFx, SEF Advance, etc
#
#RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR]             ##optional - see notes##
#RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$  [NC]
#RewriteCond %{REQUEST_FILENAME} !-f
#RewriteCond %{REQUEST_FILENAME} !-d
#RewriteRule (.*) index.php
#
########## End - 3rd Party SEF Section



########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits

aceat64

Crap, I just noticed the nice "support" board, I probably should have posted in there. Serves me right posting stuff at 4am.

Orstio

Try commenting out this line:

Options +FollowSymLinks

aceat64

I just tried it with FollowSymLinks disabled, still not able to log in.  :-[

aceat64

Is there a way for me to see what sessions or cookies are being used or what the SMF login page is expecting to get? I'm trying to figure out some way to debug this without much success.

aceat64

Ok, here's some info from Live Headers (great Firefox addon)...

With SEF:

POST /component/option,com_smf/Itemid,26/action,login2/ user=aceat64&passwrd=[REMOVED]&cookielength=-1&hash_passwrd=&op2=login&option=com_smf&Itemid=26&action=login2&returnurl=2&lang=english&return=http%3A%2F%2Fteammaelstrom.com%2Fcomponent%2Foption%2Ccom_frontpage%2FItemid%2C1%2F&message=


Without SEF:

POST /index.php?option=com_smf&Itemid=26&action=login2 user=aceat64&passwrd=[REMOVED]&cookielength=-1&hash_passwrd=&op2=login&option=com_smf&Itemid=26&action=login2&returnurl=2&lang=english&return=http%3A%2F%2Fteammaelstrom.com%2Findex.php%3F&message=


So it looks like the form data makes it to the bridge without issue. I'm going to figure this out or die trying!

aceat64

I placed some diagnostic code into the LogInOut.php file to see what is being passed to it. It looks as if the form data doesn't get to it when SEF is on!

Diagnostics Code:

// === START DIAGNOSTICS ===
$al_headers = apache_request_headers();
$al_data = "===START HEADER INFO===\n";
foreach ($al_headers as $al_header => $al_value) { $al_data .= "$al_header: $al_value\n"; }
$al_data .= "user: {$_REQUEST['user']}\n";
$al_data .= "passwrd: {$_REQUEST['passwrd']}\n";
$al_filename='/tmp/test.txt';
if (is_writable($al_filename)) {
    if (!$al_handle = fopen($al_filename, 'a')) { exit; }
    if (fwrite($al_handle, $al_data) === FALSE) { exit; }
    fclose($al_handle);
}
// === END DIAGNOSTICS ===


Output with SEF off, no user name given, and password "test":

===START HEADER INFO===
Host: teammaelstrom.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://teammaelstrom.com/index.php?option=com_frontpage&Itemid=1
Cookie: PHPSESSID=4df085d2de5a5eb90798e5c530ee75a5; mosvisitor=1; 7c1a663dfe9260d48a58dd724f7e10ad=02adc7ec39b33e632b108d850df99354; b93134aa9aff7c9edc40d7d8653a556a=ca7384fc28b285eea0e9bb6f00531dba
Content-Type: application/x-www-form-urlencoded
Content-Length: 219
user:
passwrd: test


Output with SEF on, user name and password were filled out:

===START HEADER INFO===
Host: teammaelstrom.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://teammaelstrom.com/
Cookie: PHPSESSID=4df085d2de5a5eb90798e5c530ee75a5; mosvisitor=1; 7c1a663dfe9260d48a58dd724f7e10ad=02adc7ec39b33e632b108d850df99354; b93134aa9aff7c9edc40d7d8653a556a=ca7384fc28b285eea0e9bb6f00531dba
Content-Type: application/x-www-form-urlencoded
Content-Length: 185
user:
passwrd:


So with SEF off, the form data goes to SMF without issue, with SEF on it gets nothing! So the fault must be with Joomla or com_smf. Once I figure out the right place to put the diagnostic code I'll try to narrow it down some more.

aceat64

Ok, I placed my diag code into com_smf/smf.php in the integrate_login function right after the globals. When SEF is off, the script gets executed and logs the header info, but with SEF on the diag code never runs, which means for whatever reason integrate_login() isn't being run when SEF is turned on!

Now if only I can figure out what this means...

Orstio

Integrate_login comes after the check in SMF for the input of a username.

aceat64

Well, I've played around with it some more, the only thing that I can figure out is that for whatever reason com_smf isn't passing along the request data when a form is submitted. Though com_smf_registration seems to be able to pass the form data along without issue.

Any more help with this would be greatly appreciated.  :)

Orstio

In your bridge config, what did you use as your path to SMF?

Can you try putting your diagnostics code at the beginning of smf.php?

aceat64

Great, no wonder this issue is so hard to track down... for whatever reason it appears that apache's mod_rewrite (on my server) is not passing on the POST data to the php script.

Here's a test page I put together:
http://teammaelstrom.com/test.html

That allows you to try a number of ways of submitting data to this script:

<?php

// === START DIAGNOSTICS ===
$al_headers = apache_request_headers();
$al_data = "===START HEADER INFO===<br>\n";
foreach ($al_headers as $al_header => $al_value) { $al_data .= "$al_header: $al_value<br>\n"; }
$al_data .= "URI: {$_SERVER['REQUEST_URI']}<br>\n";
$al_data .= "user: {$_REQUEST['user']}<br>\n";
$al_data .= "passwrd: {$_REQUEST['passwrd']}<br>\n";
$al_data .= "Option: {$_REQUEST['option']}<br>\n";
$al_filename='/tmp/test.txt';
//if (is_writable($al_filename)) {
//    if (!$al_handle = fopen($al_filename, 'a')) { exit; }
//    if (fwrite($al_handle, $al_data) === FALSE) { exit; }
//    fclose($al_handle);
//}
print($al_data);
// === END DIAGNOSTICS ===

?>



The rule in my htaccess file is fairly simple, it is:

RewriteRule testing /test.php?option=using_redirect


So who knows what I've screwed up or where, but thank you Orstio for your help. When I figure out how to get this working, I'll post a solution here for future reference. Btw, without SEF the bridge and SMF are working great, I don't think I'll be using phpBB ever again (shudders).

aceat64

Well, almost a week later and I figured out that I had it fixed before I even posted on this forum, but I forgot to comment out one line. The problem was mod_security being overly tight-assed about the POST requests. Problem solved, and now I can sleep. :)

Orstio

Can you share what line you've commented?

sangweb

Can you tell us what you've done to fix this?  I am having the same issue.  Thanks.

Quote from: aceat64 on April 17, 2007, 02:47:47 AM
Well, almost a week later and I figured out that I had it fixed before I even posted on this forum, but I forgot to comment out one line. The problem was mod_security being overly tight-assed about the POST requests. Problem solved, and now I can sleep. :)

aceat64

I disabled mod_security entirely, but was still loading the module. I'll try and figure out the exact setting that causes the problem when I get a chance later. Work is piling up on me at the moment. :)

For now if you just take out the LoadModule and conf files for mod_security things should work.
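
A narrower diagnostic for the symptom in this thread (the browser sends Content-Length: 185, yet `user` and `passwrd` are empty in PHP), added here as an example and not code from any poster or from the bridge: it compares the declared body length with what PHP actually received and logs field names and value lengths only, never the password. The function names and the `[postdiag]` log tag are hypothetical, and it assumes an `application/x-www-form-urlencoded` form, as in the captured headers.

```php
<?php
// Added example, not code from the thread. Names here are hypothetical.

// Decide what happened to a POST body between the browser and PHP.
function classify_post($method, $declaredLen, $rawBody, array $post)
{
    if (strtoupper($method) !== 'POST') {
        return 'not-a-post';       // an external redirect would arrive as GET
    }
    if ($declaredLen > 0 && $rawBody === '' && count($post) === 0) {
        return 'body-lost';        // browser declared data, PHP received none
    }
    if ($rawBody !== '' && count($post) === 0) {
        return 'body-unparsed';    // bytes arrived but were not decoded
    }
    if (strlen($rawBody) !== $declaredLen) {
        return 'length-mismatch';  // body truncated or altered in transit
    }
    return 'ok';
}

// List field names with value lengths only, so no password reaches the log.
function describe_fields(array $post)
{
    $out = array();
    foreach ($post as $name => $value) {
        // Replace anything unusual in the name so it cannot forge log lines.
        $safe = preg_replace('/[^A-Za-z0-9_.\[\]-]/', '?', (string) $name);
        $out[] = $safe . '(' . (is_array($value) ? 'array' : strlen((string) $value)) . ')';
    }
    return implode(',', $out);
}

if (PHP_SAPI !== 'cli') {
    // Live request: write one line to the PHP error log.
    $raw = (string) file_get_contents('php://input');
    $len = isset($_SERVER['CONTENT_LENGTH']) ? (int) $_SERVER['CONTENT_LENGTH'] : 0;
    error_log(sprintf('[postdiag] uri=%s declared=%d received=%d verdict=%s fields=%s',
        $_SERVER['REQUEST_URI'], $len, strlen($raw),
        classify_post($_SERVER['REQUEST_METHOD'], $len, $raw, $_POST),
        describe_fields($_POST)));
} else {
    // Constructed samples modelled on the two dumps in the thread.
    $body = 'user=&passwrd=test&op2=login';
    parse_str($body, $fields);
    echo classify_post('POST', strlen($body), $body, $fields), ' ', describe_fields($fields), "\n";
    echo classify_post('POST', 185, '', array()), "\n";
}
```

A `body-lost` verdict on the rewritten URL together with `ok` on the plain `index.php` URL places the loss in front of PHP (a server module or filter), not in Joomla or the bridge.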
