Redirect and 403 Forbidden on accessing Forum first time

Mareid · August 25, 2014, 12:21:53 PM

I'm using SMF 2.08, Firefox 31.0 on Windows 7, SP1, all patches up to date

This started happening about 2 months ago (I'm not exactly sure but recently, and I had never had a problem before)

I get the following error message the first time I try to access my forum with a new browser session. If I open another tab and do exactly the same thing in the same browser session, it works. If I open another browser, after having it work in the first one, it works. I'm using Firefox and my users are using other browsers and my users are spooked.

Forbidden

You don't have permission to access /wgri-forum/index.php on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

The url shows that there's a redirection happening (that I didn't implement); the actual typed in URL is www.wgri.org/wgri-forum/index.php

which gets changed in the browser address line to:

http://www.wgri.org/wgri-forum/index.php?PHPSESSID=ceb013bf99321a02132aa6084880eaff;wwwRedirect

the second time it gets changed to:
http://www.wgri.org/wgri-forum/index.php?wwwRedirect

I'm not a very sophisticated administrator, I haven't made installed any mods, but I've installed all the update patches. I did see some reference to .htaccess files, in the forum, and I've listed them here, but none are in the root of the forum and I didn't install them. There is also one in the root of public_html. I didn't put any of them there, and deleting the one in /public_html didn't seem to change anything. Help Please !

ETA: There seems to be some caching happening too, because if I close the browser, after closing a forum session tab first, the next time I open a new browser, and bring up a new tab with my forum, it works. Sometimes. Even after a reboot it sometimes works properly. I'm just totally confused.

/public_html/.htaccess
/public_html/wgri-forum/attachments/.htaccess
/public_html/wgri-forum/Smileys/cache/.htaccess
/public_html/wgri-forum/cache/.htaccess
/public_html/wgri-forum/Packages/.htaccess
/public_html/wgri-forum/Packages/backups/.htaccess

Arantor · August 25, 2014, 12:38:56 PM

As a first step, ask your host to turn off mod_security.

Kindred · August 25, 2014, 12:40:36 PM

also, if you are getting the wwwRedirect added to your urls --- then either
a) your forum url is www.wgri.com and you are ACTUALLY typing wgri.com
or
b) your forum url is wgri.com and you are ACTUALLY typing www.wgri.com

that's what the redirect does.

and yes, if you have set caching to ON, then the forum will cache pages... and your browser does as well.

you don't want to delete htaccess files.... really... don't do it unless you know whats in them first. They protect various directories and, in the root, can help protect your whole site.

Arantor · August 25, 2014, 12:43:25 PM

Yes, that's the redirect might do - but that also doesn't explain why it doesn't work the first few times and then does. It only starts working consistently when PHPSESSID isn't in the URL, which is cookie related.

Personally I'd love to see that be dropped in 2.1 but if not, it needs to be dead and buried for 3.0, it causes so many problems it isn't funny.

Mareid · August 25, 2014, 01:13:57 PM

Quotea) your forum url is www.wgri.com and you are ACTUALLY typing wgri.com
or
b) your forum url is wgri.com and you are ACTUALLY typing www.wgri.com

What I'm using is a button that has a fixed url of http://wgri.org/wgri-forum/index.php
I don't get any redirects when I type in wgri.org, nor when I type in www.wgri.org, they both point to the same place on the server as far as I can tell. And of course, now I can't get it to fail. Clearing the cache doesn't work consistently.

QuoteAs a first step, ask your host to turn off mod_security.

What does this do?

Arantor · August 25, 2014, 01:16:25 PM

No, they are not the same thing.

Your forum is configured to use www.wgri.org and if the user enters a URL that is *not* that, it will redirect itself without .htaccess.

mod_security is a thing for doing checks on what the user does and tries to block out bad users, except it has a habit of blocking so much more legitimate use (when SMF will take care of everything else itself), and the symptoms are somewhat consistent.

Mareid · August 25, 2014, 01:23:30 PM

I'll ask the host to turn mod_security off and see if that helps.

Mareid · August 25, 2014, 01:32:33 PM

Caching must be server side, because I can't get it to fail using Chrome, or IE, which shouldn't have any cache since I never use them. I will change the forum url to www, but it failed when it was a relative address to www.wgri.org, so I am not hopeful.

I have asked the host to turn off mod_security.

Is there a way to turn caching off so I can force it to fail and debug it?

Arantor · August 25, 2014, 01:38:23 PM

It's not caching related. Appears to be working for me as expected now?

Mareid · August 25, 2014, 01:59:37 PM

it's intermittent. Sometimes it works for weeks at a time, then suddenly stops and I get the error message. A new user (using ie) tried logging in this morning and got the error. I told her to try again and it worked for her, but this isn't a very satisfactory situation and I can't figure out what is happening.

Kindred · August 25, 2014, 02:27:44 PM

the issue is probably some string inside the phpsessionid... which causes mod_security to choke. By forcing a reload of the page, either the session ID gets removed from the URL or the session ID gets regenerated for a new session (depending on your session settings)

Basically, it happens because your host has mod_security configured stupidly...

Mareid · August 25, 2014, 05:37:21 PM

I finally got it to fail again, this time the url was explicitly http://www.wgri.org/wgri-forum/index.php

before when it failed it was http://wgri.org/wgri-forum/index.php

the first time it failed, I thought it might be because it was a relative address, so put in the full path.

so it fails in both cases. I have asked the host to remove mod_security but nothing has happened yet

Kindred · August 25, 2014, 05:48:36 PM

right.... so I explained that the redirect is due to a difference between the typed address and your actual set site address.

As Arantor explained - the mod_security issue is triggering because of the phpsessionid...

Arantor · August 25, 2014, 05:54:27 PM

I didn't say for definite, more a case of speculating a possible cause, but if disabling mod_security doesn't fix it... I'd be asking the host what the error log says.

Mareid · August 26, 2014, 07:19:02 AM

Quoteand yes, if you have set caching to ON, then the forum will cache pages... and your browser does as well.

How do I set caching to "off"? I couldn't find it.

Quote
a) your forum url is www.wgri.com and you are ACTUALLY typing wgri.com
or
b) your forum url is wgri.com and you are ACTUALLY typing www.wgri.com

Maybe I'm missing something, but it fails on both addresses, with and without the www.

Arantor · August 26, 2014, 07:27:51 AM

I said it before, I will say it again, it is nothing to do with caching.

You need to ask your host what the error log is saying - right now it's giving a Forbidden response without any *reason* for it to do so and I guarantee you turning off SMF caching will make precisely zero difference to that.

Mareid · August 26, 2014, 07:35:46 AM

I know the problem has nothing to do with caching, but if I can turn caching off, then I maybe I can make it fail consistently enough that I can do so debugging.

Arantor · August 26, 2014, 07:39:57 AM

That isn't how it works.

Mareid · September 08, 2014, 05:02:39 PM

looks like it was a problem with security implementation on the host.

News:

Redirect and 403 Forbidden on accessing Forum first time