URL undesirably appended with "?i=1"

Feargan · June 02, 2020, 09:06:14 AM

Greetings,

I have just migrated to a new server and I'm encountering something I don't understand how to fix.
Instead of going straight to SimplePortal / index.php the page loads to the url with " ?i=1 " appended. (i.e. - mysitedotnet/?i=1 )
After clicking on any link or button on the content-less page, the website loads as normal from then until the browser is closed (the browser is set to private and clears history, etc.).
I'd like to fix this and understand why it is happening. Any help would be greatly appreciated.

Deaks · June 02, 2020, 09:08:46 AM

Have you tried running repair_settings.php?

What is repair_settings.php?

Arantor · June 02, 2020, 09:17:39 AM

There is no stock part of SMF (or SP from what I remember of it) that does this.

I would suspect it is something your host is adding, or if you have WordPress in a folder above SMF, it could be that.

Feargan · June 02, 2020, 09:22:04 AM

Quote from: Deaks on June 02, 2020, 09:08:46 AM
Have you tried running repair_settings.php?

What is repair_settings.php?

Yes; all options look sound and I tried turning "Queryless URLs" off and on; same trouble.

Feargan · June 02, 2020, 09:40:18 AM

Quote from: Arantor on June 02, 2020, 09:17:39 AM
There is no stock part of SMF (or SP from what I remember of it) that does this.

I would suspect it is something your host is adding, or if you have WordPress in a folder above SMF, it could be that.

Thank you for your response. Wordpress is not present.
Further detail: Other browsers that don't use private mode (i.e.- Edge) only do this once and then redirect properly.
I'm beginning to think this is somehow related to the SSL certificate addition done during the server migration. ... or maybe a DNS issue?
Upon entering mysitedotnet into a browser for the first time, it initially directs to http with the url and then switches to https with the /?i=1 appended.
Somewhat vexing.
Thank you to all who respond and have responded.

Arantor · June 02, 2020, 09:50:42 AM

It's certainly not an SMF behaviour. Whatever your host does for HTTP->HTTPS redirection might be relevant here... but I'd be asking them about it.

Feargan · June 02, 2020, 10:27:03 AM

Alright, then how can we make a work-around?
When this issue occurs, the theme header, banner, buttons, links, footer, etc. are retrieved.
So, this url ( whateverdotnet/?i=1 ) appears to be pointing at what I assume is a PHP reference to page 1 of... something.
Testing reveals that the same page is retrieved, regardless of what integer is passed to i.
So, SMF is receiving this "i=1" and doing something with it; which seems to be displaying the content it has for the theme.
What is getting this i =1? index.php? Could I make a file to which this "/?i=1" url actually points and have it redirect from there?

Thanks, as always, for any responses and assistance.

Illori · June 02, 2020, 10:31:52 AM

Are you using cloudflare or similar?

Feargan · June 02, 2020, 10:36:31 AM

Quote from: Illori on June 02, 2020, 10:31:52 AM
Are you using cloudflare or similar?

Thank you for your question. Cloudflare and similar services are not enabled.

Arantor · June 02, 2020, 10:43:24 AM

Quote from: feargan on June 02, 2020, 10:27:03 AM
Alright, then how can we make a work-around?
When this issue occurs, the theme header, banner, buttons, links, footer, etc. are retrieved.
So, this url ( whateverdotnet/?i=1 ) appears to be pointing at what I assume is a PHP reference to page 1 of... something.
Testing reveals that the same page is retrieved, regardless of what integer is passed to i.
So, SMF is receiving this "i=1" and doing something with it; which seems to be displaying the content it has for the theme.
What is getting this i =1? index.php? Could I make a file to which this "/?i=1" url actually points and have it redirect from there?

Thanks, as always, for any responses and assistance.

You're trying to solve the problem in the wrong place. SMF does not add this, it does not use this, it does not care about it one bit.

Ask your hosting company. This is something the server is doing, not the application.

Illori · June 02, 2020, 10:44:13 AM

Are you using infinityfree? If so that is why. They add this.

Kindred · June 02, 2020, 01:49:35 PM

instead of "whatever dot net" how about telling us the ACTUAL URL so we can look...

However....yeah, this.

Quote from: Arantor on June 02, 2020, 10:43:24 AM
You're trying to solve the problem in the wrong place. SMF does not add this, it does not use this, it does not care about it one bit.

Ask your hosting company. This is something the server is doing, not the application.

Quote from: Illori on June 02, 2020, 10:44:13 AM
Are you using infinityfree? If so that is why. They add this.

Feargan · June 02, 2020, 05:28:52 PM

Quote from: Arantor on June 02, 2020, 10:43:24 AM
You're trying to solve the problem in the wrong place. SMF does not add this, it does not use this, it does not care about it one bit.

Ask your hosting company. This is something the server is doing, not the application.

You're mostly right. Respectfully, as it turns out, this is the only place solve the problem, which I have done as you'll see below.

Quote from: Kindred on June 02, 2020, 01:49:35 PM
instead of "whatever dot net" how about telling us the ACTUAL URL so we can look...
...

One cannot post external URLs here.

Quote from: Illori on June 02, 2020, 10:44:13 AM
Are you using infinityfree? If so that is why. They add this.

Thank you for your response. Yes, that is the origin of the problem. Your input has been has been most productive and is sincerely appreciated.

Returning to the effort to create a work-around / solution:

QuoteFROM THE INFINITYFREE KNOWLEDGE BASE

What causes the ?i=1 suffix?
This extra URL parameter is caused by a security system we use to protect your website. This security system ensures that your website can only be accessed through regular web browsers. Read more about this security system.

What does the ?i=1 suffix do?
The ?i=1 suffix is a counter. When you first load your website, some Javascript will be sent to your browser to verify it can execute the code and store a cookie. The page will then reload with the ?=1 suffix. On the next request, the server checks if your browser has the security system cookie. If not, your browser will get a new security challenge to set the cookie again, and be redirected to a URL with suffix ?i=2. If the counter hits 3 and your browser still doesn't send a valid cookie, you'll be redirected to a page with instructions on how to enable cookies in your browser. This way, your browser will not get stuck in a redirect loop.

Can I remove the ?i=1 URL suffix?
The security system responsible for the ?i=1 suffix is mandatory on all websites. Because of that, the security system cannot be disabled, so neither can the URL suffix.

Unfortunately, my searches on the Internet at large, InfinityFree's community forums, their website, etc. for the root cause were not productive; the above entry for this is the very last entry in the next to last category of the InfinityFree knowledge base.
Also, the host is not contactable without a premium account.

QuoteHow can I contact support?
Please note that InfinityFree does not provide any one-on-one technical support for free hosting.

We are now to where this thread would have begun if I had found that knowledge base article earlier.

Given the source of the problem, we can create a notification message and redirect that will help handle this issue.
Why? We aren't the only people cutting hosting costs amidst the current global health issue; I hope this will be helpful to others at some point.

My PHP skills are rusty, so please forgive any inefficiencies and included formatting; it's been a long time since I've written code in it and I'm reacquainting myself as I go.

The idea is to use the value of "i" and output a message and/or trigger a redirect.
So... I did both.

Code Select


// ************CODE FOR INFINITYFREE HOSTING SECURITY SUPPORT MODIFICATION*****************
	if ($_GET["i"] && $_GET["i"] < 3)
	{
		echo '</br></br></br></br></br></br></br></br></br></br></br></br></br></br></br></br>';
		echo '<div style="text-align: center; font-size:200%;"><h2>Web Host Security Check</h2></br></br>May require enabling cookies and/or Javascript</br></div>';
		echo '<div style="text-align: center; font-size:180%;"></br><u><a href="httpsYourSiteDotNet">Please click here if you are not automatically redirected</a></u></br></br></br></br></div>';
		header("Location: httpsYourSiteDotNet");
	}
	elseif ($_GET["i"] >= 3)
	{
		echo '</br></br></br></br></br></br></br></br></br></br></br></br></br></br></br></br>';
		echo '<div style="text-align: center; font-size:200%;"><h2>Web Host Security Check and Redirect Failed</br></br></br></h2>Please try enabling cookies and/or Javascript</br></br></br></div>';
		echo '<div style="text-align: center; font-size:180%;"><u><a href="httpsYourSiteDotNet">Click here to try again</a></u></br></br></br></div>';
	}
// ************END CODE FOR INFINITYFREE HOSTING SECURITY SUPPORT MODIFICATION*************

I placed the above code snippet in index.php just before the load of SimplePortal and after the "//Do some logging" section as shown below. The code below is from index.php using SMF 2.0.17 with SimplePortal 2.3.7 installed.

Code Select


// Do some logging, unless this is an attachment, avatar, toggle of editor buttons, theme option, XML feed etc.
	if (empty($_REQUEST['action']) || !($_REQUEST['action'] == 'portal' && isset($_GET['xml'])) && !in_array($_REQUEST['action'], array('dlattach', 'findmember', 'jseditor', 'jsoption', 'requestmembers', 'smstats', '.xml', 'xmlhttp', 'verificationcode', 'viewquery', 'viewsmfile')))
	{
		// Log this user as online.
		writeLog();

		// Track forum statistics and hits...?
		if (!empty($modSettings['hitStats']))
			trackStats(array('hits' => '+'));
	}
//******************INSERT INFINITYFREE HOSTING MODIFICATION CODE HERE**************
//**********************************************************************************
	// Load SimplePortal.
	sportal_init();

	// Is the forum in maintenance mode? (doesn't apply to administrators.)

Remember to change "httpsYourSiteDotNet" to the full URL and expect to change the formatting to suit the theme/layout if desired, though the echo text will probably never be seen.
It would be excellent if someone is able to share a better location to insert this code or any improvements to it, but it does work as it is here.
I imagine that this modification might have to be manually removed and re-added when applying any upgrades to SMF.
It is unlikely that I will take the time to make this a full mod. Anyone is welcome to use this solution as they see fit.

Problem solved. I hope you all stay well.

Kindred · June 02, 2020, 05:56:10 PM

Glad you got it worked out... however, to answer one point.

one most certainly CAN post external URLs.... one just must have enough posts (2 or 3 I think) to have proven that one is not a spambot

even then, you could have posted the site URL separated with spaces.

Arantor · June 02, 2020, 05:57:52 PM

So aside from your host being incompetent, they're also borderline illegal in the EU.

Honestly, I'd suggest you find a better host, there are other free ones that don't have this problem (and it is a problem, because this has other consequences for your site)

If you are going to persist with this code, however, and I firmly don't recommend it, you might want to change it to the following.

Code Select

// ************CODE FOR INFINITYFREE HOSTING SECURITY SUPPORT MODIFICATION*****************
	if (isset($_GET["i"]) && $_GET["i"] < 3)
	{
		echo '<div style="text-align: center; font-size:200%;"><h2>Web Host Security Check</h2> May require enabling cookies and/or Javascript</div>';
		echo '<div style="text-align: center; font-size:180%;"><a class="bbc_link" href="httpsYourSiteDotNet">Please click here if you are not automatically redirected</a></div>';
		header("Location: httpsYourSiteDotNet");
		exit;
	}
	elseif (isset($_GET["i"]) && $_GET["i"] >= 3)
	{
		echo '<div style="text-align: center; font-size:200%;"><h2>Web Host Security Check and Redirect Failed</h2> Please try enabling cookies and/or Javascript</div>';
		echo '<div style="text-align: center; font-size:180%;"><a class="bbc_link" href="httpsYourSiteDotNet">Click here to try again</a></div>';
	}
// ************END CODE FOR INFINITYFREE HOSTING SECURITY SUPPORT MODIFICATION*************

This way you don't get errors in the error log every time someone visits without ?i=1 in the URL, you shouldn't artificially inflate your stats with double counting and you also don't get subjected to any other behaviours under the category of execute-after-redirect vulnerabilities. It's also not going to endear you to your users, who will probably be confused that they have to click extra things and assume your site is broken because other sites don't work this way.

I did also remove the those closing br tags, they mean nothing in HTML and I removed the underline from the link because links should generally be underlined by way of the styles of the theme (in this case using the bbc formatting to be consistent) rather than hard-implemented with a deprecated tag.

News:

URL undesirably appended with "?i=1"