First login fails

Started by Sir Osis of Liver, May 28, 2023, 01:30:11 PM


Sir Osis of Liver

Forum recently upgraded from 2.0 to 2.1.3, no mods.  First login attempt fails with this -

  You cannot view this attachment.

Click on 'Sign up' then 'Login', works normally after that until browser is closed/cleared.  Go back to forum, login fails.  No errors in forum or server logs.  Forum running normally otherwise.

Version Information:
Forum version: SMF 2.1.3
Current SMF version: SMF 2.1.3
GD version: 2.3.3
MySQL engine: MariaDB
MySQL version: 10.5.19-MariaDB-cll-lve
SMF file based caching: 2.1.3
SQLite3 database based caching: 3.39.4
PHP: 7.4.33
Server version: LiteSpeed

Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Doug Heffernan

I have encountered this before and the cause was the https conversion was not set up properly.

That being said, is there any error logged in either at the forum error log or the server error?

Sesquipedalian

  • To clarify, is this happening when the popup first appears, or after you click the button inside the popup in order to submit the login credentials?
  • What do you see if you follow all the steps to produce the problem, except that instead of using the popup you go to ?action=login directly in the browser's address bar? I ask because the full UI might show more information to help diagnose the issue.
I promise you nothing.

Sesqu... Sesqui... what?
Sesquipedalian, the best word in the English language.

Sir Osis of Liver

The error is displayed when I click 'Login'.  ?action=login opens login window and works normally.  Nothing in logs.  Forum url was http, all other paths https, fixed that, no change.  SSL was disabled in server settings, changed to force SSL, doesn't help.  Couple times now none of the usermenu dropmenus would open after login, had to close browser to clear.  Thought it might be .htaccess causing the problem, but disabled it no effect.  Only thing I see that's different is he's running five websites in five domains in /public_html, with forum in /public_html/forum/, but all the websites load.  In cpanel main domain (not forum) redirects to http but loads in https.

Gotta go, won't get back to this til tomorrow.  You can try it here -

https://www.papermodelforum.com/

Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Sesquipedalian

Browser error console shows this when the popup opens:

[Error] Origin https://www.papermodelforum.com is not allowed by Access-Control-Allow-Origin. Status code: 204

[Error] XMLHttpRequest cannot load https://papermodelforum.com/index.php?action=login;ajax due to access control checks.

[Error] Failed to load resource: Origin https://www.papermodelforum.com is not allowed by Access-Control-Allow-Origin. Status code: 204 (index.php, line 0)

That indicates that something is misconfigured in the Cross Origin Resource Sharing section of the settings in Administration Center ► Server Settings ► Security. Under any normal circumstances, CORS should never deny requests that come from the same origin, but that's what is happening here. Whatever is in those settings is messed up.

EDIT: I just noticed that the second error message doesn't include the "www." in the URL. That raises the possibility that there is some poorly configured URL redirection/rewriting happening here. It might also be worth checking whether SMF's $boardurl setting is 100% consistent with the CORS settings.
I promise you nothing.

Sesqu... Sesqui... what?
Sesquipedalian, the best word in the English language.

Sir Osis of Liver

CORS settings are all blank (default). 

.htaccess in /public_html/forum is generic cpanel handler -


AddType application/x-lsphp81
# php -- BEGIN cPanel-generated handler, do not edit
# This domain inherits the "PHP" package.
# php -- END cPanel-generated handler, do not edit


.htaccess in /public_html contains redirects -


# php -- BEGIN cPanel-generated handler, do not edit
# This domain inherits the "PHP" package.
# php -- END cPanel-generated handler, do not edit

RewriteCond %{HTTP_HOST} ^davesdesigns\.ca$ [OR]
RewriteCond %{HTTP_HOST} ^www\.davesdesigns\.ca$
RewriteRule ^/?$ "http\:\/\/davesdesigns\.ca\/dcc\/" [R=301,L]

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]


No effect if I disable it.

Forum admin says he is getting "a page of code" on first login.

Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Sesquipedalian

Well, something is causing a CORS restriction to be triggered, which is weird since it is the same origin.

It might be worthwhile checking and adjusting the cookie settings, particularly the settings for global and local cookies. If those are weird, it's possible that they are affecting this. I'm just making an educated guess with this suggestion, though.

If fiddling around with the cookies doesn't help, I suppose you could try enabling CORS in SMF's settings and then explicitly allowing requests from the site's own domain. In theory that should never be necessary, but in theory this should never be happening to begin with. This would be a long shot, but worth trying I guess. Even if it works, though, you should still look into the next thing in this list.

If cookies aren't the problem, then you'll want to investigate the underlying server software to see if there's something in its configuration that is causing requests from the same origin to be treated as if they were from a different origin. Somehow that is what is happening, and it's weird, so there must be an underlying cause somewhere.
I promise you nothing.

Sesqu... Sesqui... what?
Sesquipedalian, the best word in the English language.

Diego Andrés

This is a common support request, it's just like @Doug Heffernan said.

If you use https://papermodelforum.com/ instead of https://www.papermodelforum.com/ it will work.
The solution is to force redirect to the correct address the forum is using.

SMF Tricks - Free & Premium Responsive Themes for SMF.

Sir Osis of Liver

That was it, Diego.  Cpanel redirect was not working, so did it in .htaccess.  My bookmark was to https://www.papermodelforum.com/.  I've seen this before, but it usually causes a referring url error, not the non-specific error message.  AFAIK it wasn't happening in 2.0, only after he upgraded to 2.1, but don't see how that would make any difference.

Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters
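The cause the thread arrives at, shown as an added example (not part of any post above and not SMF's own code): a browser origin is the tuple of scheme, host and port, so a page loaded from the "www" host that sends its login XHR to the bare host makes a cross-origin request. The `boardUrl` value standing in for SMF's `$boardurl` is an assumption taken from the XHR URL in the console error, and `diagnose` is a hypothetical helper name.

```javascript
// Added example: compare the origin a visitor loaded the forum from with
// the origin of the configured board URL, the way a browser would.

function diagnose(boardUrl, pageUrl) {
  const board = new URL(boardUrl); // assumed value of SMF's $boardurl
  const page = new URL(pageUrl);   // address the visitor typed or bookmarked

  // The login popup posts to the board URL, not to the page's own host.
  const xhrTarget =
    board.href.replace(/\/$/, "") + "/index.php?action=login;ajax";

  // URL() lowercases the host and drops default ports (443 for https),
  // so only real differences show up here.
  const differs = [];
  if (page.protocol !== board.protocol) differs.push("scheme");
  if (page.hostname !== board.hostname) differs.push("host");
  if (page.port !== board.port) differs.push("port");

  const sameOrigin = page.origin === board.origin;
  return {
    pageOrigin: page.origin,
    xhrTarget,
    sameOrigin,
    differs,
    // Where a forced redirect should send this request so that page and
    // XHR share one origin; null when no redirect is needed.
    redirectTo: sameOrigin ? null : board.origin + page.pathname + page.search,
  };
}

// Constructed checks using the two addresses quoted in the thread.
const board = "https://papermodelforum.com";
for (const visited of [
  "https://www.papermodelforum.com/",
  "https://papermodelforum.com/index.php",
  "http://papermodelforum.com/index.php?topic=1.0",
]) {
  const r = diagnose(board, visited);
  console.log(
    visited,
    r.sameOrigin ? "same origin" : `cross-origin (${r.differs.join(", ")})`,
    r.redirectTo ? `-> redirect to ${r.redirectTo}` : ""
  );
}
```

A server-side redirect that sends every non-canonical host or scheme to `redirectTo` removes the cross-origin request without touching the CORS settings.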
