Moving forward with Composr

ocPortal has been relaunched as Composr CMS. ocPortal 9 is superseded by Composr 10.

Head over to compo.sr for our new site, and to our migration roadmap. Existing ocPortal member accounts have been mirrored.


Login redirect warning exposing config editor link

#111881 (In Topic #22490)
TQ

Honoured member

Coinciding with updating to version 9.0.36 I removed the SSL add-on. Not long after, I noticed the following message when I logged in and I thought I'd caused it.
A problem has been detected with your web server that may cause your login to fail – if it does, click back and read the rest of this message. Some servers are poorly configured, and invisibly redirect traffic from one URL to another, and this invisible redirection results in lost submitted form data. Try changing your base URL in the config editor so that it contains www. then come back to this URL (make sure to refresh the page) and try again. There can be other causes, such as your server blocking web requests to itself. If problems persist, contact your web host.
It would appear that my users are also seeing this message so I reinstalled the add-on, cleared the caches etc but it's still there.

I'm particularly concerned now I know that all users see this message which provides a link to the config editor.

I use IIRF to redirect all pages to HTTPS which is why I removed the add-on (on Chris's advice in another post).

I have been messing with SSL/HTTPS settings as a result of Firefox removing the root certificate from my previous certificate provider (StartSSL).

Have I caused this problem or is it the result of some change in v9.0.36?

TQ
#111882
TQ

Honoured member

I have edited the language entry as a temporary workaround but the question still stands.

TQ
#111883
TQ

Honoured member

As I have little confidence in my own abilities when surrounded by such giants, I always suspected it's something I've done wrong not outside influences, but I'm now beginning to wonder otherwise on this occasion.

It was drawn to my attention a couple of days ago that the site was displaying a Symbol is missing: FB_CONNECT_UID. This went undetected by me as it was only displayed for Guest users but was confirmed to have been around for a while because a search on Google reveals that Google is well aware of it in relation to my site.

This was resolved by installing and removing the Facebook Connect add-on.

Looking back at this post I made a while ago, this was also resolved by adding and removing a plug-in.

Add to that, I've just had to reinstall my banner plug-in and there looks like a trend is building up.

I think I'm screwing up the site when I do an upgrade. I DO use the upgrader and NOT extract the updates to the appropriate folders but it seems that the upgrades are seeing OLD add-on installs that I've subsequently removed as still needing upgrading so files or reference to files are being added to the site.

Is this even possible?

With regard to the SSL redirect issue, I have now unwound all the possible changes I might have made and the problem is still there.

My IIRF redirect has been in place for a couple of years and had previously been transparent. I have removed all the performance changes I made (wincache, memcache & OPCache) but still the problem persists.

Could the redirect issue also be as a result of a legacy add-on that I've removed but the upgrade was unaware of?

TQ
#111885

I think I'm screwing up the site when I do an upgrade. I DO use the upgrader and NOT extract the updates to the appropriate folders but it seems that the upgrades are seeing OLD add-on installs that I've subsequently removed as still needing upgrading so files or reference to files are being added to the site.

Is this even possible?

If you have a sources/hooks/systems/addon_registry/whatever.php file that's been put back for an uninstalled addon(s) somehow, then an upgrade will assume the addon is still installed and put all its files back. These files mark if a bundled addon is installed or not. Perhaps at some point you uploaded an upgrade wrong and now have all those files and bit-by-bit the upgrades are putting changed files in you shouldn't have, as we change them across releases. The integrity checker should help tell you about that kind of thing.

Anyway, this is unlikely to be related to the error you're getting. Chances are it's a problem with HTTPS in your PHP install. We find very often PHP can't do HTTPS properly, e.g. due to outdated or broken OpenSSL installs. I seem to recall you having an issue like that before.

I'll have a look on your site and see what I can see.


Become a fan of Composr on Facebook or add me as a friend. Add me on Twitter. Support me on Patreon
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about Composr whenever you see the opportunity or support me on Patreon.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying Composr on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
#111886

Ok, we hadn't updated our certificate chain trust file in 3 years, and your server's certificate is signed by a certificate just 3 years old. (Usually the trusts are established longer, but we do need to remember to keep this updated)
Should be fine now.


#111889
TQ

Honoured member

Hi Chris,

Chris said

Ok, we hadn't updated our certificate chain trust file in 3 years
That did the job!

As I mentioned, I edited the Language entry for this error. The reason I did so was because it exposed a link to the config editor, will this still be exposed to GUESTS if the error occurs again? If it will, I will not return the original text to the Language entries.

Chris said

The integrity checker should help tell you about that kind of thing.
Unfortunately, I haven't used the integrity checker for some time and it has exposed more than a few problems.

Before I get going on the supposedly missing files it lists, I need to get a grip on this particular problem.

I have a few edited versions of PHP files in the /sources_custom/ folder that are stopping the newer version of the files from being used.

The first one I've tried to update is ocf_join.php. I've copied the changes into a copy of the original file from /sources/ then saved it into the /sources_custom/ folder but the integrity checker is again saying "The following files have been superseded by new versions ..." for the ocf_join.php file.

What am I doing wrong?

Thank you Chris for your detailed overnight responses to both of my ongoing posts, I will return to them when I've resolved my integrity issues as it may well influence the state of play.

TQ
#111890
TQ

Honoured member

Continuing from my last post ...

I installed WinMerge (great tool, wish I'd taken your advice sooner) and stepped through the 5 files that were "superseded by new versions" but they are all still listed as "overrides/customisations blocking the new versions", I just don't understand why.

I've resolved the 'missing' files by either copying them from the full install package or removing the add-on. Pretty sure now that I will have caused this problem sometime in the past but don't remember manually copying over an update.

Last thing in my integrity check is the "Alien" files. It would be nice to NOT display the files that I have intentionally added, e.g. I have a whole bunch of icon files for Android, ipods etc. and my Miniblocks are also listed.

Is it possible to tell the integrity checker to ignore these files by listing them somewhere? It would be nice if there were as they overwhelm my view (being dyslexic) and I wonder if I might miss something that shouldn't be there.

Another irritating problem that has crept in recently is that, if I need to verify my login when editing a download, it doesn't return me to the download. This also applies to editing (which I do a lot when I am validating), when I save the edit, the site returns to the home page (almost always) rather than the Home → Content Management → Downloads → Edit download → Done screen.

Thank you as always.

TQ
#111891

As I mentioned, I edited the Language entry for this error. The reason I did so was because it exposed a link to the config editor, will this still be exposed to GUESTS if the error occurs again? If it will, I will not return the original text to the Language entries.

Yes, in v9 (we moved the check to a new checking system for v10). I understand it's not great to expose this kind of thing to guests, but it isn't a security risk as the config editor login is very secure. Editing the language string is a good idea.
If you want you could set an additional HTTP-authentication password on the config_editor.php script in IIS.

Before I get going on the supposedly missing files it lists, I need to get a grip on this particular problem.

That is evidence addons are partly-installed like I mentioned was a possibility in my previous post. But I see from your next post you've cleaned it up.

I have a few edited versions of PHP files in the /sources_custom/ folder that are stopping the newer version of the files from being used.

The first one I've tried to update is ocf_join.php. I've copied the changes into a copy of the original file from /sources/ then saved it into the /sources_custom/ folder but the integrity checker is again saying "The following files have been superseded by new versions …" for the ocf_join.php file.

What am I doing wrong?

It can't know, it just knows the file is not an original. Because it's inside the upgrader the text is assuming that you've just upgraded and thus your override code is older than the latest.
Take it as guidance, not an error.

Last thing in my integrity check is the "Alien" files. It would be nice to NOT display the files that I have intentionally added, e.g. I have a whole bunch of icon files for Android, ipods etc. and my Miniblocks are also listed.

Is it possible to tell the integrity checker to ignore these files by listing them somewhere? It would be nice if there were as they overwhelm my view (being dyslexic) and I wonder if I might miss something that shouldn't be there.

Why not copy and paste the list into a text file, then remove lines for stuff that you are going to delete? Then you have a file of just stuff you intentionally want there. Then you can use WinMerge against this next time you run the integrity checker and it will highlight the "inserts" (i.e. new alien files).

Another irritating problem that has crept in recently is that, if I need to verify my login when editing a download, it doesn't return me to the download. This also applies to editing (which I do a lot when I am validating), when I save the edit, the site returns to the home page (almost always) rather than the Home → Content Management → Downloads → Edit download → Done screen.

Nasty little bug with an https base URL. Fixed.


Back to the top
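The baseline comparison suggested in the reply above for the "alien" files list, written out as an added example (not part of the original thread and not Composr's own code). It assumes the integrity checker's list has been saved as one path per line, and it goes beyond a plain diff by accepting glob lines in the baseline and listing server-executable files first; the extension set and every sample path are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Extensions the web server may execute (assumed set for a PHP site on IIS).
EXECUTABLE_EXTS = (".php", ".phtml", ".asp", ".aspx", ".cgi")


def load_list(text):
    """One path or glob per line; blank lines and '#' comments are skipped.
    Slashes are unified and case folded, as IIS/NTFS paths are case-insensitive."""
    entries = []
    for raw in text.splitlines():
        item = raw.strip().replace("\\", "/").lstrip("/").lower()
        if item and not item.startswith("#"):
            entries.append(item)
    return entries


def compare(baseline_text, current_text):
    """Return (new_alien, gone): current paths the baseline does not cover, and
    literal baseline paths missing from the current list."""
    baseline = load_list(baseline_text)
    current = set(load_list(current_text))
    new_alien = [p for p in current
                 if not any(fnmatchcase(p, pat) for pat in baseline)]
    # Executable files sort first: those are the ones that can run on the server.
    new_alien.sort(key=lambda p: (not p.endswith(EXECUTABLE_EXTS), p))
    literals = {b for b in baseline if not any(c in b for c in "*?[")}
    return new_alien, sorted(literals - current)


# Constructed sample data, not output from a real integrity check.
BASELINE = """
# icons and miniblocks added on purpose
themes/default/images_custom/icons/*.png
sources_custom/miniblocks/site_notice.php
"""
CURRENT = """
themes\\default\\images_custom\\icons\\android-192.png
Themes/default/images_custom/icons/ipod-57.png
sources_custom/miniblocks/site_notice.php
uploads/website_specific/notes.txt
uploads/website_specific/helper.php
"""

if __name__ == "__main__":
    new_alien, gone = compare(BASELINE, CURRENT)
    for path in new_alien:
        print("NEW ", path)
    for path in gone:
        print("GONE", path)
```

Anything reported as new is a file that was neither shipped with the release nor approved in the baseline, so it is reviewed or deleted before being added to the baseline file.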
 
#111892
TQ

Honoured member

Hi Chris,

Thanks as always for the detailed reply.

It can't know, it just knows the file is not an original. Take it as guidance, not an error.
OK, that's what I wondered. Now I know, I'll do a comparison each update and expect to see them in the list.
Nasty little bug with an https base URL. Fixed.
Thank you so much. It really has made a difference.

Thanks again.

TQ