Settings in htaccess causing login and upgrading problems?

For questions and problems with the CMS core. This board is NOT for any 3rd party modules, addons, PHP scripts or anything NOT distributed with the CMS made simple package itself.
Trenia
Forum Members
Posts: 81
Joined: Thu Dec 11, 2008 12:48 pm
Location: Norway

Post by Trenia »

Hi

Every time I manage to log into admin again after I've had to restore everything (except db) using a backup from January 27, I am locked out again after a few days (this time it took 9 days). During the time when I am actually able to log in, it's not possible to do an upgrade. So something is definitely wrong. No entry in error log, and host can't find anything wrong either.

Strange thing is that the only backup that works is the one from January 27, and none of the newer ones. I am beginning to wonder if settings in my htaccess might actually cause the problem, because every time after I've done a restore, I update the htaccess with my present settings.

I have two cmsms installations; one on the main domain and a mobile version on a sub domain to the same domain. When I get locked out it happens both places at the same time. Because of that, I wonder if the htaccess file on the main domain has a setting that affects both installations. I am not sure.

Is that a plausible cause for the problems I am describing? I would really appreciate any help with this.

Here is the htaccess file in question:

# BEGIN VALIDATE SSL
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^.well-known/pki-validation/fileauth.htm$ validate-ssl.txt [END]
</IfModule>
# END VALIDATE SSL

DirectoryIndex index.html index.php
Header set Connection keep-alive
Header append Vary: Accept-Encoding, User-Agent

# Control amount of info included by browser
Header always set Referrer-Policy: strict-origin-when-cross-origin

# Only allow Iframe from the same domain
Header set X-Frame-Options "SAMEORIGIN"

# Prevent mime based attacks
Header set X-Content-Type-Options "nosniff"

# Turn on IE8-IE9 XSS prevention tools
Header set X-XSS-Protection "1; mode=block"

#Security disable headers
Header unset X-powered-by
Header unset Server

# Disable all cookies
Header unset Cookie
Header unset Set-Cookie

# Create the ETag (entity tag) response header field
FileETag MTime Size

# 1 YEAR
<FilesMatch "\.(ico)$">
Header set Cache-Control "max-age=29030400, public"
</FilesMatch>
 
# 1 WEEK
<FilesMatch "\.(jpg|jpeg|png|gif|svg|pdf|css|js)$">
Header set Cache-Control "max-age=604800, public"
</FilesMatch>
 
# 5 HOURS
<FilesMatch "\.(xml|txt|html|htm|php)$">
Header set Cache-Control "max-age=18000, public"
</FilesMatch>

SetEnvIfNoCase User-Agent "^libwww-perl*" block_bad_bots
Deny from env=block_bad_bots

RewriteEngine On
# Redirect http://webpage to www.webpage
RewriteCond %{HTTP_HOST} !^www.webpage.no$ [NC]
RewriteRule ^(.*)$ http://www.webpage.no/$1 [L,R=301]
# Redirect server-IP to domain name
RewriteCond %{HTTP_HOST} ^2xx\.1xx\.2xx\.xx
RewriteRule ^(.*) http://www.webpage.no/$1 [R=301,L] 

#Sub-dir e.g: /cmsms
RewriteBase /
# Rewrites urls in the form of /parent/child/
# but only rewrites if the requested URL is not a file or directory
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php?page=$1 [QSA]

# prevent looping
RewriteCond %{HTTP_HOST} !^mobil.webpage.no/$

# if the browser accepts these mime-types, it's definitely mobile, or pretending to be
RewriteCond %{HTTP_ACCEPT} "text\/vnd\.wap\.wml|application\/vnd\.wap\.xhtml\+xml" [NC,OR]

# a bunch of user agent tests
RewriteCond %{HTTP_USER_AGENT} "sony|symbian|nokia|samsung|mobile|windows ce|epoc|opera" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "mini|nitro|j2me|midp-|cldc-|netfront|mot|up\.browser|up\.link|audiovox"[NC,OR]
RewriteCond %{HTTP_USER_AGENT} "blackberry|ericsson,|panasonic|philips|sanyo|sharp|sie-"[NC,OR]
RewriteCond %{HTTP_USER_AGENT} "portalmmm|blazer|avantgo|danger|palm|series60|palmsource|pocketpc"[NC,OR]
RewriteCond %{HTTP_USER_AGENT} "smartphone|rover|ipaq|au-mic,|alcatel|ericy|vodafone\/|wap1\.|wap2\.|iPhone|android"[NC]

# put your rewrite rules here
RewriteRule ^(.*)$ http://mobil.webpage.no/  [L,R=302]

#
# The following are highly recommended security settings for files in your CMSMS install that should not be browsed directly
#
<Files ~ "\.htaccess">
  Order allow,deny
  Deny from all
</Files>
<Files ~ "\.ini$">
  Order allow,deny
  Deny from all
</Files>
<Files ~ "\.log$">
  Order allow,deny
  Deny from all
</Files>
<Files ~ "config\.php">
  Order allow,deny
  Deny from all
</Files>
<Files ~ "/lib/*php">
  Order allow,deny
  Deny from all
</Files>

RedirectMatch 403 ^.*/lib/.*\.php$
RedirectMatch 403 ^.*/tmp/.*\.php$
RedirectMatch 403 ^.*/modules/(?!TinyMCE/responsive_filemanager/filemanager/).*\.php$
RedirectMatch 403 ^.*/uploads/.*\.php$

# Remove browser bugs
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

<Files 403.shtml>
order allow,deny
allow from all
</Files>
deny from 188.143.232.1
deny from 188.143.232.2/31
deny from 188.143.232.4/30
deny from 188.143.232.8/29
deny from 188.143.232.16/28
deny from 188.143.232.32/27
deny from 188.143.232.64/26
deny from 188.143.232.128/25

RewriteCond %{HTTP_REFERER} !^http://webpage.no/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://webpage.no$      [NC]
RewriteCond %{HTTP_REFERER} !^http://mobil.webpage.no/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://mobil.webpage.no$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.webpage.no/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.webpage.no$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mobil.webpage.no/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mobil.webpage.no$      [NC]
RewriteCond %{HTTP_REFERER} !^https://webpage.no/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^https://webpage.no$      [NC]
RewriteCond %{HTTP_REFERER} !^https://mobil.webpage.no/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^https://mobil.webpage.no$      [NC]
RewriteCond %{HTTP_REFERER} !^https://www.webpage.no/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^https://www.webpage.no$      [NC]
RewriteCond %{HTTP_REFERER} !^https://www.mobil.webpage.no/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^https://www.mobil.webpage.no$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ - [F,NC]


LiteSpeed Server 6.10
Php 7.0
MySQL 5.6.35
CMS Made Simple version 2.1.6
All modules are latest versions:
AdminSearch
Captcha
CGExtensions
CMSContentManager
CMSMailer
DesignManager
FileManager
FormBuilder
Gbook
MenuManager
MicroTiny
ModuleManager
Navigator
News
Search
SiteMapMadeSimple
TinyMCE
Last edited by Trenia on Fri Mar 03, 2017 7:09 pm, edited 1 time in total.
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm
Location: Fernie British Columbia, Canada

Re: Settings in htaccess causing login and upgrading problem

Post by calguy1000 »

Simple rule: Rules specified in .htaccess files apply to the directory of the .htaccess file AND all subdirectories.

So if you have one .htaccess file to cover multiple domains... then yeah, one .htaccess file could be causing your problem. But then, you haven't explained exactly what problem you are having. So I don't know.

If you suspect that something in your .htaccess is causing you problems then isolate the issue. Replace your .htaccess file with the sample one we provide. Or remove it altogether (up to you).

One hint: don't cache php files.
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.

Re: Settings in htaccess causing login and upgrading problem

Post by Trenia »

Thank you calguy1000 :) Much appreciated.

I do have a htaccess file for the sub domain as well, but didn't think of mentioning that. Sorry. Didn't know about not caching php files. Good to know. I will update. Thanks.

What do you mean I didn't exactly explain my problem? Please tell me what you would like to be specified. Trying my best here since I don't really know what's causing it (login and upgrading problem).

Settings in htaccess causing login and upgrading problems?

Post by Trenia »

SOLVED (?)

I had this setting in my htaccess that was causing login problems:

# Disable all cookies
Header unset Cookie
Header unset Set-Cookie

After removing both lines I was able to log in again, also on the mobile version on the sub domain.

When I run a website speed test at pingdom, I now get this: "Serve static content from a cookieless domain" Grade D (69/100)

Is there any other way to disable cookies, or maybe set cookies only for the admin login page or something? Or is cmsms dependent on setting cookies to work correctly?

Re: Settings in htaccess causing login and upgrading problem

Post by calguy1000 »

Or is cmsms dependent on setting cookies to work correctly?
This has been asked and answered many times, many ways before... but I'll do it one more time.

CMSMS uses session cookies. Both on the frontend and on the backend.

These cookies are absolutely required for the admin login and for installation and upgrades.

For the frontend... well, it depends on your site, and the functionality you are using. You would need to have intimate knowledge of each module you are using and whether or not it uses the session before you could determine whether you could disable all cookies (including the harmless session cookie) that CMSMS creates automatically.

Re: Settings in htaccess causing login and upgrading problem

Post by Trenia »

Thank you for taking the time to explain it once more :) I should have done a better job checking. Very relieved to have finally figured out what the problem was. Thank you for all help and patience.

Tom
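
The two causes identified in this thread (the `Header unset Set-Cookie` line and the `Cache-Control` rule that covers `.php`) can be checked mechanically. The following is an added example, not part of any post and not CMSMS code: a small linter that flags either directive whenever its enclosing scope reaches PHP files. The function name, rule labels and probe filename are assumptions made for illustration; the sample input is constructed from directives in the posted file.

```python
import fnmatch
import re

SECTION = re.compile(r'<Files(Match)?\s+(~\s*)?"?([^">]+)"?\s*>', re.I)
HEADER = re.compile(r'Header\s+(?:(?:always|onsuccess)\s+)?(\w+)\s+"?([\w-]+):?"?\s*(.*)', re.I)

# Constructed sample; the directives are copied from the .htaccess posted above.
SAMPLE = r"""# Disable all cookies
Header unset Cookie
Header unset Set-Cookie
<FilesMatch "\.(jpg|jpeg|png|gif|svg|pdf|css|js)$">
Header set Cache-Control "max-age=604800, public"
</FilesMatch>
<FilesMatch "\.(xml|txt|html|htm|php)$">
Header set Cache-Control "max-age=18000, public"
</FilesMatch>
"""

def lint_htaccess(text, probe="index.php"):
    """Return (line_no, rule, directive) for headers that break PHP sessions."""
    findings, scope = [], None      # scope None: directive applies to every file
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if re.match(r"</Files(Match)?>", line, re.I):
            scope = None
            continue
        m = SECTION.match(line)
        if m:
            # <FilesMatch> and <Files ~> take a regex, plain <Files> a wildcard.
            is_regex = m.group(1) or m.group(2)
            pat = m.group(3) if is_regex else fnmatch.translate(m.group(3))
            try:
                scope = re.compile(pat)
            except re.error:
                scope = re.compile("")   # unparseable: assume it reaches PHP
            continue
        m = HEADER.match(line)
        if not m or (scope is not None and not scope.search(probe)):
            continue                     # not a Header line, or PHP out of scope
        action, name, value = m.group(1).lower(), m.group(2).lower(), m.group(3)
        if action == "unset" and name == "set-cookie":
            findings.append((n, "strips-session-cookie", line))
        elif (name == "cache-control" and action != "unset"
              and re.search(r"public|max-age=[1-9]", value, re.I)):
            findings.append((n, "caches-php", line))
    return findings

if __name__ == "__main__":
    print(*lint_htaccess(SAMPLE), sep="\n")
```

A `Header unset Set-Cookie` placed inside a `<FilesMatch>` that lists only static extensions produces no finding, because that scope never matches a PHP response.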