Ok, sorry because I had to read that sticky post first. Let me rewrite the question:
Environment:
I'm using Linux Debian 4.0 testing with kernel 2.6.21.3, CMS Made Simple 1.1, MySQL 5.0.32-7, PHP5 version 5,2,3-1, web server Cherokee 0.5.5.dfsg-2 using PHP as CGI; browsers used: Iceweasel and Opera (both on Linux).
CMS Made Simple is installed on my own computer, as a virtual host defined in the Cherokee conf file and with the hostname defined in the hosts file. Installation finished ok with only a yellow ball warning about sessions. All browsers tested support sessions (Iceweasel (Firefox) and Opera).
Installation process:
The check page (the one checking items and marking them with red, yellow or green balls) says all is ok (green balls) except sessions, which are marked with a yellow ball. This is strange because sessions are enabled in php.ini, but the check page says this is not a needed feature and lets you continue with installation, so I proceeded with the installation and it finished ok, that is, successfully. I can view my cms home page.
The problem:
After installation you get a cms home page with a welcome text; in the fourth paragraph you can read 'If you are right now on your own default install, you can probably just click this link.' When clicking on the link you are redirected to a login page asking for user and password. There I try to log in as 'admin' ('admin' is the user I set up in the installation process as admin user), typing in the right user name and password, but the login page does not redirect me to the admin page but redirects again to the login page, and this for ever and ever.
I can hack this behaviour if I edit the file admin/login.php and include a sentence to send text to the browser first, for example "echo 'hello';". Doing this, the login page now redirects properly when logging in as admin.
But now, standing at the admin page, when I try to log out it doesn't redirect me to the login page but still continues redirecting me to the admin home page.
I can only force redirection from the admin page to the login page after a logout if I remove the session file from the session path defined in php.ini OR if I delete the cookie from the cms made simple site.
How to reproduce:
1 - write the url of your installation of cms made simple in your browser
2 - the cms home page appears; now go to the link 'this link' in the text 'you can probably just click this link.' just before the title 'Learning CMS Made Simple'
3 - you go to the login page 'Admin access to cms made simple' and you are requested to type in user and password
4 - type in the user and password you've set up for admin access in your installation process and push the send button
5 - you should be redirected to the admin home page but you get trapped in the login page (login.php)
More info:
I have tested phpBB version 3,0-RC4 and it is working ok. I have also coded a tiny php test 's.php' and it is running ok:
Code:
<?php
session_start();
if (!isset($_SESSION['name'])) {
    $_SESSION['name'] = 'a_name';
    $_SESSION['count'] = 0;
} else {
    echo $_SESSION['name'];
    $_SESSION['count']++;
}
echo $_SESSION['count'];
?>
session id: <?php echo SID ?>
The first time I load page s.php, with no session file created and no cookies from this site, it shows:
0 sesion id: PHPSESSID=e71c88f839deb4f58d8c69cb4a2c42d7
which is ok. Further loadings of page s.php show incremented counter and no id (because it is stored in the cookie):
a_name1 sesion id:
If I first load page s.php with no session file but with a cookie from that site stored in my computer I got:
0 sesion id:
which means it gets the session id from the cookie but has no session file so it has no session var saved, that is the reason 'a_name' not appearing.
The php.ini settings about sessions that I consider relevant for the problem are these:
session.save_handler = files
session.save_path = /var/lib/php5 # path to store session files, it is a sticky directory for all (permissions: rwx-wx-wt)
# (also tested changing this to /tmp/sessions (permissions: rwxrwxrwx) with same behaviour)
session.use_cookies = 1 # php code can use cookies to store session id
session.name = PHPSESSID # name for the cookie, but I've checked CMSMS uses CMSSESSIDe75759ff as cookie name
session.auto_start = 0 # this forces php code to explicitly init a session
session.cookie_lifetime = 0 # this keeps cookies alive until browser is closed
session.use_trans_sid = 1 # trans sid activated (also tested setting this to 0 with same behaviour)
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset=" # html tags to be rewritten using trans sid
As you can see, I have sessions enabled using path /var/lib/php5 to store session files and also have cookies enabled to store session ids. Life for a session is forever (until you close the browser), sessions must be explicitly initialized by php code and I'm using trans id to handle session ids transitively.
I think the problem is that the session file stored by the CMS MS login page always contains the redirect url "/admin/login.php" rather than /admin/index.php as it should.
cookie stored:
redirect_url|s:16:"/admin/login.php";
Note:
My full php.ini settings about sessions are these:
session.save_handler = files
session.save_path = /var/lib/php5
session.use_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_divisor = 100
session.gc_maxlifetime = 1440
session.bug_compat_42 = 1
session.bug_compat_warn = 1
session.referer_check =
session.entropy_length = 0
session.entropy_file =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 1
session.hash_function = 0
session.hash_bits_per_character = 4
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="
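
Added example, not part of the original post: a small Python check that reads session directives like the ones listed above and reports the values that weaken session handling. `parse_ini`, `audit`, `is_on` and `POSTED_INI` are hypothetical names, and a missing directive is assumed to take its PHP 5.2 default (off / 0).

```python
import re

# Constructed sample: session directives copied from the php.ini in the post.
POSTED_INI = """\
session.save_path = /var/lib/php5 # path to store session files
session.use_cookies = 1
session.cookie_httponly =
session.entropy_length = 0
session.entropy_file =
session.use_trans_sid = 1
session.hash_function = 0
"""

def parse_ini(text):
    """Return {directive: value}, dropping ';' / '#' comments and quotes."""
    settings = {}
    for raw in text.splitlines():
        line = re.split(r"(?:^|\s)[;#]", raw, maxsplit=1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings

def is_on(value):
    return value.strip().lower() in ("1", "on", "true", "yes")

def audit(settings):
    """List (directive, risk) pairs for weak session settings.

    Assumption: a missing directive counts as the PHP 5.2 default (off / 0).
    """
    get = lambda name: settings.get("session." + name, "")
    checks = [
        ("use_trans_sid", is_on(get("use_trans_sid")),
         "session id rewritten into URLs: leaks via Referer, logs, shared links"),
        ("use_only_cookies", not is_on(get("use_only_cookies")),
         "ids supplied in the URL are accepted, which enables session fixation"),
        ("cookie_httponly", not is_on(get("cookie_httponly")),
         "session cookie is readable from JavaScript"),
        ("hash_function", get("hash_function") in ("", "0"),
         "session ids are derived with MD5"),
        ("entropy_file", not get("entropy_file") or get("entropy_length") in ("", "0"),
         "no extra entropy source is mixed into new session ids"),
    ]
    return [("session." + name, risk) for name, weak, risk in checks if weak]

if __name__ == "__main__":
    for directive, risk in audit(parse_ini(POSTED_INI)):
        print(f"{directive}: {risk}")
```
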