[TYPO3-dev] Debugging Problems with login and cookies

Volker Biberger volker.biberge at websedit.de
Tue Mar 31 19:33:01 CEST 2009


On T3BOARD09 I had the chance to talk to Ingmar about the problem where 
users kept being kicked out of their login by TYPO3.

In this post I will describe the problems we had and how we debugged them.

Chapter one: The mysterious Problem
We run two websites on different TYPO3 installations:

www.ourdomain.de T3 4.1.9
subdomain.ourdomain.de T3 4.2.6 (clean)

The problem was that people sometimes got kicked out of the backend. When 
they deleted their cookies it worked for a while (maybe a day, maybe 
only an hour).

Setting the cookie domain and disabling the IP lock did not solve the problem.

BTW: If the backend user is within a large company or a larger 
government organisation it can happen that his IP address changes 
during his session and he gets kicked out for that. Although the 
symptoms are quite similar, the solution is to adjust the settings for 
IP locking (TYPO3->Installtool->all configuration). Don't confuse this 
with our problem.

Chapter two: The reason for being kicked out
Ingmar explained to me that TYPO3 kicks users out when the domain of a 
cookie the browser delivers differs from the domain TYPO3 expects. In 
our case the browser sent a cookie with the domain: ".ourdomain.de" 
where it should have been "www.ourdomain.de". To verify this you can 
check the cookies in your browser. Most likely you will find TWO 
cookies, a correct one and the faulty one. Depending on the browser the 
wrong cookie gets sent. This might even depend on what cookie was 
written first, thus the sporadic occurrence of the problem.

By now you should be equipped with a Firefox browser featuring Firebug 
and Firecookie.

If you can reproduce not being able to log in, try to delete the cookie 
that has the ".ourdomain.de" entry. You then should be able to log in 
again.

Chapter three: Why did the cookie cross the web?
So where does the faulty cookie come from? For that we need the Firefox 
extension Live HTTP headers. This extension shows us exactly what 
cookies are sent and received when going to the website.
In our scenario I cleared all the cookies, visited www.ourdomain.de 
(NOT the TYPO3 login!) and got two cookies, one of them with the wrong 
domain .ourdomain.de. BUT tracking the live HTTP headers showed that 
the cookie was not written by the responding server. How could that be? 
The reason for that was that the cookie was written on the client side 
by an outdated JavaScript (efa fontsize used to do that for example). 
Disabling JavaScript quickly proved that the cookie does not get 
written any more (of course I cleared the cookies in advance).

Chapter four: Solution?
The solution to this problem depends on where the faulty cookie comes 
from. What got me on the wrong trail for a long time was that both 
installations seemed to have the same problem, although the 
subdomain.ourdomain.de was a clean installation with little extra 
stuff. Of course this was not the case, since the faulty JS on 
www.ourdomain.de broke the other installation (just like any other 
installation under the same domain).

I hope this post provides a way for you to debug this complex problem. 
I would be glad if you could give feedback on how this post helped you 
and how you finally fixed the problem. In my case I deactivated the 
JS functions since they were legacy and not really needed any more.

Thanks again Ingmar for the support on this.
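
The check described in chapters two to four, as an added example that is not part of the original post: given a cookie-jar listing, it reports every cookie name the browser would send more than once to a host because a parent-domain copy overlaps a host-only one. The jar entries, the `hostOnly` field and the cookie name `be_typo_user` are constructed assumptions; cookie paths are ignored.

```javascript
// Constructed cookie-jar listing, e.g. typed in from the browser's cookie view.
// "be_typo_user" as the backend session cookie name is an assumption.
const jar = [
  { name: "be_typo_user", domain: "www.ourdomain.de", hostOnly: true },
  { name: "be_typo_user", domain: ".ourdomain.de", hostOnly: false },
  { name: "fontsize", domain: ".ourdomain.de", hostOnly: false },
  { name: "be_typo_user", domain: "subdomain.ourdomain.de", hostOnly: true },
];

// RFC 6265 domain matching: a host-only cookie goes to exactly one host,
// a domain cookie goes to that domain and to every subdomain of it.
function isSentTo(cookie, host) {
  const d = cookie.domain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  if (cookie.hostOnly) return h === d;
  return h === d || h.endsWith("." + d);
}

// Return each cookie name that would reach `host` more than once, with the
// domains involved, so the parent-domain copy can be traced to its writer.
function findShadowedCookies(cookies, host) {
  const byName = new Map();
  for (const c of cookies) {
    if (!isSentTo(c, host)) continue;
    if (!byName.has(c.name)) byName.set(c.name, []);
    byName.get(c.name).push(c);
  }
  const findings = [];
  for (const [name, list] of byName) {
    if (list.length < 2) continue; // a single copy cannot shadow anything
    findings.push({
      name,
      host,
      domains: list.map((c) => c.domain),
      widerScope: list.filter((c) => !c.hostOnly).map((c) => c.domain),
    });
  }
  return findings;
}

// Both installations are affected by the one parent-domain cookie.
for (const host of ["www.ourdomain.de", "subdomain.ourdomain.de"]) {
  console.log(host, JSON.stringify(findShadowedCookies(jar, host)));
}
```
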




