[TYPO3-dev] Debugging Problems with login and cookies
Volker Biberger
volker.biberge at websedit.de
Tue Mar 31 19:33:01 CEST 2009
On T3BOARD09 I had the chance to talk to Ingmar about the problem where
users kept being kicked out of their login by TYPO3.
In this post I will describe the problems we had and how we debugged them.
Chapter one: The mysterious Problem
We run two websites on different TYPO3 installations:
www.ourdomain.de T3 4.1.9
subdomain.ourdomain.de T3 4.2.6 (clean)
The problem was that people sometimes got kicked out of the backend. When
they deleted their cookies it worked for a while (maybe a day, maybe
only an hour).
Setting the cookie domain and disabling the IP lock did not solve the problem.
BTW: If the backend user is within a large company or a larger
government organisation it can happen that his IP address changes
during his session and he gets kicked out for that. Although the
symptoms are quite similar, the solution is to adjust the settings for
IP locking (TYPO3->Installtool->all configuration). Don't confuse this
with our problem.
Chapter two: The reason for being kicked out
Ingmar explained to me that TYPO3 kicks users out when the domain of a
cookie the browser delivers differs from the domain TYPO3 expects. In
our case the browser sent a cookie with the domain ".ourdomain.de"
where it should have been "www.ourdomain.de". To verify this you can
check the cookies in your browser. Most likely you will find TWO
cookies, a correct one and the faulty one. Depending on the browser the
wrong cookie gets sent. This might even depend on what cookie was
written first, thus the sporadic occurrence of the problem.
By now you should be equipped with a Firefox browser featuring Firebug
and Firecookie.
If you can reproduce not being able to log in, try to delete the cookie
that has the ".ourdomain.de" entry. You then should be able to log in
again.
Chapter three: Why did the cookie cross the web?
So where does the faulty cookie come from? For that we need the Firefox
extension Live HTTP headers. This extension shows us exactly what
cookies are sent and received when going to the website.
In our scenario I cleared all the cookies, visited www.ourdomain.de
(NOT the TYPO3 login!) and got two cookies, one of them with the wrong
domain .ourdomain.de. BUT tracking the live HTTP headers showed that
the cookie was not written by the responding server. How could that be?
The reason for that was that the cookie was written on the client side
by an outdated JavaScript (efa fontsize used to do that for example).
Disabling JavaScript quickly proved that the cookie does not get
written any more (of course I cleared the cookies in advance).
Chapter four: Solution?
The solution of this problem depends on where the faulty cookie comes
from. What got me on the wrong trail for a long time was that both
installations seemed to have the same problem, although the
subdomain.ourdomain.de was a clean installation with little extra
stuff. Of course this was not the case, since the faulty JS on
www.ourdomain.de broke the other installation (just like any other
installation under the same domain).
I hope this post provides a way for you to debug this complex problem.
I would be glad if you could give feedback on how this post helped you
and how you finally fixed the problem. In my case I deactivated the
JS functions since they were legacy and not really needed any more.
Thanks again Ingmar for the support on this.
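
The comparison done by hand above with Live HTTP headers (cookies the server sets versus cookies the browser sends back) can be scripted. The following is an added example, not part of the original post; the header values and the cookie names cms_session and fontsize are constructed for illustration.

```javascript
// Added example: constructed header values, not captured from the sites in the post.

// Parse a request "Cookie" header into [name, value] pairs, keeping duplicates.
function parseCookieHeader(header) {
  return header
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf("=");
      return eq === -1 ? [part, ""] : [part.slice(0, eq).trim(), part.slice(eq + 1).trim()];
    });
}

// Extract name, value and Domain attribute from one "Set-Cookie" response header.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: null };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    if (k.trim().toLowerCase() === "domain") cookie.domain = v.trim().toLowerCase();
  }
  return cookie;
}

// Compare what the server set with what the browser sent back.
function auditCookies(setCookieHeaders, cookieHeader) {
  const serverSet = setCookieHeaders.map(parseSetCookie);
  const sent = parseCookieHeader(cookieHeader);
  const counts = new Map();
  for (const [name] of sent) counts.set(name, (counts.get(name) || 0) + 1);
  return {
    // Same name sent more than once: two cookies with different Domain/Path scope.
    duplicateNames: [...counts].filter(([, n]) => n > 1).map(([name]) => name),
    // name=value pairs the server never issued: written client-side or by another host.
    notSetByServer: sent
      .filter(([n, v]) => !serverSet.some((c) => c.name === n && c.value === v))
      .map(([n, v]) => `${n}=${v}`),
    // Server cookies with an explicit Domain attribute are also sent to sibling hosts.
    domainWide: serverSet.filter((c) => c.domain !== null).map((c) => c.name),
  };
}

// Constructed sample: the server sets a host-only cookie, yet the browser sends two.
const SAMPLE_SET_COOKIE = ["cms_session=aaa111; Path=/; HttpOnly"];
const SAMPLE_COOKIE = "cms_session=bbb222; cms_session=aaa111; fontsize=120";
console.log(auditCookies(SAMPLE_SET_COOKIE, SAMPLE_COOKIE));
```

A non-empty duplicateNames list together with entries in notSetByServer matches the situation in the post: a second cookie of the same name exists that the responding server never wrote.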