[TYPO3-project-4-3] No longer able to login to trunk

Marcus Krause marcus#exp2009 at t3sec.info
Mon Sep 7 16:15:41 CEST 2009


Steffen Gebert schrieb:
> On Mon, 07 Sep 2009 15:20:22 +0200, Marcus Krause
> <marcus#exp2009 at t3sec.info> wrote:
> 
>> With a recently updated trunk, I'm no longer able to login.
>> @see http://img195.imageshack.us/img195/595/cookiesplease.png
>>
>>
>> The login form is in the sourcecode but unreachable.
>> Cookies *are working*!
>>
>>
>> I'm using a reverse proxy (providing SSL) and activated sysext:rsaauth.
>> Browser: FF 3.5
>>
>>
>> Where should I start debugging this misbehaviour? Thanks for any help.
> 
> Hi Marcus,
> 
> it's the new login screen, sure (#11370).
> 
> Cookies are only checked using JavaScript:
> 
> var cookieEnabled = (navigator.cookieEnabled) ? true : false;
> 
> // the test cookie is only tried when navigator.cookieEnabled is undefined
> if (typeof navigator.cookieEnabled == "undefined" && !cookieEnabled) {
>     document.cookie = "testcookie";
>     cookieEnabled = (document.cookie.indexOf("testcookie") != -1) ? true : false;
> }
> if (cookieEnabled) {
>     document.getElementById("t3-login-form-fields").style.display = 'block';
> }
> else {
>     document.getElementById("t3-nocookies-error").style.display = 'block';
> }
> 
> Could you please debug this code?
> (located in typo3/sysext/t3skin/templates/login.html)
> 
> This code is from Susanne (I think) - so I don't know, if this catches
> all browsers / addons / SSL /...


Found the reason for this problem:
I'm generally disallowing cookies. Only domains on a whitelist (which
the domain of my TYPO3 installation is on) are allowed to send/use cookies.

However, with such a whitelist in use, navigator.cookieEnabled is always
false and the browser seems to be unable to create a "testcookie".


One option might be to actually test for the be_typo_user cookie, but this
isn't the optimal solution. With the $httponly flag in PHP setcookie()
calls, cookies can't be accessed via JS. TYPO3 might use this
flag soon, and PHP already allows setting this flag via php.ini
(session.cookie_httponly).

So, with this in mind, IMHO the cookie check doesn't make much
sense, and I personally stick to the previous behaviour (no check, but
always a notice to allow cookies).


Marcus.
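As an added example, not code from the TYPO3 project and not written by anyone in this thread: a cookie check that decides from an actual write/read probe rather than from navigator.cookieEnabled, which covers the whitelist case described above (hint says "disabled", cookies for this site actually work) and the opposite case (hint says "enabled", writes are silently dropped). FakeDocument, its acceptCookies policy, serverSetCookie and the probe cookie name are assumptions constructed here so the logic runs under Node; be_typo_user is the cookie named in the message above.

```javascript
// Added example, not TYPO3 code. Run with: node cookiecheck.js
// In a page you would call cookiesUsable(document, navigator).

function parseCookieHeader(str) {
  // Split "name=value; attr=x; flag" into the pair and a lowercase attribute map.
  const parts = str.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  const name = parts[0].slice(0, eq);
  const value = parts[0].slice(eq + 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    attrs[(i < 0 ? p : p.slice(0, i)).toLowerCase()] = i < 0 ? true : p.slice(i + 1);
  }
  return { name, value, attrs };
}

// Constructed stand-in for document.cookie (an assumption for this example):
// an assignment adds one cookie, a past "expires" removes it, and a blocking
// policy silently drops writes, since browsers do not throw on a refused cookie.
class FakeDocument {
  constructor({ acceptCookies }) {
    this.acceptCookies = acceptCookies;
    this.jar = new Map(); // name -> { value, httpOnly }
  }
  set cookie(str) {
    const { name, value, attrs } = parseCookieHeader(str);
    if ("expires" in attrs && new Date(attrs.expires) < new Date()) {
      this.jar.delete(name);
    } else if (this.acceptCookies) {
      this.jar.set(name, { value, httpOnly: false });
    }
  }
  get cookie() {
    // HttpOnly cookies are never exposed to script, as in a real browser.
    return [...this.jar]
      .filter(([, c]) => !c.httpOnly)
      .map(([n, c]) => n + "=" + c.value)
      .join("; ");
  }
  // Simulates a Set-Cookie response header, which may carry HttpOnly.
  serverSetCookie(name, value, { httpOnly = false } = {}) {
    if (this.acceptCookies) this.jar.set(name, { value, httpOnly });
  }
}

function cookiesUsable(doc, nav) {
  // Unique probe name so a leftover cookie cannot produce a false positive.
  const name = "t3_cookie_probe_" + Date.now();
  doc.cookie = name + "=1; path=/";
  const usable = doc.cookie.split("; ").includes(name + "=1");
  // Remove the probe again, whether or not it was accepted.
  doc.cookie = name + "=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT";
  const hint = nav && typeof nav.cookieEnabled === "boolean" ? nav.cookieEnabled : null;
  // `conflicting` marks the situations this check exists for: the navigator
  // hint disagrees with what the site can actually do.
  return { usable, hint, conflicting: hint !== null && hint !== usable };
}

// Checking for the real session cookie is no substitute: once be_typo_user
// is set with HttpOnly, script cannot see it at all.
function hasLoginCookie(doc) {
  return doc.cookie.split("; ").some((c) => c.startsWith("be_typo_user="));
}

// Constructed scenarios, not captured from a real browser.
const whitelistedSite = new FakeDocument({ acceptCookies: true });
const blockedSite = new FakeDocument({ acceptCookies: false });
const whitelistNavigator = { cookieEnabled: false }; // the hint reported under a per-site whitelist

console.log("whitelisted:", cookiesUsable(whitelistedSite, whitelistNavigator));
console.log("blocked:", cookiesUsable(blockedSite, { cookieEnabled: true }));
whitelistedSite.serverSetCookie("be_typo_user", "abc", { httpOnly: true });
console.log("login cookie visible with HttpOnly:", hasLoginCookie(whitelistedSite));
```

Show the form only on `usable`; `hint` and `conflicting` are diagnostics for the "cookies please" message, not inputs to the decision. The HttpOnly scenario is why a check for be_typo_user from script stops working the moment the server sets that flag.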

