@fungiboletus opened this Issue on November 7th 2018

A correct login/password redirects to the login page with a 302 HTTP code. No errors and no login.

The installation is a bit special, using AWS ECS (I know) and an AWS load balancer as HTTPS reverse proxy. The proxy does not support X-Forwarded-Host headers or similar, but it used to work.

[General]
assume_secure_protocol = 1
enable_trusted_host_check = 0
@tsteur commented on November 7th 2018 Member

Sorry I'm not quite understanding where the problem is. You log in, but nothing happens?

From which version did you update?

@fungiboletus commented on November 7th 2018

I login and I get the redirection after a successful login, but it's the login page which is displayed again. I did debug the code a bit, it looks like the session cookie is created but after the redirection, it has disappeared.

@tsteur commented on November 7th 2018 Member

Is the proxy maybe configured to forward the previous cookie name but not the new cookie name? (I think the cookie name changed but not sure.)

@fdellwing commented on November 7th 2018 Contributor

Just a guess: Did you update to Firefox 63 at the same time the problem started appearing?

@fungiboletus commented on November 8th 2018

The proxy is configured to forward everything, it might have an issue though. I'm testing with various browsers without privacy extensions turned on.

After a successful login, $_COOKIE looks like this:

Array
(
    [piwik_auth] => login=abcdef=:token_auth=abcdef==:_=abcdef
    [PIWIK_SESSID] => abcdef
)

So I guess I was wrong, the cookie is correctly sent by the browser.
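The symptom discussed above (session cookie created, then gone after the 302 behind a TLS-terminating load balancer) is usually diagnosed by comparing the Set-Cookie headers of the login response with the redirect target the browser will follow. The script below is an added example for this thread, not Matomo code: it parses captured response headers and reports the cookie attributes (Secure over an http:// Location, Domain or Path not covering the target, cookie cleared) that would make a browser drop the cookie on the next request. The hostnames, the cookie values and both captured responses are constructed; the cookie names come from the $_COOKIE dump in the thread.

```python
"""Check why session cookies set by a login response may not return on the redirect.

Added example for the Matomo issue thread; not part of Matomo. The captured
responses and hostnames below are constructed sample data.
"""
from urllib.parse import urlsplit

# Cookie names a successful Matomo 3.6 login sets, as shown in the thread.
EXPECTED_COOKIES = ("piwik_auth", "PIWIK_SESSID")

# Constructed: the URL the login form was POSTed to (browser-facing, via the ALB).
REQUEST_URL = "https://stats.example.test/index.php?module=Login&action=login"

# Constructed: a healthy response; the Location stays on https and cookies cover it.
SAMPLE_HEALTHY = {
    "status": 302,
    "location": "https://stats.example.test/index.php?module=CoreHome",
    "set_cookie": [
        "PIWIK_SESSID=abcdef; path=/; secure; HttpOnly; SameSite=Lax",
        "piwik_auth=login=abcdef=:token_auth=abcdef==:_=abcdef; "
        "expires=Thu, 07-Nov-2019 17:00:00 GMT; Max-Age=31536000; path=/; secure; HttpOnly",
    ],
}

# Constructed: the app behind the proxy believes it is plain http, so the redirect
# goes to http:// while the cookies are Secure, and piwik_auth is scoped wrongly.
SAMPLE_BROKEN = {
    "status": 302,
    "location": "http://stats.example.test/index.php?module=Login",
    "set_cookie": [
        "PIWIK_SESSID=abcdef; path=/; secure; HttpOnly",
        "piwik_auth=login=abcdef=:token_auth=abcdef==:_=abcdef; "
        "domain=intranet.example.test; path=/matomo/; secure",
    ],
}


def parse_set_cookie(header_value):
    """Split one Set-Cookie header into (name, value, attrs).

    attrs maps lower-cased attribute names to their value, or True for
    flag attributes such as Secure and HttpOnly.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def domain_matches(cookie_domain, host):
    """RFC 6265 domain-match: host equals the cookie domain or is a subdomain of it."""
    dom = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == dom or host.endswith("." + dom)


def diagnose(status, location, set_cookie_headers, request_url):
    """Return (cookie, code, message) findings for cookies the browser would not
    send back on the request that follows this response."""
    findings = []
    req = urlsplit(request_url)
    target = urlsplit(location) if location else req
    scheme = target.scheme or req.scheme
    host = target.hostname or req.hostname
    path = target.path or "/"

    seen = set()
    for raw in set_cookie_headers:
        name, value, attrs = parse_set_cookie(raw)
        seen.add(name)
        if attrs.get("max-age") == "0" or value == "":
            findings.append((name, "cleared", f"{name} is cleared by this response"))
            continue
        # A Secure cookie is only sent over https; with a TLS-terminating proxy the
        # app must still generate https:// redirects (hence assume_secure_protocol).
        if "secure" in attrs and scheme != "https":
            findings.append((name, "secure_over_http",
                             f"{name} is Secure but the redirect goes to {scheme}://{host}{path}"))
        dom = attrs.get("domain")
        if isinstance(dom, str) and not domain_matches(dom, host):
            findings.append((name, "domain_mismatch",
                             f"{name} has Domain={dom}, which does not cover {host}"))
        cpath = attrs.get("path")
        if not isinstance(cpath, str):
            cpath = "/"
        if not path.startswith(cpath):
            findings.append((name, "path_mismatch",
                             f"{name} has Path={cpath}, which does not cover {path}"))
    for name in EXPECTED_COOKIES:
        if name not in seen:
            findings.append((name, "missing", f"{name} was not set at all (status {status})"))
    return findings


if __name__ == "__main__":
    for label, sample in (("healthy", SAMPLE_HEALTHY), ("broken", SAMPLE_BROKEN)):
        print(label)
        for _, code, msg in diagnose(sample["status"], sample["location"],
                                     sample["set_cookie"], REQUEST_URL):
            print(f"  [{code}] {msg}")
```

To use it on a real deployment, capture the login response with the browser's network tab or `curl -i` and paste the Location and Set-Cookie headers into the sample structure; an empty finding list means the cookies themselves are fine and, as in this thread, the cause lies server-side in how the session is validated.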

@fungiboletus commented on November 8th 2018

I tried to debug more, but I think it's related to #12208 and I'm giving up. This new secure session stuff feels a bit too complicated to me.

I understand it's good security practice to fail without error messages, but it's frustrating. I have no idea where the problem is and the code base is too complex to debug for external people.

I'm available if you need more information.

@fungiboletus commented on November 8th 2018

Well, my bad. The cookie was set correctly but the session fingerprint wasn't initialised because the Login plugin wasn't updated to 3.6.1. I updated the plugin and now it works. It also explains the lack of error messages, it was a weird configuration (3.6.1 core and 3.5.1 login plugin).

Cheers.

@tsteur commented on November 8th 2018 Member

Cheers for letting us know

This Issue was closed on November 8th 2018