Cannot Browse Server After upgrading to 3.5.5


After upgrading to 3.5.5 from 3.5.1 when I click on “Browse Server” it tells me I don’t have permissions. I’ve checked the permissions and everything is wide open.

Is there something from the upgrade that would’ve broken this?

@coderader In release 3.5.5 there is a change to the way that phplist names the php session. That affected the editor plugin, which was changed to be compatible.
Ensure that you close all browser windows after doing the upgrade to avoid a problem with the wrong session name.

Also, are you using a local copy of the kcfinder package, instead of that included in phplist?
Check this setting on the Settings page

This value means you are using the version included in phplist. If it is any other value then you are using a local copy and need to switch to use the version with phplist.


That didn’t do it. I verified my plugin is the right one.

I’m using Chrome and closed it down and restarted it.

I also tried in the developer tools, clearing the cookie for my site and starting fresh.

I get the same problem. It happens with both “Browse Server” and over in the advanced when I try to “Send to Server.”

@coderader can you confirm the name of the cookie that you can see in the Chrome developer tools? Look at the network tab after loading a page in phplist to see the cookies sent with that request.

phpListSession. It also creates browsetrail

That’s correct. Just to be clear, previously you were using phplist 3.5.1 and the browse server button worked correctly? You have not made any changes related to the phplist session.
The “permissions” don’t refer to file permissions but whether you are allowed to browse images.

It was 3.5.1 and the browse server button did work. So it isn’t working with the file permissions, but user permissions?

@coderader there shouldn’t be any permission problem. The message is issued by the image browser, kcfinder, when it thinks that it is not enabled. That enabling is done by the ckeditor plugin.
Can you let me have a look at your phplist? Send a private message with the URL and admin credentials.

I have the same problem. After upgrading from 3.5.4.
I can give admin access.

@igorz you can send me the admin access details in a private message by clicking my name (duncanc).

@igorz @coderader Did you update phplist using the automatic Updater? If so please can you manually update the ckeditor plugin.

On the Manage Plugins page enter this in the Plugin package URL field

Yes, update by automatic Updater. The plugins are still old. After updating CKEditorPlugin everything is fine.

@igorz thanks. There is a problem with the automatic updater not installing the latest plugins.

In release 3.5.5 the ckeditor plugin needs to be updated in line with the new phplist release. I will look at raising an issue with the updater.


I had used the automated updater as well. Replacing manually fixed it. Thanks for the help Duncan.

Hi, we too had an automatic update from 3.5.4 to 3.5.5 and found the issue with the kcfinder plugin.
I have reinstalled phplist-plugin-ckeditor manually from the github zip file, and updated the Ckeditor url setting, but the function phplistSession still exits with “Not logged in”.

It seems that in our installation the session is not recovered in the popup, although the session ids are the same.

In the function phplistSession, a var_dump($_SESSION); after @session_start(); returns array(0).

@glauco can you check what the value session.auto_start has in php.ini?

If you can give me access to your phplist then I can take a look. Send me a private message with the admin credentials and the URL.

Thank you for the hint, session.auto_start = 0; but sadly php.ini is not owned by us (shared hosting).

I’ve tried to place ini_set('session.auto_start', 1); in phplist.php and init.php, before the other ini stuff, but it doesn’t work as expected, the dump shows only a few things:

array(1) {
	["KCFINDER"]=> array(2) {
		["stamp"]=> array(2) {
			["ip"]=> string(11) "XX.XX.XX.XX"
			["agent"]=> string(32) "a2de6400cde0533e396bb5b0f5b6ea3f"
		}
		["self"]=> array(1) {
			["dir"]=> string(5) "files"
		}
	}
}

@glauco session.auto_start = 0 is what I would want it to be, so the current setting is correct.
I did experiment with setting that to 1, but that worked anyway.
What is the hosting environment, and which version of php is being used?

@glauco You can try replacing the file plugins/CKEditorPlugin/kcfinder/integration/phplist.php to try to show which statements are failing


<?php

function phplistSession()
{
    // Use the same session initialisation as phplist in file init.php.
    // ini_set() returns false on failure, so each check reports which setting was refused.
    if (false === ini_set('session.name', 'phpListSession')) {
        echo 'unable to set session name';
    }
    if (false === ini_set('session.cookie_samesite', 'Strict')) {
        echo 'unable to set cookie_samesite';
    }
    if (false === ini_set('session.use_only_cookies', 1)) {
        echo 'unable to set use_only_cookies';
    }
    if (false === ini_set('session.cookie_httponly', 1)) {
        echo 'unable to set cookie_httponly';
    }

    if (false === session_start()) {
        echo 'unable to start session';
    }

    // Stop unless the session carries the admin login flag
    if (empty($_SESSION['adminloggedin'])) {
        die('Not logged in');
    }
}

We use php 7.4 (I’ve tried every version, starting from 5.6)
With the new function no error was thrown, apparently a curl -I confirms that the ini_set’s are working.

HTTP/2 200
date: Sat, 25 Jul 2020 09:42:39 GMT
server: Apache
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
set-cookie: phpListSession=0e9fb958133f8609079b3dc49bb5835d; path=/; HttpOnly; SameSite=Strict
content-type: text/html; charset=UTF-8

but it still shows no adminloggedin var.
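
Added example, not part of the thread and not phplist or kcfinder code: a temporary diagnostic page that applies the same session settings as the function quoted above and reports what the session holds, so the output from the directory serving the phplist admin pages can be compared with the output from plugins/CKEditorPlugin/kcfinder/integration/. The file name sessioncheck.php, and the idea that session.save_handler or session.save_path may differ between the two directories, are assumptions and not findings from this thread.

```php
<?php
// sessioncheck.php (hypothetical name). Copy it temporarily into both directories,
// request each copy from the same logged-in browser, compare the two outputs,
// then delete both copies: the page is unauthenticated and reveals configuration.

// Same session initialisation as the phplistSession() function quoted in the thread.
$wanted = [
    'session.name'             => 'phpListSession',
    'session.cookie_samesite'  => 'Strict',
    'session.use_only_cookies' => '1',
    'session.cookie_httponly'  => '1',
];

function sessionReport(array $wanted): array
{
    $report = [];
    foreach ($wanted as $key => $value) {
        // ini_set() returns false when the change is refused (for example when
        // a session is already active because session.auto_start is on).
        $report['ini_set ' . $key] = ini_set($key, $value) === false ? 'FAILED' : 'ok';
    }
    $report['session_start'] = session_start() ? 'ok' : 'FAILED';

    // Effective settings that decide which stored session the cookie maps to.
    foreach (['session.name', 'session.auto_start', 'session.save_handler', 'session.save_path'] as $key) {
        $report[$key] = var_export(ini_get($key), true);
    }
    $report['cookie received'] = isset($_COOKIE[session_name()]) ? 'yes' : 'no';
    // Hash prefix only: enough to compare two outputs without printing the live id.
    $report['session id (sha256 prefix)'] = substr(hash('sha256', session_id()), 0, 12);
    // Key names only: the values may hold credentials or tokens.
    $report['session keys'] = implode(', ', array_keys($_SESSION)) ?: '(none)';
    $report['adminloggedin set'] = empty($_SESSION['adminloggedin']) ? 'no' : 'yes';

    return $report;
}

// Send the content type before anything that could produce output.
header('Content-Type: text/plain; charset=UTF-8');
foreach (sessionReport($wanted) as $label => $value) {
    echo str_pad($label, 34), $value, "\n";
}
```

If the two outputs show the same id prefix but different session keys, compare the session.save_handler and session.save_path lines first.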