PHPList 3.6.16 upgrade issue - login but immediately ejected (solved)

Hi,

I just upgraded from version 3.6.12 to 3.6.16 (archive from SourceForge), and I am encountering a strange issue.

I installed the new source files and copied the configuration files.

When I log in, I reach the dashboard page and I see the message to upgrade the database, but the site immediately logs me out.

I then upgraded the database from the CLI, but the issue persists — I am still logged out automatically.

I also tried version 3.6.14 (archive from GitHub), but the same problem occurs: I briefly see the dashboard, but then I am immediately redirected back to the login page.

When I revert to 3.6.12, I can log in successfully, but the dashboard indicates the database version as 3.6.16.

I have CHECK_SESSIONIP = 0 in config.php and config_extended.php

but I received this email:

We noticed a login to your phpList installation at https://ml.xxxx.fr
from a new location. If this was you, you can delete this message.
If you do not recognise this, please login to your phpList installation
and change your password.

I tried too define(‘CHECK_REFERRER’, 0); no change

I smell the bug is about the language
I tried to capture snap screen and info box have “Initialising phpList in your language, please wait”
(my UI is configured to use french,
I tried to force to use English in config.php
with
$detault_system_language = ‘en’;
$language module = “english.inc”;

but no success

Do you have any idea how to solve this issue?
I tried to put some log but I had no success.

I also tried with another subdomain (as seen in a message on the forum)
I tried with different browser.

Best Regards
Fish

@fish This sort of problem is usually with the php session. If you have not already done so, close the browser, then re-open and clear cookies for phplist.

Release 3.6.15 added a table, admin_login. Check whether that exists, it shouldn’t as it will be created by the upgrade step which you have been unable to run.

Hi @duncanc
thanks but for your answer,

• close , browser, remove cookie had no effect

• I have admin_login table in my DB

I had run the DB update from the cli , and when I log with 3.6.12 UI I got DB version 3.8.16

Capture d’écran 2025-09-26 à 20.06.45301×1038 26.4 KB

That’s strange the data in remote_ip4 column are ip v6 address

Capture d’écran 2025-09-26 à 20.10.44997×221 26.7 KB

@fish I think that there is a problem with IP 6 addresses in that table, it is due to be fixed in the next release. You could install the release candidate version of 3.7.0 which should fix the problem. See Detect ip6 with admin login by michield · Pull Request #1084 · phpList/phplist3 · GitHub

You can download from phpList - Browse /phplist-development at SourceForge.net

I installed and upgraded the database from the CLI because I couldn’t log in.
There was no change (I used the 3.7.0-RC2 version from GitHub).

Tomorrow, I will try to purge the admin_login table.
Tonight, my hosting provider is experiencing issues, and I can’t access phpMyAdmin.

Enjoy your evening

@fish Try dropping the admin_login table, that will stop phplist trying to check whether a new IP address is being used.

Hi @duncanc

I"I looked at the table after installing 3.7 RC2— the IPv6 address is in the correct column,
but I still have no access.
When I cleared the table, a new access added a line, but I still couldn’t log in.
I tried several logins; the last login is marked as active in the table, and the previous one changes to inactive status.

Do you have any idea where I should look in the code?
I haven’t developed in PHP for a long time, but I could try to debug if you can point me in the right direction.

@duncanc I found it.
The issue was indeed related, as I suspected, to the language change.

Once logged in, I tried to change the language and got logged out.
But strangely, the UI remains in French and I was able to log in.
If I change the language to English, I get logged out, but I can log in again afterward

I am going to open an issue on GitHub

I set
define('LANGUAGE_AUTO_UPDATE', 0);
in my config file, and now I can log in.

Now I will try to recover my database.
Or do you think I could continue using RC2 while waiting for the stable version to be released?
Will there be an update from the development version to the stable database?"

@fish Glad that you found the cause.

It should be safe to remain on RC2.

@duncanc, in fact, this is not resolved.

I spoke too soon—I haven’t tested posting a campaign yet.

When I am on the dashboard, if I click on a link, I get logged out.
However, if the link is inside a button (for example, in the navigation bar or the process queue button), after logging in, I am redirected back to the dashboard page.

But if I click on a link that is not a button (the blue link), I get logged out. However, when I log in again, I am redirected to the page I wanted to access. This works correctly for example to go to the last campaign.

Capture d’écran 2025-09-27 à 19.40.441418×1102 157 KB

Capture d’écran 2025-09-27 à 19.37.401374×1058 146 KB

Capture d’écran 2025-09-27 à 19.35.381374×1058 140 KB

i am going to reinstall DB and 3.6.16. to see if not a RC2 issue.

→ Same error in 3.6.16

@fish Do you have any extra redirect rules in the .htaccess file?

You can revert to release 3.6.12 which you said was working. I don’t think that the database changes that were applied for 3.6.16 will cause any problems.

Also when logged-out the URL includes &err=1

That seems to be set in the function verifyCsrfGetToken() in file admin/lib.php and seems to mean that the php session is not working properly.

@duncanc I don’t have any particular .htaccess file.
I made a clean install from the source and just copied over my config.php and config_extended.php files.