Phplist/admin/?page=logout&err=1

santro · February 8, 2025, 3:34am

I have found some old threads on this, but none seem to give a solution
Brand-new fresh installation using installatron from cpanel
Version installed - v3.6.15
PHP version 8.2

I logon ok but as soon as I select a menu item I get asked to logon again and on the url bar have
phplist/admin/?page=logout&err=1

I have already gone into config and set
define(‘CHECK_SESSIONIP’, 0);

How do I resolve this

Crenel84 · February 8, 2025, 9:07pm

I’m not familiar with this specific problem, but it sounds like a session failure. Do you have any ad blockers or other things configured in a way that could disrupt session functionality? That would be my first thing to check. Since it’s a site you manage, I think it’s (generally) safe to have the browser trust it to ensure everything works right.

santro · February 10, 2025, 2:22am

Hi how do I “have the browser trust it to ensure everything works right.”

Also FYI
I have tried it on windows 7 firefox and chrome
And today on Windows Windows 11 Pro using firefox, google chrome and microsoft edge
All the same issue

How do I resolve this?

duncanc · February 10, 2025, 10:40am

@santro This is the phplist code that is causing that error

github.com

phpList/phplist3/blob/72dd0d6f21010571066260abcd622ba4ca249095/public_html/lists/admin/lib.php#L1852


      
          
          //# verify the session token on ajaxed GET requests
          function verifyCsrfGetToken($enforce = 1)
          { // enforce=0 allows checking "if exist"
              if (!defined('PHPLISTINIT')) {
                  die();
              }
              if ($GLOBALS['commandline']) {
                  return true;
              }
              if (isset($_GET['tk']) && isset($_SESSION[$GLOBALS['installation_name'].'_csrf_token'])) {
                  if (!hash_equals($_SESSION[$GLOBALS['installation_name'].'_csrf_token'], $_GET['tk'])) {
                      $_SESSION['logout_error'] = s('Error, incorrect session token');
                      Redirect('logout&err=1');
                      exit;
                  }
              } elseif ($enforce && isset($_SESSION[$GLOBALS['installation_name'].'_csrf_token'])) {
                  $_SESSION['logout_error'] = s('Error, incorrect session token');
                  Redirect('logout&err=1');
                  exit;
              }

It looks like the tk parameter is not present in the URL or its value does not match that held in the session variable. i don’t really know why either of those should fail.

You could try adding some var_dump() statements to see which of those two branches is failing, and what the tk parameter and session values are.

santro · February 10, 2025, 11:50am

@duncanc I have now tried it on 3 devices including a mobile phone and get the same problem
I have no idea why I am having this issue with a fresh new installation.

@Crenel84 Seemed to indicate I can somehow have the browser I am using trusted, any idea on how to do that?

Where do I add the var_dump() statements and where should I look to see the results

santro · February 10, 2025, 12:23pm

Just for some more info, I have installed this on another domain located on dreamscape / godaddy via cpanel and it works fine?

Could it be an option in php thats not selected, I am working on comparing the two now

duncanc · February 10, 2025, 2:00pm

Add these two lines to file admin/lib.php. The output will probably be at the top of the phplist page. You might need to view the html source of the page to see the values clearly.

    var_dump($_GET);
    var_dump($_SESSION[$GLOBALS['installation_name'].'_csrf_token']);

    if (isset($_GET['tk']) && isset($_SESSION[$GLOBALS['installation_name'].'_csrf_token'])) {

santro · February 11, 2025, 12:53am

First thank-you to those that tried to assist.
The hosting company has resolved the issue.

See solution is below for anyone that may have similar issues.
From what I understand, the installation via cpanel changed some settings which broke php.

Checking the public_html folder, I can see a few files that were changing the PHP settings for your website.

Within the .htaccess, php.ini, and user.ini files, were PHP configurations that changed the directory where PHP sessions are being saved.

This directory that was set was not accessible by your user which caused sessions to not be saved and the logout issue you are experiencing.

I have gone ahead and reverted them all back to defaults now - Testing the admin page again now, I am not being logged out after clicking on the menu buttons.

If you would like to make PHP configuration changes, I would recommend that you do so via the PHP selector tool within cPanel: