PHPList in an endless login loop

WestWing · March 24, 2026, 5:59am

Hello,

I’ve used PHPList for many years successfully. However, I have just installed a new copy of version 3.6.16 and I’m running PHP 8.2. I have tried PHP 7.4 too. I can login but when I select anything, I’m logged out again. I have tried every browser I have and indeed another computer. Its doing my head in as I need to do an urgent newsletter. All other instances of PHPList I have (probs older versions) work fine. Cookies and sessions cleared too … Happy to let someone login if it helps?

Thanks

WestWing · March 24, 2026, 7:11am

My other sites are running 3.6.14 all ok!

duncanc · March 24, 2026, 7:46am

@WestWing Check whether you have an IP V6 address. phplist 3.6.16 doesn’t handle that properly.

WestWing · March 24, 2026, 8:21am

Thanks for answering Duncan …. I have no IP V6 addresses … like I said, 3.6.14 works fine off the same server. I’m not sure how to install 3.7 yet …. I may have to try that. I certaintly will not upkrade any other sites to .16!

duncanc · March 24, 2026, 9:03am

@WestWing You can try renaming the admin_login table to something else. That would remove one possible cause of the problem.

When you are logged-out, does the browser URL have an “err=” parameter? Values of 1 and 2 have slightly different causes.
Also, look in the eventlog table to see whether phplist has logged anything.

WestWing · March 24, 2026, 8:00pm

Hi Duncan,

err=” parameter 1. is what i get. Nothing in the eventlog table ….

WestWing · March 24, 2026, 8:35pm

also, I renamed the admin_login table as you suggested to no effect … still being logged out!

duncanc · March 24, 2026, 10:36pm

@WestWing This is the code that issues err=1

if (isset($_GET['tk']) && isset($_SESSION[$GLOBALS['installation_name'].'_csrf_token'])) {
    if (!hash_equals($_SESSION[$GLOBALS['installation_name'].'_csrf_token'], $_GET['tk'])) {
        $_SESSION['logout_error'] = s('Error, incorrect session token');
        Redirect('logout&err=1');
        exit;
    }
} elseif ($enforce && isset($_SESSION[$GLOBALS['installation_name'].'_csrf_token'])) {
    $_SESSION['logout_error'] = s('Error, incorrect session token');
    Redirect('logout&err=1');
    exit;
}

That seems to indicate something wrong with the php session. The code is comparing the tk parameter from the URL with a session variable. The tk parameter was set from that session variable when the page was generated, so they should be the same.

WestWing · March 24, 2026, 11:27pm

Thanks Duncan …. not sure where to go next. I installed a fresh PHPList .16 on another site and its the same. Any idea when 3.7.0 will be released?

duncanc · March 25, 2026, 8:19am

@WestWing Are all your phplist installations on the same web hosting server? If not, can you see if there are any differences in php settings between them, specifically to do with the php session handling.

You can try to work around this problem by patching file lists/admin/lib.php. Look for these lines (they are at line 1844 in the version that I am looking at)

function verifyCsrfGetToken($enforce = 1)
{ // enforce=0 allows checking "if exist"

then add this immediately afterwards, which will bypass the check

return true;

WestWing · March 26, 2026, 2:38am

Tried your code alteration Duncan but still the same.

FYI, all my 5 instances of PHPList are on the same server.

Thanks for trying.

duncanc · March 26, 2026, 7:33am

@WestWing Try installing version 3.6.14 if that is working for other sites.