Phplist suddenly started redirecting me to the login form

pieffebi 2015-04-28 14:11:17 UTC #1

Hi,

I'm using phplist (3.0.12) to manage the message for a small conference.

The problem started today. Until yesterday everything worked fine.
I am still able to log into phplist. The usual username and password seem to work as always.
However, whatever operation I try after logging in (e.g. add a new user), phplist redirects me to the login
page.

Update it's not exactly the login page. It looks like it, but just above the login box the title of the action I wanted to performs appear. E.g. "SEARCH SUBSCRIBERS". If I log in again, the search subscribers page appears, but when I try another action I'm pushed back to the "login" page. Although very annoying, I could live with logging in at every operation. However, it does not work. For instance, when I try to add a new user, I cannot go past the "SUBSCRIBER PROFILE" page.

The only thing I have done different is introducing a slight change in the config file, which I shortly after restored.
This is because I use my private mail account to process bounces, and I do not like to leave my password in the config file, since other users could see it.
Therefore, whenever I need to process the bounces, I write the password in the config file, and after that I replace it with a meaningless 'pwd'. This never gave me any problem. On the other hand, I have always done this on older versions of phplist. Yesterday was probably the first time I did this with the new version of phplist (3.0.12).

The problem happens with firefox 37.0.1 and Safari 5.1.10 on a macbook with OS 10.6.8.

Can someone help me? I am not able to do anything right now....
Thanks a lot

anna 2015-04-28 14:49:28 UTC #2

Can you try undoing the change in the config and see if it fixes the issue?

pieffebi 2015-04-28 15:06:53 UTC #3

Hi Anna,

thanks for your suggestion. I did undo the change. I mean, the change only affected the "$bounce_mailbox_password" variable. Yesterday I set it to the password of my account (specified in the variables just above that).
Today I set it to 'pwd'. I am not sure this is causing the problem, though. Putting back my password does not change anything.

I found a post reporting a similar problem, in the old forum. However I doubt that this is a problem of changing IP. I'm pretty sure I'm on a static IP.
Anyway, following some suggestions in the post, I tried the following in the config file: define("CHECK_SESSIONIP",0); but to no avail.

Also, out of desperation, I tried $require_login = 0;.

The system lets me in without asking for username and password, but when I try to do anything I get the following error

Error: Invalid security token, please reload the page and try again

I hope you'll help me, this is driving me crazy.

Oh, the attribute for config.php are -rw-r--r--. That should be correct, right?

anna 2015-04-28 15:16:55 UTC #4

If there is any chance the issue could be your config file, I would try it with a fresh one. Save your old one, then edit only the minimum things. Don't even used advanced config, just the basic one.

I am really not an expert but 99% of the time it is the change, especially if 3.0.12 was working okay after update but before change...

pieffebi 2015-04-28 15:20:41 UTC #5

I'll try that, thanks.

Note that I added some detail about the problem in my original post.

Also, the problem could be caused by something else. Apparently the entire website hosting my webmail is experiencing some problems. A colleague just told me about problems with webmail.
She's waiting for a reply from the administrators.

danwaterloo 2015-04-28 17:59:55 UTC #6

I've had this happen to me, and when I changed this setting in the config.php file, it fixed the problem:

# to increase security the session of a user is checked for the IP address
# this needs to be the same for every request. This may not work with
# network situations where you connect via multiple proxies, so you can
# switch off the checking by setting this to 0
define("CHECK_SESSIONIP",1);

Uncomment that last line, and set CHECK_SESSIONIP to 1

pieffebi 2015-04-28 21:40:52 UTC #7

Hi danwaterloo,

thanks for your reply.

Actually define("CHECK_SESSIONIP",1) was the original setting in my config.php.
I do not remember setting it, but when I looked in my config.php, after the problem started, that was the situation.
I realize I might have not been very clear in my reply to Anna, but I set define("CHECK_SESSIONIP",0) following the suggestion in this old post.

Unfortunately, my problem seems insensitive to the value of CHECK_SESSIONIP. Either way, the system keeps asking me to log in. As I explained in the update above, I'm able to painfulliy get to several pages in phplist, but unable to perform operations such as creating new users.

I have just tried from home (different, dynamic IP), and the problem persists.

Can this be something on the server side?

pieffebi 2015-04-28 22:39:31 UTC #8

so, I tried writing the config.php from start.
I copied the config.php that I find in phplist-3.0.12/public_html/lists/config/ in my lists/config/ directory (making sure to have a backup of the old file).

I set the options in this new config.php copying them from the previous config.php.

The result is really depressing. With this new config.php I am not even able to log in any more. It says "wrong password" or something to that effect.

If I restore the config.php that worked until yesterday, I'm still able to log in, although the above problem persists.

There is something I noticed. The "blank" config.php I copied from phplist-3.0.12/public_html/lists/config/ starts with <?php but has no ending ?>. Is this all right?

The old config.php did have the closing ?>.

pieffebi 2015-04-29 08:57:23 UTC #9

Ok, today the problem "spontaneously" disappeared as it had appeared yesterday.
The config.php is the same as yesterday, and all works as usual.

I suspect the issue was with the server. In fact there still seems to be some trouble with email.

Thanks a lot for the support, and apologies for having perhaps been too solicitous for help.
The conference deadlines are approaching fast, and suddenly I found myself without a very useful tool.

susandiaz34 2015-04-29 09:52:41 UTC #10

Seems to have the same problem with me as well.. tried many other things around available on internet.. hoping to solve it by today necessary.

danwaterloo 2015-04-29 10:53:37 UTC #11

If there is a typo in the config.php file, the system might not work.

I usually start with the config_extended.php, move my settings into that, and then save as config.php

They system doesn't seem to care if there is a closing bracket, but I personally think that putting one there is a good programming style.

danwaterloo 2015-04-29 10:54:53 UTC #12

I have found that setting the
define("CHECK_SESSIONIP",1)
has fixed this issue for me.

pieffebi 2015-04-29 11:29:00 UTC #13

This thing remains a mistery to me.

The weird behavior I got seemed insensitive to the changes I made in the config.php.
For instance it did not seem to depend on the value of CHECK_SESSIONIP.

Yesterday night nothing worked. I restored my original config.php and went to bed.
This morning everything works again.

My conclusion is that the problem did not depend on any change I might have introduced in my config.php (anyway they were really minimal, and affected only the management of the bounces).

I assume it was a problem with my server, although I find strange that susandiaz34 (and perhaps danwaterloo) are experiencing the same problem at the same time (which, by the way, is more or less coincident to this big change in the php forum....)

I doubt that our phplists are "linked" to a central server. Or are they?

danwaterloo 2015-04-29 12:06:26 UTC #14

The only reason that phpList would require you to login is if it thought you were not logged in.
I believe it uses cookies and session ids to determine if you're logged in.
My theory is that somehow those session ids are either lost or regenerated by the server, and the session id on your client machine gets out or sync with the server's session id.

When I've set the sesion id = 1, that problem has always gone away.

It could be that your situation was different, and just required a server reboot, or some kind of reset like that, which only your hosting company would know for sure what they did.

Interesting question on whether we all connect to the 'mother ship'.... we can plumb those depths some other day

danwaterloo 2015-07-15 15:47:27 UTC #15

I'd also suggest setting this in your config.php file... it puts the session in a database table... that might help...

# you can store sessions in the database instead of the default place by assigning
# a tablename to this value. The table will be created and will not use any prefixes
# this only works when using mysql and only for administrator sessions
$SessionTableName = "phplistsessions";

phpvdn 2017-06-21 16:03:36 UTC #16

Setting $SessionTableName = "phplistsessions"; in the config file worked for me.

back to phpList.org