Topic: login repeats with every click

Hi FA forum!
I just did an update from 2.4.10 to 2.4.11
2.4.10 was working just fine

FA is running on Debian 11 on a VirtualBox VM

I can get logged in OK
but now every time I click on a new menu item I get kicked back to the login screen

but if I log in from localhost it doesn't do that, FA works fine

Probably some hiccup with VirtualBox.

Any tips appreciated.

Merry Christmas 2021!

Re: login repeats with every click

Sometimes this happens if you host it on a web server and try to access it over an unstable internet connection.

Sometimes it happens at the browser cookie or session level. So clear the cache and try again.

Sometimes it happens at the program level. The PHP version also sometimes causes a bug during creation of the session.


Re: login repeats with every click

Thank you, kvvaradha, for your feedback.
I'll have a try at those suggestions.

The browsers, I did try 3 different ones and got the same results.
I put 2.4.10 back in and it started working fine again.

Thanks Again and Merry Christmas 2021!

Re: login repeats with every click

I am facing the same problem here. Yesterday I upgraded to 2.4.11 and since then it has redirected me to the login page. Version 2.4.10 seems fine.

5 (edited by notrinos 12/23/2021 02:56:44 pm)

Re: login repeats with every click

The problem comes from this commit: https://github.com/FrontAccountingERP/F … 07ada68667
Anyone who faces the same issue after upgrading FA to 2.4.11 can fix it by rolling back the file session.inc to the state it was in before the commit.
Or just replace the session.inc with this file:
https://raw.githubusercontent.com/Front … ession.inc

Phuong

Re: login repeats with every click

Thanks notrinos!
Looks like that works.

Re: login repeats with every click

notrinos wrote:

The problem comes from this commit: https://github.com/FrontAccountingERP/F … 07ada68667
Anyone who faces the same issue after upgrading FA to 2.4.11 can fix it by rolling back the file session.inc to the state it was in before the commit.
Or just replace the session.inc with this file:
https://raw.githubusercontent.com/Front … ession.inc

Great, it works

Re: login repeats with every click

It worked. Great. Thank you, notrinos.

Re: login repeats with every click

I recently made a fresh install and session.inc created continuous timeouts with redirects to the login page (Ubuntu 20.04, PHP 7.4 as well as PHP 8.0, FA 2.4.11). I was looking for hours at sessions with webservers and cookies but finally notrinos found the real culprit. Thanks.

WORKS:
$Session_manager->sessionStart('FA'.md5(dirname(__FILE__)));

CONTINUOUSLY TIMES OUT SESSIONS:
$Session_manager->sessionStart('FA'.md5(dirname(__FILE__)), 0, '/', null, True);

Re: login repeats with every click

@joe: This needs to be automagically set based on PHP version or by a server wide config variable.

Re: login repeats with every click

Hello guys,

Thanks for reporting this issue.

I have asked Itronics to look into it and fix something.

Joe

Re: login repeats with every click

This change was introduced to enforce secure sessions in FA, so all works as expected if FA is accessed via https.
For rare situations when https is not available, an additional configuration value could be handy, so we have added it.
Now, if you know what you are doing, you can switch off https cookie enforcement in session.inc.
Unfortunately this option cannot be added in sysprefs/config.php because the settings are not available before the session is started.
J.
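
A way to confirm this cause from a captured response, as an added example that is not FrontAccounting code: browsers return a cookie marked Secure only over https, so a session cookie issued with that flag on a plain-http page is never sent back and each click starts a new session. The function names, URL and header lines are constructed for illustration.

```php
<?php
// Added example, not FrontAccounting code; function names are hypothetical.

// Parse one Set-Cookie header value into its name and a lower-cased attribute map.
function parse_set_cookie(string $value): array
{
    $parts = array_map('trim', explode(';', $value));
    [$name] = explode('=', array_shift($parts), 2);
    $attrs = [];
    foreach ($parts as $p) {
        if ($p === '') {
            continue;
        }
        $kv = explode('=', $p, 2);
        $attrs[strtolower($kv[0])] = $kv[1] ?? true; // flag attributes have no value
    }
    return ['name' => $name, 'attrs' => $attrs];
}

// Names of cookies that carry the Secure flag although the page was fetched over http.
function secure_cookies_on_http(string $url, array $headerLines): array
{
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'http') {
        return []; // over https a Secure cookie is returned normally
    }
    $hits = [];
    foreach ($headerLines as $line) {
        if (stripos($line, 'Set-Cookie:') !== 0) {
            continue;
        }
        $cookie = parse_set_cookie(trim(substr($line, strlen('Set-Cookie:'))));
        if (isset($cookie['attrs']['secure'])) {
            $hits[] = $cookie['name'];
        }
    }
    return $hits;
}

// Constructed sample: response headers captured from a login page served over http.
$sample = [
    'HTTP/1.1 200 OK',
    'Set-Cookie: FA0123456789abcdef=abc123; path=/; secure; HttpOnly',
    'Content-Type: text/html',
];
print_r(secure_cookies_on_http('http://192.0.2.10/fa/index.php', $sample));
```

A non-empty result means the login loop is the cookie flag at work, not a browser cache or PHP session storage problem.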

Re: login repeats with every click

It is then better not to be hardcoded as a define but dynamically computed if https is in the URL. As it stands after the current commit, we still need to set the define manually.

Re: login repeats with every click

Effective workaround to use the newer commit only for https and not for http:

Replace hardcoded line 14 of includes/session.inc:

define('SECURE_ONLY', true);

to be

// REQUEST_URI normally holds only the path, with no scheme, so test $_SERVER['HTTPS'] instead
define('SECURE_ONLY', (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'));

This way newer installs will not break when not using https. The last few times, the released versions seem to have had some showstopper for existing users. This will only make existing users, especially on legacy systems, not upgrade, as that would warrant "consultant costs". FA should herd and retain its flock as that is where the network wealth of the project lies - bulk satisfied standard users who can upgrade at least in minor versions safely.

Re: login repeats with every click

Recognising http vs https is how it worked before the change. But this means that once logged in to your installation via http, it will be selected always on later logins (unless there is automatic http>https redirection). Logging in via http means sending the password in plain text, which is completely insecure and should be avoided if possible.
IMO user safety should be prioritized when dealing with sensitive data (like accounting), so sending cookies only via a secure channel is just a better default policy. The admin's choice to lower security now has to be made as a conscious decision, and should not depend on arbitrary ISP server settings.
J.

Re: login repeats with every click

On http call, a check if https exists and if so an appropriate https redirection in FA would be good.
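
One way to combine the positions in this thread, as an added example that is not FrontAccounting's code: keep the session cookie Secure by default, redirect plain-http requests to https, and allow insecure sessions only through an explicit opt-out. The constants, function names and host are hypothetical, and the example assumes an https listener exists on CANONICAL_HOST.

```php
<?php
// Added example, not FrontAccounting code. Every name here is hypothetical.
const ALLOW_INSECURE_SESSION = false;    // explicit admin opt-out for sites with no https
const TRUST_FORWARDED_PROTO  = false;    // true only behind your own TLS-terminating proxy
const CANONICAL_HOST = 'fa.example.org'; // placeholder; do not build redirects from the Host header

function request_is_https(array $server): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return TRUST_FORWARDED_PROTO
        && strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

// Decide what to do before any session is started.
function session_plan(array $server): array
{
    if (request_is_https($server)) {
        return ['action' => 'start', 'secure' => true];
    }
    if (ALLOW_INSECURE_SESSION) {
        return ['action' => 'start', 'secure' => false];
    }
    $uri = $server['REQUEST_URI'] ?? '/';
    if (strncmp($uri, '/', 1) !== 0) {
        $uri = '/'; // keep only origin-relative paths
    }
    return ['action' => 'redirect', 'location' => 'https://' . CANONICAL_HOST . $uri];
}

$plan = session_plan($_SERVER);
if ($plan['action'] === 'redirect') {
    header('Location: ' . $plan['location'], true, 301);
    exit;
}
session_set_cookie_params([          // array form needs PHP 7.3+
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => $plan['secure'],
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();
```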