Troubleshooting Authentication Problems

From GeeklogWiki

To protect against so-called Cross Site Request Forgery (CSRF) attacks, Geeklog 1.5.0 introduced a security token that is attached to each request on an Admin screen. In Geeklog 1.7.0, we then added an option to re-authenticate in case the token has expired.

If you're running into the problem that either

  • changes to a story, block, configuration option, etc. do not seem to be saved
  • you try to save a change but get a form that asks you to re-authenticate (even though it took you less than 20 minutes to make your change)

then please check the following settings:


Theme up to date?

The security token has to be embedded in each form, which required changes to the themes. So if you are using a theme that was made for an older version of Geeklog, you will be unable to save your changes.

Try switching to the Professional theme that shipped with your Geeklog version. If that fixes your problem, you need to update your theme.

Referrers not sent?

The so-called referrer (sent by the browser as the standard HTTP Referer header) is embedded in the security token. If the referrer of the request does not match the one in the token, the token is considered to be invalid.

Check your browser settings to make sure it's sending a referrer. Some browsers offer a "safe browsing mode" or "surf anonymously mode" that does not send referrers. Try switching that off.

Also, some routers and firewalls will filter referrers. Try disabling such an option.

Referrer Test Script

Here's a small script to test the referrer:

<?php

// Print the Referer header (if any) so that you can check whether your
// browser, router or firewall passes it on. The header value is escaped
// before output so that this test page cannot be used to reflect markup.
echo '<html><body>';
if (!empty($_SERVER['HTTP_REFERER'])) {
    echo '<p>Referrer: ' . htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES, 'UTF-8') . '</p>';
}
echo '<p><a href="ref.php">Click me!</a></p>';
echo '</body></html>';

?>

Save this piece of PHP code in a file ref.php, upload it to your site (into Geeklog's public_html directory) and call it up in your browser. When you click on the text "Click me!", it should display the URL that you just used to call up the script. If it doesn't, then referrers are not working as expected.

ServerName

If you're using an Apache webserver, make sure that the ServerName directive in Apache config is set correctly, i.e. to the name of the webserver.

For example, if it is set to "localhost" (a common setting) but you call up your site under "example.com", then the referrer won't match.
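To make the checks described on this page concrete, here is an added example of a CSRF token that is bound to the session and to the Referer host and that expires after 20 minutes. It is not Geeklog's own implementation: the function names, the session keys (csrf_token, csrf_created) and the $expectedHost parameter are assumptions made for this illustration. The four constructed calls at the end reproduce the situations from the sections above: a normal request, a request without a Referer (anonymous browsing mode or a filtering router), a ServerName that does not match the host the site is reached under, and a token older than 20 minutes.

```php
<?php
// Added example, not Geeklog's code. Session keys, function names and
// $expectedHost are assumptions for this illustration.

const TOKEN_LIFETIME = 20 * 60; // seconds; the 20-minute window mentioned above

// Create a random token and remember it, together with its creation time,
// in the (array-based, constructed) session so expiry can be enforced later.
function createToken(array &$session): string
{
    $token = bin2hex(random_bytes(16));
    $session['csrf_token'] = $token;
    $session['csrf_created'] = time();
    return $token;
}

// Return the lower-cased host part of a Referer URL, or null when the
// header is missing or unparseable (browser, router or firewall stripped it).
function refererHost(?string $referer): ?string
{
    if ($referer === null || $referer === '') {
        return null;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : null;
}

// Validate a submitted token. Returns one of: 'ok', 'missing', 'mismatch',
// 'expired', 'no-referer', 'referer-host'. A caller would show the
// re-authentication form for 'expired' and a diagnostic for the others.
function checkToken(array $session, ?string $submitted, ?string $referer, string $expectedHost, int $now): string
{
    if ($submitted === null || empty($session['csrf_token'])) {
        return 'missing';
    }
    // Constant-time comparison so the check does not leak token bytes via timing.
    if (!hash_equals($session['csrf_token'], $submitted)) {
        return 'mismatch';
    }
    if ($now - (int) $session['csrf_created'] > TOKEN_LIFETIME) {
        return 'expired';
    }
    $host = refererHost($referer);
    if ($host === null) {
        return 'no-referer';
    }
    // The host the site is reached under must match the server's own name
    // (what Apache's ServerName directive is set to).
    if ($host !== strtolower($expectedHost)) {
        return 'referer-host';
    }
    return 'ok';
}

// Constructed demonstration of the cases described on this page.
$session = [];
$token   = createToken($session);
$now     = $session['csrf_created'];
$referer = 'http://example.com/admin/story.php';

// Same host, fresh token.
echo checkToken($session, $token, $referer, 'example.com', $now), "\n";
// Browser in "anonymous" mode or a filtering router: no Referer header at all.
echo checkToken($session, $token, null, 'example.com', $now), "\n";
// Apache ServerName set to "localhost" while the site is reached as example.com.
echo checkToken($session, $token, $referer, 'localhost', $now), "\n";
// More than 20 minutes elapsed since the token was issued.
echo checkToken($session, $token, $referer, 'example.com', $now + 21 * 60), "\n";
```

Binding the token to the session and checking the creation time server-side, rather than trusting a timestamp inside the token, is the design point here: a stale or foreign token is rejected regardless of what the client sends, and the Referer host check is what turns a mismatched ServerName into a rejected request.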

Known Issues

OpenID

Re-authentication does not work for users that authenticate against OpenID (it does, however, work with other remote authentication modules like LDAP and LiveJournal).

localhost on Mac OS X

When using a server running as localhost on Mac OS X, the recreated request may fail because the IP address recorded in the session is ::1 while the recreated request arrives from 127.0.0.1.

Solution: Use the machine's Bonjour name (xxx.local) instead of localhost.

Also See

Related discussions in the geeklog.net forums:
