Comments on LnBlog 0.9.0 beta 1

  1. beta1 test

    Peter,

    I've installed 0.9.0beta in its own test directory; some success (subdomains function flawlessly), but also some very basic issues I somehow blame on rights issues, but I'm not yet sure how to solve them without making everything world writeable (which I'd rather like to avoid). I'd like to use the second option for file permissions, but seem to make some mistake:

    After I configured LnBlog and created a blog, I can administer the blog, but I can't reach LnBlog's administration panel. If I click the link (site administration), I get a login mask, when I log in there, I get referred back to the blog (the page I was previously viewing), but actually am logged *out*. To make this clear: I see every setup option I saw when I was logged in, but not the menu, just the page contents (like the blog's settings).

    Whatever happens here, am I right to think it's an issue with file permissions?

  2. Hard to say

    Hmm.... It *could* be file permissions, but for login problems, I would guess it's a cookie issue. Are the blog and the LnBlog directory on the same subdomain?

    First, let me get this straight. Your problem is:
    1) You log into the blog and everything works.
    2) You go to the main admin page and are prompted for a login.
    3) You get redirected back to the blog, but you have no administration section in the sidebar, i.e. you're logged out.

    After this, if you type the admin page URL into the address bar directly, are you still logged in there?

    The redirect from the admin login page back to the blog is my fault. That page assumes that your login has expired and redirects you back to the referer. If, for some reason, you need to log in again, it doesn't account for that. I'll have to fix that.

    As for the login/logout, try checking your cookies or deleting them and trying again. The relevant cookies are named uName and uHash. I'm wondering if maybe the domain or path on them is wrong. They should be .yourdomain.com and / for the path. If you have any login options set in userconfig.cfg or userconfig.php (e.g. AUTH_USE_SESSION or LOGIN_EXPIRE_TIME), you might try unsetting those.

  3. Plausible

    I'll check the cookies and report back - since I have the LnBlog installation (still 0.8.1) on the same server, it's very probable that there'll be contradictions (it's a different subdomain, though). I'll be back with more information tomorrow.

  4. Long time since...

    Okay, I rechecked; the problem is that by logging into the admin panel OR the blog, I promptly get logged out from the other. Both function in their own right, but as an administrator of both, I seem to have two ways of access that exclude each other. It's consistent on all systems I tried it on, so it's got to have something to do with the installation. Cookies don't seem to be involved at all as far as the problem goes, though (I accessed from different systems, different browsers, and most of them get automatically reset any time the machines are booted - so, no cookies in the cache...). Except maybe that they don't get set - I did neither disable nor reject cookies from my site, but those you describe aren't there. I also accessed the blog from a freshly installed machine - same behaviour. And I didn't adjust the blog yet, so userconfig.cfg has no part in this (yet).

    I don't know if this rambling helps - I can clarify if need be...

  5. That's a weird one

    That is very strange. Authentication is all cookies and sessions, so if you're starting with clean cookies, it's hard to see how a problem like this could persist. I can't replicate that, either on my local machine or on my host, so I'm just going to throw out some ideas and information here.

    It might be a problem if you have the blog and your LnBlog installation on different subdomains. If that's the case, it's possible that the cookies are clobbering each other, or that it's getting the cookies from the old version. I've managed to foul up my logins by experimenting with that. But if that were the case, deleting the cookies or switching to a different browser should fix it.

    As far as logins go, it's all just cookies and sessions. The only other thing that's required is that PHP be able to read your user files. LnBlog doesn't write anything to the server for login - the only thing that gets written is PHP's session data.

    You could always try setting AUTH_USE_SESSION = true in your userconfig.cfg and see if that makes a difference. That uses a slightly different authentication scheme, so it might be worth a shot. And, of course, it never hurts to crank up PHP's error_reporting to E_ALL, just in case there's an error message you're not seeing.

    Just for completeness, and in case it gives you any ideas, here's how LnBlog handles authentication. There are two modes: one that uses PHP sessions and one that just uses cookies. The session mode is arguably more secure, but will cause your login to time-out when the session expires.

    The session mode is enabled when AUTH_USE_SESSION is enabled in userconfig.cfg and this writes three cookies: uName, lToken, and lastLTime. In this mode, the lToken is an authentication token based on the time you log in and your IP address, so when the server loses your login time, your login expires. In the non-session mode, which is the default, the cookies are uName and uHash. In this mode, the uHash is an authentication token based on your password hash and your IP address, so the login can last indefinitely.

    The cookies are all set to use '/' as the path. Also, if you gave a domain name in your initial setup, i.e. enabled subdomain support, then the cookie domain is set to your entire domain, such as ".skepticats.com", so that it is accessible to all subdomains.
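
The cookie scoping described in comment 5, as an added example that is not part of the original thread and is not LnBlog's code: it applies the browser's domain-match and path-match rules (RFC 6265) to show which of the uName/uHash cookies reach a blog on a subdomain and an admin page in a subdirectory of the main domain. The hosts blog.example.com and example.com/lnblog/ and all function names are constructed for illustration.

```javascript
// RFC 6265 section 5.1.3: does the request host match the cookie's scope?
// (Simplified: assumes host names, not IP addresses.)
function domainMatches(requestHost, cookie) {
  const host = requestHost.toLowerCase();
  if (!cookie.domain) {
    // No Domain attribute: host-only cookie, sent only to the host that set it.
    return host === cookie.setByHost.toLowerCase();
  }
  // A leading dot in the Domain attribute is ignored by the browser.
  const domain = cookie.domain.toLowerCase().replace(/^\./, '');
  return host === domain || host.endsWith('.' + domain);
}

// RFC 6265 section 5.1.4: the cookie path must be a prefix of the request
// path that ends on a '/' boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Names of the cookies in `jar` that a browser would attach to `url`.
function cookiesSentTo(url, jar) {
  const { hostname, pathname } = new URL(url);
  return jar
    .filter(c => domainMatches(hostname, c) && pathMatches(pathname, c.path))
    .map(c => c.name)
    .sort();
}

// Constructed sample: blog on a subdomain, LnBlog admin in a subdirectory.
const BLOG = 'http://blog.example.com/';
const ADMIN = 'http://example.com/lnblog/index.php';

// Cookies as set after logging in on the blog, with subdomain support enabled.
const domainWide = [
  { name: 'uName', domain: '.example.com', path: '/', setByHost: 'blog.example.com' },
  { name: 'uHash', domain: '.example.com', path: '/', setByHost: 'blog.example.com' },
];
// The same cookies without a Domain attribute (no domain given at setup).
const hostOnly = domainWide.map(c => ({ ...c, domain: null }));

function visibility(jar) {
  return { blog: cookiesSentTo(BLOG, jar), admin: cookiesSentTo(ADMIN, jar) };
}

console.log('domain-wide:', visibility(domainWide));
console.log('host-only:  ', visibility(hostOnly));
```
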

  6. Subdomains

    I think the subdomain trace might actually be it; I've never worked with the subdomain feature before, and the blog actually has its own subdomain whereas LnBlog has not (just a subdirectory). The explanation actually might be that simple - I'll do a reinstallation omitting subdomain setting to look into that. The only strange thing that remains is that actually I didn't find any of those cookies yet - don't know why yet; but I'll have another go to see if the main issues can be fixed. However, this leads to the question if a blog on a subdomain should actually show the Site Administration link in its menu when logged in as site administrator. It actually doesn't have to, if you ask me... but then again, it'd be nice to have it.

  7. I agree, but...

    I agree, the subdomain blogs don't really *have* to show the administration link. But on the other hand, half the point of adding subdomain support is that it's a unified installation, so the same login should work the same on every subdomain.

    The cookie thing doesn't make any sense to me, though. If you don't have the cookies, then you shouldn't be logged in. It's that simple. They might be set for the subdomain or for the main domain, but if you're logged in, they should be there. I have no idea how you could be logged in without them.

  8. Reinstallation needed

    I'll do a complete reinstallation - actually, two of them, using beta2; the whole affair could well be due to a server quirk, so I'm doing one with a subdomain, one without, just to check. I'll report back next week (or maybe as early as Thursday night if I can manage to get some time away from ongoing stuff).

    I think you're on the right track with the whole thing, my proposal was just a weak attempt at solving a self-caused problem (at least most probably) ;)
