Tiny Tiny RSS: Community

Can not log in my tt-rss site now


#21

Sorry, wasn’t my intention. Still learning git, but this was very educational :slight_smile:


#22

nothing hard about it,

  1. press f12 when tt-rss login screen is open so that error console opens
  2. try to login
  3. see if there’s anything yellow or red in the log window that opens below or at the side of screen

#23

Like this?


#24

PHP 5.6.38
mysql 5.6.41

only console warning/error I get on the login page when it’s not working is:
[Deprecation] Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user’s experience. For more help, check https://xhr.spec.whatwg.org/.


#25

thanks guys but neither of those things should break anything

i guess i’ll have to get php5 running and check there because so far i haven’t been able to reproduce anything


#26

thumbs up
Thanks for looking at it no matter what. If we can provide any other info just say the word.


#27

This may help:

I just updated as well (several changesets) and am able to sign in, but the session times out within 30 seconds to 1 minute and I have to sign in again.


#28

times out how? any errors? there’s not much here to go on tbh.


#29

The session times out, i.e. it automatically goes back to the sign in page.

The error on the sign in page when it re-appears reads:

Session failed to validate.


#30

well, it doesn’t time out then, it fails to validate.

either your IP address changes (as reported by your web server) or your user agent (for whatever unknown reason), both of those are now checked for sessions.


#31

alright, i think i managed to reproduce this (the thread issue i.e. BLANK login form with no errors) in an old debian VM with php 5.6 and mysql.


#32

The IP address & user agent are unchanged.

The IP address is using Wi-Fi using a static IP address, and I am not changing the user agent.

Is there a way to disable both checks?


#33

there’s a separate thread about this specific thing you’re having on the forum front page, how about you post there instead?

anyway, re: thread issue

this should probably help. git pull, etc.


#34

I can confirm the issue on opensuse 42.3 with php 5.6 and mysql also here


#35

updated to 77aebd7e4a28ba10b07d8ec697cc84cc4a810777, it’s OK now.


#36

i’ve pushed some more changes which should properly enforce session ID regeneration while being compatible with php 5.x, report here if login process is wonky again.

FWIW i’ve tested on my old debian VM.


#37

I just updated and I noticed, the API is also affected. I can’t login at all with the Android app.

I really don’t see the point in IP verification. I personally am changing my addresses multiple times a day, so most likely I am going to disable it anyway. Do I have to just specify define('_SKIP_SESSION_ADDRESS_CHECKS', true)? Is this already documented? I can’t find it in the wiki.

e: defining this variable breaks tt-rss --> blank page
API Error msg:

E_USER_WARNING (512)	classes/api.php:84	Failed login attempt for conrad from xxx.xxx.xxx.xxx. classes/api.php(84): user_error(Failed login attempt for conrad from xxx.xxx.xxx.xxx, 512)
2. api/index.php(81): login()
session_regenerate_id(): Cannot regenerate session id - session is not active

#38

yeah the API should be fixed in the current changeset which moves stale session check to a different place.


#39

thanks! API is fixed, but how can I disable the IP-check?


#40

use that hidden tweakable you’ve already found, it’s why it’s there.

the point to those checks is to make it harder for a third party to hijack your login session if your session ID leaks somehow.

e: i just don’t understand this session_regenerate_id() stuff. on php 5.6 it doesn’t work properly if session is active, on php 7 it’s seemingly broken in the other direction. gah.
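
Added example, not part of the thread and not tt-rss's own code: a minimal PHP sketch of the checks discussed above, binding a session to the client IP and user agent and guarding session_regenerate_id() against the "session is not active" warning. The function names, the `$check_ip` switch and the sample requests are assumptions made for illustration; how tt-rss itself honours `_SKIP_SESSION_ADDRESS_CHECKS` is not shown in the thread.

```php
<?php
// Illustrative only; function names are hypothetical, not tt-rss APIs.

// Fingerprint of the client properties the session is bound to.
function client_binding($ip, $user_agent, $check_ip = true) {
    // Assumption: a skip flag (like the _SKIP_SESSION_ADDRESS_CHECKS tweakable
    // named in the thread) drops only the IP part and keeps the user-agent check.
    return hash('sha256', ($check_ip ? $ip : '') . "\n" . $user_agent);
}

// Called once credentials are verified: rotate the ID, then bind the session.
function bind_session_on_login(array &$session, $ip, $user_agent, $check_ip = true) {
    // session_regenerate_id() warns "session is not active" when called
    // before session_start(), so only rotate when a session really is open.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // true: discard the old session data
    }
    $session['binding'] = client_binding($ip, $user_agent, $check_ip);
}

// Called on every request; false corresponds to "Session failed to validate."
function validate_session(array $session, $ip, $user_agent, $check_ip = true) {
    if (!isset($session['binding'])) {
        return false;
    }
    // Constant-time comparison of stored and current fingerprints.
    return hash_equals($session['binding'], client_binding($ip, $user_agent, $check_ip));
}

// Constructed sample requests (documentation-range addresses, made-up agents).
$ua = 'Mozilla/5.0 (constructed)';
$session = array();
bind_session_on_login($session, '203.0.113.10', $ua);

var_dump(validate_session($session, '203.0.113.10', $ua));            // same client
var_dump(validate_session($session, '198.51.100.7', $ua));            // IP changed
var_dump(validate_session($session, '203.0.113.10', 'curl/8 (constructed)')); // UA changed

// With the IP check skipped, a client that roams between addresses stays valid.
$roaming = array();
bind_session_on_login($roaming, '203.0.113.10', $ua, false);
var_dump(validate_session($roaming, '198.51.100.7', $ua, false));
```

In a web request, pass `$_SESSION`, `$_SERVER['REMOTE_ADDR']` and `$_SERVER['HTTP_USER_AGENT']` in place of the constructed values, after session_start().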