Dirk: summarizing troubleshooting tips when the (re-)authentication doesn't work

2010-11-27T17:07:33Z

summarizing troubleshooting tips when the (re-)authentication doesn't work

New page

To protect against so-called Cross Site Request Forgery (CSRF) attacks, Geeklog 1.5.0 introduced a [[CSRF Protection|security token]] that is attached to each request on an Admin screen. In Geeklog 1.7.0, we then added an option to [[Re-Authentication for expired Tokens|re-authenticate]] in case the token has expired.

If you're running into the problem that either
* changes to a story, block, configuration option, etc. do not seem to be saved
* you try to save a change but get a form that asks you to re-authenticate (even though it took you less than 20 minutes to make your change)
then please check the following settings:

=== Theme up to date? ===
The security token has to be embedded in each form. This required theme changes. So if you are using a theme that was made for an older version of Geeklog, you will be unable to save your changed.

Try switching to the Professional theme that shipped with your Geeklog version. If that fixes your problem, you need to update your theme.

=== Referrers not sent? ===
The so-called referrer (part of a standard HTTP header) is embedded in the security token. If it does not match, the token is considered to be invalid.

Check your browser settings to make sure it's sending a referrer. Some browsers offer a "safe browsing mode" or "surf anonymously mode" that is not sending referrers. Try switching that off.

Also, some routers and firewalls will filter referrers. Try disabling such an option.

==== Referrer Test Script ====

Here's a small script to test the referrer:

<pre>
<?php

echo '<html><body>';
if (!empty($_SERVER['HTTP_REFERER'])) {
echo '<p>Referrer: ' . $_SERVER['HTTP_REFERER'] . '</p>';
}
echo '<p><a href="ref.php">Click me!</a></p>';
echo '</html></body>';

?>
</pre>

Save this piece of PHP code in a file <tt>ref.php</tt>, upload it to your site (into Geeklog's <tt>public_html</tt> directory) and call it up in your browser. When you click on the text "Click me!", it should display the URL that you just used to call up the script. If it doesn't then referrers are not working as expected.

=== ServerName ===

If you're using an Apache webserver, make sure that the <tt>ServerName</tt> directive in Apache config is set correctly, i.e. to the name of the webserver.

For example, if it is set to "localhost" (a common setting) but you call up your site under "example.com", then the referrer won't match.

=== Known Issues ===

==== OpenID ====

Re-authentication does '''not''' work for users that authenticate against OpenID (it does, however, work with other remote authentication modules like LDAP and LiveJournal).

==== localhost on Mac OS X ====

When using a server running as localhost on Mac OS X, the recreated request may fail due to the current IP address being ::1 in the session but 127.0.0.1 in the recreated request.

'''Solution:''' Use the machine's Bonjour name (''xxx''.local) instead of localhost.

== Also See ==

Related discussions in the geeklog.net forums:

* http://www.geeklog.net/forum/viewtopic.php?showtopic=83649
* http://www.geeklog.net/forum/viewtopic.php?showtopic=90835
* http://www.geeklog.net/forum/viewtopic.php?showtopic=85678

Troubleshooting Authentication Problems - Revision history

Dirk: summarizing troubleshooting tips when the (re-)authentication doesn't work