Automatic admin login on incorrect username/password

vorr1234
Posts: 4
Joined: Fri Jul 20, 2007 1:49 am

Automatic admin login on incorrect username/password

Post by vorr1234 »

I was testing different user logins today and I have just noticed that if I enter a deliberately incorrect user name or password when I am logging in then it automatically logs me in as the administrator.

This is a major concern. What is going on??

Note that this happens under Firefox and not Explorer
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: Automatic admin login on incorrect username/password

Post by garvinhicking »

Hi!

Which serendipity version are you using? Which browser versions are you using, the recent ones?

This could happen if you previously logged in to serendipity with having the "Remember me" functionality enabled. Or it could also happen if you've got a custom .htaccess password protection on your blog.

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
vorr1234
Posts: 4
Joined: Fri Jul 20, 2007 1:49 am

incorrect login

Post by vorr1234 »

Yes I am using Firefox 2.02 and I have the remember me option set - both on the login page and also via Firefox. I still do not understand though that if I actually enter an invalid user name or password why are they ignored and an earlier admin username and password used instead?

My version of Serendipity is 1.1.3

cheers
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: incorrect login

Post by garvinhicking »

Hi!

Do you have any custom .htaccess modifications in place? Did you ever move serendipity to a different URL, or installed a second s9y installation on the same URL? Do you have any s9y authentication plugins installed? Can/Do you access your blog with more than one URL? (like http://s9y.yourblog/ and http://yourblog/s9y)

The login procedure has been reworked (for plugin reasons) in the serendipity 1.2-beta releases, so it might also be that your current problem might not exist in other versions. Login problems like yours could definitely be caused by issues stated above.

Best regards,
Garvin
vorr1234
Posts: 4
Joined: Fri Jul 20, 2007 1:49 am

Post by vorr1234 »

Do you have any custom .htaccess modifications in place?
- No

Did you ever move serendipity to a different URL, or installed a second s9y installation on the same URL?
- No

Do you have any s9y authentication plugins installed?
-No I have the following plugins installed -
1) Choose Language
2) Weather
3) Upcoming Events
4) Blog administration
5) Quick search
6) Quick Link


Can/Do you access your blog with more than one URL? (like http://s9y.yourblog/ and http://yourblog/s9y)
- No
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Post by garvinhicking »

Hi!
-No I have the following plugins installed -
That's a list of your sidebar plugins, can you list your event plugins as well?

Best regards,
Garvin
vorr1234
Posts: 4
Joined: Fri Jul 20, 2007 1:49 am

Post by vorr1234 »

Here are the event plug-ins

1) Markup: Serendipity
2) Markup: Emoticate
3) Markup: NL2BR
4) Browser Compatibility
5) Spam Protector
6) Spartacus
7) Link List
8) Tagging of entries
9) My Calendar
10) Multilingual entries
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Post by garvinhicking »

Hi!

Okay, none of these should cause it. I must assume that a misplaced cookie could be blocking your calls. Can you make sure your browser deletes all cookies that it has stored for your page, and then try to relogin?

I've never heard about this, and the only way that s9y is granting access is that there is some leftover cookie being submitted to your blog...

Best regards,
Garvin
Kibiyama
Regular
Posts: 7
Joined: Wed Jul 25, 2007 11:26 am

Post by Kibiyama »

Heh, strange. I just noticed the same problem with my blog. But it's not explicitly admin access with any password, it just logs you in as whatever you've logged in as before. So not quite as worrying. :lol:

Steps taken to recreate bug:
  • Login as anyone with correct password and "Save Information"
  • Log out
  • Go to serendipity_admin.php
  • We're magically still logged in!
Firefox 2.0.0.6
(this does not happen in IE7 or IE Tab 1.3.3.x for Firefox)

This happens to me with both my tweaked, embedded install and a fresh install on another server.

Serendipity 1.1.2 and PHP 4.3.11
as well as
Serendipity 1.1.3 and PHP 5.2.3

Removing either of these two cookies prevents the automatic login until the next time you log in with "Save Information":
serendipity[author_information]
serendipity[author_information_iv]

Think it's a problem with Firefox?
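
One way to check the behaviour reported above from the server side, as an added example that is not part of the original thread or of Serendipity's code: compare the Set-Cookie headers of the login and logout responses and report any remember-me cookie the logout does not expire with the same Domain and Path. The function names, the `/blog/` path and the header values are constructed for illustration, and the thread does not establish that a scope mismatch is the cause here.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Cookie names reported in the thread.
REMEMBER_ME = ("serendipity[author_information]",
               "serendipity[author_information_iv]")

def parse_set_cookie(header):
    # Hand-rolled: http.cookies rejects the '[' and ']' in these names.
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def scope(attrs):
    # Browsers key cookies on name + Domain + Path, so a deletion only
    # works if it repeats both. Missing Path is simplified to "/" here.
    return (attrs.get("domain", "").lstrip(".").lower(), attrs.get("path", "/"))

def is_expired(attrs, now):
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        return int(attrs["max-age"]) <= 0
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) <= now
    return False

def surviving_cookies(login_headers, logout_headers, now):
    """Remember-me cookies set at login that the logout response leaves alive."""
    cleared = set()
    for header in logout_headers:
        name, _, attrs = parse_set_cookie(header)
        if is_expired(attrs, now):
            cleared.add((name, scope(attrs)))
    return [name for name, _, attrs in map(parse_set_cookie, login_headers)
            if name in REMEMBER_ME and (name, scope(attrs)) not in cleared]

# Constructed sample headers (placeholder values, hypothetical /blog/ path).
NOW = datetime(2007, 8, 1, tzinfo=timezone.utc)
LOGIN = ["serendipity[author_information]=PLACEHOLDER1; Max-Age=2592000; Path=/blog/",
         "serendipity[author_information_iv]=PLACEHOLDER2; Max-Age=2592000; Path=/blog/"]
LOGOUT = ["serendipity[author_information]=; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/blog/",
          "serendipity[author_information_iv]=; Max-Age=0; Path=/"]  # wrong Path

if __name__ == "__main__":
    print(surviving_cookies(LOGIN, LOGOUT, NOW))
```
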
stm999999999
Regular
Posts: 1531
Joined: Tue Mar 07, 2006 11:25 pm
Location: Berlin, Germany
Contact:

Post by stm999999999 »

perhaps a "problem" about the FF function to keep the right access data in mind?

I think there was a similar question in the past.
Ciao, Stephan
Kibiyama
Regular
Posts: 7
Joined: Wed Jul 25, 2007 11:26 am

Post by Kibiyama »

stm999999999 wrote: I think there was a similar question in the past.
Did that question get answered? :P
stm999999999
Regular
Posts: 1531
Joined: Tue Mar 07, 2006 11:25 pm
Location: Berlin, Germany
Contact:

Post by stm999999999 »

did you try another firefox on another computer?

I think it could be FF knows the first correct login for you on this page (=admin) and every time you login with wrong parameters, FF automatically uses these right ones.
Ciao, Stephan
Michele2
Regular
Posts: 39
Joined: Mon Aug 06, 2007 11:19 pm

Post by Michele2 »

I downloaded my copy of Serendipity last week. What I'm seeing is that if I enter the URL for any of the pages for the admin area, including the login screen I am being taken directly to that page - don't even see the password prompt.

This is happening with FF. It does not happen with IE.

Remember me will cause this? How do I turn it back off?
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Post by garvinhicking »

Hi Michele!

In the backend, click on "Log out" in the menu, this should drop your cookies.

Else, configure your FF and view your stored cookies. There delete the cookies saved for your blog and login again.

Regards,
Garvin
Michele2
Regular
Posts: 39
Joined: Mon Aug 06, 2007 11:19 pm

Post by Michele2 »

I always "log out".

It would seem the cookies would have to be deleted every time I use my blog. While I use my own computer 99.9% of the time, I don't like having unfettered access to my blog dependent upon deleting cookies.

I seem to remember something similar happening with one of my other script driven sites and it was an issue with the .htaccess file. I've searched through their forum and can't find what it was that needed changing. Could this be a similar problem?