Cannot Log Out - Corrupt User

Found a bug? Tell us!!
johnywhy
Regular
Posts: 23
Joined: Tue Sep 23, 2008 11:29 pm

Cannot Log Out - Corrupt User

Post by johnywhy »

I installed with username admin.

Then i CHANGED the admin username to johnw, and i changed its password as well

then, johnw could not log out.

i changed johnw back to admin, and changed the password back as well.

now admin can log out.

then i created a NEW user named johnw.

johnw cannot log out.
johnywhy
Regular
Posts: 23
Joined: Tue Sep 23, 2008 11:29 pm

Post by johnywhy »

when johnw logs out, he gets the logged out screen, but on returning to the blog public page, it shows that he's still logged in. Then switching to the admin screen, johnw is still logged in.
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking »

Hi!

Congratulations for quad posting:

1. here on the forums
2. On the SF.net bugtracker
3. On the SF.net mailinglist (twice)
4. to me privately

You forgot to post it another time as a PM to me on the forums. ;-)

I replied to you via email: This should be a cookie issue, because when you use the 'remember login' functionality s9y stores a cookie that might not get properly purged when you change the username+password of the user as you are currently logged in. In that case one might need to clear his cookies to resolve this situation.

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
johnywhy
Regular
Posts: 23
Joined: Tue Sep 23, 2008 11:29 pm

Post by johnywhy »

drat, i can't believe i forgot to post a pm to you.

we'll never know if it was a cookie issue, because i reinstalled serendipity.

thanks for the response!
johnywhy
Regular
Posts: 23
Joined: Tue Sep 23, 2008 11:29 pm

Was Cookies!

Post by johnywhy »

well, well, it happened again.

clearing cookies fixed it.

this IS a bug, right? no other software i use requires me to clear cookies every time i want to log out.
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: Was Cookies!

Post by garvinhicking »

Hi!

Yes, this is a bug, however a very tricky one. The login management is very complex and grew over the years. Changing the mechanism could lead to much more serious bugs, and I have not yet found the place where this happens.

If some developer can give a helping hand in finding it, this would be much appreciated. I currently need to focus my time on other aspects of s9y that have higher impacts on the user -- this bug should only occur rarely in real-life situations, and since there is a workaround it is not high-priority for me at the moment.

Best regards,
Garvin
judebert
Regular
Posts: 2478
Joined: Sat Oct 15, 2005 6:57 am
Location: Orlando, FL

Post by judebert »

Hey, I'm supposed to be good at debugging, right? Let's see what I can do.

johnywhy, I can't duplicate your problem on any of my sandbox servers. If I could, then I would do all the editing and such myself, instead of asking you to edit files and try things out. If you're willing, I'll walk you through the edits so we can see what's going wrong.

First, the background. When you click the LOGOUT link, s9y should call serendipity_logout. That sets a session variable indicating that we're logged out, destroys the session, and deletes the cookies.

In your case, it appears the cookies aren't being deleted. Possibly the session isn't being destroyed, either, but we'll cover that only if we must. First, we'll want to verify that your cookies aren't deleted, and make sure it's a Serendipity problem.

Before we can start, we'll want to make sure you're using a recent s9y version. Update to 1.3 or better.

The idea was going to be: verify you don't have serendipity[author_information] and serendipity[author_token] cookies. Log in, verify the cookies are set. Log out, verify the cookies are deleted. But my local Firefox browser doesn't delete the cookies, either, and I don't have your problem. It must be a session problem.

Instead, let's try this: log in. Delete the author_token cookie. Do you get logged out? Log in again; delete the PHPSESSION cookie. Do you get logged out?

Do you know how to access the session directory on your webhost? We'll probably need to go there next.
Judebert
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking »

Hi!

Just a quick question: Are you using "localhost" for your blogdomain? Localhost can cause trouble with setting/clearing cookies. If you can, use your IP to install/use serendipity.

HTH,
Garvin
raigl
Regular
Posts: 12
Joined: Sat Jun 09, 2007 9:55 am
Location: Paderborn, Germany

Login with different user

Post by raigl »

I have a problem that seems to me to have the same origin:

If I logged in as e.g. the admin user, logged out, and tried to log in as another user (e.g. with fewer privileges, or to help someone) I get logged in again as the previous admin user.

The cookies for Session and author etc still exist after logout.

And, which is worse, anybody can log in with whatever login data; i.e. the logout does not work at all!

Version 1.3.1, freshly installed yesterday; Firefox 2.0.0.16
raigl
Regular
Posts: 12
Joined: Sat Jun 09, 2007 9:55 am
Location: Paderborn, Germany

Re: Login with different user

Post by raigl »

raigl wrote: The cookies for Session and author etc still exist after logout.

This seems to be caused because I used a two-level domain (progruen-pb.de) instead of a three-level domain; see also
http://board.s9y.org/viewtopic.php?p=57349#57349

Currently I am checking this.
raigl
Regular
Posts: 12
Joined: Sat Jun 09, 2007 9:55 am
Location: Paderborn, Germany

Re: Login with different user

Post by raigl »

raigl wrote: This seems to be caused because I used a two-level domain

Confirmed, this was a two level domain problem.

So I have set the three-level domain www.progruen-pb.de under settings as home, and disabled the automatic host discovery.
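
Why a logout response can leave the login cookie in place, as an added example that is not part of the thread and not Serendipity code: a browser removes a cookie only when the expiring Set-Cookie carries the same name, domain and path as the stored one. The host example.org, the path /admin/ and the cookie value are constructed, and the thread does not establish that this is what happened on the sites discussed here.

```javascript
// Simplified model of browser cookie storage (RFC 6265, section 5.3).
// A stored cookie is identified by (name, domain, path); a deletion only
// works if the expiring Set-Cookie produces exactly the same triple.
const domainMatches = (host, domain) =>
  host === domain || host.endsWith('.' + domain);
const pathMatches = (reqPath, cookiePath) =>
  reqPath === cookiePath ||
  (reqPath.startsWith(cookiePath) &&
    (cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/'));

class CookieJar {
  constructor() { this.store = new Map(); }

  // Apply one Set-Cookie from `host`. attrs: { domain, path, expired }.
  // Simplification: a missing Path defaults to "/" instead of the request directory.
  setCookie(host, name, value, attrs = {}) {
    const hostOnly = !attrs.domain;
    const domain = (attrs.domain || host).replace(/^\./, '').toLowerCase();
    const path = attrs.path || '/';
    if (!domainMatches(host, domain)) return 'rejected'; // foreign domain
    const key = JSON.stringify([name, domain, path]);
    if (attrs.expired) return this.store.delete(key) ? 'removed' : 'no-match';
    this.store.set(key, { name, value, domain, path, hostOnly });
    return 'stored';
  }

  // Names of the cookies that would be sent with a request to host + path.
  cookiesFor(host, path) {
    return [...this.store.values()]
      .filter(c => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
      .filter(c => pathMatches(path, c.path))
      .map(c => c.name);
  }
}

// Constructed scenario: login sets the token for example.org, then the logout
// response tries to expire it using `deleteAttrs`.
function logoutScenario(deleteAttrs) {
  const jar = new CookieJar();
  const token = 'serendipity[author_token]';
  jar.setCookie('www.example.org', token, 'constructed-value',
    { domain: 'example.org', path: '/' });
  const result = jar.setCookie('www.example.org', token, '',
    { ...deleteAttrs, expired: true });
  const stillSent = jar.cookiesFor('www.example.org', '/admin/').includes(token);
  return { result, stillSent };
}

console.log(logoutScenario({ domain: 'example.org', path: '/' }));
console.log(logoutScenario({ path: '/' }));
console.log(logoutScenario({ domain: 'example.org', path: '/blog/' }));
```

Only the first call, where the deletion repeats the Domain and Path used at login, removes the cookie; in the other two the browser keeps sending the old token, so a server that trusts it alone still sees a logged-in user.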
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: Login with different user

Post by garvinhicking »

Hi!

I don't understand. s9y works fine with two-level domains, I use it on garv.in with no problems...

Regards,
Garvin
raigl
Regular
Posts: 12
Joined: Sat Jun 09, 2007 9:55 am
Location: Paderborn, Germany

Re: Login with different user

Post by raigl »

garvinhicking wrote: I don't understand. s9y works fine with two-level domains, I use it on garv.in with no problems...

Well, I just tried again, and it still fails on my site (PHP 4.4.9) - under not yet fully explored situations.

I will report to the bug / developer blog when I have found out the exact reason and conditions.

Otherwise, Serendipity works fine without problems.