Okay, interesting. That "didn't make sense" to me on two fronts: 1) Why the SID didn't end up appended to the redirect URL in the first place; and 2) Why a redirect URL without the SID would have resulted in 401 rather than just returning you back to the login form again.
But I do see where phpBB's session_begin() has a failure path, specific to the /adm/index.php case, where if there isn't a SID in the URL, or if the SID in the URL doesn't match the SID phpBB learned from the "_sid" cookie, phpBB will set status 401 and redirect to index.php without any parameters.
I'm not positive that the necessary clues will be visible this way, but because I can't otherwise debug directly against your ACP login, I'm wondering if you can show this ACP login sequence from the perspective of Chrome's F12 "Network" tab. Meaning you would:
- Login to the site as a normal user first.
- Open Chrome's developer view by pressing F12.
- Switch to the "Network" tab within the developer tools.
- Ensure the "Preserve log" checkbox is set, so that the "Network" tab contents are not reset when you navigate to a new page.
- Use the "Clear" icon to clear the "Network" tab, if you have a previous attempt's entries still showing.
- Now without closing the F12 view, click on the ACP link to start the ACP login process.
- Now perform the complete login process, including the failure page after the login, and finally going back to the board index and successfully accessing the ACP using the ACP link.
- Once successfully viewing the ACP index page, now enter "index.php" in the filter/search box above the "Network" tab logged items.
This will give you a short list of just the index.php page load attempts, similar to what's shown in my successful ACP login here:
Yours will of course have additional entries, from the 401 and also from having to visit the board index again before entering the ACP successfully. But we want to see this list, specifically the status being returned at each step as well as the URL parameters at each step. The intention here is to try and catch that "maybe there was a redirect which included the new SID", but it failed for a different reason and ended up then hitting the session.php error path which returns 401 and no SID.
If you use the "down arrow" button (the one that shows "Export HAR" when you hover over it), this will allow you to export the "Network" tab contents to a json file. There shouldn't really be any sensitive information other than IP addresses, but if you're concerned about potential sensitive information, feel free to rename and PM this .HAR file to me as a .TXT file, and I'll see if there are any clues as to why we may have ended up in a state where phpBB wanted to return 401. (If that's what's even happening.) Or you can just put the file's contents in a code block here for anyone to analyze.
(The only "not as recommended" cookie setting I see is that "cookie_secure" is not enabled. But that's not a "will equal failure" situation, and just means the cookies are allowed to be sent even when not accessing the site over HTTPS. i.e. The cookie data is allowed to be exposed even over non-encrypted connections, if you were using one. Your current cookies are being successfully saved and sent, at least in my non-ACP-related access to your site. But that's one of the things the .HAR file contents are going to confirm during your ACP access attempt, too.)
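As an added example (not part of this post or of phpBB's own code), a small Python script that reads the exported HAR and lists each index.php request with its status, the sid in the URL versus the "_sid" cookie, and any Location header, which is exactly what the Network-tab check above is looking for. The HAR content embedded below is constructed, and forum.example is a placeholder hostname.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample HAR (not a real capture) mimicking the sequence described above:
# redirect that adds a new sid, the 401 when the URL sid and cookie sid disagree,
# then the bare redirect back to index.php with no parameters.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://forum.example/adm/index.php",
                 "cookies": [{"name": "phpbb3_abc_sid", "value": "aaa111"}]},
     "response": {"status": 302, "headers": [
         {"name": "Location", "value": "https://forum.example/adm/index.php?sid=bbb222"}]}},
    {"request": {"method": "GET", "url": "https://forum.example/adm/index.php?sid=bbb222",
                 "cookies": [{"name": "phpbb3_abc_sid", "value": "aaa111"}]},
     "response": {"status": 401, "headers": [
         {"name": "Location", "value": "https://forum.example/index.php"}]}},
    {"request": {"method": "GET", "url": "https://forum.example/index.php", "cookies": []},
     "response": {"status": 200, "headers": []}},
]}})


def header(resp, name):
    """Case-insensitive lookup of a response header in HAR name/value form."""
    for h in resp.get("headers", []):
        if h["name"].lower() == name.lower():
            return h["value"]
    return None


def summarize_har(har_text, path_filter="index.php"):
    """Return one row per HAR entry whose URL path contains path_filter."""
    rows = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        parts = urlsplit(req["url"])
        if path_filter not in parts.path:
            continue
        url_sid = parse_qs(parts.query).get("sid", [None])[0]
        # HAR lists the cookies the browser actually sent with the request.
        cookie_sid = next((c["value"] for c in req.get("cookies", [])
                           if c["name"].endswith("_sid")), None)
        rows.append({
            "path": parts.path,
            "status": resp["status"],
            "url_sid": url_sid,
            "cookie_sid": cookie_sid,
            "sid_matches": url_sid is not None and url_sid == cookie_sid,
            "location": header(resp, "Location"),
        })
    return rows


if __name__ == "__main__":
    for row in summarize_har(SAMPLE_HAR):
        print(row)
```

Run it against the real export by replacing SAMPLE_HAR with the file's contents; a row with status 401 and sid_matches False is the session_begin() failure path described above.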