ADM Console 401 error

Get help with installation and running phpBB 3.2.x here. Please do not post bug reports, feature requests, or extension related questions here.
User avatar
Mick
Support Team Member
Support Team Member
Posts: 21681
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: ADM Console 401 error

Post by Mick » Wed Oct 16, 2019 9:04 pm

You’re right.
"The more connected we get the more alone we become" - Kyle Broflovski

User avatar
EA117
Registered User
Posts: 1081
Joined: Wed Aug 15, 2018 3:23 am
Contact:

Re: ADM Console 401 error

Post by EA117 » Wed Oct 16, 2019 10:03 pm

Having the cookie domain set for ".softprocorp.com" means the browser will be willing to send these saved cookies for the softprocorp.com domain itself, or for any subdomain such as www.softprocorp.com, forums.softprocorp.com and yes, devforum.softprocorp.com. Having the cookie domain set to ".softprocorp.com" -- or even just "softprocorp.com" -- is not "wrong", nor creates any kind of non-working scenario.

And it's even what's explicitly required for cases like using both "domain.com" and "www.domain.com" to access a site. You must set "domain.com" as the cookie domain, in order for the web browser to be allowed to send those saved cookies for the www.domain.com subdomain, too.

This isn't just "theory", or something you need to take any person's or documentation site's word for. You can F12 your own access of this site after deleting your current cookies, and see the Set-Cookie directives coming in the HTTP response header from phpBB with ".softprocorp.com" set as the cookie domain. And then subsequently see your next page access send those "Cookie:" values in the HTTP request header, even though the domain you're accessing phpBB with is devforum.softprocorp.com and not softprocorp.com. All exactly as it's intended to work.

So changing the phpBB cookie domain to "devforum.softprocorp.com" is fine; provided OP doesn't access this same phpBB site with any other softprocorp.com-based domain. But this will only "fix" the cookie's compliance to the phpBB documentation. It doesn't change anything in terms of actual cookie behavior for the devforum.softprocorp.com site, nor will it enable cookies to be sent for a case where the cookies are not already being sent.

User avatar
david63
Registered User
Posts: 16718
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood
Contact:

Re: ADM Console 401 error

Post by david63 » Thu Oct 17, 2019 1:47 pm

Could the problem be connected to using a dynamic DNS service?
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

User avatar
EA117
Registered User
Posts: 1081
Joined: Wed Aug 15, 2018 3:23 am
Contact:

Re: ADM Console 401 error

Post by EA117 » Thu Oct 17, 2019 3:55 pm

david63 wrote:
Thu Oct 17, 2019 1:47 pm
Could the problem be connected to using a dynamic DNS service?
Maybe elaborate on the kind of issue you think this might create; but there isn't an obvious one already known to me, anyway.

The "cookie decision" is made by the web browser itself; i.e. "I have this cookie saved for the root path of softprocorp.com... so should I be sending this cookie for the current page request or not?" To make that decision, he's looking at the domain name and path he's being requested to access, and whether the connection is over HTTPS or not. So regardless of what calisthenics might be going on within the DNS service, the web browser is still making its decision based on what URL he's being requested to send this HTTP GET request to.

Something I don't know definitively is that if the DNS name was actually a CNAME for something else, which domain name would the web browser be basing its decision upon. It seems like from a management and design perspective they would have to still use the DNS name being resolved, and not the CNAME it resolved to; but I don't know nor have ever researched that. Regardless, devforum.softprocorp.com is just a direct A record to an IP address, with no CNAME involved.


Still interested to see what the actual requests, responses, and cookies are in the sequence that ends up hitting 401 for OP after the successful ACP login. As will hopefully be revealed in the .HAR file they generate from the Chrome F12 Network tab, if possible. A Wireshark LAN trace with the TLS decrypted would be clear on this point too, but seemed like the more difficult ask to make.

User avatar
david63
Registered User
Posts: 16718
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood
Contact:

Re: ADM Console 401 error

Post by david63 » Thu Oct 17, 2019 4:36 pm

EA117 wrote:
Thu Oct 17, 2019 3:55 pm
Maybe elaborate on the kind of issue you think this might create; but there isn't an obvious one already known to me, anyway.
The site uses a dynamic DNS service which maps the domain name to the IP address of a computer. For more details try Google
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

User avatar
EA117
Registered User
Posts: 1081
Joined: Wed Aug 15, 2018 3:23 am
Contact:

Re: ADM Console 401 error

Post by EA117 » Thu Oct 17, 2019 5:07 pm

david63 wrote:
Thu Oct 17, 2019 4:36 pm
The site uses a dynamic DNS service which maps the domain name to the IP address of a computer. For more details try Google
Maybe elaborate on the kind of issue you think this might create; because there isn't an obvious one already known to me, anyway.

User avatar
david63
Registered User
Posts: 16718
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood
Contact:

Re: ADM Console 401 error

Post by david63 » Thu Oct 17, 2019 5:49 pm

When I have used it in the past there is a bit of software on the PC that auto refreshes every so often (cannot remember the timeframe) and remaps the domain name to the computer, so the actual IP address can change for the domain name within a session and that will certainly screw up cookies.

I am not saying that this is the problem but it is another "non standard" way of operating which has the potential to create problems.
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

softpronick
Registered User
Posts: 22
Joined: Tue Oct 08, 2019 9:14 pm

Re: ADM Console 401 error

Post by softpronick » Thu Oct 17, 2019 6:39 pm

EA117 wrote:
Wed Oct 16, 2019 10:03 pm
Having the cookie domain set for ".softprocorp.com" means the browser will be willing to send these saved cookies for the softprocorp.com domain itself, or for any subdomain such as www.softprocorp.com, forums.softprocorp.com and yes, devforum.softprocorp.com. Having the cookie domain set to ".softprocorp.com" -- or even just "softprocorp.com" -- is not "wrong", nor creates any kind of non-working scenario.

And it's even what's explicitly required for cases like using both "domain.com" and "www.domain.com" to access a site. You must set "domain.com" as the cookie domain, in order for the web browser to be allowed to send those saved cookies for the www.domain.com subdomain, too.

This isn't just "theory", or something you need to take any person's or documentation site's word for. You can F12 your own access of this site after deleting your current cookies, and see the Set-Cookie directives coming in the HTTP response header from phpBB with ".softprocorp.com" set as the cookie domain. And then subsequently see your next page access send those "Cookie:" values in the HTTP request header, even though the domain you're accessing phpBB with is devforum.softprocorp.com and not softprocorp.com. All exactly as it's intended to work.

So changing the phpBB cookie domain to "devforum.softprocorp.com" is fine; provided OP doesn't access this same phpBB site with any other softprocorp.com-based domain. But this will only "fix" the cookie's compliance to the phpBB documentation. It doesn't change anything in terms of actual cookie behavior for the devforum.softprocorp.com site, nor will it enable cookies to be sent for a case where the cookies are not already being sent.
Cookies have been updated to devforum.softprocorp.com didn't fix the main issue with redirect to the adm console.

User avatar
EA117
Registered User
Posts: 1081
Joined: Wed Aug 15, 2018 3:23 am
Contact:

Re: ADM Console 401 error

Post by EA117 » Thu Oct 17, 2019 7:48 pm

softpronick wrote:
Thu Oct 17, 2019 6:39 pm
Cookies have been updated to devforum.softprocorp.com didn't fix the main issue with redirect to the adm console.
And just to be clear on this having been given it's fair shot, that's after you also deleted the cookies already saved in your local browser. (Since phpBB wouldn't have actually sent cookies with the new cookie domain, if the cookies with the softprocorp.com cookie domain specified still existed in the browser.)

Do you think you'll be able to use Chrome's F12 Network tab to save a .HAR file showing this sequence of events that occurs when logging into the ACP?

The other item that came up is whether you can post the contents of your web.config file at the root of the phpBB site (same directory as config.php). If you're concerned there is something sensitive added in there for posting publicly, feel free to rename it to .TXT and send it by PM instead; same as with the .HAR file.


david63 wrote:
Thu Oct 17, 2019 5:49 pm
I am not saying that this is the problem but it is another "non standard" way of operating which has the potential to create problems.
Okay, understood. That was what had prompted my description of the cookie decision process, since "keeping a consistent domain name even though the IP address may be frequently changing" is what dyndns.org-type services are about. And "the domain name which isn't changing" is what browsers are looking at as part of their cookie decision; so it wasn't obvious why there would be potential for an introduced issue there.

Note that Oracle/Dyn actually provides Oracle/Dyn managed DNS hosting too, and not just the "dynamic DNS" services that someone without their own domain name would typically subscribe to. That seems the more likely reason for seeing Oracle/Dyn servers behind softprocorp.com's DNS service; e.g. simply a DNS registrar or hosting provider who has selected Oracle/Dyn to provide the implementation of their managed DNS service.

Post Reply

Return to “[3.2.x] Support Forum”