
Textpattern CMS support forum


#1 2009-08-20 20:53:22

jstubbs
Member
From: Hong Kong
Registered: 2004-12-13
Posts: 2,395
Website

txp_login cookie

Can someone remind me of the changes that took place in a recent TXP version concerning login, and in particular, the txp_login cookie?

Testing on a site that has aMember, ign_password_protect and rvm_priviliged rolled into one. I can get aMember and the others playing nice, but if I log in to TXP Admin after first logging in via aMember (which issues a txp_login cookie thanks to their Textpattern plugin) I see a Restricted Area in Admin. Bah!

What happens is that two txp_login cookies are created, which I guess results in the error.

Offline

#2 2009-08-21 08:49:22

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,454
Website GitHub

Re: txp_login cookie

jstubbs wrote:

Can someone remind me of the changes that took place in a recent TXP version concerning login, and in particular, the txp_login cookie?

I think from 4.0.7 (maybe 4.0.6?) onwards if you log in to the admin side from two identical logins your earliest session expires and you’re kicked out. Whether this is related to the duplicate txp_login cookies I don’t know offhand. I didn’t think that two cookies of the same name could exist but I’m not sure on this one. Perhaps the ‘2nd’ cookie of the same name is overwriting the first and since the nonces (or some other detail) don’t match the original, TXP thinks the login has been tampered with and bars you; clutching at straws here.

I’ve had odd problems in the past with ign_password_protect and TXP’s multiple login restrictions: from memory if you log in from the client side after you have logged in from the admin side using the same login credentials, the plugin goes mad and locks you out (no possibility of logging in) until you’ve manually killed the ign_login cookie. I think igner’s latest release addresses this but I’ve not had a chance to test it yet (I’m such a slacker).

Last edited by Bloke (2009-08-21 08:50:08)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#3 2009-08-21 09:30:41

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: txp_login cookie

Assuming your website is www.example.com with TXP installed at the root.

There are two cookies:
  • txp_login: valid for URLs inside www.example.com/textpattern/
  • txp_login_public: valid for any URL inside www.example.com/

Each login invalidates earlier logins for the same user. This is due to the way the nonce is created and stored in the user table (side-effect of making the authentication system more secure). The advantage is that if you forgot to log out while working on a public computer, you can simply log in on another computer to remedy that.

These changes were made in TXP 4.0.6

Last edited by ruud (2009-08-21 09:39:21)

Offline
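
An added illustration for the cookie scoping discussed in the posts above (not Textpattern, aMember or any poster's code): browsers store cookies keyed by name, domain and path (RFC 6265), so two txp_login cookies can coexist when their paths differ, and both are then sent to admin URLs. The Path=/ txp_login cookie and all cookie values are assumptions constructed for the example.

```javascript
// Minimal cookie jar following the RFC 6265 storage and path-match rules.
// Host-only matching is used for brevity; expiry and flags are left out.

// RFC 6265 section 5.1.4: does the request path fall under the cookie path?
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

class CookieJar {
  constructor() {
    this.store = new Map(); // key: name + domain + path
    this.seq = 0;           // creation order, used as a tie-breaker
  }
  set(name, value, domain, path) {
    const key = [name, domain, path].join('\u0000');
    const prev = this.store.get(key);
    // Same (name, domain, path) replaces the value; a different path adds a second cookie.
    this.store.set(key, { name, value, domain, path, created: prev ? prev.created : this.seq++ });
  }
  // Build the Cookie header value for a request: longer paths first, then older cookies.
  header(host, requestPath) {
    return [...this.store.values()]
      .filter(c => c.domain === host && pathMatch(requestPath, c.path))
      .sort((a, b) => b.path.length - a.path.length || a.created - b.created)
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }
}

function demo() {
  const jar = new CookieJar();
  const host = 'www.example.com';
  // The two cookies described in post #3 (values are constructed placeholders).
  jar.set('txp_login', 'admin-session', host, '/textpattern/');
  jar.set('txp_login_public', 'public-token', host, '/');
  // Assumption: another application sets txp_login for the whole site.
  jar.set('txp_login', 'third-party-session', host, '/');
  return {
    count: jar.store.size,
    admin: jar.header(host, '/textpattern/index.php'),
    publicSide: jar.header(host, '/articles/1'),
  };
}

console.log(demo());
```

In the browser's developer tools the same check is to list the stored cookies with their Path column visible; two rows named txp_login with different paths match the situation reported in post #1.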

#4 2009-08-21 18:36:09

TheEric
Plugin Author
From: Wyoming
Registered: 2004-09-17
Posts: 566

Re: txp_login cookie

It’s slightly annoying on occasion when testing admin UI in different browsers. I’ve come up with a few methods to get around it, but I think the Gmail/AOL method is best. “You are currently logged in on x number places. Log out these sessions or continue?”

Offline

#5 2009-08-21 18:54:17

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: txp_login cookie

Eric. In your case you can easily work around it by creating different users. One for each browser.

Offline

#6 2009-08-21 20:46:25

jstubbs
Member
From: Hong Kong
Registered: 2004-12-13
Posts: 2,395
Website

Re: txp_login cookie

Have there been any changes in 4.06+ to this? I am testing two installs – one 4.06 and the other 4.2.0rc1.

In both, I am using aMember with ign_password_protect. Theoretically they should share the same login (thanks to the aMember Textpattern plugin, which puts aMember records either in the txp_users or ign_users table) but for some reason they don’t.

Example 1 – TXP 4.06 and ign_pw 0.5b7

Login first via aMember but not able to see ign_password_protect pages. Subsequent login via an ign_pw form displays the ign_pw protected pages. Success, but requires two separate logins.

Example 2 – TXP 4.2.0rc1 and ign_pw 0.5b11c (from GitHub)

Login first via aMember but not able to see ign_password_protect pages. Subsequent login via an ign_pw form initially displays the ign_pw protected pages but after visiting another page am required to login again. aMember protected pages ok.

Example 3 – TXP 4.2.0rc1 and ign_pw 0.5b11c – BUT NOW use txp_users table instead of ign_users

Login via aMember and able to see both aMember AND ign_password_protect pages. Success – but who wants to use the txp_users table with hundreds of users?!!

Perplexing – the objective is to have a combined login via aMember and then seen on both ign_pw and aMember protected pages.

Offline

#7 2009-08-21 21:47:14

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,454
Website GitHub

Re: txp_login cookie

jstubbs wrote:

who wants to use the txp_users table with hundreds of users?!!

The table on the Admin->Users tab is subject to the usual paging thing of showing ‘n’ records per page so it’s a bit more manageable than it used to be. And the multi edit ability helps. Or is that not what you meant?



Offline

#8 2009-08-22 06:20:46

jstubbs
Member
From: Hong Kong
Registered: 2004-12-13
Posts: 2,395
Website

Re: txp_login cookie

No, my point is that txp_users is better served for site users (admins and the like), while the 100’s of site members should be in another table, like ign_users.

Offline

#9 2009-08-22 11:08:43

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: txp_login cookie

txp_users is used only for users that can login on the admin side of TXP.
If plugins use it for other purposes, that’s not something TXP can prevent.

Offline

#10 2009-08-22 15:59:54

TheEric
Plugin Author
From: Wyoming
Registered: 2004-09-17
Posts: 566

Re: txp_login cookie

I know I could, but really, I’m lazy. I don’t like multiple logons.

Offline

#11 2009-08-22 16:00:16

jstubbs
Member
From: Hong Kong
Registered: 2004-12-13
Posts: 2,395
Website

Re: txp_login cookie

aMember sets three cookies: amember_nr, txp_login and txp_login_public.

ign_password_protect sets two cookies: ign_login and ign_stay.

Jeremy (igner) says that ign_password_protect recognises the txp_login_public cookie, so that should mean that if someone logs in to aMember then the member should be recognised immediately if visiting an ign_pw protected page, regardless of whether the authentication was made against txp_users or ign_users.

Or am I mistaken?

Offline
