Security error for customer login after host server change

[sparrowce]

I have been reading multiple threads on this issue, and also have read the tutorial recommended here:

https://www.zen-cart.com/tutorials/i...hp?article=312

My ZenCart is v1.3.9h, am using Bookshelf template and do not have the files in the location referenced by the tutorial.

- /includes/templates/YOUR_TEMPLATE/templates/tpl_login_default.php
- /includes/templates/YOUR_TEMPLATE/templates/tpl_timeout_default.php

A FileZilla search found them here:
/includes/templates/template_default/templates

I downloaded a fresh 1.3.9 and overwrote those files in above location, but still getting error.

The web host recently upgraded their servers (this link is very similar to my problem, same host - http://www.zen-cart.com/forum/showthread.php?t=183028)

However the SSL certificate on the site is dedicated, not shared, purchased about a month before they moved their servers. Their support has been very kind, fixing other issues that have cropped up with the SSL, but can't seem to find cause of this one.

Also when I login to ZenCart admin area from a fresh browser, it tells me there was a security error when trying to login to Admin, though when I click login, it takes me to admin area.

I am stuck with these last 2 security issues, and will be glad to go back to host if someone could help point me in the right direction of what to check.

I have also tried switching to the Classic template, that did not change anything, so it's switched back to Bookshelf.

Thank you!

[sparrowce]

Bump . . . any ideas? Thank you!

[DrByte]

but still getting error.

What exact error?

However the SSL certificate on the site is dedicated, not shared

So, does this mean that if you set your ENABLE_SSL setting to 'false' that the problem goes away?

Also when I login to ZenCart admin area from a fresh browser

What exactly do you mean by "a fresh browser"?

it tells me there was a security error when trying to login to Admin, though when I click login, it takes me to admin area.

That sounds exactly like the page was cached in your browser and the old security token had been set there, and thus your attempted login was using the cached token. Then when you get the login error and click submit again, it is successful because a new fresh unexpired token has been generated for the page.
You might be able to prevent this caching by setting your *admin* configure.php's HTTP_SERVER url to an https address instead of an http address. This would have the beneficial side effect of protecting your entire admin with SSL, which is a good thing.

[sparrowce]

What exact error?
So, does this mean that if you set your ENABLE_SSL setting to 'false' that the problem goes away?
What exactly do you mean by "a fresh browser"?That sounds exactly like the page was cached in your browser and the old security token had been set there, and thus your attempted login was using the cached token. Then when you get the login error and click submit again, it is successful because a new fresh unexpired token has been generated for the page.
You might be able to prevent this caching by setting your *admin* configure.php's HTTP_SERVER url to an https address instead of an http address. This would have the beneficial side effect of protecting your entire admin with SSL, which is a good thing.

Thank you, I have not tried setting the ENABLE_SSL to false, didn't think of that.

The error message says "There was a security error when trying to login" (this is at customer login)

Fresh browser means clear cache, close browser, re-open. Tried on 3 different browsers on PC and 2 on mac, clearing cache, etc. - just tried setting ENABLE_SSL to false, cleared the cache, closed/re-opened browser, but no change on either matter.

Here is what is in my store/includes/configure.php:
define('HTTP_SERVER', 'http://mydomain.com');
define('HTTPS_SERVER', 'https://www.mydomain.com/');

// Use secure webserver for checkout procedure?
define('ENABLE_SSL', 'true');

And this is the admin/includes/configure.php:
define('HTTP_SERVER', 'http://mydomain.com');
define('HTTPS_SERVER', 'https://mydomain.com/');
define('HTTP_CATALOG_SERVER', 'http://mydomain.com');
define('HTTPS_CATALOG_SERVER', 'https://mydomain.com/');
// Use secure webserver for catalog module and/or admin areas?
define('ENABLE_SSL_CATALOG', 'true');
define('ENABLE_SSL_ADMIN', 'true');


Really appreciate the help, thank you.

[DrByte]

Why do you have the "www." in your HTTPS_SERVER setting when all the rest don't?

[sparrowce]

Why do you have the "www." in your HTTPS_SERVER setting when all the rest don't?

Good question . . . don't know what I'm doing, that's for sure. I removed the www, but it didn't change anything, unfortunately.

[sparrowce]

Still not resolved - saw this post, http://www.zen-cart.com/forum/showthread.php?t=180742, and am checking in my configuration/sessions settings, but do not know what I'm looking for. The directory seems to match what the host says, and the Check SSL Session ID is set to false, and recreate sessions is set to true. Any thing in these settings that could help? Thank you!

[DrByte]

I would start with a fresh install of Zen Cart on your new server. Check whether *that* works. THEN start customizing it akin to what you have now. Keep testing its functionality. Finally, when you've got it working right, import your database and test again.

[sparrowce]

Thank you, I may try that, have so many customizations and a very short deadline, and had to troubleshoot so many things along the way, am concerned it might change the product links, which are heavily referenced on some other pages, and may break something else that's been customized, such as the free shipping and add-on's, such as hidden categories, easy populate, etc. Since it was working great before the server move, and not now, will go back to host and take a fresh look on that side. Appreciate the help, thank you.

[sparrowce]

To update if anyone else has this issue, the host support found the cause of the problem. The code correction mentioned in the tutorial was added to this page:

includes\modules\pages\login\header_php.php

All is well now. I had not seen this page mentioned in any of the tutorials or the posts I'd found on this same issue, hope their diligence in finding the problem will be of help, thank you.