Two Sign-ins Required to Access store Admin

[KenBaker]

An odd development:

I have two ZC installations, both functioning through subdomains on my main domain. For both installations, I use the same username but different passwords to access the Admin panels. About two weeks ago, I noticed that both ZC installations simultaneously started requiring me to enter my username and password twice before the systems will grant me access to my Admin panels. For both installations, after I type my username and password the first time and hit enter, the screen cycles a few seconds then returns to the login screen (no error message about wrong username or password). When I retype my username and password the second time and hit enter, the systems open my Admin panels.

I thought at first that the glitch must be originating with my hosting service (HostGator), but other password protected units of my domain don't show the same issue (they work as expected, in other words). I contacted HostGator anyway, and (after some checking) the tech rep assured me that the glitch isn't originating with the hosting service.

To the best of my knowledge, I haven't changed any basic configuration parameters that would have caused this glitch. Quite obviously, though, I've done *something* untoward to bring about this problem. I would appreciate any suggestions for identifying and correcting the cause of this login double entry. In and of itself, it's just a minor irritation, but I worry that it may be indicative of a more serious underlying problem.

Ken Baker

[lat9]

What are your settings in Configuration->Sessions for each of the subdomains?

[KenBaker]

lat9,

Thanks for your attention. I've never (ashamed to say) even looked at the Configuration > Sessions module. The settings for both domains are identical (save the Session Directory, of course), as follows:

Session Directory: [path from home to]/catalog/cache
Cookie Domain: True
Force Cookie Use: False
Check SSL Session ID: False
Check User Agent: False
Check IP Address: False
Prevent Spider Sessions: True
Recreate Session: True
IP to Host Conversion Status: True
Use root path for cookie path: False
Add period prefix to cookie domain: True

In my original post, I forgot to mention this bit of information, which may or may not be important: After I enter my login information twice to initially gain access to my Admin panels, I don't have to do so for subsequent logins after getting 15-minute boots from the server. That is, if I get disconnected from my Admin panels after 15 minutes of server inactivity, I only need enter my login information once to reconnect to the Admin panels.

Thanks again for looking at this issue.

Ken Baker

[lat9]

Using Firefox, go to each of your subdomains, click on the little symbol next to your site's URL, click "More Information" and you'll get to a menu where you can click another button to view the cookies associated with that site. Are the cookies for both subdomains the same?

[KenBaker]

lat9,

These little imbroglios certainly do lead to interesting knowledge. I wasn't sure if you meant for me to collect the cookie information for my site as viewed by visitors or for my Admin panels, so I checked both sets. In both cases:

• the session cookies are different;
• the cookies expire at the end of the session; and
• the site visitor cookies are labeled "zenID" and the Admin panel cookies are labeled "zenAdminID".

Ken Baker

[lat9]

lat9,

These little imbroglios certainly do lead to interesting knowledge. I wasn't sure if you meant for me to collect the cookie information for my site as viewed by visitors or for my Admin panels, so I checked both sets. In both cases:

• the session cookies are different;
• the cookies expire at the end of the session; and
• the site visitor cookies are labeled "zenID" and the Admin panel cookies are labeled "zenAdminID".

Ken Baker

As you can probably tell with the additional questions, I'm no closer to an answer ... but

The cookie in question for each site is the zenAdminID one. I'm guessing that since the cookies' values are different that the Path shown for each cookie is also different while the Cookie Domain is the same. Please verify.

Re-reading your original post, I can say that I normally use Firefox and have seen (although I can't pin down the symptom) the occasional case where I enter the correct admin ID/password and have it rejected as you indicated (no message), only to have the exact-same values accepted on the next try. For these cases I, too, have the same admin ID but different passwords and attempting to log into more than one admin console, but I don't think that that has anything to do with the issue.

Although I have not gone down into the code to verify, I believe that the double-entry has something to do with a previous session timeout, i.e. you were previously logged into the admin console so there is a valid cookie that has timed-out when you attempt login pass 1. I'm thinking that pass 1 of the login process sees the zenAdminID cookie and attempts to use it, finds out that it's timed out, regenerates the cookie and redisplays the login display. That's what allows pass 2 to complete successfully.

What version of PHP is being run on those subdomains? I've got PHP 5.4.8 running locally and 5.4.26 on my personal hosted sites.