Admin login fails without any error message.

[ventilator]

IF your site is Joseph Harley Flowers, it is not secure and you have some problems with your configure.php files as trying to force https causes the template to disappear.

You mentioned the .htaccess file. There is not one in the root of an initial install UNLESS cpanel adds it to establish your site's PHP level. Sometimes a 301 redirect is added later in the process.

I would attach both configure.php files and the root's .htaccess here using the # (button on the button bar) to show them. Be sure to remove admin directory names and DB access info. I bet we find something in one of those.

IF your site is XXXX, it is not secure and you have some problems with your configure.php files as trying to force https causes the template to disappear.

You mentioned the .htaccess file. There is not one in the root of an initial install UNLESS cpanel adds it to establish your site's PHP level. Sometimes a 301 redirect is added later in the process.

I would attach both configure.php files and the root's .htaccess here using the # (button on the button bar) to show them. Be sure to remove admin directory names and DB access info. I bet we find something in one of those.

OK - yes, the .htaccess files are set by the host to determine PHP version, plus they rewrite to SSL

configure.php in includes:

Code:

<?php
/**
 * @package Configuration Settings
 * @copyright Copyright 2003-2018 Zen Cart Development Team
 * @copyright Portions Copyright 2003 osCommerce
 * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
 * File Built by Zen Cart Installer on Mon Nov 25 2019 15:13:22
 */

/*************** NOTE: This file is VERY similar to, but DIFFERENT from the "admin" version of configure.php. ***********/
/***************       The 2 files should be kept separate and not used to overwrite each other.              ***********/

/**
 * Enter the domain for your store
 * HTTP_SERVER is your Main webserver: eg-http://www.yourdomain.com
 * HTTPS_SERVER is your Secure/SSL webserver: eg-https://www.yourdomain.com
 */
define('HTTP_SERVER', 'https://mysitesdomain.co.uk');
define('HTTPS_SERVER', 'https://mysitesdomain.co.uk');

/**
 *  If you want to tell Zen Cart to use your HTTPS URL on sensitive pages like login and checkout, set this to 'true'. Otherwise 'false'. (Keep the quotes)
 */
define('ENABLE_SSL', 'true');

/**
 * These DIR_WS_xxxx values refer to the name of any subdirectory in which your store is located.
 * These values get added to the HTTP_CATALOG_SERVER and HTTPS_CATALOG_SERVER values to form the complete URLs to your storefront.
 * They should always start and end with a slash ... ie: '/' or '/foldername/'
 */
define('DIR_WS_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');

/**
 * This is the complete physical path to your store's files.  eg: /var/www/vhost/accountname/public_html/store/
 * Should have a closing / on it.
 */
define('DIR_FS_CATALOG', '/var/sites/j/mysitesdomain.co.uk/public_html/');

/**
 * The following settings define your database connection.
 * These must be the SAME as you're using in your admin copy of configure.php
 */
define('DB_TYPE', 'mysql'); // always 'mysql'
define('DB_PREFIX', ''); // prefix for database table names -- preferred to be left empty
define('DB_CHARSET', 'utf8mb4'); // 'utf8mb4' or older 'utf8' / 'latin1' are most common
define('DB_SERVER', 'XXX');  // address of your db server
define('DB_SERVER_USERNAME', 'XXX');
define('DB_SERVER_PASSWORD', 'XXX');
define('DB_DATABASE', 'XXX');

/**
 * This is an advanced setting to determine whether you want to cache SQL queries.
 * Options are 'none' (which is the default) and 'file' and 'database'.
 */
define('SQL_CACHE_METHOD', 'none');

/**
 * Reserved for future use
 */
define('SESSION_STORAGE', 'reserved for future use');

/**
 * Advanced use only:
 * The following are OPTIONAL, and should NOT be set unless you intend to change their normal use. Most sites will leave these untouched.
 * To use them, uncomment AND add a proper defined value to them.
 */
// define('DIR_FS_SQL_CACHE' ...
// define('DIR_FS_DOWNLOAD' ...
// define('DIR_FS_LOGS' ...

// End Of File

configure.php in admin/includes:

Code:

<?php
/**
 * @package Configuration Settings
 * @copyright Copyright 2003-2018 Zen Cart Development Team
 * @copyright Portions Copyright 2003 osCommerce
 * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
 * File Built by Zen Cart Installer on Mon Nov 25 2019 15:13:22
 */


/*************** NOTE: This file is VERY similar to, but DIFFERENT from the "store" version of configure.php. ***********/
/***************       The 2 files should be kept separate and not used to overwrite each other.              ***********/

/**
 * Enter the domain for your Admin URL. If you have SSL, enter the correct https address in the HTTP_SERVER setting, instead of just an http address.
 */
define('HTTP_SERVER', 'https://mysitesdomain.co.uk/');
/**
 * Note about HTTPS_SERVER:
 * There is no longer an HTTPS_SERVER setting for the Admin. Instead, put your SSL URL in the HTTP_SERVER setting above.
 */

/**
 * Note about DIR_WS_ADMIN
 * The DIR_WS_ADMIN value is now auto-detected.
 * In the rare case where it cannot be detected properly, you can add your own DIR_WS_ADMIN definition below.
 */

/**
 * Enter the domain for your storefront URL.
 * Enter a separate SSL URL in HTTPS_CATALOG_SERVER if your store supports SSL.
 */
define('HTTP_CATALOG_SERVER', 'https://mysitesdomain.co.uk');
define('HTTPS_CATALOG_SERVER', 'https://mysitesdomain.co.uk');

/**
 * Do you use SSL for your customers login/checkout on the storefront? If so, enter 'true'. Else 'false'.
 */
define('ENABLE_SSL_CATALOG', 'true');

/**
 * These DIR_WS_xxxx values refer to the name of any subdirectory in which your store is located.
 * These values get added to the HTTP_CATALOG_SERVER and HTTPS_CATALOG_SERVER values to form the complete URLs to your storefront.
 * They should always start and end with a slash ... ie: '/' or '/foldername/'
 */
define('DIR_WS_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');

/**
 * This is the complete physical path to your store's files.  eg: /var/www/vhost/accountname/public_html/store/
 * Should have a closing / on it.
 */
define('DIR_FS_CATALOG', '/var/sites/j/mysitesdomain.co.uk/public_html/');

/**
 * NOTE about DIR_FS_ADMIN
 * The value for DIR_FS_ADMIN is now auto-detected.
 * In the very rare case where there is a need to override the autodetection, simply add your own definition for it below.
 */

/**
 * The following settings define your database connection.
 * These must be the SAME as you're using in your non-admin copy of configure.php
 */
define('DB_TYPE', 'mysql'); // always 'mysql'
define('DB_PREFIX', ''); // prefix for database table names -- preferred to be left empty
define('DB_CHARSET', 'utf8mb4'); // 'utf8mb4' or older 'utf8' / 'latin1' are most common
define('DB_SERVER', 'XXX');  // address of your db server
define('DB_SERVER_USERNAME', 'XXX');
define('DB_SERVER_PASSWORD', 'XXX');
define('DB_DATABASE', 'XXX');

/**
 * This is an advanced setting to determine whether you want to cache SQL queries.
 * Options are 'none' (which is the default) and 'file' and 'database'.
 */
define('SQL_CACHE_METHOD', 'none');

/**
 * Reserved for future use
 */
define('SESSION_STORAGE', 'reserved for future use');

/**
 * Advanced use only:
 * The following are OPTIONAL, and should NOT be set unless you intend to change their normal use. Most sites will leave these untouched.
 * To use them, uncomment AND add a proper defined value to them.
 */
// define('DIR_FS_SQL_CACHE' ...
// define('DIR_FS_DOWNLOAD' ...
// define('DIR_FS_LOGS' ...

// End Of File

.htaccess in root:

Code:

RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://www.mysitesdomain.co.uk/$1 [R=301,L]
AddType x-httpd-php72 .php

.htaccess in admin:

Code:

#
# @copyright Copyright 2003-2016 Zen Cart Development Team
# @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
# @version $Id: .htaccess 19328 Modified in v1.6.0 $
#
# This is used with Apache WebServers
#
# The following blocks direct HTTP requests to all filetypes in this directory recursively, except certain approved exceptions
# It also prevents the ability of any scripts to run. No type of script, be it PHP, PERL or whatever, can normally be executed if ExecCGI is disabled.
# Will also prevent people from seeing what is in the dir. and any sub-directories
#
# For this to work, you must include either 'All' or at least: 'Limit' and 'Indexes' parameters to the AllowOverride configuration in your apache/conf/httpd.conf file.
# Additionally, if you want the added protection offered by the OPTIONS directive below, you'll need to add 'Options' to the AllowOverride list, if 'All' is not specified.
# Example:
#<Directory "/usr/local/apache/htdocs">
#  AllowOverride Limit Options Indexes
#</Directory>
###############################
DirectoryIndex index.php

# deny *everything*
<FilesMatch ".*\..*">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</FilesMatch>

# allow access to the root
<FilesMatch "^$">
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Allow from all
  </IfModule>
</FilesMatch>

# but now allow just *certain* necessary files:
<FilesMatch "(?i).*\.(php|js|css|html?|ico|otf|jpe?g|gif|webp|png|swf|flv|xml|xsl)$">
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Allow from all
  </IfModule>
</FilesMatch>

IndexIgnore */*

<limit POST PUT>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</limit>


## NOTE: If you want even greater security to prevent hackers from running scripts in this folder, uncomment the following line (if your hosting company will allow you to use OPTIONS):
# OPTIONS -Indexes -ExecCGI



##################
## Optional caching improvements
## Requires mod_header and mod_deflate to be enabled within Apache
##################
<IfModule mod_headers.c>
  Header unset Pragma
  FileETag None
  Header unset ETag
  #Header set Cache-Control "no-transform"
  <FilesMatch "(?i).*\.(ico|jpe?g|gif|otf|webp|png|swf|flv|svg|svgz)$">
    Header set Cache-control "max-age=864000, public, must-revalidate"
    Header unset Last-Modified
  </FilesMatch>
  <FilesMatch "(?i).*\.(html|htm|xml|txt|xsl)$">
    Header set Cache-control "max-age=7200, must-revalidate"
  </FilesMatch>
</IfModule>
<IfModule mod_deflate.c>
  <FilesMatch "(?i)\.(js|css)$">
    SetOutputFilter DEFLATE
  </FilesMatch>
</IfModule>

##################
## Optional improvements
## Requires mod_expires to be enabled within Apache
##################
<ifmodule mod_expires.c>
  ExpiresActive On
  ExpiresDefault A300
  ExpiresByType application/x-javascript A3600
  ExpiresByType text/css A3600
  ExpiresByType image/gif A604800
  ExpiresByType video/x-flv A604800
  ExpiresByType application/pdf A604800
  ExpiresByType text/html A300
  ExpiresByType image/x-icon A86400
  ExpiresByType image/jpeg A2592000
  ExpiresByType image/png A2592000
  ExpiresByType text/cache-manifest "access plus 0 seconds"

</ifmodule>


#turn off X-PHP-Originating-Script header when sending emails from admin
#uncomment to activate:
# php_flag mail.add_x_header Off

.htaccess in admin/includes:

Code:

#
# @copyright Copyright 2003-2016 Zen Cart Development Team
# @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
# @version $Id: Author: DrByte  Thu Mar 3 13:00:42 2016 -0500 Modified in v1.6.0 $
#
# This is used with Apache WebServers
#
# The following blocks direct HTTP requests to all filetypes in this directory recursively, except certain approved exceptions
# It also prevents the ability of any scripts to run. No type of script, be it PHP, PERL or whatever, can normally be executed if ExecCGI is disabled.
# Will also prevent people from seeing what is in the dir. and any sub-directories
#
# For this to work, you must include either 'All' or at least: 'Limit' and 'Indexes' parameters to the AllowOverride configuration in your apache/conf/httpd.conf file.
# Additionally, if you want the added protection offered by the OPTIONS directive below, you'll need to add 'Options' to the AllowOverride list, if 'All' is not specified.
# Example:
#<Directory "/usr/local/apache/htdocs">
#  AllowOverride Limit Options Indexes
#</Directory>
###############################

# deny *everything*
<FilesMatch ".*">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</FilesMatch>

# but now allow just *certain* necessary files:
<FilesMatch "(?i).*\.(js|css|jpg|gif|png|otf|cur|map|eot|svg|ttf|woff2?)$">
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Allow from all
  </IfModule>
</FilesMatch>

IndexIgnore */*

[lat9]

It's your admin/includes/configure.php that is 'at issue':

Code:

/**
 * Enter the domain for your Admin URL. If you have SSL, enter the correct https address in the HTTP_SERVER setting, instead of just an http address.
 */
define('HTTP_SERVER', 'https://mysitesdomain.co.uk/');

Remove that unwanted / at the end of that definition.

[ventilator]

It's your admin/includes/configure.php that is 'at issue':

Code:

/**
 * Enter the domain for your Admin URL. If you have SSL, enter the correct https address in the HTTP_SERVER setting, instead of just an http address.
 */
define('HTTP_SERVER', 'https://mysitesdomain.co.uk/');

Remove that unwanted / at the end of that definition.

That did it! Thanks so much to all of you.

[dbltoe]

The .htaccess is allowing www access while the configs and SSL are set to non-www. I prefer 301s from a trusted generator that forces everything to match the SSL. In this case your SSL is without the www.

After making lat9's fix, if the site is still allowing www, try replacing the 301 in the store's .htaccess with the following:

Code:

# Needed before any rewriting

RewriteEngine On

### Built using the .htaccess 301 Redirect Generator from Web Site Advantage
### https://websiteadvantage.com.au/HtAccess-301-Redirect-Generator
### Place after 'RewriteEngine On' and before any CMS specific rewrite rules

# Redirect HTTP with www to HTTPS without www
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule .* https://%1%{REQUEST_URI} [R=301,L]
# Redirect HTTP without www to HTTPS without www
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Redirect HTTPS with www to HTTPS without www
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule .* https://%1%{REQUEST_URI} [R=301,L]

## 301 Redirects

Often times, accessing a site with info that does not match the SSL and configs will cause a failure.


Just checked the site again and it is still not removing the www.

[ventilator]

The .htaccess is allowing www access while the configs and SSL are set to non-www. I prefer 301s from a trusted generator that forces everything to match the SSL. In this case your SSL is without the www.

After making lat9's fix, if the site is still allowing www, try replacing the 301 in the store's .htaccess with the following:

Code:

# Needed before any rewriting

RewriteEngine On

### Built using the .htaccess 301 Redirect Generator from Web Site Advantage
### https://websiteadvantage.com.au/HtAccess-301-Redirect-Generator
### Place after 'RewriteEngine On' and before any CMS specific rewrite rules

# Redirect HTTP with www to HTTPS without www
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule .* https://%1%{REQUEST_URI} [R=301,L]
# Redirect HTTP without www to HTTPS without www
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Redirect HTTPS with www to HTTPS without www
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule .* https://%1%{REQUEST_URI} [R=301,L]

## 301 Redirects

Often times, accessing a site with info that does not match the SSL and configs will cause a failure.


Just checked the site again and it is still not removing the www.

Aha - yeah, a www vs non-www issue was still the case. I have tried your alternative 301 redirect in the root .htaccess, and it seems to work. Thank you...

[dbltoe]

You're welcome. I confirm as well.

As alluded to earlier in post 16, I normally jump in on these things as it's quite common to say "nothing changed" but the SSL getting renewed with or without the www needs to be matched in both configure.php files, in the 301 redirect, AND in any bookmarks you may have in your browser. We've seen it happen many times that a bookmark was set www and the site non-www which often denies access in the admin.

[ventilator]

You're welcome. I confirm as well.

As alluded to earlier in post 16, I normally jump in on these things as it's quite common to say "nothing changed" but the SSL getting renewed with or without the www needs to be matched in both configure.php files, in the 301 redirect, AND in any bookmarks you may have in your browser. We've seen it happen many times that a bookmark was set www and the site non-www which often denies access in the admin.

I guess anything SSL-related is often ignored in these 'nothing's changed' situations. I'm always dealing with the www v non-www issue in eg. Search Console, but tend to forget that it's a big factor in redirects and the like. Again, thanks all!

[mc12345678]

You're welcome. I confirm as well.

As alluded to earlier in post 16, I normally jump in on these things as it's quite common to say "nothing changed" but the SSL getting renewed with or without the www needs to be matched in both configure.php files, in the 301 redirect, AND in any bookmarks you may have in your browser. We've seen it happen many times that a bookmark was set www and the site non-www which often denies access in the admin.

Yeah, though I found you MIA, the message has been clear and seemed appropriate to pass along.. :) Glad to see you appear here.