I agree with you, @carlwhat. I'm wondering if it's our (not) friend ... the samesite cookie attribute.
great minds think alike....
ventilator, you can try adding these lines into your admin/includes/init_includes/init_sessions.php file:
https://github.com/zencart/zencart/b...ns.php#L25-L39
i will reproduce them here as well:
PHP Code:
    // Use the store's COOKIE_SAMESITE setting if it is defined; unrecognised values fall back to 'lax'.
    $samesite = (defined('COOKIE_SAMESITE')) ? COOKIE_SAMESITE : 'lax';
    if (!in_array($samesite, ['lax', 'strict', 'none'])) $samesite = 'lax';
    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+ accepts an options array that includes 'samesite'.
        session_set_cookie_params([
            'lifetime' => 0,
            'path' => $path,
            'domain' => (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''),
            'secure' => $secureFlag,
            'httponly' => true,
            'samesite' => $samesite,
        ]);
    } else {
        // Older PHP has no samesite parameter, so the attribute is appended to the path value.
        session_set_cookie_params(0, $path .'; samesite='.$samesite, (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''), $secureFlag, true);
    }
best.
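Added example, not part of the original post or of Zen Cart's code: a Python check of the attributes the snippet above sets (domain, secure, samesite) against the URL the admin login page is served from, listing the cases where a browser discards or withholds the session cookie. The cookie name `sid`, the `example.com` hosts and both header strings are constructed.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Return (cookie name, {lower-cased attribute: value}) for one Set-Cookie value."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0], attrs

def audit_session_cookie(header, page_url):
    """List the reasons a browser would discard or withhold this cookie on page_url."""
    url = urlsplit(page_url)
    host = (url.hostname or "").lower()
    _, attrs = parse_set_cookie(header)
    problems = []
    if "secure" in attrs and url.scheme != "https":
        problems.append("Secure cookie, but the page is served over http://")
    if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
        problems.append("SameSite=None without Secure")
    # Domain must equal the host or be a parent of it (a leading dot is ignored).
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and host != domain and not host.endswith("." + domain):
        problems.append(f"Domain={domain} does not match host {host}")
    return problems

# Constructed sample headers (hypothetical cookie name and hosts).
MODERN = "sid=abc; path=/admin/; domain=.www.example.com; secure; HttpOnly; SameSite=lax"
# Shape produced when samesite is appended to the path value on older PHP.
LEGACY = "sid=abc; path=/admin/; samesite=lax; domain=.www.example.com; secure; HttpOnly"

if __name__ == "__main__":
    for page in ("https://www.example.com/admin/", "https://example.com/admin/",
                 "http://www.example.com/admin/"):
        print(page, audit_session_cookie(MODERN, page) or "ok")
    # Both forms carry the same attributes once parsed.
    print(parse_set_cookie(LEGACY) == parse_set_cookie(MODERN))
```

To use it on a real store, paste the `Set-Cookie` response header shown in the browser's developer tools for the admin login page in place of the sample string.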
samesite cookie should have nothing to do with logging into the Admin and starting a session. There's no cross-site or moving-between-site activity happening there. At least not in an authentic store.
Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
(Just getting back into attempting to enable admin access again!)
I did try adding those lines to admin/includes/init_includes/init_sessions.php, but have seen no change.
Unfortunately, I can't seem to get error reporting to work via enabling it in admin/includes/application_top.php as I did before (any tips re that gratefully received!) so I haven't been able to establish if the init_sessions.php change has made any difference...
...so do you have any ideas how I might go about pinning this down? I'm happy to do a complete overwrite of site files from same version (perhaps just in /admin?) if anyone thinks there would be mileage in doing so?
Also wondering if .htaccess might be a factor? Just an idea. Is there a good guide out there as to how ZC .htaccess files should look? (Across the site - root, admin folder or wherever?)
Surprised that another zenner hadn't popped in to provide this, but carrying another message forwards that hasn't been discussed here.
SSL... The HTTP_SERVER value, if the site is full SSL enabled, should contain the domain name that is also in the SSL certificate. This means that if the SSL certificate is for www . domain . com then the value of HTTP_SERVER should include the www. prefix. If that certificate is specific for domain . com and doesn't include the www . prefix then don't include it...
What does all that mean? Well, first are you using and/or expecting the site to use: https:// on all pages. If so, in the admin/includes/configure.php what are the values of the lines for: ENABLE_SSL_CATALOG, and at least the protocol and presence/absence of the www prefix for HTTP_SERVER, HTTP_CATALOG_SERVER and HTTPS_CATALOG_SERVER.
As far as another admin directory, sure, could load a clean admin directory to a folder not named admin and not your current admin directory. That folder should be of the same version as your current store (or include improvements from future versions as applicable). The admin/includes/configure.php file should be populated basically with what you already have in your existing admin directory (or should as close as possible mirror the format of: admin/includes/dist-configure.php but contain your store's information). Note that there may be some other aspects of the admin that will not look the same as this new admin is missing files from your other admin. Suggestion would be, if access is restored that as little is modified as necessary within this new admin until it is updated to include "needed" files from the other admin or the other admin corrected and this admin is made unnecessary (removed).
ZC Installation/Maintenance Support <- Site
Contribution for contributions welcome...
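Added example (not from the post above or from Zen Cart): a Python check of the settings named in that post for a store meant to be https on every page, comparing protocol, www prefix and certificate coverage. The sample configure.php text, the `example.com` hosts and the certificate name list are constructed; treating 'true' as the enabled value of ENABLE_SSL_CATALOG and requiring https:// on all three URLs are assumptions.

```python
import re
from urllib.parse import urlsplit

DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")
URL_KEYS = ("HTTP_SERVER", "HTTP_CATALOG_SERVER", "HTTPS_CATALOG_SERVER")

# Constructed sample of the relevant lines from admin/includes/configure.php.
SAMPLE = """
define('HTTP_SERVER', 'https://example.com');
define('HTTP_CATALOG_SERVER', 'http://www.example.com');
define('HTTPS_CATALOG_SERVER', 'https://www.example.com');
define('ENABLE_SSL_CATALOG', 'true');
"""

def parse_defines(php_text):
    """Collect define('NAME', 'value') pairs from configure.php text."""
    return dict(DEFINE_RE.findall(php_text))

def cert_covers(host, cert_names):
    """True if host equals a certificate name or fits a one-label wildcard."""
    for name in cert_names:
        if name.startswith("*."):
            if "." in host and host.split(".", 1)[1] == name[2:]:
                return True
        elif host == name:
            return True
    return False

def check_full_ssl(php_text, cert_names):
    """Return findings for a store that should be https on all pages."""
    cfg, findings, hosts = parse_defines(php_text), [], set()
    for key in URL_KEYS:
        if key not in cfg:
            findings.append(f"{key}: not defined")
            continue
        url = urlsplit(cfg[key])
        host = (url.hostname or "").lower()
        hosts.add(host)
        if url.scheme != "https":
            findings.append(f"{key}: uses {url.scheme or 'no scheme'}://, expected https://")
        if not cert_covers(host, cert_names):
            findings.append(f"{key}: {host} is not named in the certificate")
    if len(hosts) > 1:
        findings.append("hostnames differ: " + ", ".join(sorted(hosts)))
    if cfg.get("ENABLE_SSL_CATALOG") != "true":  # assumed enabled value
        findings.append("ENABLE_SSL_CATALOG is not 'true'")
    return findings

if __name__ == "__main__":
    print("\n".join(check_full_ssl(SAMPLE, ["www.example.com"])) or "ok")
```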
I hadn't thought of doing this. Think I'll try it when I have time, though in all likelihood I would remove the original admin directory if I can get the fresh one working. So I'd take the admin files from a freshly downloaded copy of the same version install files, and simply ensure that admin/includes/configure.php is set the same as my current one?
Thanks, for now, for all your help - and that of the other Zenners! I'll report when I've tried this, and see where we're at at that point.
Nope - fresh admin directory didn't help, I'm afraid. Still fails either to log in or give an error message of failed login...
IF your site is Joseph Harley Flowers, it is not secure and you have some problems with your configure.php files as trying to force https causes the template to disappear.
You mentioned the .htaccess file. There is not one in the root of an initial install UNLESS cpanel adds it to establish your site's PHP level. Sometimes a 301 redirect is added later in the process.
I would attach both configure.php files and the root's .htaccess here using the # (button on the button bar) to show them. Be sure to remove admin directory names and DB access info. I bet we find something in one of those.