"There was a security error when trying to login" - v1.3.8

[dannylex]

It has nothing to do with 644 or 444 on your configure.php files.

Whatever is causing it is preventing your visitors from being able to establish a PHP session. You can't even add anything to the cart and have it be remembered. That's a classic problem with sessions.

When did your hosting company upgrade to PHP 5.2.5? Maybe they busted this on you without knowing it.

I'm having the same problem that crisand, I'm not using a webhosting since i have control over the host myself, i think i have a problem with sessions too, but i have tried to stablish a php session between 2 pages for testing and it works fine, besides the admin works fine too.

Please I need your help urgent, i don't know what to do.

I have SSL in false, but i do have a certified installed.

[V_linck]

Atticus - does this describe the phenomenon:
"... for both customer and admin logins, only the very first attempt with correct data input is bringing up the message 'There was a security error while trying to login'. The password asterisks stay in place, and simply tapping return once more then gets you in to the store/admin with apparently full functionality."
Not sure why that happens, but it can be lived with if so ... (dscvry post above fr June 2008) - sweet if that's the issue.

I've been experiencing exactly the same problem as described above. I'm using a fresh installation of Zencart v1.38a, so all the security tokens are in place. The tutorial regarding this issue actually says to add
<?php echo zen_draw_hidden_field('securityToken', $_SESSION['securityToken']); ?>
after every occurence of the password field (zen_draw_password_field function). This is already present in
- /includes/templates/MY_TEMPLATE/templates/tpl_login_default.php and
- /includes/templates/MY_TEMPLATE/templates/tpl_timeout_default.php

My question is, where is it meant to go in /admin/login.php (see my code below)? There is no "zen_draw_password_field." I can only guess that the line <input type="hidden" name="securityToken" value="<?php echo $_SESSION['securityToken']; ?>"> is doing the same job. Is this correct?

I'm currently using my own customised template, and have made some cosmetic css alterations to the appearance of the admin login pages (see code plus jpg example below). Other addons that are installed include: About Us Page, Column Divider Pro, Column Layout Grid, CSS Menu, Flash Hacks, Newsletter Subscribe, Time Zone Offset and RFQ. The problem was also happening before AND after I had installed an SSL, and even after I've installed the latest security patch. I've read all the posts regarding this issue but none seem to really resolve this.

To me, it seems like a random occurence. It doesn't always happen but sometimes it even happens after I've just rebooted the computer or cleared the cache etc. I am able to get through past the login via the store front or admin after my second or third attempt and everything else seem to function without a problem thereafter. I've only come across this problem once in the store front when trying to log in as a customer. The message occurs more in the admin, maybe because I've been logging in to the admin section more than the store front.

I am happy to just ignore this occurence and simply just live with it as suggested, but I want to be sure that I am not ignoring a serious security issue that will come back to bite me later down the track after the store has gone live. I am actually just inclined to change the message from "There was a security error when trying to login" to a less menacing warning like "There was an error when trying to login" in order to prevent my client and the shop customers from panicking when seeing this message. At this point I am very hesitant to go live until this problem is completely resolved. So, if anyone has a solution, please, please share.

Code:

<?php
//
// +----------------------------------------------------------------------+
// |zen-cart Open Source E-commerce                                       |
// +----------------------------------------------------------------------+
// | Copyright (c) 2003 The zen-cart developers                           |
// |                                                                      |
// | http://www.zen-cart.com/index.php                                    |
// |                                                                      |
// | Portions Copyright (c) 2003 osCommerce                               |
// +----------------------------------------------------------------------+
// | This source file is subject to version 2.0 of the GPL license,       |
// | that is bundled with this package in the file LICENSE, and is        |
// | available through the world-wide-web at the following url:           |
// | http://www.zen-cart.com/license/2_0.txt.                             |
// | If you did not receive a copy of the zen-cart license and are unable |
// | to obtain it through the world-wide-web, please send a note to       |
// | [email protected] so we can mail you a copy immediately.          |
// +----------------------------------------------------------------------+
//  $Id: login.php 6522 2007-06-20 23:34:31Z wilt $
//

  require('includes/application_top.php');

  $message = false;
  if (isset($_POST['submit'])) {
    $admin_name = zen_db_prepare_input($_POST['admin_name']);
    $admin_pass = zen_db_prepare_input($_POST['admin_pass']);
    $sql = "select admin_id, admin_name, admin_pass from " . TABLE_ADMIN . " where admin_name = '" . zen_db_input($admin_name) . "'";
    $result = $db->Execute($sql);
    if ((!isset($_SESSION['securityToken']) || !isset($_POST['securityToken'])) || ($_SESSION['securityToken'] !== $_POST['securityToken'])) {
     $message = true;
      $pass_message = ERROR_SECURITY_ERROR;      
    }
    if (!($admin_name == $result->fields['admin_name'])) {
      $message = true;
      $pass_message = ERROR_WRONG_LOGIN;
    }
    if (!zen_validate_password($admin_pass, $result->fields['admin_pass'])) {
      $message = true;
      $pass_message = ERROR_WRONG_LOGIN;
    }
    if ($message == false) {
      $_SESSION['admin_id'] = $result->fields['admin_id'];
      if (SESSION_RECREATE == 'True') {
        zen_session_recreate();
      }
      zen_redirect(zen_href_link(FILENAME_DEFAULT, '', 'SSL'));
    }
  }
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" <?php echo HTML_PARAMS; ?>>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo CHARSET; ?>">
<title><?php echo TITLE; ?></title>
<link href="includes/stylesheet.css" rel="stylesheet" type="text/css" />
</head>
<body id="login" onload="document.getElementById('admin_name').focus()">
<form name="login" action="<?php echo zen_href_link(FILENAME_LOGIN, '', 'SSL'); ?>" method = "POST">
  <fieldset>
    <!--<legend><?php echo HEADING_TITLE; ?></legend>-->
    <span class="loginMessage"><?php echo $pass_message; ?></span>
     <br /><br /> 
    <label class="loginLabel" for="admin_name"><?php echo TEXT_ADMIN_NAME; ?></label>
<input style="float: left" type="text" id="admin_name" name="admin_name" value="<?php echo zen_output_string($admin_name); ?>" />
<br class="clearBoth" />
    <label  class="loginLabel" for="admin_pass"><?php echo TEXT_ADMIN_PASS; ?></label>
<input style="float: left" type="password" id="admin_pass" name="admin_pass" value="<?php echo zen_output_string($admin_pass); ?>" />
<br class="clearBoth" />

    <input type="hidden" name="securityToken" value="<?php echo $_SESSION['securityToken']; ?>">
    <input type="submit" name="submit" class="button" value="Login" />
    
 <br /><br />   
    
    <?php echo '<a class="resend_password" href="' . zen_href_link(FILENAME_PASSWORD_FORGOTTEN, '', 'SSL') . '">' . TEXT_PASSWORD_FORGOTTEN . '</a>'; ?>
<br />
<br />
<br />

<!--<?php /*?>    <span class="loginMessage"><?php echo $pass_message; ?></span><?php */?>-->
  </fieldset>
</form>
</body>
</html>
<?php require('includes/application_bottom.php'); ?>

[lcarlo1507]

I installed the puple lily zencart. I upgraded to 1.3 8a. What i didn't realize the purple lily was 1.37 but i really love the site.

I get a security error for customers to log in. I read some of the help but I';m still confused where to find the file to merge and how to merge it.

Please help

[peacefuldaze]

I struggled with this same error message for hours last night when i upgraded to 1.3.8a and i've pulled out all my hair. luckily i number every strand so they're easily replaced in just such an emergency. i beleive i've discovered one very simple error that drove me nuts and will hopefully prevent this with someone else.

basically, when you update both configure.php files on the admin and store sides, you need to actually make sure they updated. when i do any updates, i use a FTP program or the CP file manager to upload my updated files. happens no matterhow i make the update.

i know the following is basic programming, but sometimes we need a reminder.
when you want to update these configure.php files, the first thing you must do is to change the permissions of each file to 644, and not 444. the 6 allows you to rewrite, or overwrite the file. if you do not do this and attempt to overwrite the original file, it will not overwrite, even though it looks like it did. nothing will actually be rewritten and the original error causing file still exists. permissions must be set to 644 to make changes.

basically, i thought i was updating the files in reality the system was blocking this.
i found this out using the CP file manager. I wanted to update the configure.php on the admin side and had to change the ENABLE SSL from "false" to "true". i did not change the permissions at first and only used the EDIT FILE link. i edited the file from false to true and then saved it thinking hte update had been made. no such luck.

when i tried to log into an account on the website, same error again. when i went back to the file manager to edit the same file i just edited, it still showed "false", like i made no update at all.

that's when i realised the permissions were preventing any update. before you edit the file using CP file manager, or an FTP client, change the persmissions of the configure.php file to 644 and save. then open and edit the file, make your changes, then save the file. then edit persmissions again back to 444 (if you don't set it back to 444, you'll get another error message at the top of your home page saying you're vulnerable, simply set back to 444 and it will be solved).

now try it and see if this solved it. i tried for hours never realising that my updates were never being accepted. same with an FTP program. chaneg the permissions first, then you can overwrite the file, then change the permissions back to 444.
hope this helps someone else out there.

i know this is obvious to many of you, but i spent hours trying to solve the problem and read every single post about this problem and this is what solved it for me. maybe it'll save someone a few hair follicles.

i believe its only the configure.php files that require you to change the permissions. other filed do not need as they are not critical and security related.
peace,
jbrird

[Ajeh]

Thanks for posting the problem and solution to this issue ...

You would be amazed how many people do not see that the configure.php file on the server is not actually getting updated via FTP due to the permissions being set at 444 ...

Setting the permissions to 644 or deleting the file on the server and then uploading the new file is the solution as you have noted ...

Thanks for posting your upgrade nightmare ...

NOTE: and yes ... have done it myself more times than I care to count ... fortunately after the first dozen times I am faster now at catching this one ...

[V_linck]

Unfortunately, this still doesn't solve my issue as my version of zen cart was a fresh install of v1.38a. My file permissions for both my config files were set to 644 so there were no problems there. I have just experienced the second occurrence of the error in the shop front whilst logging in as a customer. I have provided a screen shot. Again I was able to login without further problems after I hit the login button a second time.

[V_linck]

I meant to add that I will reset the file permissions back to 444 as suggested so I hope this solves my problem too. Thanks

[golfador]

After no upgrades or any site tweaking I started getting this error. It started last night. What would cause this to just happen?

[V_linck]

Just an update with my security error during login ... I'm still getting the error message both in admin and when I login as a customer. This was after I set the permissions back to 444 for the config files. If anyone has any other ideas, please let me know. Thanks.

[xshaanx]

ok i know lot people was asking for same god dam help.. even i myself ask for help.. here and all the help i got from here it did not work for me.

but i made it to work.. n trust me it waorks like charm.........


for people who has install difarent templates all u have to do is .. go back template_default/templates

copy this 2 file tpl_login and tpl_logoff overright to your new templates.. that's all and trust me it'll work..
let me know...