Architecture / Installation


Login error/refusal TW1.9.5

posts: 40

After installing TikiWiki 1.9.5, there were some problems with the different options and logging in, just like there were some problems with TW1.9.2. in this perspective.

For example:

  • You must be sure that your email is working, only then apply for an email confirmation. Otherwise there was no way anymore to get in as admin, and had to reinstall.

  • In 1.9.5, I could not get email confirmation working TOGETHER WITH ADMIN VALIDATION; it was either one of the options. So now, new registered users get a confirmation Email, which they have to click and then they're "registered" with "registered" rights. Nice to have their email confirmed and to know who is on the other side (at least to have a working email of that person). But then I had to take all rights away from "registered" users, so they only have the same rights as "anonymous". Later I can upgrade them to "editor", "admin", or make a new category "approved(registered)" members. Yes, it's a bit too much, but this is because the two options didn't work together (email confirm + admin validation);

  • When applying for more security on logging in that one not only has to fill in username + password, but also his/hers Email; that didn't work! Yes: it asks for one's email address on logging in, but gives an error message if you give your TW-stored email address.


Luckily, no problems logging in, because if you just didn't give any email address (while it is asking for), you're just logged in!


BUT TODAY I CAN'T LOGIN ANYMORE; HAVING THE SAME BASIC INSTALL PROBLEMS FOR A YEAR NOW & NOT GETTING FURTHER!


I don't know why.
With "admin" or with another registered name with admin rights, it just returns: wrong username/password.
BUT THIS IS A TIKIWIKI ERROR
I can ask for my password and get it through my external email. It's just the one I gave and can't login with the usernames and passwords that TW has.
Exactly this is the message:
"https://.../.../tw/tiki-error.php?error=Invalid+username+or+password
Error
Invalid username or password
Go back
Return to home page"


And yes, something else changed since yesterday:

I just was looking at different layouts and finally changed it to the tiki layout with a transparent worldmap on the background.
(see link to my TW-site below for example)
AFTER I changed to that map, strange enough it didn't give that additional email login request field anymore.
Not that big problem, I supposed.
But today, this new login doesn't work.

I also made some minor changes for security reason, before that.
They don't seem connected, but I give you the details to be sure.
See Tiki under attack: http://tikiwiki.org/tiki-read_article.php?articleId=136#comments
My comment is the 5th one (newest first).
As you can see, I ONLY deleted jhot.php and renamed -htaccess in .htaccess
For the rest nothing; the rest was researching and questioning.

I hope someone can help me out with this info!
Already for a year I'm installing TikiWiki over and over (maybe 10 times now) to get it working again, after these kinds of errors.
Of course I can install again, but THAT DOESN'T RESOLVE THE CAUSE of the error and I will lose some work that is on this site now:
My TikiWiki 1.9.5 site

1) So what is the cause of the problem?

2) And how can I get into my TW again?

3) And then repairing the cause of the different login problems?


Thanks in advance, Marco

P.S.:
Also see two other (earlier) forum threads;
a) another error with sending webmail
b) about pros & cons upgrading to PHP 5 server

posts: 3660 United States

> After installing TikiWiki 1.9.5, there were some problems with the different options and logging in, just like there were some problems with TW1.9.2. in this perspective.
>
> For example:
>
> * You must be sure that your email is working, only then apply for an email confirmation. Otherwise there was no way anymore to get in as admin, and had to reinstall.

After the initial install, you should login as:
username = admin
password = admin

Tiki then prompts you to select a new password. There is no email confirmation required for the admin login.

>
> * In 1.9.5, I could not get email confirmation working TOGETHER WITH ADMIN VALIDATION; it was either one of the options. So now, new registered users get a confirmation Email, which they have to click and then they're "registered" with "registered" rights. Nice to have their email confirmed and to know who is on the other side (at least to have a working email of that person). But then I had to take all rights away from "registered" users, so they only have the same rights as "anonymous". Later I can upgrade them to "editor", "admin", or make a new category "approved(registered)" members. Yes, it's a bit too much, but this is because the two options didn't work together (email confirm + admin validation);
>

It is one or the other — but not both.

  • If you use "Email Confirmation", then admin does not need to validate the user. Users will receive an email confirmation and, upon clicking the link, become REGISTERED users.
  • If you use "Admin Validation", then you — the admin — must manually validate each new user. To receive notification, you must have the Tiki messaging turned on (as noted in the General Admin page).



> * When applying for more security on logging in that one not only has to fill in username + password, but also his/hers Email; that didn't work! Yes: it asks for one's email address on logging in, but gives an error message if you give your TW-stored email address.
>
> Luckily, no problems logging in, because if you just didn't give any email address (while it is asking for), you're just logged in!
>
>
> BUT TODAY I CAN'T LOGIN ANYMORE; HAVING THE SAME BASIC INSTALL PROBLEMS FOR A YEAR NOW & NOT GETTING FURTHER!
>
>
> I don't know why.
> With "admin" or with another registered name with admin rights, it just returns: wrong username/password.
> BUT THIS IS A TIKIWIKI ERROR
> I can ask for my password and get it through my external email. It's just the one I gave and can't login with the usernames and passwords that TW has.
> Exactly this is the message:
> "https://.../.../tw/tiki-error.php?error=Invalid+username+or+password
> Error
> Invalid username or password
> Go back
> Return to home page"
>
>
> And yes, something else changed since yesterday:
>
> I just was looking at different layouts and finally changed it to the tiki layout with a transparent worldmap on the background.
> (see link to my TW-site below for example)
> AFTER I changed to that map, strange enough it didn't give that additional email login request field anymore.
> Not that big problem, I supposed.
> But today, this new login doesn't work.
>
> I also made some minor changes for security reason, before that.
> They don't seem connected, but I give you the details to be sure.
> See Tiki under attack: http://tikiwiki.org/tiki-read_article.php?articleId=136#comments
> My comment is the 5th one (newest first).
> As you can see, I ONLY deleted jhot.php and renamed -htaccess in .htaccess
> For the rest nothing; the rest was researching and questioning.
>
> I hope someone can help me out with this info!
> Already for a year I'm installing TikiWiki over and over (maybe 10 times now) to get it working again, after these kinds of errors.
> Of course I can install again, but THAT DOESN'T RESOLVE THE CAUSE of the error and I will lose some work that is on this site now:
> My TikiWiki 1.9.5 site
>
> 1) So what is the cause of the problem?
>
> 2) And how can I get into my TW again?
>
> 3) And then repairing the cause of the different login problems?
>
>
> Thanks in advance, Marco
>
> P.S.:
> Also see two other (earlier) forum threads;
> a) another error with sending webmail
> b) about pros & cons upgrading to PHP 5 server
>

posts: 40

Thanks Rick,

...
> After the initial install, you should login as:
> username = admin
> password = admin
> Tiki then prompts you to select a new password. There is no email confirmation required for the admin login.

Yes, that's clear and history as you might know (you've been on my site, but might not have made the connection to this posting!).
But then I selected an option somewhere to also have 'email confirmation' (it might be another term/word).
So I got an extra field on logging in, now requesting also to fill in your email account (that TW has stored).
But it never worked; when giving that account, it refused entrance. When just leaving that field blank (for admin or another user), yes, one could enter!
The problem now is that -after I changed to a new layout (CSS or so?) with a transparent map of the earth, this option -that extra email field- disappeared.
Not that big problem, but when trying to log-in again today, it refuses. Asking for the password by email, returns the same old password & username, but using them, won't log-in anymore.

So maybe a quick solution to start with?

I perhaps can extract all the files in another folder, because I have the TikiWiki1.9.5 Zip on my BlueHost server.
Then replace some file (to enter/memberships/etc?, or just the CSS change?), renaming the old one and look what happens?

Which file(s)? Or just edit a file, what file and what line nrs? (just for reference; I have no line nrs on my editor)

...
> It is one or the other — but not both.
> *If you use "Email Confirmation", then admin does not need to validate the user. Users will receive an email confirmation and, upon clicking the link, become REGISTERED users.
> *If you use "Admin Validation", then you — the admin — must manually validate each new user. To receive notification, you must have the Tiki messaging turned on (as noted in the General Admin page).

Yes, I understood, that's the way it seems to work in the current version (-pity!).
The email confirmation is for me important, to know if someone's email isn't false.
But I don't want to have new signed-up members to upgrade their permissions themselves in that way.
So I had to change the permissions for "registered" back to the same as "anonymous".
(& then make a new category like "approved(registered)" )

I repeat the comprehensive points:
1) So what is the cause of the problem?
2) And how can I get into my TW again?
3) And then repairing the cause of the different login problems?

Thanks, Marco
My TikiWiki site (-just the same password!)

posts: 40

I'm getting stronger in my suspicions that the change to the "Geo" CSS layout, is causing the login refusal problems.

Actually, I found a specific file about logging in, in the Geo dir:
/templates/styles/geo/modules/mod-login_box.tpl

posts: 40
error message, removed
posts: 4644 Japan

> O.K. guys & girls,
>
> That was it, just removed(renamed) that 'stupid' file above and what happened..?
>
> Instead of TikiWiki freaking out completely, I CAN LOG-IN AGAIN!
>
> I get the old login screen back (still with Geo layout), INCLUDING that EMAIL FIELD that is not working

This is the normal behavior. Some themes have their own versions of the default Tiki templates and the program checks for any theme-specific versions to use before using the default versions. The Geo theme has its own version of the log-in module template; but apparently it wasn't updated to include the email field. That's why it didn't display the field when you switched to the Geo theme. When you deleted/renamed the file, Tiki used the standard log-in template instead, which is why the email field came back.

> However, as long as I don't fill in any email there, LOGIN WORKS AGAIN!
>
> So was this file placed there erroneously, or is this part of another error?
> Should I leave it that way, that files deleted/renamed?

If it works, sure.

> Now the question remains why I have that strange email field that is not working?
> Any idea?

I don't use anything but the standard Tiki login, but I suppose that email field is buggy. (I see in the templates/mod-login_box.tpl file "quick hack to make challenge/response work until 1.8 tiki auth overhaul" which doesn't really inspire maximum confidence.) Tiki is a huge program and some features have bugs, etc. Users who come across something that doesn't seem to work right should confirm that it is in fact a bug and not simply a configuration error or other installation-specific thing, and then file a bug report. In the meantime, turn off the feature that's busted, i.e., uncheck "Use challenge/response authentication" on Administration : Login.

-- Gary

posts: 40

> > That was it, just removed(renamed) that 'stupid' file above and what happened..?
> > Instead of TikiWiki freaking out completely, I CAN LOG-IN AGAIN!
> > I get the old login screen back (still with Geo layout), INCLUDING that EMAIL FIELD that is not working
>
> This is the normal behavior. Some themes have their own versions of the default Tiki templates and the program checks for any theme-specific versions to use before using the default versions. The Geo theme has its own version of the log-in module template; but apparently it wasn't updated to include the email field. That's why it didn't display the field when you switched to the Geo theme. When you deleted/renamed the file, Tiki used the standard log-in template instead, which is why the email field came back.
>
> > However, as long as I don't fill in any email there, LOGIN WORKS AGAIN!
> > So was this file placed there erroneously, or is this part of another error?
> > Should I leave it that way, that files deleted/renamed?
> If it works, sure.
>
> > Now the question remains why I have that strange email field that is not working?
> > Any idea?
> I don't use anything but the standard Tiki login, but I suppose that email field is buggy. (I see in the templates/mod-login_box.tpl file "quick hack to make challenge/response work until 1.8 tiki auth overhaul" which doesn't really inspire maximum confidence.) Tiki is a huge program and some features have bugs, etc. Users who come across something that doesn't seem to work right should confirm that it is in fact a bug and not simply a configuration error or other installation-specific thing, and then file a bug report. In the meantime, turn off the feature that's busted, i.e., uncheck "Use challenge/response authentication" on Administration : Login.

Thanks Gary,

I know almost for sure the extra email field on *logging-in* (that is not working), is a bug (less likely a corrupted file).
As well as for that program on the Geo dir.
But I don't know where to report it (except on this forum); don't know the technical language to report either, etc.?

Meanwhile, it's not that important, because it's only meant as an extra security.
Isn't it possible to have another security to combat hackers, trying to break passwords?
See: login E107 program test
"Please enter text in image"; thought with TW it's only possible on registering, not on logging-in?


posts: 4644 Japan

> ...
> But I don't know where to report it (except on this forum); don't know the technical language to report either, etc.?

Bringing it to people's attention here in the forums is a good start. ;-)

> Meanwhile, it's not that important, because it's only meant as an extra security.
> Isn't it possible to have another security to combat hackers, trying to break passwords?

I suspect there are other parts of Tiki (and most web programs) that are more susceptible to vulnerabilities than the login form.

> See: login E107 program test
> "Please enter text in image"; thought with TW it's only possible on registering, not on logging-in?

Because when registering, any username and password can be entered; there's no "right" username/password needed for a new registration. In this situation, "Please enter text in image" (aka CAPTCHA) is a way to prevent scripts, spambots, etc. — that is, nonhuman agents — from registering (or from posting comments, if anonymous posting is allowed) at the site.

But to log in as a registered user, there is a "right" set of information that must be entered. This makes the "text in image" redundant or at best only useful in the case of a scripted brute force attempt. Apparently these haven't been a problem for Tiki login security.

-- Gary

posts: 40

..
> Because when registering, any username and password can be entered; there's no "right" username/password needed for a new registration. In this situation, "Please enter text in image" (aka CAPTCHA) is a way to prevent scripts, spambots, etc. — that is, nonhuman agents — from registering (or from posting comments, if anonymous posting is allowed) at the site.
>
> But to log in as a registered user, there is a "right" set of information that must be entered. This makes the "text in image" redundant or at best only useful in the case of a scripted brute force attempt. Apparently these haven't been a problem for Tiki login security.

I understand the chosen path!

But it doesn't protect that much for hackers who use programs to crack passwords.
I can make a very complex password if I want and that will take them a lot of time.

But what about other people I give admin and editors rights?
I can't check how they protect their passwords, or how simple or complicated, or they keep their PC free of spyware, or they use that same or similar password on other places, and so on.

Yes: I opted for minimal 8 characters and numbers and letters to be used in the password.
But even then, someone can make it simple to crack.
A simple method is making it impossible for hacker software to check many different possible password combinations.
Also the CAPTCHA registration image is simple; if one compares it to Yahoo and others.
Why would they make it more complex? Probably there is software to crack simple CAPTCHA images?

Anyway, to get more security lacking the CAPTCHA images on every log-in, I opted for having to enter one's email address every time.
But that also doesn't work (bug). Actually I prefer CAPTCHA for logging in, instead of Email address, because mostly an email address can be retrieved easily.

posts: 4644 Japan

> ..
>
>
> But it doesn't protect that much for hackers who use programs to crack passwords.
> I can make a very complex password if I want and that will take them a lot of time.
>
> But what about other people I give admin and editors rights?
> I can't check how they protect their passwords, or how simple or complicated, or they keep their PC free of spyware, or they use that same or similar password on other places, and so on.

I assume you are giving admin or editor rights to people that you trust and have a working relationship with. This would include, I think, letting them know your concerns about password strength and spyware on their computers, etc. and getting some agreement and cooperation from them on those things.

>
> Yes: I opted for minimal 8 characters and numbers and letters to be used in the password.
> But even then, someone can make it simple to crack.
> A simple method is making it impossible for hacker software to check many different possible password combinations.

There are very, very many combinations of 8 characters. I don't know who'd be motivated to use a brute force attempt on your Tiki, but it seems rather unlikely they'd try or succeed. If you monitor your visitor logs you can start banning IPs when many failed log-in attempts are made.

> Also the CAPTCHA registration image is simple; if one compares it to Yahoo and others.
> Why would they make it more complex? Probably there is software to crack simple CAPTCHA images?

Yes, Tiki's is comparatively easy to get around with OCR but again CAPTCHA is not anti-hacker or -script kiddie, it's anti-bot/spider.

> But that also doesn't work (bug). Actually I prefer CAPTCHA for logging in, instead of Email address, because mostly an email address can be retrieved easily.

All CAPTCHA does is make sure a human is visiting the site (or a good OCR tool is) to recognize the characters. It isn't an authentication method since the required input information is public, albeit contorted visually.

-- Gary
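
The log monitoring suggested in the reply above, sketched as an added example (not part of the original posts and not Tiki code). It assumes an Apache-style access log in chronological order and that each failed login shows up as a request for the `tiki-error.php?error=Invalid+username+or+password` URL quoted earlier in the thread; the log lines, IP addresses, date and thresholds are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Apache common/combined log prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
FAILED_LOGIN_ERROR = "Invalid username or password"  # error text quoted in the thread


def failed_login_events(lines):
    """Yield (ip, time) for each request that lands on the failed-login error page."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m["target"])
        if not url.path.endswith("/tiki-error.php"):
            continue
        # parse_qs decodes "+" and %xx, so differently encoded variants still match.
        if FAILED_LOGIN_ERROR not in parse_qs(url.query).get("error", []):
            continue
        yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")


def ips_to_ban(lines, threshold=5, window=timedelta(minutes=10)):
    """Return sorted IPs with at least `threshold` failures inside a sliding window."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    flagged = set()
    for ip, ts in failed_login_events(lines):
        times = recent[ip]
        times.append(ts)
        while ts - times[0] > window:
            times.popleft()  # forget failures older than the window
        if len(times) >= threshold:
            flagged.add(ip)
    return sorted(flagged)


def _line(ip, hhmmss, target):
    # Constructed sample line; the date and response size are arbitrary.
    return f'{ip} - - [12/Nov/2006:{hhmmss} +0000] "GET {target} HTTP/1.1" 200 512'


ERR = "/tw/tiki-error.php?error=Invalid+username+or+password"
SAMPLE_LOG = (
    # six failures in one minute: scripted guessing
    [_line("203.0.113.7", f"10:00:{s:02d}", ERR) for s in range(0, 60, 10)]
    # five failures spread over five hours: a forgetful user, not a burst
    + [_line("192.0.2.50", f"{h:02d}:15:00", ERR) for h in range(11, 16)]
    # ordinary page view and an unrelated (constructed) error message
    + [_line("198.51.100.20", "16:00:00", "/tw/tiki-index.php"),
       _line("198.51.100.20", "16:00:05", "/tw/tiki-error.php?error=Permission+denied")]
)

if __name__ == "__main__":
    print(ips_to_ban(SAMPLE_LOG))
```

The sliding window is what separates a burst of guesses from a user who mistypes a password a few times a day; a plain per-IP total would flag both.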


posts: 40

One error is remaining:
Members mustn't enter their email, because then login is refused.
But when omitting one's stocked email account, login works.
I'll change this back to NO additional email field on logging-in.
It's called "Use challenge/response authentication:" -> doesn't work for 1.9.5 !!!
And it's the same error for "Geo" or standard "tiki" layout.
Actually for challenge/response, I'm more interested in the graphic CAPTCHA code!
So when someone works on this error, why no changing it?

OTHER ERROR I FORGOT:
Require secure (https) log-in is NOT working.
(either with, or without "allow secure (https) login")
BUT I found the cause of it; on this option it only wants to go to:
https://tiki-login.php , so forgetting my website address!
This is NOT the case if I select ALWAYS https, then it automatically knows my website address!
And it doesn't matter if I select/tick only "require" secure login, or together with "allow".
(this error also is the same for Geo and standard Tiki layout)
HOW CAN THIS BE? + how resolve this?

posts: 9309 Germany
I'll have a look at it.

posts: 40

More details:

TikiWiki knows automatically where my https server is and what subdirs come with it.
https://clearxs2.info/tw/tiki-admin.php
gets:
https://tw.cxs2.info/~clearxst/tw/tiki-admin.php?page=login

But apparently it doesn't know when logging in through the equivalent http address:
http://clearxs2.info/tw/tiki-admin.php
gets:
https://tiki-admin.php

So then I have to fill in these fields in some way?:
HTTP server name:
HTTP port: 80
HTTP URL prefix:
HTTPS server name:
HTTPS port: 443
HTTPS URL prefix: /
What way?
& why this isn't automatically, while the first example just works fine?

Thanks!

posts: 40

(Not the slightest idea why my reply could come somewhere in the middle of the thread??! So again:)

Filled in the missing part:
HTTPS server name: tw.cxs2.info/~clearxst/tw (without the last "/")
YES, it works!
But now a NEW ERROR:

I.E. gives the proper HTTPS address, when logging in through http:
http://tw.cxs2.info, becomes:
http://tw.cxs2.info/tiki-index.php
I.E. says in leftcorner below logs in through:
https://tw.cxs2.info/~clearxst/tw/tiki-login.php
That's O.K. now, but returns (over & over) with:

"The webpage cannot be found"
It's then still is on:
https://tw.cxs2.info/~clearxst/tw/tiki-login.php

Typing afterwards:
http://tw.cxs2.info/tiki-index.php
AND I'M LOGGED IN! (I'm sure I logged out; did this over & over)

So it works, BUT...
New error, TW doesn't know how to go from tiki-login to tiki-index anymore.
How to resolve that?

posts: 40

RESOLVED:

Server name (for absolute URIs): was http://clearxs.info

I just took it away completely.
Then the former strange error disappeared

Only I get a strange double "/"; no idea why that is, but it works:
http://tw.cxs2.info//tiki-admin.php

Going back to that server name; it automatically had filled in:
tw.cxs2.info

then took away the http as well as https "/" prefix somewhere else.

Still getting this:
http://tw.cxs2.info//tiki-index.php
(the double // )

posts: 40

Yes: the problem with the double "/" is because TikiWiki doesn't accept that I remove this.
Every time on removing the "/" prefixes (and having checked they're removed indeed), TW puts them back again in the fields where I had removed them, every time when I log in!

It works, but it's not how it belongs to be with "//"...

=====

Other non-mentioned problem remaining:

Often I have to use the refresh button when using TikiWiki; the first time it often doesn't get to the page and I have to refresh to do it well.
When altering data, I always have to check if the data is changed indeed; often it is NOT, so I have to change it a second time.
(& of course for the double "/", I had checked they were indeed removed)

Why? -solution?

posts: 40

The "//", then "///", and probably even more... But after "///"; TikiWiki starts having some problems...
Seems to be a severe problem, as I spend another day on what it looks like:
All possible combinations in "General" and "Login".
It happens on secure log-in: When it goes back from https to http; Oops, there it is! "//".
Logging out and in again, and we get "///".

PLEASE READ: "inmedi.eu" for the former "tw.cxs2.info", as I have pointed a new domain to the /tw dir


GENERAL:
Use URI as Home Page: NOT ticked - http://inmedi.eu
Server name (for absolute URIs): http://inmedi.eu
HTTPS Server: Automatic (uses HTTPS variable)
LOGIN:
HTTP server name: inmedi.eu
HTTP URL prefix: / (if I change that, TikiWiki restores it back, so I suspect that erroneously the "/" is in another part of TW also?)
HTTPS server name: inmedi.eu/
HTTPS URL prefix: ~clearxst/tw/


For the HTTPS I HAVE TO INCLUDE "/" at the end of "inmedi.eu" OR at the beginning of "~clearxst/tw/".
If I omit that, it doesn't work. So to start with: I'm sure the extra "/" can't be taken away from here.

For the HTTP: I CAN'T TAKE THE "/" AWAY; TW DOESN'T ACCEPT THAT

THEN THE GENERAL MENU:
I already took any "/" away after "inmedi.eu"


Am I right to conclude that this is a TikiWiki bug???

O.K.: take away the "/" at the end of "~clearxst/tw/"; on logging in I get:
https://inmedi.eu/~clearxst/twtiki-login.php
HTTP 404 Not Found

AS I THINK I'VE TRIED ALL LOGICAL POSSIBILITIES -Please correct me if not- IT SEEMS TO BE A BUG???
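
The URL symptoms reported in the posts above (`//tiki-index.php`, `twtiki-login.php`, and a login URL with no host), reproduced with an added example that is not Tiki's code. `naive_url` is a constructed model of plain string concatenation of the server name, URL prefix and script settings; `build_url` is one hypothetical way to join the same fields so the result does not depend on where the slashes were typed.

```python
from urllib.parse import urlsplit


def naive_url(scheme, server, prefix, script):
    """Plain concatenation of the settings (constructed model, not Tiki's code)."""
    return f"{scheme}://{server}{prefix}{script}"


def build_url(scheme, server, prefix, script, port=None):
    """Join server name, URL prefix and script with exactly one "/" between parts."""
    if scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {scheme!r}")
    # Tolerate a server field that was filled in with a scheme or a path,
    # e.g. "http://inmedi.eu" or "tw.cxs2.info/~clearxst/tw". A port typed
    # into the server field is ignored; pass it through `port` instead.
    parts = urlsplit(server if "://" in server else f"//{server}")
    host = parts.hostname
    if not host:
        # An empty server name must not yield a host-less login URL.
        raise ValueError("server name is empty; refusing to build the URL")
    # Split every piece on "/" and drop empty segments: no "//", no glued names.
    segments = [seg for piece in (parts.path, prefix, script)
                for seg in piece.split("/") if seg]
    default_port = {"http": 80, "https": 443}[scheme]
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    return f"{scheme}://{netloc}/" + "/".join(segments)


if __name__ == "__main__":
    # Settings taken from the posts above; the output shows each reported symptom
    # next to the normalized result.
    cases = [
        ("http", "tw.cxs2.info/", "/", "tiki-index.php"),          # double slash
        ("https", "inmedi.eu/", "~clearxst/tw", "tiki-login.php"),  # missing slash
        ("https", "tw.cxs2.info/~clearxst/tw", "/", "tiki-login.php"),
    ]
    for case in cases:
        print(f"{naive_url(*case):50} -> {build_url(*case)}")
    # Empty server name and prefix: concatenation turns the script name into the host.
    print(naive_url("https", "", "", "tiki-login.php"))
```

Rejecting an empty host matters most for the "require secure (https) log-in" redirect, because a URL such as `https://tiki-login.php` sends the browser to a different host name rather than to the site's login page.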