One of our customers had a very odd problem that we fixed a couple of days ago: whenever someone tried to log in to his frontend, he had to do it twice. The login worked on the first attempt in rare situations, but most of the time the person had to enter his username and password twice (it always worked on the second attempt). The same problem existed for the logout: the person had to log out twice. (We noticed that the person had to log out twice only when he had to log in twice.)
When we started working on the website, we didn’t know what the problem was. We checked the login extension (module and component) to see if there was anything wrong with it, but everything was fine. We also did a quick check on all the user-related files, yet nothing seemed to be the culprit – the only non-standard thing that we saw was a redirect happening on login to a 3rd party website before redirecting back to the site (we have seen this on several other websites, so we never thought of it as a problem). It was a very weird problem.
We then wanted to see if the username and password were actually posted (stored in $_POST) the first time the user tried to log in, and they were…
Our next step was to examine the $_SESSION array to see if it was actually storing the user information: it rarely stored this information on the first attempt, and it always stored it on the second. Additionally, when the person tried to log out, it did not clear the user information on the first attempt (in most cases) – but it always cleared the information the second time the user clicked on the logout button.
We did spend some time trying to examine what the problem was, but, at one point, someone on the team noticed (while passing by) that the user was being redirected on login from http://www.ourcustomerjoomlawebsite/ to http://ourcustomerjoomlawebsite/. That was the problem! That small non-standard script that we mentioned earlier was redirecting to a 3rd party website on login and then redirecting back to the website – but it was redirecting to the wrong link. Our client had hacked the controller.php file located under ourcustomerjoomlawebsite/components/com_user/ by adding the following code after the line $error = $mainframe->login($credentials, $options);
// Hard-coded host: the user is always sent back to the non-www site, whatever host they logged in on.
$redirect_url = urlencode('http://ourcustomerjoomlawebsite/');
$authentication = $thirdPartyObject->getAuthentication();
$return = 'http://3rdpartywebsite/?authentication='.$authentication.'&redirect_url='.urlencode($redirect_url);
So, his Joomla website was redirecting to a 3rd party website and then redirecting back to his Joomla website, but without the www. So, if registered users used http://www.ourcustomerjoomlawebsite/ to log in to his website, they were redirected back to http://ourcustomerjoomlawebsite/ and that’s why they appeared to be logged out. If they tried to log in from http://ourcustomerjoomlawebsite/ then the login worked on the first attempt because the redirect was sending them back to the same host. (Note: technically, and from a cookie-based perspective, there is a huge difference between www and non-www: the session cookie is set for the host the user logged in on, so if a person logs in to the www version of the website it does not mean that he’s logged in to the non-www version. That’s why some large websites do something called “cookie migration” to prevent this problem from happening to their users.)
A similar script was found on the logout action.
To solve the login problem, we changed the above code to:
// Build the return URL from the host the request actually came in on.
$redirect_url = urlencode('http://'.$_SERVER['HTTP_HOST'].'/');
// $remote_auth_login_token is the token obtained from the third-party object, as in the original snippet.
$return = 'http://3rdpartywebsite/?remote_auth_token='.$remote_auth_login_token.'&redirect_url='.urlencode($redirect_url);
By using $_SERVER['HTTP_HOST'], we ensured that the 3rd party website always redirected to the same website. We did the same thing on the logout script and that solved the problem!
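One caveat worth adding: $_SERVER['HTTP_HOST'] is copied from the client's Host header, so a server that answers to any host name will happily echo whatever it is sent into the redirect_url parameter. The following is an added example (not the customer's patched controller.php) that keeps the same idea but only accepts hosts the site really serves its session cookie on; the host names and the build_return_url() helper are placeholders:

```php
<?php
// Added example, not the original controller.php patch. Host names are constructed placeholders.

function build_return_url(array $server, string $authentication): string
{
    // Hosts on which this Joomla site is actually served (and therefore where
    // the session cookie set at login is valid).
    $allowedHosts  = ['ourcustomerjoomlawebsite', 'www.ourcustomerjoomlawebsite'];
    $canonicalHost = 'ourcustomerjoomlawebsite';

    // HTTP_HOST comes from the request's Host header: treat it as untrusted input.
    $host = strtolower($server['HTTP_HOST'] ?? '');
    // Drop an explicit port (e.g. "host:8080") before comparing.
    $host = preg_replace('/:\d+$/', '', $host);
    if (!in_array($host, $allowedHosts, true)) {
        // Unknown host: fall back to the canonical one instead of echoing it.
        $host = $canonicalHost;
    }

    // Keep the scheme the user arrived on so the cookie's host/scheme still match.
    $scheme      = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $redirectUrl = $scheme . '://' . $host . '/';

    // Each query parameter is encoded exactly once. The original snippet called
    // urlencode() twice on redirect_url; keep that only if the 3rd party expects it.
    return 'http://3rdpartywebsite/?' . http_build_query([
        'authentication' => $authentication,
        'redirect_url'   => $redirectUrl,
    ]);
}

// Usage at the same spot in controller.php, after $error = $mainframe->login(...):
// $return = build_return_url($_SERVER, $thirdPartyObject->getAuthentication());
```

Logging in on www and on non-www still produces two different session cookies, so the cleanest long-term fix is to redirect one host to the other site-wide so users can only ever log in on one of them.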
If you have the above problem on your Joomla website (you need to log in and log out twice) or any other Joomla problem and you need help, then that’s what we’re here for! Just contact us and we’ll be more than glad to help you. Don’t worry about our fees, they’re very reasonable!