New and old users are unable to connect to my elgg instance while I am

Hello,

I have set up an Elgg instance at https://conf.tn

Users are able to register after some trouble, no positive indication is given about the email confirmation, but an error, and when retrying to register they are told that this email is already registered.

I can connect with any user account (admin, mine, those of other users having troubles if they give me their passwords) from my Firefox, but they can't from their browsers.

This weekend I cleared my browser cache and since then I am also unable to connect. Fortunately I had another computer on which I didn't clear the browser cache.

Does this seem "déjà vu" to anyone?

  • Users are able to register after some trouble, no positive indication is given about the email confirmation, but an error, and when retrying to register they are told that this email is already registered.

    Sounds like there is an issue sending the e-mails.

    It isn't needed for registration or forgot password, but did you set up the CRON in order for notifications to be sent out? http://learn.elgg.org/en/stable/admin/cron.html

    I can connect with any user account (admin, mine, those of other users having troubles if they give me their passwords) from my Firefox, but they can't from their browsers.

    By 'connect' do you mean login or just simply opening the site in the browser? I have no issue opening the site in the browser, so I assume you mean login.

    When I check out your site in Firefox I see an error in my browser console (F12) about a missing JS library. This could cause issues with other JS and therefore maybe prevent login.

    PS: You didn't give your Elgg version. This could help in giving advice related to any issue.

  • Hello, and thank you for answering so quickly.

    By 'connect', I mean login, not just browsing.

    My Elgg version is 3.3.21.

    All crons are running from the minute to the yearly cron.

    Users have no trouble receiving the confirmation email. They also receive an email when I reset a user's password. So, I guess emails are working properly (just detected as spam by some providers, but this is another issue that I will have to resolve; for now I am asking friends to enroll and test the website).

  • When accessing directly the two files (https://conf.tn/cache/1636308444/default/leafletjs and https://conf.tn/cache/1636308444/default/fullcalendar) that return an HTTP 403 Forbidden error, I have the following message:

    Asset must have a valid file extension

    This is an old error message and I don't remember how I got rid of it.

  • I forgot to mention that my Apache is serving requests over HTTP only and that I use a reverse SSL proxy in front of it.

  • I forgot to mention that my Apache is serving requests over HTTP only and that I use a reverse SSL proxy in front of it.

    This could be very useful.

    Make sure the site url (wwwroot) is set with https in your elgg-config/settings.php

    https://github.com/Elgg/Elgg/blob/47b9ab4b9da805684cda196a12784c319e050dc8/elgg-config/settings.example.php#L44

    Maybe also look at https://github.com/Elgg/Elgg/blob/47b9ab4b9da805684cda196a12784c319e050dc8/elgg-config/settings.example.php#L487-L497

    It shouldn't be a problem that SSL is offloaded. We run a site on AWS where the loadbalancer does SSL and the webservers just do HTTP.

  • Hello,

    I have:

    $CONFIG->wwwroot = "https://conf.tn/";

    Maybe my troubles come from here:

    $CONFIG->cookies['session']['name'] = "__Secure-CONF_TN";
    // optionally overwrite the defaults from php.ini below
    $CONFIG->cookies['session']['path'] = "/";
    $CONFIG->cookies['session']['domain'] = "conf.tn";
    $CONFIG->cookies['session']['secure'] = true; //these two lines were
    $CONFIG->cookies['session']['httponly'] = true; // commented this morning so I removed comments in case it could solve my problem
    
    // extended session cookie
    //$CONFIG->cookies['remember_me'] = session_get_cookie_params();
    $CONFIG->cookies['remember_me']['name'] = "__Host-conf_tnperm";
    $CONFIG->cookies['remember_me']['expire'] = strtotime("+60 days");
    // optionally overwrite the defaults from php.ini below
    $CONFIG->cookies['remember_me']['path'] = "/";
    $CONFIG->cookies['remember_me']['domain'] = "conf.tn";
    $CONFIG->cookies['remember_me']['secure'] = true; //these two lines too
    $CONFIG->cookies['remember_me']['httponly'] = true; //were commented this morning. I removed comments, but this didn't solve my troubles.

    I went back and forth between Apache and nginx and tried many variations of settings.php.

  • Make sure `$CONFIG->cookies['session'] = session_get_cookie_params();` is before the first custom cookie settings.

    If you wish to secure the cookies, you can only use the lines

    $CONFIG->cookies['session']['secure'] = true;
    $CONFIG->cookies['session']['httponly'] = true;

    And leave the lines

    $CONFIG->cookies['session']['path'] = "/";
    $CONFIG->cookies['session']['domain'] = "conf.tn";

    alone, so

    //$CONFIG->cookies['session']['path'] = "/";
    //$CONFIG->cookies['session']['domain'] = "";

  • I misunderstood the lines with session_get_cookie_params(); and thus had the two session_get_cookie_params() lines commented out, as shown below:

    // get the default parameters from php.ini
    //$CONFIG->cookies['session'] = session_get_cookie_params();
    $CONFIG->cookies['session']['name'] = "__Secure-CONF_TN";
    // optionally overwrite the defaults from php.ini below
    $CONFIG->cookies['session']['path'] = "/";
    $CONFIG->cookies['session']['domain'] = "conf.tn";
    $CONFIG->cookies['session']['secure'] = true;
    $CONFIG->cookies['session']['httponly'] = true;

    // extended session cookie
    //$CONFIG->cookies['remember_me'] = session_get_cookie_params();
    $CONFIG->cookies['remember_me']['name'] = "__Host-conf_tnperm";
    $CONFIG->cookies['remember_me']['expire'] = strtotime("+60 days");
    // optionally overwrite the defaults from php.ini below
    $CONFIG->cookies['remember_me']['path'] = "/";
    $CONFIG->cookies['remember_me']['domain'] = "conf.tn";
    $CONFIG->cookies['remember_me']['secure'] = true;
    $CONFIG->cookies['remember_me']['httponly'] = true;

    I wanted to separate Elgg session cookies from the default php_session and from those of other sites running on the same Apache instance.

    Now it's like you advised and it works!

    Thank you very much.
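
The cookie names used in this thread start with `__Secure-` and `__Host-`, and browsers enforce rules on such names: a `__Secure-` cookie must be set with the Secure attribute, and a `__Host-` cookie must be Secure, have Path `/` and carry no Domain attribute, otherwise the browser discards it. The script below is an added example, not code from the thread or from Elgg; it checks arrays shaped like `$CONFIG->cookies[...]` against those rules and lists the keys that the commented-out `session_get_cookie_params()` line would have supplied. `check_cookie_config()` is a hypothetical helper, and the "after" case assumes php.ini keeps the default empty `session.cookie_domain` and `/` path.

```php
<?php
// Added example: check_cookie_config() is a hypothetical helper, not an Elgg API.
// $cfg has the same shape as $CONFIG->cookies['session'] in settings.php.
function check_cookie_config(array $cfg): array
{
    $problems = [];
    $name   = $cfg['name'] ?? '';
    $secure = ($cfg['secure'] ?? false) === true;

    // Keys the php.ini initialisation would have provided (lifetime, samesite, ...).
    $missing = array_diff_key(session_get_cookie_params(), $cfg);
    if ($missing) {
        $problems[] = 'not initialised from php.ini, missing: '
            . implode(', ', array_keys($missing));
    }
    if (strpos($name, '__Secure-') === 0 && !$secure) {
        $problems[] = '__Secure- name requires secure = true';
    }
    if (strpos($name, '__Host-') === 0) {
        if (!$secure) {
            $problems[] = '__Host- name requires secure = true';
        }
        if (($cfg['domain'] ?? '') !== '') {
            $problems[] = '__Host- name must not set a domain';
        }
        if (($cfg['path'] ?? '') !== '/') {
            $problems[] = '__Host- name requires path "/"';
        }
    }
    return $problems;
}

// "before": values copied from the settings quoted in the thread.
// "after": initialised from php.ini first, path and domain left alone.
$cases = [
    'before session' => ['name' => '__Secure-CONF_TN', 'path' => '/',
        'domain' => 'conf.tn', 'secure' => true, 'httponly' => true],
    'before remember_me' => ['name' => '__Host-conf_tnperm',
        'expire' => strtotime('+60 days'), 'path' => '/',
        'domain' => 'conf.tn', 'secure' => true, 'httponly' => true],
    'after remember_me' => array_merge(session_get_cookie_params(), [
        'name' => '__Host-conf_tnperm', 'expire' => strtotime('+60 days'),
        'secure' => true, 'httponly' => true]),
];
foreach ($cases as $label => $cfg) {
    $problems = check_cookie_config($cfg);
    echo $label, ': ', $problems ? implode('; ', $problems) : 'ok', PHP_EOL;
}
```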