1

Topic: https session authentication problem - SSL issue

Hi all, the forum I help admin is moving to a https based service. I'm not sure whether the problem I am experiencing is punbb based or server based. Hopefully if the problem cannot be solved here at least the problem area can be identified. I will give a quick outline of what's happening first.

Here are the important details:

Pun version: 1.3.2
db: MySQL
server: Apache/2.0.52 (Red Hat)

httpdocs\{forum-root}    ~ http://{base-url}  -> working perfectly
httpsdocs\{forum-root}  ~ https://{base-url} -> authentication issues

The https is kind of working. If already logged into the http version you can change the url to https and browse the forum and read posts no problem. If you try and post you receive the error msg:

Warning! The following errors must be corrected before your message can be posted:

    * Unable to confirm security token. A likely cause for this is that some time passed between when you first entered the page and when you posted the form. Clicking "Submit" again should solve the problem.

Clicking Submit again just repeats the message.

The real issue. When logged out of a session and trying to log into the https version of the login page you get the following messages on the login.php page:

Please confirm or cancel your last action

Unable to confirm security token. A likely cause for this is that some time passed between when you first entered the page and when you submitted a form or clicked a link. If that is the case and you would like to continue with your action, please click the Confirm button. Otherwise, you should click the Cancel button to return to where you were. 

'Confirm' 'Cancel' (buttons)

When clicking confirm you get the following Security Warning popup:

Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.

Are you sure you want to continue sending this information?

After clicking the Continue button I am redirected to this url:

http://{base-url}:443/login.php

with the following message:

Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

    Hint: https://127.0.0.1/

Apache/2.0.52 (Red Hat) mod_ssl/2.0.52 OpenSSL/0.9.7a FrontPage/5.0.2.2635 Server at 127.0.0.1 Port 443

Is it a matter of getting the above url to read

https://{base-url}/login.php

minus the :443 or is it something more complicated.

Here is the config.php file for the https install (which was just copied directly from the http install with the config file changed accordingly)


<?php

$db_type = 'mysql';
$db_host = 'xx';
$db_name = 'xx';
$db_username = 'xx';
$db_password = 'xx';
$db_prefix = '';
$p_connect = false;

$base_url = 'https://url.org';

$cookie_name = 'forum_cookie_5ca60a';
$cookie_domain = '';
$cookie_path = '/';
$cookie_secure = 0;

define('FORUM', 1);

I was mainly trying different combinations of $base_url, $cookie_domain and $cookie_secure = 0 or 1 but to no avail. I have a feeling it's something fairly simple in the config file that has to be properly set. After searching for a while I couldn't find any previous answers to this problem if they exist.

Sorry for the length of this post if you read through it all. I thought it'd be best to include as many relevant details as possible. Apologies if this is in the wrong section, mods please move if it's not.

Thanks for taking up your valuable time. I look forward to any help or hints in the right direction that anyone can provide.

If the solution is something trivial please take great pleasure in pointing it out and I shall act sufficiently bashful :)

Re: https session authentication problem - SSL issue

The first thought that comes to my mind is to install a fresh copy on your https server. If it works fine we'll know that the issue is in config settings. Otherwise, the issue can be in PunBB itself or somewhere in the server settings.

3

Re: https session authentication problem - SSL issue

Sorry for the delay, I had a bit of a hectic week. Parpalak, thanks for the response. I did a fresh install of punbb and came up with a few minor problems.

When I was following the setup instructions it told me that there was an existing punbb already in the db so I have to install a completely fresh install and use the db name prefix option. Is there a way around this or do you just change the config file after the new install?


Database type: MySql
Database server: address of current punbb server and db
Database name: name of current punbb install
Database username: current install details
Database password: current install details
Table prefix (optional database table prefix, e.g. "foo_"): blank, but after the below error message I put in 'test_https_'

Base URL: defaulted to -> http://example.org/cg but I changed it to https://example.org/

This leads to this error message:

An error was encountered

A table called "users" is already present in the database "actual_db_name". 
This could mean that PunBB is already installed or that another piece of software 
is installed and is occupying one or more of the table names PunBB requires. 
If you want to install multiple copies of PunBB in the same database, 
you must choose a different table prefix.

So on the totally fresh install when I go to login I get the same error messages as my original post.
Any ideas what approach I should take now?

4

Re: https session authentication problem - SSL issue

Ok, I did a completely fresh test install completely unlinked to the old forum. I set up a new db, a fresh install of punbb and I'm still getting the error message when I try to login.

Re: https session authentication problem - SSL issue

I am also getting the same error, so I am here to get some advice

water wrote:

Ok, I did a completely fresh test install completely unlinked to the old forum. I set up a new db, a fresh install of punbb and I'm still getting the error message when I try to login.

6

Re: https session authentication problem - SSL issue

bump

Re: https session authentication problem - SSL issue

Hey I am using Fantastico De Luxe for the setup but I am having a similar issue. Was there ever a resolution to this? I think my host must be super out of date and this issue is patched or this is a configuration thing. Any help? Thanks much.