Archives For browser security

This is just a quick little note to suggest two ways to solve the problem that you cannot log in to your Magento admin interface after a fresh install of Magento.

The Problem

The problem will manifest itself as a redirect back to the login screen, even though you typed the right username and password. If this problem is affecting you, you will be redirected back and see no error message. This indicates you have the right credentials, but the Magento Admin is just not letting you in. You can verify it by typing the wrong username and password, you’ll see you get redirected back and it shows an error message.

The problem occurs because the Magento backend tries to set a cookie on your browser, and then for some reason when you next make a request, the cookie is gone(or was never there). This makes Magento think you have never logged in, and of course it redirects you to the login screen. So the real guts of it is the missing cookie, we need to find out why it’s missing.

There are two three solutions (Update: now with bonus 3rd solution) I have come across that will solve this, there may be others too, so please feel free to post them below. Both of these solutions have been suggested in the comments of my post on Setting up Apache Virtual Hosting.

Solution 1: Domain Name with no dots

This is the most common solution, if you have set up Magento to run locally (on MAMP for example) then you may be accessing the Apache webserver using the localhost hostname. A security setting in browsers means that the cookie will not be set, though apparently in FF3 at least, this behavior is a bug?.

So simply stop using localhost, you can use your localhost interface (e.g. 127.0.0.1 or 127.0.1.1). To determine your localhost interface you can look at the contents of your hosts file:

# Look for the number to the left of localhost
cat /etc/hosts

or your interface configuration.

# Look for interface loX with the LOOPBACK flag (probably lo0)
ifconfig

Once you know which number to use, you can replace localhost with the number. If you have already installed Magento using localhost then it will keep writing out links to localhost, even after you have changed to using the IP address, you will need to change the base_url values in the core_config_data table, you can run a query like this to find the right config values to change:

SELECT * FROM core_config_data WHERE VALUE LIKE "%localhost%";

This should identfy two config values that will need to update with a query like:

UPDATE core_config_data SET VALUE="http://127.0.0.1/" WHERE path IN ('web/unsecure/base_url','web/secure/base_url') ;

I’m going to assume you know to put the right value into that query, and not use the example one I have provided!

After changing that value you should delete your var/cache contents, and then refresh the page. Now you should have Magento running on an IP address, not a hostname with no dots in it. Of course you could always set up a fake domain name like www.testing.com by using a Virtual Hosting setup like I describe in my post on how to configure a MAMP Virtual host.

Solution 2: Timezone differences between server and client

One other, less likely problem, is that the cookie is being set, but expiring immediately. To check this you can inspect the cookies your browser is holding, and check if there is one there from Magento. If there is then check both the timezone your magento installation is using , and the one you have set locally, perhaps your local time is not set properly?

Solution 3: Cookie domain does not match server domain

This caught me out when I was replicating a remote site on my local mac development environment. I thought it’d be worth adding this solution here, seeing as this post still seems to rank well for Magento install problems. I had changed the base URLs but had forgotten to check the core_config_data table for any other Magento configuration data that might have been interfering with cookies. The config path in question is: web/cookie/cookie_domain.

You can check the table with an SQL command like this – you should be on the look out for config values that have hard coded the old URL:

SELECT * FROM core_config_data WHERE VALUE LIKE "%domain.com%";
 
-- Be on the look out for something like this:
|       513 | DEFAULT |        0 | web/cookie/cookie_domain               | DOMAIN.com                                     |

And update it to an empty string (less secure) or the new actual domain (more secure) as shown below:

UPDATE core_config_data SET VALUE = "" WHERE config_id = 513;
-- or
UPDATE core_config_data SET VALUE = "domain.com" WHERE config_id = 513;

But wait, there’s more….

Thanks to Kristof aka Fooman for this gem:

Th solution here is to clear all your cookies related to the store domains and subdomains.

And yet still more possible issues, this time from Mauro Spivak:

This is an example of the more general issue that sessions are not able to be created. That could be because local.xml is instructing Magento to store them in a non-exsistent location such as in Maruo’s example – or may also be caused by permission issues on the filesystem when storing sessions in var/session. I’d suggest checking there is a session matching the session ID for your cookie to see if this issue is affecting you.

Hopefully one of these two three four solutions will get you back on track and able to log in to your newly installed Magento. Feel free to post problems or suggest other solutions in the comments below. I’m always more than happy to update my posts with helpful tips from readers.