[closed] Upgraded to WP 2.6 and can't access wp-admin area (192 posts)

  1. Anonymous
    Unregistered
    Posted 5 years ago #

    Can I suggest that anyone using the All In One SEO Pack plugin remove it from their plugins directory and try to log in again? Let me know if that works for you.

  2. Ben
    Member
    Posted 5 years ago #

  3. Ben
    Member
    Posted 5 years ago #

    Deleted all plugins, not working either.

  4. Samuel Wood (Otto)
    Tech Ninja
    Posted 5 years ago #

    @benjaminleist: I don't see any problem with http://www.belite.de/

    The other one is definitely broken though, as whole sections of the login form are missing (like the CSS stuff). Reupload the site again, including the files in the root directory.

  5. PokerPlayer
    Member
    Posted 5 years ago #

    I just used chameleondreams phpmyadmin fix and it worked fine AFTER I changed to the FF browser to log in.

  6. chameleonsdream
    Member
    Posted 5 years ago #

    Otto:
    some info for troubleshooting purposes:

    I upgraded to 2.6 at http://www.notmymothersblog.com.
    All plugins were deactivated before the upgrade.
    I backed up wp-config and .htaccess files, then deleted everything outside the wp-content directory.
    I edited my wp-config file to add in the new lines, uploaded everything but wp-content folder. In the wp-content folder, I selectively uploaded all the new files by hand.

    My site came up without a problem, but I got an incorrect password error when I tried to log in on any user. I attempted to reset passwords via 'forgot my password' but no joy.

    I hacked the database file to change my password, removed the activation key, tried to log in and got the endless loop being described. I had to manually log out using the Logout link on my front page before I could log in.

    Hope that info is helpful to someone. I'm having entirely -different- problems with another upgrade, but I'll kick the tires on that myself a bit before asking for help.

  7. Rove
    Member
    Posted 5 years ago #

    If you have access to the logfiles of the webserver you may want to check if the following line appears:

    PHP Fatal error: Allowed memory size of 16777216 bytes exhausted

    If it does, then increase the memory limit of php. If you don't have access to the logfiles, ask your host.

  8. Samuel Wood (Otto)
    Tech Ninja
    Posted 5 years ago #

    I had to manually log out using the Logout link on my front page before I could log in.

    Manually logging out like that removes the cookies. Clearing your browser cookies is effectively the same thing.

  9. chameleonsdream
    Member
    Posted 5 years ago #

    Manually logging out like that removes the cookies. Clearing your browser cookies is effectively the same thing.

    I understand that - but it still did not accept my valid password after upgrading, even after clearing cookies. I'm not trying to be obstructionist - just offering information that might help track down issues for others.

  10. _ck_
    Member
    Posted 5 years ago #

    Okay I figured out a REAL fix for the admin access.
    Took a bit of digging in the code.

    It has to do with a bug in the new cookie for admin access
    and how they (incorrectly) try to fall back to the default path.

    go into your wp-config.php
    and add this line:
    @define('ADMIN_COOKIE_PATH', '/');

    NOTE '/' will be your blog path.
    If you find that '/' doesn't work, make it '/blog/' or whatever your path is.

  11. Anonymous
    Unregistered
    Posted 5 years ago #

    Worked for me after clearing cookies, although I am too scared now to update my other blogs.

  12. Anonymous
    Unregistered
    Posted 5 years ago #

    _ck_, that worked for me too, and I didn't even have to clear cookies.

    Thanks a million!

  13. Samuel Wood (Otto)
    Tech Ninja
    Posted 5 years ago #

    _ck_: That's not a bug, that's intentional. Your "fix" eliminates one of the major new security provisions of WordPress 2.6, namely to separate the admin cookies from the login cookies.

    I highly recommend AGAINST your so-called "fix".

  14. Anonymous
    Unregistered
    Posted 5 years ago #

    Otto42:

    If it's a feature that prevented me from logging in to my own blog immediately after upgrading, then the feature sucks and needs to be fixed.

  15. _ck_
    Member
    Posted 5 years ago #

    Otto42, I don't think you understand what the value does or what a cookie path is. Changing the cookie's path value does not remove its separation (or security).

    It remains a separate cookie.

    It's just pointing by default to an incorrect path in some configurations, which is why the browser can't log in (or stay logged in).

    They'll have to fix this in 2.6.1 I guess.

  16. Samuel Wood (Otto)
    Tech Ninja
    Posted 5 years ago #

    I don't think you understand what the value does or what a cookie path is. Changing the cookie's path value does not remove its separation (or security).

    I most certainly do, but I'm now pretty sure that you don't.

    Sending the admin cookie to the entire blog (instead of just the admin area) absolutely reduces the security. The whole point is to make the admin cookie *only* go to the admin area.

    in some configurations

    In what configurations, specifically?

  17. Samuel Wood (Otto)
    Tech Ninja
    Posted 5 years ago #

    If it's a feature that prevented me from logging in to my own blog immediately after upgrading, then the feature sucks and needs to be fixed.

    I'm not saying that it is not a bug.

    What I am saying is that ck's so-called "fix" is absolutely the incorrect way to fix the problem, if there is a problem. It may work, but that does not mean that it is a "fix".

  18. Anonymous
    Unregistered
    Posted 5 years ago #

    And the alternative you offer is...?

  19. Anonymous
    Unregistered
    Posted 5 years ago #

    Or, to put it another way:

    I upgraded because this was not a beta, and the upgrade immediately prevented me from doing ANYTHING on my blog. I needed to get back in, and this "fix", whatever else it may be, got me back in.

    What you recommended would have left me locked out of my blog, with not even a hint of how to get back in. Correct as far as security? Perhaps. Helpful to my situation? Not at all.

  20. _ck_
    Member
    Posted 5 years ago #

    Sending the admin cookie to the entire blog (instead of just the admin area) absolutely reduces the security.

    Locking a cookie to a specific path instead of the webroot only inconveniences the legitimate user - a hacker will simply change the cookie path as desired; WordPress doesn't verify the path, only that the hash passes. It's up to the browser to verify/limit the path.

    The whole point is to make the admin cookie *only* go to the admin area.

    The path change may make some browsers not even bother to send the cookie which might have been devised as "security" but it's a false sense of security.

    In what configurations, specifically?

    The configurations that are failing admin login seem to include (but not limited to) installs that are not in the webroot. I would need more time to figure it out but to be honest, it's not my job. They obviously did not test enough (and that's typical for WP).

  21. rawalex
    Member
    Posted 5 years ago #

    (the moderators are very sensitive around here today).

  22. Samuel Wood (Otto)
    Tech Ninja
    Posted 5 years ago #

    And the alternative you offer is...?

    1. Reproduce the problem.
    2. Examine the result and find out the REAL problem.
    3. Fix the problem.

    _ck_ has jumped straight to 3 and cannot give me the results of step 2.

    Locking a cookie to a specific path instead of the webroot only inconveniences the legitimate user

    No, locking the cookie to the correct path means that the hacker sniffing your connection has to sniff the connection on that path.

    The real problem with your solution is that you're discounting admin over SSL. The idea is to only send the admin cookie over the connection forced to SSL (if you're forcing SSL for your admin). That way, somebody sniffing your connection can't get your admin cookie, because it's encrypted. With your "fix", they can get it over the normal hits to your blog, which are not over SSL.

    The path change may make some browsers not even bother to send the cookie which might have been devised as "security" but it's a false sense of security.

    That is, in fact, the whole point. You don't want the admin cookie to be sent on connections that are not to the admin path. Because if the admin path is encrypted, then a sniffer can't sniff your cookie that way.

    The configurations that are failing admin login seem to include (but not limited to) installs that are not in the webroot.

    My installation is not in the webroot and it works just fine.

    Let me try this another way: What is the admin cookie path you are getting from the "non-fixed" version? What is the path to your admin directory?
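
Editor's added example, not part of any post in this thread: a small model of the browser-side path-match rule (RFC 6265, section 5.1.4) that the two sides are arguing about, showing which requests in a browsing session carry the admin cookie over plain HTTP. The host, the `/blog` install path, the session URLs and the cookie name are constructed; the `secure` attribute is the standard cookie Secure flag and goes beyond what the thread discusses.

```javascript
// Added illustration: RFC 6265 path-match applied to the admin cookie
// discussed in this thread. All URLs and cookie objects are constructed.

// True when a cookie scoped to cookiePath is sent with a request for requestPath.
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts on a "/" boundary, so "/blog/wp-admin" does not
  // match "/blog/wp-admin-old".
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Would the browser attach this cookie to a request for this URL?
function cookieIsSent(cookie, url) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== 'https:') return false;
  return pathMatches(cookie.path, u.pathname);
}

// Requests that carry the cookie over plaintext HTTP, where anyone
// sniffing the connection can read it.
function plaintextExposure(cookie, urls) {
  return urls.filter((url) => url.startsWith('http://') && cookieIsSent(cookie, url));
}

// Constructed session: blog installed under /blog, admin area forced to
// SSL, public pages served over plain HTTP.
const session = [
  'http://example.com/blog/',
  'http://example.com/blog/2008/07/hello-world/',
  'http://example.com/blog/wp-admin-old/readme.html',
  'https://example.com/blog/wp-admin/',
  'https://example.com/blog/wp-admin/post.php?action=edit',
];

// Path limited to the admin area (assumed sample path for this install).
const scoped = { name: 'admin', path: '/blog/wp-admin', secure: false };
// Path after define('ADMIN_COOKIE_PATH', '/').
const siteWide = { name: 'admin', path: '/', secure: false };
// Site-wide path plus the Secure attribute (assumption, not from the thread).
const siteWideSecure = { name: 'admin', path: '/', secure: true };

console.log('scoped   :', plaintextExposure(scoped, session));
console.log('site-wide:', plaintextExposure(siteWide, session));
console.log('secure   :', plaintextExposure(siteWideSecure, session));
```

With the admin-only path the cookie never leaves the HTTPS requests; with `/` it rides along on all three plain-HTTP page views unless the Secure attribute is also set.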

  23. _ck_
    Member
    Posted 5 years ago #

    (the moderators are very sensitive around here today)

    Nah it's not about being sensitive, they just want to make sure the right info goes out (and probably don't like seeing problems). I'm a mod on the bbPress side and I'm the same way.

    I just happen to think I know what I am doing or at least just enough to be helpful ;-)

  24. _ck_
    Member
    Posted 5 years ago #

    Otto42, sending the cookie only over SSL for admin access is one thing but most people on shared hosting won't be doing that.

    The idea that a hacker could somehow spy on your connection/session and pick up the cookie for your regular login but not wait long enough until you do a transaction that uses wp-admin is silly.

  25. rawalex
    Member
    Posted 5 years ago #

    My comment was directed at a comment I added that was removed. I personally think you are doing a great job, but you are running into a very typical (not just for WP) wall of denial, that the upgrade can't be wrong. You are onto something because many other people are reporting the same issue.

    I also think you express the frustration of many dealing with problems in areas that likely didn't need to be touched, but that is another issue.

    Keep going, you are on the right track :)

  26. Samuel Wood (Otto)
    Tech Ninja
    Posted 5 years ago #

    rawalex: Your comment was removed because it was snarky and not helpful. You seem to do this a lot, and I'm fairly sick of it. Stop it. Future non-helpful posts you make will be removed. Read the forum rules, please.

    And I'm not denying there may be a bug, as I pointed out earlier. It might help for you to pay attention to what is being actually discussed.

  27. Samuel Wood (Otto)
    Tech Ninja
    Posted 5 years ago #

    Otto42, sending the cookie only over SSL for admin access is one thing but most people on shared hosting won't be doing that.

    No argument, but that does not change the fact that your "fix" is wrong. It's a temporary workaround at best, it does not solve the issue, and what's more, it will cause a security problem for people who are using the new Admin-SSL feature. Admin-SSL support is a major feature of this release; to recommend that people bypass that security measure so blatantly is rather poor form.

    The idea that a hacker could somehow spy on your connection/session and pick up the cookie for your regular login but not wait long enough until you do a transaction that uses wp-admin is silly.

    If you're using Admin-SSL connections, then the admin cookie will be encrypted as long as you're only sending it to the admin paths. Then it doesn't matter if they see those connections or not, they're encrypted. But your "fix" bypasses that by sending the admin cookie to the entire site/blog.

  28. thetattooedmama
    Member
    Posted 5 years ago #

    I still don't see a resolution. Why are there people here claiming to have all these solutions but nothing is working? It's going in a big circle.

  29. Samuel Wood (Otto)
    Tech Ninja
    Posted 5 years ago #

    @thetattooedmama: There will be no resolution until somebody gives the info we need to actually solve the problem.

    If _ck_ is correct about the cause, then we need somebody to tell us what their ADMIN_COOKIE_PATH is set to, what their two URLs on the Settings->General screen are set to (home and siteurl in the options table) and what the URL to their wp-admin is set to. Also, what cookies they are actually receiving in their browser would be helpful as well (these could be gotten using one of the several headers plugins for Firefox).

  30. rawalex
    Member
    Posted 5 years ago #

    Otto, I have found that snarky comments seem to be the standard here, so I follow the standard operating procedure of the board at hand. I have also been very careful in reading all the posts and I understand the issue at hand very well:

    "admin logins are screwed up because a new feature doesn't work or wasn't tested in enough standard installation types". I also understand that the standard solution appears to be "wait for 2.6.1" and that any other fix that bypasses this code is considered poor form.

    Did I miss anything?

    I would say that TPTM need to be rolling out 2.6.1 in fairly short order, and in the meantime, I will continue to recommend to people NOT to upgrade. Considering the issues at hand (there are many) might it not be a good idea to withdraw the 2.6 "upgrade" until the fixes are in place?

Topic Closed

This topic has been closed to new replies.