Cannot login after upgrade to 1.2.12

[markkneen]

Hi All,

I just upgraded this morning to 1.2.12. Since doing the upgrade, I am unable to login.
My cacti installed using Yum and was upgraded this morning when I did Yum update

The upgrade completed with out error.

I get the login screen, enter either the admin credentials or a users credentials and I just get redirected back to the login.

If I enter incorrect login I get redirected back to login - no warning about invalid credentials.

Apache Error logs contain no errors

Cacti log contains no errors

Any Ideas?

[jesusangel]

Hello,

Are you using the default auth method or another one such as Web Basic Auth, LDAP Auth, etc.?

You can check the database to double-check if your credentials are right:

# mysql cacti
mysql> SELECT * FROM user_auth WHERE username = 'yourusername' AND password = MD5('yourpassword') AND realm = 0;

Kind regards,

[markkneen]

Hi,
Using default auth method. login worked fine pre-upgrade - Cacti been live for at least 8 months prior.

Checking the database user_log table - there are no entries at all since the upgrade

What I do notice is that when you login (this may have already been present before). I see the HTTP post request only the response is a 302

Code: Select all

General
Request Method: POST
Status Code: 302 Found
Remote Address: <IP of server>:443

Response Headers
Referrer Policy: no-referrer-when-downgrade
Cache-Control: no-store, no-cache, must-revalidate
Connection: Keep-Alive
Content-Length: 0
Content-Security-Policy: default-src *; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'; script-src 'self'  'unsafe-inline'; frame-ancestors 'self'; worker-src 'self'
Content-Type: text/html; charset=UTF-8
Date: Tue, 16 Jun 2020 07:05:55 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=5, max=100
Last-Modified: Tue, 16 Jun 2020 07:05:55 GMT
Location: /index.php
P3P: CP="CAO PSA OUR"
Pragma: no-cache
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.31
Set-Cookie: cross-site-cookie=bar; SameSite=Strict; Secure
Set-Cookie: Cacti=rs9vojdiqge35umj7579mmaj1u; path=/cacti/; secure; HttpOnly
X-Frame-Options: SAMEORIGIN
X-Powered-By: PHP/7.2.31

Request Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 139
Content-Type: application/x-www-form-urlencoded
Cookie: cross-site-cookie=bar
DNT: 1
Host: <HOST>
Origin: https://<HOST>
Referer: https://<HOST>/index.php
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36

Form Data
__csrf_magic: sid:<SID>,1592291142
action: login
login_username: <NON_DEFAULT_USER>
login_password: <PASSWORD>

Then immediately followed by a HTTP GET to the same page (index.php)

I've search the Apache config and I have remove the http -> https redirect I had in my /etc/httpd/conf.d/ and I cannot find any other instances of a http redirect. Is this something that Cacti is doing and possibly why I cant login?

[jesusangel]

Hi,

Probably is Cacti who is redirecting your browser back to the login page after a failed login. We have to figure out why the login has stopped working after the upgrade. Please, check /var/log/cacti for any login problems.

Kind regards,

[markkneen]

All I see in my Cacti log related to my Weather Map - nothing for the login - failed or otherwise.

I've even tried toggling the "Force HTTPS" setting from the database setting table

(I have also just tried a wireshark capture but the entire conversation is encrypted)

[jesusangel]

Hi,

If you can't find any info about the logging error then I'll go for code debugging. Maybe you could insert some cacti_log sentences in the include/auth.php file. For example:

42# cacti_log('Auth method is ' . $auth_method , true, 'AUTH_NONE', POLLER_VERBOSITY_DEVDBG);

Then you should try to log in and check the cacti log file to track the login process.

Regards,

[markkneen]

I added the line - nothing in cacti.log

I also uncommented this line

Code: Select all

// cacti_log('After global.php (' . implode(', ', $included_files) . ')', true, 'AUTH_NONE', POLLER_VERBOSITY_DEVDBG);

still nothing in cacti.log

Its as though its not triggering the auth check

[markkneen]

OK Some good new..

The Cacti host I have, I have always accessed it using https://host.domain not https://host.domain/cacti

Since the upgrade, if I access https://host.domain I get the login page yet it will continually redirect me back - no date recorded in cacti.log
yet if I use https://host.domain/cacti - I get the same login page however I CAN login in.

How do I remove the requirement for https://host.domain/cacti?

the only thing I can find that may be responsible is this in /etc/httpd/conf.d/cacti.conf

Code: Select all

Alias /cacti    /usr/share/cacti

If I comment this out, I still get the login page - but cannot login


OK. Got it working. - Happy Days....

config.php changed $url_path to "/" and removed the Alias statement


Thanks for help

[jesusangel]

OK. Got it working. - Happy Days....

config.php changed $url_path to "/" and removed the Alias statement

Thanks for help

Not a problem. I'm glad you worked it out.