Addendum: This creates 4 sessions in the php session folder:
Two are blank.
One: finger|s:40:"728464b89db49fe3d891c20cb5136b98cec80261";wrong|i:1;hack|i:1;error|s:39:"Login Failed - Stop! Attack detected!!!";
One: finger|s:40:"728464b89db49fe3d891c20cb5136b98cec80261";tokens|a:1:{s:5:"login";s:40:"49bd0e9bef627cb202d7f1ed40ba9b399df39b7e";}
Oh jeez. I know nothing about IIS...
I'll see what I can find out about it...
Yep, hopefully something :) Apache on Windows machines isn't very good in comparison to IIS. (As weird as that sounds, considering I hate IIS.)
As an update, progress was made.
/classes/session-class.php
Changed:
$https = isset($secure) ? $secure : isset($_SERVER['HTTPS']);
To:
//$https = isset($secure) ? $secure : isset($_SERVER['HTTPS']);
and it began working with no issues. My knowledge of PHP sessions is virtually nonexistent, so I don't know of a neutral way to do whatever this was.
Hm... I wonder if ternary operations are broken (seems unlikely). More likely is that something about ssl
When you get sent back to the front page, does it say something about SSL and an error?
Did you somehow turn on secure sessions only, or try to connect to Echelon with a secure session?
Alright, some useful debugging now. If you take the line you commented out and change it to be:
$https = false;
Does it still work fine? And then if you change it to be:
$https = true;
Does it break? Or the other way around?
We haven't tested that yet but will later.
Our guy located the issue to be in the way that IIS / Apache return different settings for $_SERVER['HTTPS']
IIS returns "false" or "true"
Apache returns nothing if it's false, and unknown if true. My guy updated the code to:
// Set SSL level
// Read the value itself: isset() alone is true on IIS even when the value is 'off'
$https = isset($secure) ? $secure : (isset($_SERVER['HTTPS']) ? $_SERVER['HTTPS'] : false);
$https === 'off' ? $https = false : $https;
$https === 'on' ? $https = true : $https;
... Good catch. Not going to lie, I had to stare at those ternary operators for a while to make that make sense... I hadn't realized there was a difference between IIS and Apache's handling of that...
I can't test that at the moment as my server's not set up to do SSL atm, but when I have it reconfigured I'll give that a shot :)
Thanks!
I have no idea what he did, just linked his code haha.
I believe you can now state that IIS works after you apply this change after fully validating it. I had no issues with it on IIS 7.0 after this was resolved.
It looks good. I might combine the last two lines into a single one, but it makes sense, assuming his initial point is correct.
But I've actually never tried to use the secure login yet, so I can't say :)
... so I discovered there is this great helper function sitting in the code that does a detectSSL() and it does it correctly I believe, from our earlier discussion. Will test this shortly.
Sounds good. If you give me an email, I will set you up FTP/MYSQL on our IIS machine and you can use it for testing :)
Heck that sounds like a great thing to get off my plate today! :)
Wicked.Shell.Scripts@gmail.com
Email sent with information.
detectSSL() fixes the problem, we have confirmed it :)
It does pretty much the same thing as the above solution does, but it's a tad faster and is serving its proper place as a library/helper function.
I know IIS is not listed as supported yet, just adding the bug that I had in the other repo.
If you attempt to sign in using IIS, it just keeps going back to the front page.
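An added example (not code from this thread or from the project) of the value-aware HTTPS check the discussion converges on: the key can be present with the value 'off', so a bare isset() reports HTTPS on a plain-HTTP request. The function names and sample arrays are hypothetical, and treating $https as the input to the session cookie's secure flag is an assumption.

```php
<?php
// Added illustration; https_naive(), https_is_on(), session_cookie_flags()
// and the sample arrays below are hypothetical and constructed for this example.

/** The original line's check: true whenever the key exists at all. */
function https_naive(array $server): bool
{
    return isset($server['HTTPS']);
}

/** Value-aware check: unset, empty, or "off" (any case) all mean plain HTTP. */
function https_is_on(array $server): bool
{
    if (!isset($server['HTTPS'])) {
        return false;
    }
    $value = strtolower(trim((string) $server['HTTPS']));
    return $value !== '' && $value !== 'off';
}

/** Flags one would pass to session_set_cookie_params() before session_start(). */
function session_cookie_flags(array $server): array
{
    // Assumption: the secure flag is what $https controls in the session class.
    return ['secure' => https_is_on($server), 'httponly' => true];
}

// Constructed samples of what each server hands to PHP in $_SERVER.
$samples = [
    'Apache, HTTP'  => [],
    'Apache, HTTPS' => ['HTTPS' => 'on'],
    'IIS, HTTP'     => ['HTTPS' => 'off'],
    'IIS, HTTPS'    => ['HTTPS' => 'on'],
];

foreach ($samples as $label => $server) {
    $flags = session_cookie_flags($server);
    printf(
        "%-14s naive=%-5s normalised=%-5s cookie secure=%s\n",
        $label,
        var_export(https_naive($server), true),
        var_export(https_is_on($server), true),
        var_export($flags['secure'], true)
    );
}
```

Only the "IIS, HTTP" row differs between the two checks. If the naive result is used as the cookie's secure flag there, the browser does not return the session cookie over plain HTTP, so every request starts a fresh session.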