Best practice forum (Archived)

Can't get past login screen

 
Can't get past login screen
by Walter Meremianin - Thursday, 15 March 2012, 4:04 PM
 

We have a few users who use the correct login data and are sent right back to the login page. When I check on the user section of the admin it shows them as logging in when they say they do. I had this happen on IE8 and IE9. Any suggestions or fixes?

 

Re: Can't get past login screen
by Craig Eves (Totara Support) - Thursday, 15 March 2012, 7:10 PM

Hi Walter

There does seem to be a problem with Moodle and Internet Explorer with some suggestions below about turning off regeneration of Session ID and better alternatives.

This suggests IE9 is OK - so maybe try updating IE9 or switching browsers if this is practical.

http://moodle.org/mod/forum/discuss.php?d=156503

This is a general reply regarding the issue with IE7 and IE8 users being returned to the blank login screen repeatedly. It means that IE7 and IE8 users cannot login after repeated attempts.

It is a difficult issue because so many users cannot simply upgrade to IE9 or switch to Firefox or Chrome browsers.

Workaround is not recommended

The workaround suggested here is to change an admin configuration setting located here:

Security -> HTTP Security -> Regenerate Session ID: Disable

It bothered me that the workaround being suggested here defeats a default security protection. So, here are the results of my research:

Summary - My Recommendation (for the moment, for one client using Moodle)

I will be recommending that this setting remain enabled and that a statement to IE7 and IE8 users be included in the customizable message to users on the login screen. If they cannot upgrade to IE9 or use Firefox, then they need to quit and restart the browser and try their login again. Report the problem to the support contact if it occurs again. Work with the individuals who need to upgrade or switch. If a threshold is reached that endangers the project goals, then disable the setting. After disabling this: analyze your site traffic in order to see a shift to IE9 and re-enable.


Security Reasoning

Why does Moodle need to Regenerate Session ID? It is important to have this setting enabled to prevent a session fixation attack.


Background - Moodle Development Information

Other threads that discuss this issue. In reverse chronological order.
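
The effect of the Regenerate Session ID setting discussed in the reply above, shown as an added example that is not part of the original posts and is not Moodle's code. It is a small Python model of a server-side session table; `SessionStore`, its methods and the sample user name are hypothetical.

```python
import secrets


class SessionStore:
    """Minimal server-side session table: session ID -> session data."""

    def __init__(self, regenerate_on_login):
        # Models the "Regenerate Session ID" setting discussed in the thread.
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}

    def new_session(self):
        """Issue an anonymous session, as a login page does on first visit."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, username):
        """Authenticate the session; return the ID the browser must send next."""
        data = self.sessions[sid]
        data["user"] = username
        if self.regenerate_on_login:
            # Retire the pre-login ID and move the data under a fresh one.
            del self.sessions[sid]
            sid = secrets.token_hex(16)
            self.sessions[sid] = data
        return sid

    def user_for(self, sid):
        """Return the logged-in user for a session ID, or None."""
        return self.sessions.get(sid, {}).get("user")


def pre_login_id_still_authenticated(regenerate_on_login):
    """True if an ID that existed before login identifies the user afterwards."""
    store = SessionStore(regenerate_on_login)
    known_sid = store.new_session()                   # ID exists before login
    current_sid = store.login(known_sid, "student1")  # constructed sample user
    assert store.user_for(current_sid) == "student1"
    return store.user_for(known_sid) == "student1"


if __name__ == "__main__":
    print("setting disabled:", pre_login_id_still_authenticated(False))
    print("setting enabled: ", pre_login_id_still_authenticated(True))
```

With the setting disabled, any session ID that was known before login keeps working as the authenticated session, which is the condition session fixation relies on; with it enabled, only the freshly issued ID is accepted.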

Re: Can't get past login screen
by Walter Meremianin - Friday, 16 March 2012, 10:55 AM
 
Installed Chrome on the machine and (as expected) all is well once again!!!!!!!!