[Help needed] PHP session cookies during login

[agentclark]

Describe the bug
Getting "The web server seems to be incorrectly configured for cookies required for PHP sessions!" during login.

Expected behavior
Access FreshRSS

Environment information Server:

• OS: Debian 11
• FreshRSS version: 1.23.2
• Database version: mariadb Ver 15.1 Distrib 10.5.23-MariaDB
• PHP version: PHP 7.4
• Installation type: git

Environment information Client:

• OS: Windows and Android
• Browser: Firefox, Edge, Chrome, Kiwi

Additional context
I was running FreshRSS smoothly for a couple of years now. Yesterday I did a long due update from 1.21.1 to 1.23.2. Since then I am unable to login on all my devices except for one. On the one device I still can login, I can only login via Firefox and no other Browser.

Before the update I hadn't touched my apache configuration. I now switched from prefork to event with no solution to the problem. FreshRss is running as a subdomain, so no reverse proxy is involved. I tried session.php as mentioned in 5973 and it is counting as expected.

In the apache access log I get a 403 and nothing in error log.
FreshRSS shows [Wed, 13 Mar 2024 11:04:12 +0000] [warning] --- Invalid session during login for user=xxx, nonce= in ./data/users/_/log.txt

I've whiped FreshRSS completly, except for the mariadb database (which I really would love to keep for the favorites) and freshly installed from git.

Thank you so much in advance!

edit: Added FreshRSS log

[joshuacwnewton]

I was getting this exact issue as well (no reverse proxy, exact same browser login error message, same warning in the users log.txt).

What helped me in the short term:

• Clear cookies in browser.
• If using an app with the API integration, change your API password then re-auth.

For me, the issue has been intermittent. It might have been tied to a change in port as I was setting up my docker compose, thus resulting in an outdated base_url? 🤔

I'm still looking for a more permanent fix. This forum post seems to be pointing in the direction of www/freshrss/data/config.php. Here's mine for reference:

<?php
return array (
  'environment' => 'production',
  'salt' => 'xxx',
  'base_url' => 'http://xxx',
  'auto_update_url' => 'https://update.freshrss.org',
  'language' => 'en',
  'title' => 'FreshRSS',
  'meta_description' => '',
  'logo_html' => '',
  'default_user' => 'xxx',
  'force_email_validation' => false,
  'allow_anonymous' => false,
  'allow_anonymous_refresh' => false,
  'auth_type' => 'form',
  'http_auth_auto_register' => true,
  'http_auth_auto_register_email_field' => '',
  'api_enabled' => true,
  'unsafe_autologin_enabled' => false,
  'simplepie_syslog_enabled' => true,
  'pubsubhubbub_enabled' => false,
  'allow_robots' => false,
  'allow_referrer' => false,
  'limits' => 
  array (
    'cookie_duration' => 7776000,
    'cache_duration' => 800,
    'timeout' => 20,
    'max_inactivity' => 9223372036854775807,
    'max_feeds' => 131072,
    'max_categories' => 16384,
    'max_registrations' => 1,
  ),
  'curl_options' => 
  array (
  ),
  'db' => 
  array (
    'type' => 'sqlite',
    'host' => '',
    'user' => '',
    'password' => '',
    'base' => '',
    'prefix' => '',
    'connection_uri_params' => '',
    'pdo_options' => 
    array (
    ),
  ),
  'mailer' => 'mail',
  'smtp' => 
  array (
    'hostname' => '',
    'host' => 'localhost',
    'port' => 25,
    'auth' => false,
    'auth_type' => '',
    'username' => '',
    'password' => '',
    'secure' => '',
    'from' => 'root@localhost',
  ),
  'extensions_enabled' => 
  array (
  ),
  'extensions' => 
  array (
  ),
  'disable_update' => true,
  'trusted_sources' => 
  array (
    0 => '127.0.0.0/8',
    1 => '::1/128',
  ),
);

If I run into the issue again, I'll try to troubleshoot further to find the root cause.

[math-GH]

just for documentation a link to another issue from the past: #5259

[bit15k]

I have encountered the same problem. I originally used nginx and placed freshrss in a subdirectory, it worked properly. Until I changed the domain name and modified the server name of nginx, this problem occurred. So I switched back to the nginx configuration file of the old domain name, but at this point, I was unable to log in. Always display "The web server sessions to be incorrectly configured for cookies required for PHP sessions!". I am very certain that I have configured nginx, as it was running normally before.

[Alkarex]

1. Check your base_url in data/config.php
2. Try with another browser, just to make sure there is no cache problem
3. Check your Web browser network logs in the developer tools to find out what cookies you get back and which one you send in the following request

[bit15k]

The content of the base url is as follows, which is consistent with the server_name and location in the nginx configuration file.

return array (
  'environment' => 'production',
  'salt' => '24088f2fb8bd2a363dca6ddccd63f192177eecce',
  'base_url' => 'https://my-domain/freshrss',
  'auto_update_url' => 'https://update.freshrss.org',
  'language' => 'en',
  'title' => 'FreshRSS',
  'meta_description' => '',
  'logo_html' => '',
  'default_user' => 'bit15k',
  'force_email_validation' => false,
  'allow_anonymous' => false,
  'allow_anonymous_refresh' => false,
  'auth_type' => 'form',
  'http_auth_auto_register' => true,
  'http_auth_auto_register_email_field' => '',
  'api_enabled' => false,
  'unsafe_autologin_enabled' => false,
  'simplepie_syslog_enabled' => true,
  'pubsubhubbub_enabled' => true,
  'allow_robots' => false,
  'allow_referrer' => false,
  'limits' => 

nginx configuration file reads as follows.

...
location /freshrss/ {
        proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=Lax";
        proxy_pass http://freshrss/;
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-XSS-Protection "1; mode=block";
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Prefix /freshrss/;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_read_timeout 90; 
        # Forward the Authorization header for the Google Reader API.
        proxy_set_header Authorization $http_authorization;
        proxy_pass_header Authorization;
    }

I tried logging in using a different local browser and it still says "The web server sessions to be incorrectly configured for cookies required for PHP sessions".

I used the browser developer tools to check and found that clicking on login returned a 403 forbidden

It should be noted that my freshrss was installed via docker compose, and nginx was installed on the host.