
Windows 7, Google Chrome, Magento admin cookie problem

Tuesday, 05 April 2011

This morning we came across an excellent bug that causes problems when you try to access the Magento Admin Panel using Google Chrome (build 10.something) under Windows 7: you can't log in to any Magento Admin Panel.

Meet the fantastic bug

We tried to log in to our Magento backend this morning, but failed: the login page did not give an error about wrong credentials, but just redirected back to the backend login form. No message, not even a warning. But when we came across the same problem with a client's website, we quickly suspected it was not related to Magento, but to the Chrome browser we were using.

The problem seemed to occur with every Magento Admin Panel, across many different servers. Because IE and Firefox kept working fine, the obvious clue that this problem was related to the Chrome browser was quickly picked up. After some investigation, the reason for the failed logins popped up: the developer tools of Chrome did not show any adminhtml cookie being set. And without a cookie you can't log in.

Workaround #1 - Fix the cookie time

On the web, we found a suggestion that this might be related to the cookie lifetime. So we applied the suggestion and changed the cookie lifetime from 3600 to 86400 seconds (from 1 hour to 1 day). This worked! But we found a cookie lifetime of 1 day a bit long. So we made the effort to find out at which cookie lifetime Chrome would start accepting the cookie:

We found that Chrome does not accept the cookie if its lifetime is set to 3630 seconds, but it does accept the cookie when set to 3631 seconds. Wonderful.


Workaround #2 - Use a different browser

But most likely, you can't just change this setting for every Magento backend you come across (or at least in our case we shouldn't). So, for the moment, only one other solution is left: change to another browser until this issue is fixed in Chrome.

[Additions on April 6th 2011]

After more thorough investigation it seems that the bug is actually in Magento. The cookie is set in the file app/code/core/Mage/Core/Model/Cookie.php. The lifetime defined in that cookie is completely correct: it equals the setting as defined in the Magento Admin Panel. This led to a quick conclusion that something must be wrong with the actual time being used, perhaps the timezone.

We started debugging one environment that had the timezone configured on Europe/Amsterdam. Within the PHP configuration the variable date.timezone was configured:

date.timezone = "Europe/Amsterdam"

Within other PHP applications this was used correctly: the PHP function date_default_timezone_get() would return the proper timezone. But still, Magento would use the UTC timezone (which is 1 hour different from Amsterdam). After some code review, we found that app/Mage.php actually made a hard override of the timezone by always setting it to UTC. This seems totally wrong, and should be considered a bug in Magento (Magento 1.4.1.1).

So now the math kicks in: as mentioned earlier, we found that 3630 seconds was not working, but 3631 seconds was. One hour has 3600 seconds in it, so actually, with the timezone bug in mind, the cookie was not set for 3630 seconds, but only for 30 seconds. And then comes the browser difference: apparently most browsers will just ignore a 30-second cookie lifetime and use a default cookie lifetime instead. But in Chrome, a wrong cookie lifetime of 30 seconds will result in the cookie not being set at all.

Workaround #3 - Calculate the right cookietime with the timezone bug in mind

So now we come to the final workaround (apart from hacking the Magento core). When you're in Amsterdam, the difference is UTC+1. So if you want a 1 hour expiration time in the backend, you define 3600 + 3600 = 7200 seconds in the backend. When you're in China, the difference is UTC+8. So if you want a 1 hour expiration time in the backend, you define 3600 + (8 * 3600) = 32400 seconds in the backend.

Tsss.
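To check this on a captured response rather than by trial and error, the following added example (not part of the original post and not Magento code) compares each cookie's Expires attribute with the response's Date header and with the browser's own clock. The header lines are constructed samples; the function names, the sample session value and the modelling of the one-hour offset as a clock running one hour behind the browser's are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

def cookie_lifetimes(header_lines, client_now):
    """For every Set-Cookie that carries Expires, report the lifetime implied
    by the response itself (Expires - Date) and the lifetime the browser
    actually gets (Expires - its own clock), both in whole seconds."""
    server_date, cookies = None, []
    for line in header_lines:
        name, _, value = line.partition(":")   # split on the first colon only
        name, value = name.strip().lower(), value.strip()
        if name == "date":
            server_date = parsedate_to_datetime(value)
        elif name == "set-cookie":
            cookies.append(value)
    report = []
    for raw in cookies:
        pair, *attrs = [part.strip() for part in raw.split(";")]
        expires = next((a.partition("=")[2] for a in attrs
                        if a.lower().startswith("expires=")), None)
        if expires is None:
            continue  # session cookie: there is no lifetime to compare
        exp = parsedate_to_datetime(expires)
        effective = int((exp - client_now).total_seconds())
        intended = (int((exp - server_date).total_seconds())
                    if server_date else None)
        report.append({"cookie": pair.partition("=")[0],
                       "intended": intended,
                       "effective": effective,
                       "expired_on_arrival": effective <= 0})
    return report

def constructed_response(lifetime, offset_hours, now):
    """Constructed sample headers (assumption of this example): the expiry is
    computed from a clock that is offset_hours behind the browser's `now`."""
    base = now - timedelta(hours=offset_hours)
    return [
        "Date: " + format_datetime(base, usegmt=True),
        "Set-Cookie: adminhtml=constructed-session-id; expires="
        + format_datetime(base + timedelta(seconds=lifetime), usegmt=True)
        + "; path=/admin; HttpOnly",
    ]

if __name__ == "__main__":
    now = datetime(2011, 4, 5, 9, 0, 0, tzinfo=timezone.utc)
    for lifetime in (3600, 3630, 3631, 7200, 86400):
        print(lifetime, cookie_lifetimes(constructed_response(lifetime, 1, now), now))
```

A large gap between the intended and effective values points at a clock or timezone offset between the side that computed Expires and the browser, rather than at the configured lifetime itself.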
