While it may offer you a temporary solution, you should consider not modifying the core code like that to solve problems. Changing the source code of an application will create problems that are much more difficult to track down.
There's a number of different issues that cause the errorless admin login behavior you're seeing, but they all go back to Magento not being able to set or read the session cookie. Magento uses sessions to pass error messages between pages — that's why you don't see an error message. Magento also uses sessions to store the "is logged in" value, so not setting sessions also causes the core error behavior.
Possible causes include:
- Local computer time vs. server time mismatch, causing instant cookie invalidation. Make sure your server time is correct.
- Incorrect permissions on var/session, preventing session files from being saved
- Incorrect configuration of database/redis/other session storage, preventing saving of session values
- A module is instantiating sessions too early, preventing the correct session names from being set
- You're a developer using multiple URLs and have multiple cookie domains
- Another developer has somehow modified app\code\core\Mage\Core\Model\Session\Abstract\Varien.php, creating a hard-to-track-down bug
- The cookie domain in System -> Configuration -> Web -> Session Cookie Management doesn't match the actual site domain.
- You're using localhost as your server domain, and using a version of WebKit that has trouble/bugs setting cookies for localhost in some situations.
The short term fix is to just delete your cookie for the domain. That's often enough to solve the problem. If it persists, figure out which of the above reasons is the reason for your error, and take steps to address it (fix permissions, etc.)
You write in your question:
"they face the issue that they can't login and no error message is displayed"
This is a good indicator that you have a cookie issue. This error pattern is just that the login was successful for Magento (username and password did match) but there is no session to keep the successful login. Hence the login page is displayed again with no error message.
"My research leads me to believe that this is a cookie problem, stemming from the fact that the example.com cookie is set, and then causes problems when the user is redirected to sub.example.com"
You're pretty close, here is what happens.
- You have not specified a cookie-domain for both sites.
- Not specifying a cookie-domain means, the browser when it receives a cookie will file it under the domain of the request.
- The login will then set the session ID to example.com. In that session the user is logged in.
- After redirect a new session ID will be set to sub.example.com. In that new session the user is not logged in.
- If the browser requests a page under sub.example.com then, it needs to decide which of the two same-named cookies for the session is to be taken: The one for example.com or the one for sub.example.com? And if both in which order? Answer: You can't say as browsers vary here.
- And not only the browser, also the server needs to decide here. So what happens here? Answer: For PHP, it can't handle two cookie values with the same name. It only takes the first one. And which one that is, you can't say (see browsers).
- So this is already flawed. No wonder it won't work until you start fresh and remove existing cookies under both domains.
This is what you experienced and hopefully the listing sheds some light.
So how to handle this in your case?
My suggestion would be to configure the cookie domains as "example.com" for both sites in your case. That means that both sites will share their session, which I assume is what you're looking for.
Not setting the cookie-domain in the first place was causing you the trouble then as this resulted in two different cookie domains, but you want to share the session cookie, so you want one session cookie and not two.
Also: Set the cookie to HTTP only so it can't be spoofed in a browser-script.
Changes in your configuration:
- Cookie domain: example.com (was: (empty))
- Use HTTP only: Yes (was: No)
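
The collision described in the answer above, modelled as an added example (not code from the answer or from Magento). The cookie name adminhtml, the session values and all helper names are constructed, and the model assumes, as the answer describes, that a session cookie filed under example.com is also sent on requests to sub.example.com.

```python
# Constructed model: cookie name "adminhtml" and session values are sample data.
from collections import Counter

def domain_match(host, cookie_domain):
    # A cookie is sent to its own domain and to that domain's subdomains.
    return host == cookie_domain or host.endswith("." + cookie_domain)

class CookieJar:
    def __init__(self):
        self.store = {}  # (name, domain) -> value; the same key overwrites

    def set_cookie(self, name, value, domain):
        self.store[(name, domain)] = value

    def cookie_header(self, host, parent_first):
        # Browsers differ in how they order same-named cookies, so the order is a parameter.
        hits = [(d, n, v) for (n, d), v in self.store.items() if domain_match(host, d)]
        hits.sort(key=lambda h: len(h[0]), reverse=not parent_first)
        return "; ".join(f"{n}={v}" for _, n, v in hits)

def php_cookies(header):
    # PHP keeps only the first value for a repeated cookie name.
    seen = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            seen.setdefault(name, value)
    return seen

def duplicate_names(header):
    # Diagnostic: cookie names that appear more than once in one Cookie header.
    names = [p.strip().partition("=")[0] for p in header.split(";") if "=" in p]
    return sorted(n for n, c in Counter(names).items() if c > 1)

def simulate(shared_cookie_domain, parent_first):
    jar = CookieJar()
    # Login on example.com creates the logged-in session.
    jar.set_cookie("adminhtml", "sess-logged-in", "example.com")
    if not shared_cookie_domain:
        # After the redirect, sub.example.com files a second session under its own domain.
        jar.set_cookie("adminhtml", "sess-anonymous", "sub.example.com")
    header = jar.cookie_header("sub.example.com", parent_first)
    return php_cookies(header).get("adminhtml"), duplicate_names(header)

if __name__ == "__main__":
    for shared in (False, True):
        for parent_first in (True, False):
            print(shared, parent_first, simulate(shared, parent_first))
```

With two cookie domains the session the server sees flips with the browser's ordering; with one shared cookie domain there is a single cookie and the result is stable.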
Best Answer
My issue is solved now!!!
I have deleted the Application Load Balancer from AWS EC2 and followed the steps below to create a Classic Load Balancer with cookies 3600, the same as was in my Magento site.
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- On the navigation pane, under LOAD BALANCING, choose Target Groups.
- Select the target group.
- On the Description tab, choose Edit attributes.
- On the Edit attributes page, do the following:
  - Select Enable load balancer generated cookie stickiness.
  - For Stickiness duration, specify a value between 1 second and 7 days.
  - Choose Save.