"Access Denied" Login Error

I had a problem where if you accidentally entered an incorrect username or password to access the admin area you were given an access denied error.

A cookie was set and you would continue to get this error until the cookie expired or was removed.

To fix this problem in scp/admin.php on line 19 change:
if(!$thisuser or !$thisuser->isadmin()) die('Access Denied');


to:
if(!$thisuser or !$thisuser->isadmin());



You still get an Invalid Login Message when you mistype a username or password but it will still let you try again.

Jason

Comments

  • Jason,

    I am not sure your advice is the correct implementation. Removing the check will allow staff without admin privileges to possibly access admin pages! It is better to get to the root cause of the problem.

    I am also not sure the condition you mentioned will result in access denied. staff.inc.php does the login checks and the only way to get the error as you described will be when you are already locked in as staff (non-admin) and try to access admin page.

    Regardless of the issue at play, you might want to change the code as shown below;

    if(!$thisuser or !$thisuser->isadmin()) {
        header('Location: index.php');
        require('index.php'); // Just in case headers were already sent
        exit;
    }

    I am very interested in replicating the error as you described. Feel free to PM or email me.
  • Update

    The issue at play here was login strikes due to excessive logins. osTicket's staff control panel (scp) allows 3 login attempts before a forced timeout of 3 minutes. An email alert is sent to the admin email.

    This is done to avoid (limit?) brute force attacks and give the admin a heads-up on the attack. This will also, unfortunately, affect staff with a forgotten password, BUT it is for a good cause.

    This is all session based at the moment and will be DB based in the upcoming releases.

    The source of the 'Access Denied' error is login.php and not admin.php as Jason indicated!

    Peace! It's tea time.
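
The strike-and-timeout behaviour described in the update above, as an added example (not osTicket's code and not posted by anyone in this thread), with the counter held server-side rather than in the session. The class name `LoginThrottle`, the in-memory array standing in for a database table, keying on username plus client address, and the sample user and address are all assumptions.

```php
<?php
// Added example, not osTicket code. Limits from the post: 3 attempts, 3-minute timeout.
const MAX_STRIKES = 3;
const LOCKOUT_SECONDS = 180;

final class LoginThrottle // hypothetical name
{
    // Stands in for a database table: key => [strikes, locked_until].
    // Keeping it server-side means a discarded session cookie does not reset it.
    private array $store = [];

    private function key(string $user, string $ip): string
    {
        return hash('sha256', strtolower($user) . "\0" . $ip);
    }

    public function isLocked(string $user, string $ip, int $now): bool
    {
        $rec = $this->store[$this->key($user, $ip)] ?? null;
        return $rec !== null && $rec['locked_until'] > $now;
    }

    // Returns true when the login is in timeout after this failure (alert the admin here).
    public function recordFailure(string $user, string $ip, int $now): bool
    {
        $k = $this->key($user, $ip);
        $rec = $this->store[$k] ?? ['strikes' => 0, 'locked_until' => 0];
        if (++$rec['strikes'] >= MAX_STRIKES) {
            $rec = ['strikes' => 0, 'locked_until' => $now + LOCKOUT_SECONDS];
        }
        $this->store[$k] = $rec;
        return $rec['locked_until'] > $now;
    }

    public function recordSuccess(string $user, string $ip): void
    {
        unset($this->store[$this->key($user, $ip)]);
    }
}

// Constructed walk-through: three bad passwords, then checks during and after the timeout.
$t = new LoginThrottle();
$now = 1000; // constructed timestamp
foreach ([1, 2, 3] as $attempt) {
    $tripped = $t->recordFailure('admin', '203.0.113.5', $now);
    echo "attempt $attempt: ", $tripped ? "timeout started\n" : "invalid login\n";
}
echo $t->isLocked('admin', '203.0.113.5', $now + 60) ? "locked\n" : "open\n";
echo $t->isLocked('admin', '203.0.113.5', $now + LOCKOUT_SECONDS) ? "locked\n" : "open\n";
```

A login handler would call `isLocked()` before checking the password and refuse with the timeout message while it returns true.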
  • Thanks Peter, I have updated my copy with the code above.

    Jason
  • OK, so I've read this post and I'm trying to login but I can't seem to login at all. Sometimes it says access denied, other times it says invalid information. Just want to login. What is the best way for an admin to login to start setting up the OSticket system?

    Glad to see this is back online again. Thanks!
  • Is there a solution for this yet? I have been trying to login for 2 days now and I get invalid login then access denied. I checked phpMyAdmin and I have the correct username and password. This is happening for all 3 of my staff logins. I have tickets that need to be answered and cannot access anything. Where do I start?
  • I've seen Access Denied before while trying to login but in my case it was either caused by trying to login and view a ticket that I wasn't allowed to view or a ticket that has been deleted. Make sure you have permission to view the ticket that you are trying to view. For example if you are logging in by going to www.your-address.com/osticket/scp/tickets.php?id=18 and that ticket is in the Support Department, you have to make sure that the group you belong to has access to the Support Department. I think this was my problem.
  • still no solution??
  • ...  this thread is from 2007 and for version 1.6ST which is no longer supported.
    Also the solution is in the first three posts of the thread.
    Closing this zombie thread.
This discussion has been closed.