network protocol violation on Joomla 3.8.4

Don't think sending credentials will do any good. It's an issue directly in Joomlas routing behavior. If possible please revert to a backup for Joomla 3.8.3. I'm not sure if you can downgrade Joomla so if you've no backup available I don't have anything to suggest as CB can not alter the core routing code. More details can be found below.

github.com/joomla/joomla-cms/issues/19504

Folks, please hang in there. We can't do anything about this. It's a full B/C break with no clarification or how to implement compatibility. We're all at a stand still here expecting a quick 3.8.5 release soon to fix it.

Fixed now with 3.8.5, but I found that turning off "force https" in Joomla was at least a partial workaround (allowed the site to work, but users still had to delete their cookies or they would get a redirect loop error on login)

2 questions:

1) do you know if anyone has put the "HTTPS:" bugs into the Joomla github buglist? It's like they never even TESTED 3.8.4 on an HTTPS site!!

2) Whats the best practice, from the point of view of CB? It is all working fine with no "Force HTTPS:" setting in Joomla and no "Encrypt Login Form" in CB. Is that some sort of legacy setting, or is there a good reason to have them both on??

1) do you know if anyone has put the "HTTPS:" bugs into the Joomla github buglist? It's like they never even TESTED 3.8.4 on an HTTPS site!!

You can check the issue tracker below.

issues.joomla.org/

github.com/joomla/joomla-cms/issues

2) Whats the best practice, from the point of view of CB? It is all working fine with no "Force HTTPS:" setting in Joomla and no "Encrypt Login Form" in CB. Is that some sort of legacy setting, or is there a good reason to have them both on??

Force HTTPS should work fine assuming you don't have some odd redirect loops going on. For example live_site should be empty in configuration.php and you need to ensure any redirects you use on your site are non-SEF beginning with index.php. You shouldn't have any SEF or HTTPS issues then. CBs encrypt login form parameter just changes the URL to HTTPS for login/registration forms and checks to make sure the POST is done to HTTPS or it'll be rejected.

Hi Mikerotec,
I turned off "Force HTTPS" at Joomla as well and the site was indeet working. However, all SSL mandatory functions (such as facebook login or PayPal communcation) failed at the front end. This caused me to roll back on backup and was really painful as I have 3 digit user posts per day - all of them got lost with the backup.

I am still on 3.8.3 and we are intensive testing 3.8.5 with CB on a mirror site before I will take the decision to upgrade the live pages again. Interesting to know: the original Joomla login form was not affected by this bug and still was working under HTTPS enforcement. Therefore I was looking at CB to bring a solution.

Kyle explained to me to have "Encrypt Login Form" active in the CB Login Module, which I never had active. I switched it on with no effect.

I did not post this bug at github, but followed the posts to better understand the root cause. I also think this bug was caused by improper testing and even I did put this upgrade first on my mirror site, I did not notice the issue. Only loggin off and re-entering the page made the issue visible.

Best,
Andy

Are you all on PHP 7.2? If not please provide your PHP versions. The only login issues I can confirm are the below.

github.com/joomla/joomla-cms/pull/19199

Using "Force HTTPS" in my tests works perfectly fine. The redirect issues should be fixed with 3.8.5.

PHP Version 7.1.13 here!

yes, 3.8.5 has solved all issues, as far as I can tell.

I have Joomla "Force HTTPS" off ( same with log in modules, https also off) - and no ill effects here whatsoever ( Paypal payments still coming in fine via CBSubs)