Major bugs in 10.0.49

Hello,

I released 10.0.49 yesterday to address some bugs. One particular fix has caused two major bugs.

0005887: Session cookies should always be HttpOnly / Secure where applicable - Composr CMS feature tracker

This issue was meant to address insecure session cookies, which by today's standards are penalised in SEO scores and security audits. So I tightened up security and forced all session cookies to be HttpOnly (meaning JavaScript cannot read them). Also, when running a site under HTTPS, the cookies are flagged with the Secure attribute (meaning the browser will only send them over HTTPS, never over plain HTTP).

These changes caused two major bugs:

0005888: Login loop when accessing CMS/Admin zones - Composr CMS feature tracker

This one is a simple fix: clear your browser cookies and instruct all your users to do the same. Alternatively, you can change the names of your cookies in _config.php to invalidate all current cookies. The patch on the tracker is an attempt to improve cookie clean-up and to utilize some of the code we currently use in v11 for cookies.

0005889: CSRF tokens broken - Composr CMS feature tracker

CSRF tokens are typically transmitted via hidden fields on forms. But for AJAX requests there are no forms, so JavaScript has to get the CSRF token some other way. It used to just use your session ID. We can't do that anymore because the session cookies are now HttpOnly, so functionality like ratings, Commandr, and changing passwords broke. We now have to include the CSRF token as a hidden input field on every page so JavaScript can read it from the DOM when it makes AJAX requests.

The tracker issue has a patch for it. But you also have to edit your GLOBAL_HTML_WRAP files for all themes you use in v10 to include the CSRF token. Instructions are on the tracker issue in the comments.
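As an added illustration (not Composr's own code, and in Python rather than PHP), the following model shows the pieces described above: a session cookie flagged HttpOnly (and Secure under HTTPS), why script can no longer read it, the hidden csrf_token field the page wrapper must now carry, and the server-side check of an AJAX request. The token derivation (an HMAC of the session ID under a server secret), the cookie name and the field name are assumptions, not how Composr does it.

```python
import hashlib
import hmac
import re
from http.cookies import SimpleCookie

SECRET_KEY = b"constructed-server-secret"  # constructed; a real deployment uses a random key
COOKIE_NAME = "cms_session"                # assumed name; Composr's names live in _config.php


def session_cookie_header(session_id: str, https: bool) -> str:
    """Build the Set-Cookie value: HttpOnly always, Secure only when served over HTTPS."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = session_id
    jar[COOKIE_NAME]["httponly"] = True
    jar[COOKIE_NAME]["path"] = "/"
    if https:
        jar[COOKIE_NAME]["secure"] = True
    return jar[COOKIE_NAME].OutputString()


def script_visible_cookies(set_cookie_lines: list) -> dict:
    """Model of document.cookie: the browser withholds HttpOnly cookies from JavaScript."""
    visible = {}
    for line in set_cookie_lines:
        for name, morsel in SimpleCookie(line).items():
            if not morsel["httponly"]:
                visible[name] = morsel.value
    return visible


def csrf_token(session_id: str) -> str:
    """Per-session token derived server-side (assumed scheme); script never needs the session ID."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def render_page(session_id: str) -> str:
    """The hidden field a GLOBAL_HTML_WRAP-style template now has to emit on every page."""
    return f'<body><input type="hidden" name="csrf_token" value="{csrf_token(session_id)}"></body>'


TOKEN_RE = re.compile(r'<input[^>]*name="csrf_token"[^>]*value="([0-9a-f]+)"')


def ajax_request(page_html: str, cookie_header: str, data: dict) -> dict:
    """What client-side JS does now: read the token from the DOM, then post it with the data."""
    match = TOKEN_RE.search(page_html)
    if not match:
        raise ValueError("no csrf_token field in page")
    return {"cookie": cookie_header, "form": {**data, "csrf_token": match.group(1)}}


def handle_ajax(request: dict) -> bool:
    """Server check: the submitted token must match the one bound to the session cookie."""
    jar = SimpleCookie(request["cookie"])
    if COOKIE_NAME not in jar:
        return False
    expected = csrf_token(jar[COOKIE_NAME].value)
    return hmac.compare_digest(expected, request["form"].get("csrf_token", ""))
```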

A new release, 10.0.50, will be made in a few days to include these fixes. These fixes have already been applied to compo.sr. Please report any other issues you encounter to the tracker. Thank you!
