Question

I've been having a constant struggle with being able to log into the site www.dragondirectsales.com. It's a Magento 1.9.1 site. The site has a subdomain, cas.dragondirectsales.com. Everything seemed fine until we moved the site to the live hosting that they are currently using.

Ever since, we've been fighting issues with logging in, both on the front end (customer logins) and the back end (admin). If you attempt to log in, it just loops you back to the appropriate login screen with no error messages. Again this happens only for customer logins.

Every time it happens I spend hours trying to fix it, and manage to get it working across every test case I can think of. Then about a month later the client emails me saying it's broken again, and swearing that he hasn't touched anything in the admin section. We're on the 4th time I've had to fix this, and all the previous changes appear to still be in there, so I'm at a loss for what is causing this issue.

Right now I have the site using Secure URLs in the front end. Cookie Path is blank. Cookie Domain is .dragondirectsales.com. I'm using HTTP Only (iPad was having a separate login issue that this fixed). Cookie Restriction Mode is set to no.

The only thing that has happened between the last time this worked and now is that we had an extension developer work on the Partial Payment extension, and I'm not entirely convinced that their work had anything to do with this issue. I can turn the extension completely off from the module xmls and the issue still happens.

Any help is completely appreciated!

Solution

I believe I finally found the answer to this.

The trick was to create the directory app/code/local/Mage/Customer/Model and copy the file Session.php into it. The Session.php file can be found at app/code/core/Mage/Customer/Model. Once the file is moved over, find this section:

    public function setCustomerAsLoggedIn($customer)
    {
        $this->setCustomer($customer);
        // renewSession() issues a new session ID at login
        $this->renewSession();
        Mage::dispatchEvent('customer_login', array('customer'=>$customer));
        return $this;
    }

Comment out the $this->renewSession(); line, so it looks like this:

    public function setCustomerAsLoggedIn($customer)
    {
        $this->setCustomer($customer);
        // With this call disabled, the pre-login session ID is kept after login
        //$this->renewSession();
        Mage::dispatchEvent('customer_login', array('customer'=>$customer));
        return $this;
    }

Make sure to clear out all login cookies. I tested this on Chrome, Firefox, and IE on Windows, and Safari on iPad and everything worked like a charm.

Thanks to this Stack Exchange entry for the answer: Erratic cookie-related login problem

OTHER TIPS

You have to force Magento to use the same cookie domain for both secure and unsecure URLs. You can inspect your site's cookies using the developer tools in the Firefox or Chrome browser. This solution was tested on Magento 1.9.2.4.

When the Session Cookie Management variables are not set correctly, Magento may create two "frontend" cookies with different cookie domains. This typically happens during the login process when you have HTTPS (i.e. SSL enabled) for the secure URL. Here are workable values for the Session Cookie Management configuration.

Cookie Life Time: 3600
Cookie Path: /
Cookie Domain: .mydomain.com (The dot prefix is important)
Use HTTP Only: No
Cookie Restriction Mode: No

  1. In the admin panel go to System -> Configuration -> Web -> Session Cookie Management
  2. Set the Cookie Management configuration as shown above
  3. Save the configuration and clear the Magento cache
  4. Restart your web server to clear the PHP variables in case you made the change directly in the MySQL database
  5. Clear your browser cache to remove any existing cookies associated with your Magento site. This is important.

Using the dot prefix on the cookie domain is important to prevent duplicate cookies from being created for the secure URL.

Changing the cookie domain will also affect the "adminhtml" cookie used by the Magento back end. Make sure to clear your browser cache to prevent admin login problems.

Changing the core code as described in another answer is not necessary when you set the Web Session Cookie Management configuration correctly.
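The duplicate "frontend" cookie condition described in the answer above can be confirmed from the Set-Cookie headers captured in the browser's developer tools before and after a configuration change. The following is an added example, not code from either answer or from Magento; the sample headers, the host name and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (request host, Set-Cookie values seen in that response).
# The host and cookie values are made up; "frontend" is the cookie named above.
SAMPLE = [
    ("www.mydomain.com", [  # plain HTTP page view
        "frontend=abc123; expires=Thu, 01 Jan 2026 00:00:00 GMT; path=/; domain=.mydomain.com",
        "store=default; path=/; domain=.mydomain.com",
    ]),
    ("www.mydomain.com", [  # HTTPS login POST
        "frontend=def456; path=/; domain=www.mydomain.com; secure; HttpOnly",
        "store=default; path=/; domain=.mydomain.com",
    ]),
]

def parse_set_cookie(header):
    """Return (cookie name, {lower-cased attribute: value}) for one header value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def cookie_scope(attrs, request_host):
    """Scope the cookie is set under, as (domain, path)."""
    domain = attrs.get("domain", "").lower()
    if not domain:  # no Domain attribute: cookie is bound to the exact host
        domain = "host-only:" + request_host.lower()
    return domain, attrs.get("path") or "/"

def find_conflicts(responses):
    """Map each cookie name that was set under more than one scope to those scopes."""
    scopes = defaultdict(set)
    for host, headers in responses:
        for header in headers:
            name, attrs = parse_set_cookie(header)
            scopes[name].add(cookie_scope(attrs, host))
    return {n: sorted(s) for n, s in scopes.items() if len(s) > 1}

if __name__ == "__main__":
    for name, found in find_conflicts(SAMPLE).items():
        print(f"{name}: set under {len(found)} scopes -> {found}")
```

An empty result after the configuration change and a cookie clear means each cookie name is being issued under a single domain and path.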

Licensed under: CC-BY-SA with attribution