Cookie endless redirect

Hi, I have one problem, and just cannot solve it.

Made a custom restrict access for a client based on It has more features but works on the same base. On my localhost and two servers, it works without issues, but on the client’s server, it goes to redirect loop every time after login.

Browser error is:

The page isn’t redirecting properly.
This problem can sometimes be caused by disabling or refusing to accept cookies.

The domain is properly redirected, it redirects to https and www.
Although must mention that before this integration client had htaccess password protection enabled.

In the controller for the login page tried changing this

if ($kirby->user()) {


if ($kirby->user()) {

but it didn’t help.

I would really appreciate some hint, maybe someone had a similar issue, although I didn’t find it in the forum.

One more thing, redirect error is only on the home page after login. I can go to any other page without problems.


Are there any other .htaccess files in a higher hierarchy folder? Or some domain redirection in the provider panel involved? Or something in the Virtual host config? Hard to tell without knowing the exact configuration. Since it works on your other setups, I’m sure there is some misconfiguration on the client server involved.

Hi, Sonja!
Good questions, that’s the next thing to check for sure. Didn’t have access to the server yet.
But wanted to rule off the cookie as error first.

Yes, but it is a controller for the Login page only.
If user is logged in, and tries to see Login page he is redirected to the home page.

That code is according to the cookbook, you should only run into an issue if all pages are restricted, i.e. including the home page. But that would then happen no matter which server.

What do you mean? All pages are restricted.
But with that code on my server there are no issues.

On top of the header.php I have redirect to login if not logged in

<?php if (!$kirby->user()) go('login') ?>

Yes, that’s ok.

1 Like

Hm, no idea really apart from what I already mentioned above.

What is different in your setup compared to the cookbook recipe?

Thank you, Sonja, the issue really point strongly to server setup. But still wanted to check before going there.

Well, hope you can sort it out with the client.

Not too much in controller.
Added honeypot.

Login page template file and blueprint is extended very much per client needs, but non of it affects the basic function for sure.

I wonder if some server side caching might be involved…but more guesswork then really knowing :wink:

Have you checked the browser’s network tab to see what exactly is happening?

Good, I thought of that too, especially because he had that htaccess password protect earlier, and didn’t have domain redirection setup. I sent him

<IfModule mod_rewrite.c>
        RewriteCond %{HTTPS} off [OR]
        RewriteCond %{HTTP_HOST} !^www\. [NC]
        RewriteCond %{HTTP_HOST} ^(.*)$  [NC]
        RewriteRule (.*) https://www.%1/$1 [R=301,L]

to fix that.

Yeah, that server needs attention.

Thank you for your help.

No! Going to check it now. :slight_smile:

Additional .htaccess password protection, even if still in place, shouldn’t really interfere, because you could actually do both without issues.

Does this tell you something new?

Client cuted it out, showed me the htaccess.
The main problem is his privacy. If I have access to files and server, it would go much faster.

It really looks as if the logged-in user isn’t stored. We see a POST request to login, but then GET requests going backwards and forwards between login and home. So the user is sent to home, but then back again to login and so forth

1 Like

To me seemed like he gets a cookie for non-www domain and cookie needs to be for www.