Server : Apache/2
System : Linux server-15-235-50-60 5.15.0-164-generic #174-Ubuntu SMP Fri Nov 14 20:25:16 UTC 2025 x86_64
User : gositeme ( 1004)
PHP Version : 8.2.29
Disable Function : exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname
Directory :  /home/gositeme/domains/lavocat.quebec/private_html/

Current File : /home/gositeme/domains/lavocat.quebec/private_html/ISSUE_SUMMARY.md
# Issue Summary - All Pages Without .html

## Problem
Pages like `/user/profile`, `/user/dashboard`, etc. **DO load the HTML** (HTTP 200), but get stuck on the "Loading..." screen.

## Root Cause
1. ✅ `.htaccess` routing works - auto-appends `.html`
2. ✅ HTML files load correctly  
3. ✅ React app starts
4. ❌ **React makes API calls that return "Unauthorized"**
5. ❌ **Session cookies are not being validated through the Apache proxy**

## Why Session Fails

**NextAuth Cookie Settings (src/lib/auth.ts lines 91-98):**
```typescript
sessionToken: {
  name: process.env.NODE_ENV === 'development' ? 
    'next-auth.session-token' : 
    '__Secure-next-auth.session-token',
  options: {
    httpOnly: true,
    sameSite: 'lax',
    path: '/',
    secure: process.env.NODE_ENV === 'production',  // ← Requires HTTPS
    domain: process.env.NODE_ENV === 'production' ? 
      process.env.COOKIE_DOMAIN : undefined  // ← Must be set correctly
  }
}
```

**Current Settings:**
- `NODE_ENV=production` 
- `COOKIE_DOMAIN=.lavocat.quebec`
- Cookie name: `__Secure-next-auth.session-token` (requires HTTPS)
- Secure flag: true (requires HTTPS)

## The Issue
When API requests go through the Apache proxy to Node.js:
- Browser → Apache (HTTPS) → Node.js (HTTP on port 3000)
- The session cookie has `secure: true` (HTTPS only)
- The Apache proxy connection to Node is HTTP
- Session validation might be failing
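
To narrow this down, check what actually reaches Node.js. The following is an added example, not code from this project: it reuses the two cookie names from the config above and classifies the `Cookie` header of a proxied request; the function names and sample headers are constructed for illustration. The `Secure` attribute is enforced by the browser on the browser → Apache hop, so a cookie that shows up in the forwarded header was not dropped by the HTTP hop to port 3000.

```typescript
// Added diagnostic sketch. Only the two cookie names come from the page's config;
// every function name here is hypothetical.
const SECURE_NAME = '__Secure-next-auth.session-token';
const PLAIN_NAME = 'next-auth.session-token';

// 'ok'            -> cookie reached Node under the expected name; look at validation itself
// 'name-mismatch' -> cookie was issued under the other name (issuer and validator disagree)
// 'missing'       -> browser did not send it (Secure/domain) or the proxy dropped the header
type Verdict = 'ok' | 'name-mismatch' | 'missing';

// Mirrors the name selection in the sessionToken config shown above.
function expectedCookieName(nodeEnv: string): string {
  return nodeEnv === 'development' ? PLAIN_NAME : SECURE_NAME;
}

// Parse a raw Cookie request header into a name -> value map.
function parseCookieHeader(header: string): Map<string, string> {
  const jar = new Map<string, string>();
  for (const raw of header.split(';')) {
    const part = raw.trim();
    const eq = part.indexOf('=');
    if (eq < 1) continue; // skip empty or nameless segments
    jar.set(part.slice(0, eq), part.slice(eq + 1));
  }
  return jar;
}

// True when the cookie arrived whole or split into chunks (name.0, name.1, ...),
// which NextAuth does for large session tokens.
function hasCookie(jar: Map<string, string>, name: string): boolean {
  return jar.has(name) || jar.has(`${name}.0`);
}

// Classify what reached Node.js for one proxied request.
function diagnoseSession(cookieHeader: string | undefined, nodeEnv: string): Verdict {
  const jar = parseCookieHeader(cookieHeader ?? '');
  const expected = expectedCookieName(nodeEnv);
  const other = expected === SECURE_NAME ? PLAIN_NAME : SECURE_NAME;
  if (hasCookie(jar, expected)) return 'ok';
  if (hasCookie(jar, other)) return 'name-mismatch';
  return 'missing';
}
```

Logging the verdict for `req.headers.cookie` in one failing API route shows whether the cookie is lost before Node.js, arrives under the wrong name, or arrives intact and fails later.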

## Solution Options

1. **Set NODE_ENV=development** (quick fix, less secure)
2. **Configure Apache to pass session headers properly**
3. **Disable secure cookies** in NextAuth config
4. **Use direct connection** instead of proxy

## Current Status
- Server running: ✅ PID 7638
- APIs accessible: ✅  
- Proxy working: ✅
- Session validation: ❌

