Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#46919] - [5.4.3] Frontend login silently fails with SEF + mod_rewrite enabled since 5.4.3

No Code Attached Yet
avatar contumace
contumace
19 Feb 2026

Hello,

Since upgrading to Joomla 5.4.3 today, frontend login no longer works when both SEF URLs and mod_rewrite ("Use URL Rewriting") are enabled. The login form submits and silently redirects back to itself, with no error message displayed.

Environment:

  • Joomla 5.4.3 (issue appeared immediately after upgrading from 5.4.2)
  • SEF URLs: enabled
  • Use URL Rewriting (mod_rewrite): enabled
  • Add Suffix to URLs: disabled
  • Session handler: Database
  • force_ssl: 2 (HTTPS enforced site-wide)
  • live_site: set to https://
  • Standard Joomla .htaccess file, unmodified
  • All Multifactor Authentication plugins: disabled

Symptoms:

  • Frontend login fails silently for all users (redirects back to login form)
  • No error message is shown
  • Backend login works normally

Workarounds confirmed:

  • Disabling "Use URL Rewriting" (mod_rewrite) restores frontend login for super user (only), but index.php appears in all URLs
  • Disabling SEF entirely also restores login

This worked perfectly in 5.4.2. Nothing in the server configuration has changed. The issue is clearly a regression introduced in 5.4.3.

Thank you for looking into this.

avatar contumace contumace - open - 19 Feb 2026
avatar contumace contumace - change - 19 Feb 2026
Labels Removed: ?
avatar joomla-cms-bot joomla-cms-bot - change - 19 Feb 2026
Labels Added: No Code Attached Yet
avatar joomla-cms-bot joomla-cms-bot - labeled - 19 Feb 2026
avatar contumace contumace - change - 19 Feb 2026
Title
Subject: Frontend login silently fails with SEF + mod_rewrite enabled since 5.4.3
[5.4.3] Frontend login silently fails with SEF + mod_rewrite enabled since 5.4.3
avatar OctavianC
OctavianC - comment - 19 Feb 2026

Can't replicate this - tested 5.4.3 with mod_rewrite (apache) and everything works fine. I should also add that setting live_site to https:// will lead to an Uri parse error so I'm guessing you meant that it's set to https://your-domain

avatar contumace
contumace - comment - 19 Feb 2026

With debug at max, I got the message "L'identifiant de sécurité ne correspondait pas. La demande a été interrompue pour empêcher toute violation de la sécurité. Veuillez réessayer." I then removed the url assigned to $live_site in configuration.php, leaving it blank. Everything works as before. It seems security got more strict with respect to CSRF tokens in 5.4.3.

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46919.

avatar CZ-Hobby
CZ-Hobby - comment - 19 Feb 2026

same here: https://cld-charter.cz

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46919.

avatar NobleCoder69
NobleCoder69 - comment - 21 Feb 2026

Hi i like to work on this could you assign it to me.

avatar brianteeman
brianteeman - comment - 21 Feb 2026

The joomla project does not assign issues, anyone is free to submit a pull requests.

avatar ahotzler
ahotzler - comment - 24 Feb 2026

public $live_site = '';
I can't remember configuring the parameter in any way. But I regularly encounter broken pages at customers' sites or in forums where something has been configured.

My impression is that the configuration is a remnant of fiddly, over-optimized configuration, which is typical behavior in Internet forums where users cause problems for themselves by moving as far away from the standard as possible.

Add a Comment

Login with GitHub to post a comment