Private Mode won't accept any password, just loops prompt

I’m self-hosting and have my site set to private for some friends to check out as I build it. However, no matter what password someone enters to access the site, whether correct or otherwise, it doesn’t let them through and just loops the password page. Tried it in Chrome, Firefox and Edge in both normal and incognito modes.

I’ve seen multiple other threads about this going back a couple of years and it was acknowledged as a bug, but on my brand new Ghost install, the exact same issue’s still happening. Is this bug still outstanding or does anyone know a fix for this?

Thanks very much!

Setup information

Ghost Version
5.127.0

Node.js Version
22.16.0

How did you install Ghost?
Ghost-CLI

Provide details of your host & operating system
VMware VM
Ubuntu Server 22.04.2

Database type
MySQL 8

Browser & OS version
Chrome/Firefox/Edge on Windows 11

I know the cause and posted a bugfix / pull request a long time ago - but “Closed as not planned”.

Now to the point:
http://localhost:2368 does not work.

It does not work with “http”. You have to create a certificate and use “https”. That is all.

But with my bugfix it would always work.
https://github.com/TryGhost/Ghost/issues/17514#issuecomment-1694584103

It doesn’t seem to matter to them because it works in production mode under “https”.

Well, that’s pretty ridiculous, given that it’s probably not a complicated fix. My site uses http because it’s behind Cloudflare Zero Trust, which handles the SSL for me. But if that’s the case, then there we have it.

Appreciate your response.

My reading of the linked issue and pr is that it fixed that problem but created a new one. I don’t think anyone has offered a patch that fixes the problem for the subset of self-hosters not using https and using private mode, while not breaking previews for the subset of sites with private mode and the recommended separate admin domain configuration.

I spent months trying to teach them (since v5.54.4), but to no avail.

My PR was merged, but then reverted.
https://github.com/TryGhost/Ghost/pull/17938

The bug still exists years later.

It would be so easy. Maybe you could make a new PR.
I have no experience with pull requests. It was my first … and maybe the last

Your English seems fine to me. I’m guessing they didn’t prioritize the fix because their thinking is “Who would use HTTP in this day and age?” And that’s a fair perspective, except with services like Cloudflare Zero Trust, there are multiple ways to skin the HTTPS cat. And if it’s such an easy fix, I don’t know why they wouldn’t just do it anyway, but I ain’t no developer type.

I only plan to keep the site private until I relaunch it, so this won’t be much of an issue for long. But it is concerning to see such minor issues blown off for years at a time.

As Cathy has already tried to explain on this thread, and I explained on the issue:

The proposed fix solves the problem for HTTP+private mode yes, however it broke previews for all the sites using private mode with the recommended configuration of having a separate admin domain.

That is to say it fixes a feature that is officially unsupported, and breaks one that is officially recommended.

Therefore we prioritised the recommended feature over the unsupported one.

Again, if anyone has a fix that solves the problem without breaking anything else, then we would merge it.

See my comment: