Login problem after changing URL and https


Re: Login problem after changing URL and https

by axew3 » Thu Jun 25, 2020 4:06 pm

Thank you for appreciation!
"Account activation:" field to "Disable registration"
Yes, you can of course disable registration in phpBB!

Following up on the issue mentioned above, I now see that this code is the problem; it runs right at the top of the plugin's verify credentials function:


 // The presented cookie uid, is in the black list and the user not logged in?
 if( $w3all_anti_brute_force_yn == 1 && ! is_user_logged_in() && isset($w3all_bruteblock_phpbbulist[$phpbb_u]) ){
      setcookie ("w3all_bruteblock", "1", 0, "/", $w3cookie_domain, false); // expire session, removed on phpBB_user_session_set()
      self::w3all_wp_logout('wp_login_url');
      return;
 }

This code is used to stop any bruteforce: if the username is in the list and is not logged in, the logout fires, the function logs out and returns, so it stops any subsequent action (calls to the db to check for the session).

If no other smart solution comes to mind, the way to resolve it can't be like in this example (where I can manage problems in another way, maybe managing records in the db when in trouble like this morning, which is obviously not useful for anybody).

The solution is: do not activate the option Swap login/registration/reset pass links with bruteforce active, if/and you want users to do these actions only in phpBB, maybe just remove then on the wp side all links that point to registration/login/lost pass and that point to wp, and manually add links to the related phpBB pages. Then in case of problems, so when a user needs to reset/unlock his account, it will be processed normally. Let me test things more deeply in these days; I hope to come out with a solution for this problem, but without adding code on the phpBB side, it seems to me at the moment +- impossible.

Re: Login problem after changing URL and https

by jambo » Thu Jun 25, 2020 3:08 pm

GREAT!! I am back on track, your comments led me down the path to see what I might have done to make things bad.

The problem was created by me!!!!

I set the "Allow "Remember Me" logins:" in phpBB 3.3 to "off" because I am going to force all logins through wordpress and I figured I would control the cookie timeout there. The minute I set that back to "on" my problem went away!!!!!

My other question is, since I am putting everything through wordpress, and I want to FORCE registration there, should I set the "Account activation:" field to "Disable registration"? I already have pushed all the login links to wordpress with my phpBB style, but that would remove all the register links for me.

Thank you very much for your help and for the plugin, you rock!!!!

James

Re: Login problem after changing URL and https

by axew3 » Thu Jun 25, 2020 9:22 am

Hello! Ok look, I've been locked out just now by this site.
Reason: I have the anti-bruteforce option enabled on the plugin AND the option Swap WordPress default Login, Register and Lost Password links to point to phpBB related pages enabled.
If a user turns out to be on the plugin's bruteforce list, when the user logs in via phpBB NOT iframed, he will be logged in to phpBB, but when coming to the WP side he will be logged out. And if the user resets the pass in phpBB, then tries to log in to wp, again, the pass does not match, because the bruteforce prevention does not let the code execute if the user does not unlock his account with a correct login on the WP side.
More: the antibruteforce measure lets firewall plugins do their jobs, and when the pass does not match, the code fires a wrong login event, so firewall plugins will log the event, and may require you to unlock the account. But again, if the username is in the bruteblock list, the code to unlock the user will not execute correctly.
Then, how can I do a login in wp and reset things, if the option swap login/register/lost pass is enabled, together with anti-bruteforce?

Did you fall into the same?

Going to check all about this in the next, coming soon, 2.3.6. I will start today to check and fix all issues, also based on your reports.
I will check what about bruteforce and the common issues it can cause using different plugin settings.
I will reply here as soon as I discover more while reversing the logic/code.

It is not clear to me this:
"but when I try to go back to phpbb it does not work"
You log in to wordpress, then when visiting phpBB the user is logged out (also in wordpress)?
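
The lockout described in this post and the gate quoted in the later reply, modelled as an added example that is not part of the thread or of the plugin's code. The option keys, the list layout and uid 42 are constructed, and the rule that only a correct WP-side login clears the list entry is taken from the post's description.

```php
<?php
// Added illustration, not code from the plugin. Option names, the list layout
// and the uid below are constructed; the gate mirrors the snippet quoted in the thread.

// Gate from the thread: brute-force option on, visitor not logged in to WP,
// presented phpBB uid on the list => log out and return before any session check.
function gate_blocks(array $opt, array $bruteList, int $phpbbUid, bool $wpLoggedIn): bool
{
    return $opt['anti_brute_force'] && !$wpLoggedIn && isset($bruteList[$phpbbUid]);
}

// One visit to the WP side by a user who holds a valid phpBB session cookie.
function visit_wp(array $opt, array $bruteList, int $phpbbUid): string
{
    if (gate_blocks($opt, $bruteList, $phpbbUid, false)) {
        return 'logged out (session never checked)';
    }
    return 'phpBB session checked, user logged in';
}

// Per the thread, only a correct login on the WP side takes the uid off the list,
// and the swap option points the WP login/lost-password links at phpBB instead.
function try_unlock(array $opt, array $bruteList, int $phpbbUid): array
{
    if (!$opt['swap_login_links']) {
        unset($bruteList[$phpbbUid]);   // correct WP login clears the entry
    }
    return $bruteList;                  // swapped: a phpBB login or reset changes nothing here
}

$uid = 42;                              // constructed phpBB user id
foreach ([[false, false], [true, false], [false, true], [true, true]] as [$abf, $swap]) {
    $opt   = ['anti_brute_force' => $abf, 'swap_login_links' => $swap];
    $list  = [$uid => true];            // the user starts on the brute-force list
    $first = visit_wp($opt, $list, $uid);
    $list  = try_unlock($opt, $list, $uid);
    $after = visit_wp($opt, $list, $uid);
    printf("brute-force=%-3s swap=%-3s | first visit: %-40s | after recovery attempt: %s\n",
        $abf ? 'on' : 'off', $swap ? 'on' : 'off', $first, $after);
}
```

Only the row with both options on stays logged out after the recovery attempt, which is the combination the post advises against.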

Re: Login problem after changing URL and https

by jambo » Wed Jun 24, 2020 10:24 pm

Okay, I turned off Activate w3all sessions keys Brute Force countermeasure and I am now able to log in to phpbb and look around the forums fine. I am also able to go to wordpress fine and look around, but when I try to go back to phpbb it does not work.

If I log into wordpress and try to go to phpbb it does not work. So, phpbb -> wordpress is fine but not the other way around.

Thanks!!

Re: Login problem after changing URL and https

by jambo » Wed Jun 24, 2020 8:29 pm

I am still hunting this down, and I am looking into the class.wp.w3all-phpbb.php file and I inserted some debug statements as below:


if( !(isset($_COOKIE[$u])))
    error_log( "Cookie is not set!!!\n", 3, "/var/log/VBMWMO/error_log");

// HERE INSIDE WE ARE SECURE //
$_COOKIE[$u] = (isset($_COOKIE[$u])) ? $_COOKIE[$u] : 1;
$_COOKIE[$sid] = (isset($_COOKIE[$sid])) ? $_COOKIE[$sid] : '';
$_COOKIE[$k] = (isset($_COOKIE[$k])) ? $_COOKIE[$k] : '';

error_log( "User = " . $_COOKIE[$u] . "\n", 3, "/var/log/VBMWMO/error_log");

And got this output:
User = 1
User = 11515
Cookie is not set!!!
User = 1
User = 1
Cookie is not set!!!
User = 1
Cookie is not set!!!
User = 1
Cookie is not set!!!
User = 1
Cookie is not set!!!
User = 1
Cookie is not set!!!
User = 1
Cookie is not set!!!
User = 1
Cookie is not set!!!
Cookie is not set!!!
User = 1
User = 1

The first User=1 was accessing the login page, the system logged me in UID = 11515 and then promptly could not find my cookie.

I will keep looking...

James

Re: Login problem after changing URL and https

by jambo » Wed Jun 24, 2020 7:29 pm

I removed the www from the site name all over the place and it is just down to xyz.com with no www.

I changed the cookie as well to .xyz.com

and I have the same problem. Nothing has changed.
