Login problem after changing URL and https

jambo
User w
User w
Posts: 19
Joined: Fri May 15, 2020 7:23 pm

Post by jambo »

I had the W3 plugin working fabulously and then we went live.

This morning we went live and the integration is no longer working. We put HTTPS in place and made the URL www.xyz.org. You are able to log into either WordPress or phpBB, but when you go between them you get logged out.

URL www.xyz.org for wordpress
URL www.xyz.org/forum for phpbb

Domain is redirected to https://www.xyz.org on wordpress
Cookie domain on wordpress is www.xyz.org because of that

Domain is redirected to https://www.xyz.org on phpbb
cookie domain is set to "www.xyz.org" on phpbb

Cookies are all set at ".www.xyz.org" and I see the cookie being set in the same domain on both sides, but the cross-login is not working. When I log in to WordPress I see the correct cookie being set on the WordPress login.

We are a small club and are doing this upgrade for our users because it was really very needed.

Any help is GREATLY appreciated!!!

If you need a login please let me know and I can share REAL URLs in private chat as well.

BY THE WAY I did a full re-install after the move to https and the domain change.

James

Re: Login problem after changing URL and https

Post by jambo »

A bit more:

I go to phpBB (clear my cookies) and log in. I get 3 cookies in my browser:
  • vbmwmo8_k - domain .www.xyz.com - Content nothing - path /
  • vbmwmo8_sid - domain .www.xyz.com - Content hash - path /
  • vbmwmo8_u - domain .www.xyz.com - Content 11345 - path /
I can use phpBB and all good.

I go to wordpress and I can access wordpress and click around. Cookies at this stage:
  • vbmwmo8_k - domain .www.xyz.com - Content NOW WITH A HASH - path /
  • vbmwmo8_sid - domain .www.xyz.com - Content hash - path /
  • vbmwmo8_u - domain .www.xyz.com - Content 11345 - path /
  • PHPSESSID - domain (NO DOT)www.xyz.com - Content hash - path /
  • wordpress_loggedin(hash) - domain .www.xyz.com - Content hash - path /
  • wordpress_sec(hash) (2 of them) - domain .www.xyz.com - Content hash - path various
I am able to click around and all is good.

I go back to phpBB and I am not logged in and I have the following cookies:
  • vbmwmo8_k - domain .www.xyz.com - Content No content - path /
  • vbmwmo8_sid - domain .www.xyz.com - Content hash - path /
  • vbmwmo8_u - domain .www.xyz.com - Content This is NOW 1, not 11345! - path /
  • PHPSESSID - domain (NO DOT)www.xyz.com - Content hash - path /
  • wordpress_loggedin(hash) - domain .www.xyz.com - Content hash - path /
  • NO wordpress_sec cookies
I also noticed that when I go from phpbb to wordpress the vbmwmo8_sid cookie is NOT the same hash.

Sometimes I get duplicate vbmwmo8 cookies with .www.xyz.com and www.xyz.com.

If I log in on the wordpress side and go to phpbb I get the same functionality as above!

I am at my limit on how to solve this.

Thank you!!!
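
Added example, not part of the original posts or the plugin's code: a simplified model of a browser cookie store (after RFC 6265bis) showing how the duplicate vbmwmo8 cookies reported above, one listed under .www.xyz.com and one under www.xyz.com, can coexist and both be sent. The function names and the sequence of Set-Cookie calls are assumptions made for illustration.

```javascript
// Simplified cookie store after RFC 6265bis: no expiry, Secure, path or
// public-suffix handling. Host and cookie names are the thread's sample values.

// True when `host` is `domain` itself or one of its subdomains.
function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Apply one Set-Cookie from `requestHost` to the jar (a Map). Returns false
// when the Domain attribute does not cover the host and the cookie is dropped.
function storeCookie(jar, requestHost, { name, value, domain, path = "/" }) {
  const host = requestHost.toLowerCase();
  let hostOnly = true;
  let cookieDomain = host;
  if (domain) {
    const d = domain.toLowerCase().replace(/^\./, ""); // leading dot is ignored
    if (!domainMatch(host, d)) return false;
    hostOnly = false;
    cookieDomain = d;
  }
  // Identity is name + domain + host-only flag + path, so a host-only cookie
  // and a Domain= cookie with the same name do not overwrite each other.
  jar.set([name, cookieDomain, hostOnly, path].join("|"),
          { name, value, domain: cookieDomain, hostOnly, path });
  return true;
}

// Cookies the browser would attach to a request for `requestHost`.
function cookiesFor(jar, requestHost) {
  const host = requestHost.toLowerCase();
  return [...jar.values()].filter(c =>
    c.hostOnly ? host === c.domain : domainMatch(host, c.domain));
}

// Names sent more than once to `requestHost`, with the domain column as
// developer tools commonly show it (leading dot = Domain attribute was set).
function duplicateNames(jar, requestHost) {
  const seen = new Map();
  for (const c of cookiesFor(jar, requestHost)) {
    const shown = (c.hostOnly ? "" : ".") + c.domain;
    seen.set(c.name, [...(seen.get(c.name) || []), `${shown}=${c.value}`]);
  }
  return new Map([...seen].filter(([, v]) => v.length > 1));
}

// Constructed sequence: one writer sets Domain=, another omits it.
const jar = new Map();
storeCookie(jar, "www.xyz.com", { name: "vbmwmo8_u", value: "11345", domain: "www.xyz.com" });
storeCookie(jar, "www.xyz.com", { name: "vbmwmo8_u", value: "1" });
console.log(duplicateNames(jar, "www.xyz.com"));
```

Both entries are sent with every request to www.xyz.com, while PHP's $_COOKIE holds only one value per name, so checking that every code path sets the cookie with the same Domain attribute (or clearing stale cookies after a domain change) removes the ambiguity.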

Re: Login problem after changing URL and https

Post by jambo »

I removed the www from the site name all over the place and it is just down to xyz.com with no www.

I changed the cookie as well to .xyz.com

and I have the same problem. Nothing has changed.

Re: Login problem after changing URL and https

Post by jambo »

I am still hunting this down, and I am looking into the class.wp.w3all-phpbb.php file and I inserted some debug statements as below:

    if( !(isset($_COOKIE[$u])))
        error_log( "Cookie is not set!!!\n", 3, "/var/log/VBMWMO/error_log");

    // HERE INSIDE WE ARE SECURE //
    $_COOKIE[$u] = (isset($_COOKIE[$u])) ? $_COOKIE[$u] : 1;
    $_COOKIE[$sid] = (isset($_COOKIE[$sid])) ? $_COOKIE[$sid] : '';
    $_COOKIE[$k] = (isset($_COOKIE[$k])) ? $_COOKIE[$k] : '';

    error_log( "User = " . $_COOKIE[$u] . "\n", 3, "/var/log/VBMWMO/error_log");

And got this output:

    User = 1
    User = 11515
    Cookie is not set!!!
    User = 1
    User = 1
    Cookie is not set!!!
    User = 1
    Cookie is not set!!!
    User = 1
    Cookie is not set!!!
    User = 1
    Cookie is not set!!!
    User = 1
    Cookie is not set!!!
    User = 1
    Cookie is not set!!!
    User = 1
    Cookie is not set!!!
    Cookie is not set!!!
    User = 1
    User = 1

The first User=1 was accessing the login page, the system logged me in UID = 11515 and then promptly could not find my cookie.

I will keep looking...

James

Re: Login problem after changing URL and https

Post by jambo »

Okay, I turned off the "Activate w3all sessions keys Brute Force countermeasure" option and I am now able to log in to phpBB and look around the forums fine. I am also able to go to WordPress fine and look around, but when I try to go back to phpBB it does not work.

If I log into wordpress and try to go to phpbb it does not work. So, phpbb -> wordpress is fine but not the other way around.

Thanks!!

axew3
w3all User
w3all User
Posts: 2007
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy

Re: Login problem after changing URL and https

Post by axew3 »

Hello! OK look, I've been locked out just now by this site.
Reason: I have the anti-bruteforce option enabled on the plugin AND the option "Swap WordPress default Login, Register and Lost Password links to point to phpBB related pages" enabled.
If a user is on the plugin's bruteforce list, when the user logs in via phpBB NOT iframed, they will be logged in to phpBB, but when coming to the WP side they will be logged out. And if the user resets the password in phpBB and then tries to log in to WP, again the password does not match, because the bruteforce prevention does not let the code execute if the user does not unlock the account with a correct login on the WP side.
More: the anti-bruteforce measure lets firewall plugins do their jobs, and when the password does not match, the code fires a wrong login event, so firewall plugins will log the event and may require you to unlock the account. But again, if the username is in the bruteblock list, the code to unlock the user will not execute correctly.
Then, how can I log in to WP and reset things if the swap login/register/lost pass option is enabled together with anti-bruteforce?

Did you fall into the same?

I am going to check all of this for the upcoming 2.3.6. I will start today to check and fix all issues, also based on your reports.
I will check the bruteforce option and the common issues it can cause with different plugin settings.
I will reply here as soon as I discover more while reversing the logic/code.

This is not clear to me:
"but when I try to go back to phpbb it does not work"
You log in to WordPress, then when visiting phpBB the user is logged out (also in WordPress)?

Re: Login problem after changing URL and https

Post by jambo »

GREAT!! I am back on track, your comments led me down the path to see what I might have done to make things bad.

The problem was created by me!!!!

I set the "Allow "Remember Me" logins:" in phpBB 3.3 to "off" because I am going to force all logins through wordpress and I figured I would control the cookie timeout there. The minute I set that back to "on" my problem went away!!!!!

My other question is, since I am putting everything through WordPress and I want to FORCE registration there, should I set the "Account activation:" field to "Disable registration"? I already have pushed all the login links to WordPress with my phpBB style, but that would remove all the register links for me.

Thank you very much for your help and for the plugin, you rock!!!!

James

Re: Login problem after changing URL and https

Post by axew3 »

Thank you for the appreciation!
""Account activation:" field to "Disable registration""
Yes, you can of course disable registration in phpBB!

Following up to check the issue mentioned above, I see now that this code is the problem; it runs right at the top of the plugin's verify credentials function:

    // The presented cookie uid, is in the black list and the user not logged in?
    if( $w3all_anti_brute_force_yn == 1 && ! is_user_logged_in() && isset($w3all_bruteblock_phpbbulist[$phpbb_u]) ){
        setcookie ("w3all_bruteblock", "1", 0, "/", $w3cookie_domain, false); // expire session, removed on phpBB_user_session_set()
        self::w3all_wp_logout('wp_login_url');
        return;
    }

This code is used to stop any bruteforce: if the username is in the list and is not logged in, the logout fires, and the function logs out and returns, so it stops any subsequent action (calls to the db to check for the session).

If no other smart solution comes to mind, the way to resolve this can't be like in this example (where I can manage problems in another way, maybe by managing records in the db when in trouble like this morning, which is obviously not useful for anybody).

The solution is: do not activate the option Swap login/registration/reset pass links with bruteforce active. And if you want users to do these actions only in phpBB, maybe just remove on the WP side all links that point to registration/login/lost pass and that point to WP, and manually add links to the related phpBB pages. Then in case of problems, when a user needs to reset/unlock his account, it will be processed normally. Let me test things more deeply in these days; I hope to come out with a solution for this problem, but without adding code on the phpBB side, it seems to me at the moment more or less impossible.
