benedmunds / CodeIgniter-Ion-Auth

Simple and Lightweight Auth System for CodeIgniter
http://benedmunds.com/ion_auth/
MIT License

Periodically losing the ability to login #479

Closed hskrasek closed 11 years ago

hskrasek commented 11 years ago

I am using ion_auth for a web app that I am developing, and periodically I will go from being able to log in using one of the accounts I created, and then the next time it just refreshes the page and errors out.

I am catching the possibility of ion_auth failing to log in, and displaying a flash_message with a rudimentary message for the time being, but I have no clue where to even start with this issue; any help would be appreciated.

benedmunds commented 11 years ago

So you just get false back from the login call? What error does ion_auth have?

hskrasek commented 11 years ago

I just modified the code to return the ion_auth->errors() message, and the message is 'Temporarily Locked Out'. It seems to happen after our iOS developer logs in a few times using the login API endpoint I created. (This uses the same login method as the web app btw)

benedmunds commented 11 years ago

What does the error say before you modify it?

I'm wondering if it's some kind of weird session issue...


hskrasek commented 11 years ago

The error was one that I wrote myself, for when ion_auth->login() returned false. It was a quick fix to see where the error was happening at the time. I have just now modified it to show the errors() message, so that I could give you more information.

What's odd is that he is logging in under his own account, and yet it locks everyone out of the system.

benedmunds commented 11 years ago

Really weird. What are your CI config settings? Specifically cookies and sessions?

hskrasek commented 11 years ago

Currently they are default, haven't found a need to muck around with them, possibly breaking things.

Could the issue stem from using ion_auth to authenticate for a mobile login, but then not being able to create the cookies and such since the request is coming from an Android/iOS app? I am new to having mobile apps and Codeigniter interacting with each other. I am also new to ion_auth so I don't really know all the in's and out's just yet.

benedmunds commented 11 years ago

It shouldn't be an issue, I've done it plenty. Go ahead and post your settings and then let's try a few things to see if it makes a difference.

hskrasek commented 11 years ago

Alright here they are.

Cookie and Session: http://pastebin.com/1AVb7HzC ion_auth config: http://pastebin.com/dFtYekhe

benedmunds commented 11 years ago

Thanks.

First let's try setting

$config['sess_match_useragent'] = FALSE;

If this doesn't work we can try using native PHP sessions to determine/rule that out.


hskrasek commented 11 years ago

Alright, I have made this change and uploaded it to our staging server. The mobile developers have left for the day, and it only seems to break when they are running API calls, so I may have to wait until tomorrow to see if the issue returns.

I'll let you know if the issue comes back again; it has been happening periodically, but not predictably, so I don't know when or if it'll happen again now that this change has been made.

benedmunds commented 11 years ago

Ah ok, no worries. I'll go ahead and point you to the next troubleshooting step so you can try it when they're there without waiting on me.

Drop this into your project in application/core/ https://gist.github.com/benedmunds/6004326
This will override CI sessions and make it use native PHP sessions.

hskrasek commented 11 years ago

Alright, thank you sir I appreciate it.

Will keep you up-to-date if any of those two steps fixes the issue.

benedmunds commented 11 years ago

Thanks man, good luck

hskrasek commented 11 years ago

Well I wanted to give it a few days, but it seems as if the first solution worked like a charm.

Thanks for all the help!

benedmunds commented 11 years ago

Awesome, good to hear!

hskrasek commented 11 years ago

I am hoping this doesn't persist, but the temporarily locked out issue is happening again. I just implemented the second fix (MY_Session), and hopefully that resolves it. I do have some more information though: it happened after our iOS guy logged in via the mobile app while testing it. The password was correct, but it still registered three incorrect login attempts before locking him, and everyone else, out of the system until those login attempt records were deleted.

benedmunds commented 11 years ago

Any update?

hskrasek commented 11 years ago

I haven't noticed the issue crop up again, but then again it took almost a month before the issue happened again. If I see anything I will let you know, but for now I think the MY_Session fix may have resolved the issue.

benedmunds commented 11 years ago

I hate problems like that dude, intermittent errors are horrible. Thanks and good luck!

hskrasek commented 11 years ago

They are not fun, especially when the last big deadline is Thursday, and the product launch is the 24th. Oh well, we knew what we were getting into when we became programmers I suppose :P. I appreciate it, will let ya know if everything works out or not.

hskrasek commented 11 years ago

The issue just happened again, I was out of the office when I was notified and am trying to find more details. All I know at the moment is that if I clear the login_attempts table, everyone is allowed back into the system again. Wish I had more to go off of.

benedmunds commented 11 years ago

That helps a lot actually. I would add a ton of logging, then see if maybe the API is getting hit multiple times in a row for some reason when this happens. That might be locking users out due to login attempts.

hskrasek commented 11 years ago

Alright, so I did some testing and it came down to this. Spamming the API for a minute to two minutes straight with correct login details worked fine. As soon as we tried to log in with incorrect details through the API (which just passes the username and password to the ion_auth login method), it locks not only that user, but everyone, out of the system.

login_attempts looks like this:

id  ip_address  login              time
30  CNa~        adamk@basanty.com  1377108066
31  CNa~        adamk@basanty.com  1377108069
32  CNa~        adamk@basanty.com  1377108070

hskrasek commented 11 years ago

I think I know what is going on.. the login_attempts functionality is using the IP address for the lockouts, correct?

benedmunds commented 11 years ago

Yes it is, which I see where you're going: since the API server is what hits it, it's always the same IP... Correct?

hskrasek commented 11 years ago

Sort of, it's logging the IP address as different IPs from the API hits, but during development we are all testing on the same network, so when one of us sends up incorrect logins, it locks all of us out.

Which I can see being an issue in the future, since this is being targeted towards schools, and I am worried that if one student screws up the login at school, it'll lock the whole school out.

benedmunds commented 11 years ago

Yea definitely.

Do you have any other identifying information you could use in place of IP? If so I can walk you through changing it to check against that. You could also just turn off the lockout for the short term but that is a security risk so I'd recommend addressing it before going live.

hskrasek commented 11 years ago

I think the best bet would be to go with email, since the login_attempts is already capturing it anyway.

benedmunds commented 11 years ago

Good call. Need help extending to implement that? Or do you have it already?


hskrasek commented 11 years ago

I wouldn't mind the help. I was looking through it last week but I didn't want to break anything, and now that I have started my last year of college today, my brain's a little bit fritzed.

But once I get everything implemented I was gonna say I could fork and submit a pull request to maybe implement a more customizable login_attempts lockout, just need to be pointed in the right direction is all.

benedmunds commented 11 years ago

It already stores the login identity so all you'd need to do is add a config option for track_login_ip_address as a bool. For the PR set it to TRUE for backwards compatibility, for your use you'll need to set it to false.

Then around line 984 in models/ion_auth_model.php change the query logic to query for IP only if that config option is true.

Make sense?
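As an added example (not Ion Auth's own code, and not the pull request from this thread), the standalone PHP below mirrors the login_attempts table shown earlier (id, ip_address, login, time) and the switch Ben describes: a hypothetical `$trackIp` flag standing in for `track_login_ip_address` makes attempts count per IP when TRUE (the original behaviour) and per identity when FALSE. The class and method names, the 3-attempt / 600-second limits, the 203.0.113.7 address and the example.com identities are assumptions for illustration; SQLite in memory via PDO stands in for the CodeIgniter database layer.

```php
<?php
// Added example, not Ion Auth's code. Demonstrates why an IP-keyed lockout
// locks out everyone behind one NAT address, and what keying on identity changes.

class LoginAttemptTracker
{
    private PDO $db;
    private bool $trackIp;     // hypothetical stand-in for $config['track_login_ip_address']
    private int $maxAttempts;  // stand-in for maximum_login_attempts
    private int $lockoutTime;  // stand-in for lockout_time, in seconds

    public function __construct(PDO $db, bool $trackIp, int $maxAttempts = 3, int $lockoutTime = 600)
    {
        $this->db = $db;
        $this->trackIp = $trackIp;
        $this->maxAttempts = $maxAttempts;
        $this->lockoutTime = $lockoutTime;
        // Same columns as the login_attempts table in the thread.
        $db->exec('CREATE TABLE IF NOT EXISTS login_attempts (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            ip_address TEXT NOT NULL,
            login TEXT NOT NULL,
            time INTEGER NOT NULL)');
    }

    // One place decides what a lockout is keyed on, so count, last-time and
    // clear queries can never disagree: IP only when tracking IPs, identity otherwise.
    private function scope(string $identity, string $ip): array
    {
        return $this->trackIp
            ? ['ip_address = :k', [':k' => $ip]]
            : ['login = :k', [':k' => $identity]];
    }

    public function recordFailedAttempt(string $identity, string $ip, int $now): void
    {
        $stmt = $this->db->prepare('INSERT INTO login_attempts (ip_address, login, time) VALUES (?, ?, ?)');
        $stmt->execute([$ip, $identity, $now]);
    }

    public function getAttemptsNum(string $identity, string $ip): int
    {
        [$where, $params] = $this->scope($identity, $ip);
        $stmt = $this->db->prepare("SELECT COUNT(*) FROM login_attempts WHERE $where");
        $stmt->execute($params);
        return (int) $stmt->fetchColumn();
    }

    public function getLastAttemptTime(string $identity, string $ip): int
    {
        [$where, $params] = $this->scope($identity, $ip);
        $stmt = $this->db->prepare("SELECT MAX(time) FROM login_attempts WHERE $where");
        $stmt->execute($params);
        return (int) $stmt->fetchColumn(); // NULL (no rows) becomes 0
    }

    // Locked out when the attempt limit is reached and the newest attempt is
    // still inside the lockout window.
    public function isTimeLockedOut(string $identity, string $ip, int $now): bool
    {
        return $this->getAttemptsNum($identity, $ip) >= $this->maxAttempts
            && $this->getLastAttemptTime($identity, $ip) > $now - $this->lockoutTime;
    }

    public function clearAttempts(string $identity, string $ip): void
    {
        [$where, $params] = $this->scope($identity, $ip);
        $this->db->prepare("DELETE FROM login_attempts WHERE $where")->execute($params);
    }
}

// Constructed scenario matching the thread: two people behind one office NAT address.
function demo(bool $trackIp): array
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $tracker = new LoginAttemptTracker($db, $trackIp);
    $sharedIp = '203.0.113.7';   // assumed NAT address (documentation range)
    $now = 1377108066;           // timestamp reused from the thread's table

    // The mobile tester mistypes his password three times from the shared address.
    foreach ([0, 3, 4] as $offset) {
        $tracker->recordFailedAttempt('tester@example.com', $sharedIp, $now + $offset);
    }

    return [
        'tester_locked'   => $tracker->isTimeLockedOut('tester@example.com', $sharedIp, $now + 10),
        'coworker_locked' => $tracker->isTimeLockedOut('coworker@example.com', $sharedIp, $now + 10),
    ];
}

var_dump(demo(true));   // IP-keyed: both true, the whole office is locked out
var_dump(demo(false));  // identity-keyed: only the tester is locked out
```

Running it shows the two behaviours side by side: with IP tracking on, the coworker who never entered a wrong password is locked out together with the tester; with it off, only the tester is. Keying on identity alone has a cost worth weighing before going live: anyone who knows a student's email can keep that account locked by sending wrong passwords, so a short lockout window, or a per-identity limit combined with a much higher per-IP limit, is the usual compromise rather than switching IP tracking off outright.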

hskrasek commented 11 years ago

Makes sense, we are working with the get_last_attempt_time($identity) function, correct? If so, I think I have successfully implemented the logic. Going to have to test it though. If it works properly then I shall update you here.

Btw thanks again for all the help. Appreciate it.

hskrasek commented 11 years ago

It worked, later today when I have time and if you'd like, I can fork and pull request the addition. Thanks again

benedmunds commented 11 years ago

Awesome, definitely!

hskrasek commented 11 years ago

I may have been busy, but only 21 days later I finally submitted that pull request :P

benedmunds commented 11 years ago

This looks great, merged it in. Thanks!

Did this solve your login problems?

hskrasek commented 11 years ago

Yea everything is all good to go now. Appreciate the help

benedmunds commented 11 years ago

Awesome. Thanks for contributing back! Take care.

segebee commented 9 years ago

having this same issue...this helped...would love to contribute code