Closed gary231178 closed 9 years ago
@gary231178 Under Admin -> Preferences -> Security/Protection -> User Tracking method - what is set? Cookies or Sessions? Also, would you mind providing a screenshot of the online menu when it is bugging? Thanks.
Hi, it is currently set to cookies. Enclosed is a screenie of the online menu via the web issue; I will ask the affected mobile users to grab a screenshot for me to add also.
The screenshot is for a new signup called test user. As you can see, once logging in I get incorrect login but the online menu shows "test user" as being online.
https://cloud.githubusercontent.com/assets/12760959/8150841/b306b3a2-12f1-11e5-96a4-2a659f7aff0c.png
Please find enclosed 2 screenshots which are failed logins (but online) from a mobile user. His name is Hagler, which shows as being online. When logging in from his PC, he can log in fine with the same credentials.
If you look, it says user "Hagler" is online after logging in, but Last visitors shows he was online 1 day ago rather than 0 mins ago.
In your own admin area, please go here: e107_admin/banlist.php?mode=failed&action=list Can you find the user name of the failed-login on the user's mobile device? It should give the reason why it failed. Perhaps the IP of his phone is blocked?
No entries in the banlist. I have also whitelisted said IP to test that, to no avail. Also, if banned they would get a white page or one of the custom ban rules set in the new system. Also, that wouldn't explain the test user I created, which is the same IP as mine; I can log in with my account but not with the test account. Max signups from same IP is also set to 3. Disallow multiple logins: No
There should be an entry for the 'failed login' - can you see one?
No failed login entries, but then would there be expected to be one, if the online menu is reporting the user as being online? And it's merely the system not recognising it to that effect.
The theme doesn't have a custom login menu (made by me); it uses the core login menu styled in login_menu_template, so its functionality is not changed.
@gary231178, after the 'incorrect login' does the user have all the access of a logged in user? e.g. member-only forums etc.?
@gary231178 - please fill in the contact form after logging in here (http://e107.org/developers/). I think we can solve this quicker over Skype.
Nope, same viewing capabilities as an unlogged in user. Restricted guest access only. Sorry, I don't use Skype.
What is interesting is I loaded the website via mobile, logged in to my account / admin / users and then logged in as "Hagler", 1 of the users affected, and I was logged in just fine. That said, the web test user I created which has the same login issue via PC web, online but not logged in, when using test user credentials which fails. I can log in fine as test user from admin though, by again logging in as that user with my admin permissions.
I have received further reports of the bug, this time via PC login and not mobile, similar to one that I had reproduced previously. This user is [LTN] Wildfire as the screenshot shows; the online menu reports being online viewing index.php, however the error log shows that the data entered doesn't match a registered user. This error doesn't get reproduced in the failed login logs in the admin area, i.e. it doesn't show as a failed login as I would have expected.
Last visit also shows 6th June 2015 which also doesn't reflect the online menu reporting online.
Should I try changing from cookies to sessions for user tracking to see if this makes a difference?
I think I am one step closer to resolving at least 1 instance of the failed login / online issue. Today I decided to explore the MySQL database to see if anything stands out, or was missing/incomplete from the failed log-in users.
One thing which immediately struck my attention was the password field for 5 or 6 users: the hashed details in the password field were exactly the same as my own, meaning that the user's password would be the same as mine. Now there is no possible way that my password would ever be the same as these users'. All these users at some point have been made an admin by myself, or have had their profile edited. So it would seem that by myself editing the user's profile, somehow upon saving the details their own password is being replaced with my own, hence giving them the failed login. I confirmed the theory by successfully logging in [LTN]Wildfire with his username or email taken from the MySQL database and using my password to log in successfully as said user.
Hope this helps.
Gary
I've seen this problem with passwords at one of my sites too; as it turned out, autofill from the browser edited those when editing the user account by an admin.
When you edit a user different from your own account you have to delete the password each and every time before saving changes (the password is filled by the browser's autofill function); if you don't, the password will be overwritten with your own.
@willem010, @gary231178 Are you guys using Chrome? It seems to be good at ignoring autocomplete='off'. I'm going to randomize the field name, which should stop this autofill issue once and for all!
Ah yes, probably Chrome, yep. And thanks to the mighty Google account thingie, before you know it you enter name, address, DOB, socialsec#, passport IDs and your favorite color upon entering an email address on a random site. I bet a lot of sites (mis)use this. Anyway, I only use Chrome for testing, it's not my default browser (but by now Google probably knows more about me than I know myself :P )
I have no idea if this is what's causing @gary231178's problem though, I just noticed the remark of double passes, which I noticed myself, so I gave my 2 cents.
Seems the newer versions of Firefox are also ignoring autocomplete='off'! My workaround won't prevent the browser asking you if you want to save the password, but it should prevent auto-filling the field with the wrong password.
I think your solution should fix this issue, or at least it will leave the confirmation pass field empty, preventing an overwrite by default.
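The defence discussed in the comments above (a randomized password field name, with an empty confirmation field blocking the overwrite), as an added example that is not part of the original thread and is not e107's own code. The function names, the `pw_` prefix and the `$session` array are hypothetical, and the sample submissions are constructed.

```php
<?php
// Added example: function and field names are hypothetical, not e107's.

// Render the admin "edit user" password inputs under a name that changes on
// every render, so a saved credential has no stable field name to match.
function render_password_fields(array &$session): string
{
    $name = 'pw_' . bin2hex(random_bytes(8));
    $session['pw_field'] = $name;
    return sprintf(
        '<input type="password" name="%1$s" autocomplete="new-password" value="">'
        . '<input type="password" name="%1$s_confirm" autocomplete="new-password" value="">',
        $name
    );
}

// Return a new password hash, or null to leave the stored hash untouched.
function password_update(array $post, array &$session): ?string
{
    $name = $session['pw_field'] ?? null;
    unset($session['pw_field']); // the random name is valid for one submit
    if (!is_string($name)) {
        return null;
    }
    $new     = $post[$name] ?? '';
    $confirm = $post[$name . '_confirm'] ?? '';
    // Only a deliberate change counts: both fields present, non-empty, equal.
    if (!is_string($new) || !is_string($confirm) || $new === '' || !hash_equals($new, $confirm)) {
        return null;
    }
    return password_hash($new, PASSWORD_DEFAULT);
}

// Constructed demonstration: three submits of the edit form.
$session = [];
$cases = [
    'stale static field name' => fn($f) => ['password' => 'admin-secret'],
    'only one field filled'   => fn($f) => [$f => 'admin-secret', $f . '_confirm' => ''],
    'deliberate change'       => fn($f) => [$f => 'new-pass-1', $f . '_confirm' => 'new-pass-1'],
];
foreach ($cases as $label => $makePost) {
    render_password_fields($session);
    $hash = password_update($makePost($session['pw_field']), $session);
    echo $label, ': ', $hash === null ? 'password kept' : 'password changed', PHP_EOL;
}
```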
https://github.com/e107inc/e107/issues/1055
Following on from the above issue, I have had other instances as below, not connected with the above.
Case 1:- New user signs up, verified, logs in with correct info:- Online menu shows user as being online, but status shows as not logged in, unable to post, etc. Fix:- delete user and have them re-sign up (not ideal)
Case 2:- Existing user can log in via PC & or laptop, can post fine and is logged in; however, when logging in via mobile site (tablet or phone), online menu shows user online but they are again not logged in and unable to post etc.
Theme details:-