gocodebox / lifterlms

LifterLMS, a WordPress LMS Solution: Easily create, sell, and protect engaging online courses.
https://lifterlms.com
GNU General Public License v3.0

Caching of dashboard page causes password reset to fail [WPEngine hosting conflict] #1717

Closed toyinogun closed 2 years ago

toyinogun commented 3 years ago

Reproduction Steps

I have not been able to replicate this same error exactly, but I also wasn't able to reset my password on my site with Namecheap host.

1. Install the latest version of LifterLMS.
2. Attempt to reset password.
3. Click the password reset link in the email.

Expected Behavior

It should successfully reset the password

Actual Behavior

I get this error when trying to access the password reset page: image

I also tried this on the trial site but I did not receive any email (guess emails are disabled on the trial or something), but on my own site, here is the error I get: image

HS-171630

Error Messages / Logs


### System and Environment Information

<details>
<summary>System Report</summary>


System Report: Wordpress

Home Url: [removed] Site Url: [removed] Login Url: [removed]/wp-login.php Version: 5.7.2 Debug Mode: No Debug Log: No Debug Display: No Locale: en_US Multisite: No Page For Posts: Not Set Page On Front: Tiny Chefs Cooking Classes, Camps and Parties (#871) [[removed]/] Permalink Structure: /%postname%/ Show On Front: page Wp Cron: Yes

Settings

Version: 5.1.1 Db Version: 5.1.1 Course Catalog: Course Catalog (#9670) [[removed]/courses/] Membership Catalog: Membership Catalog (#9671) [[removed]/memberships/] Student Dashboard: Dashboard (#9673) [[removed]/dashboard/] Checkout Page: Purchase (#9672) [[removed]/purchase/] Course Catalog Per Page: 9 Course Catalog Sorting: menu_order Membership Catalog Per Page: 9 Membership Catalog Sorting: menu_order Site Membership: Not Set Courses Endpoint: my-courses Edit Endpoint: edit-account Lost Password Endpoint: reset-password Vouchers Endpoint: redeem-voucher Autogenerate Username: yes Password Strength Meter: no Minimum Password Strength: strong Terms Required: no Terms Page: Not Set Checkout Names: required Checkout Address: required Checkout Phone: optional Checkout Email Confirmation: yes Open Registration: yes Registration Names: required Registration Address: optional Registration Phone: hidden Registration Voucher: optional Registration Email Confirmation: no Account Names: required Account Address: required Account Phone: optional Account Email Confirmation: yes Confirmation Endpoint: confirm-payment Force Ssl Checkout: no Country: US Currency: USD Currency Position: left Thousand Separator: , Decimal Separator: . Decimals: 2 Trim Zero Decimals: no Recurring Payments: yes Email From Address: [removed] Email From Name: [removed] Email Footer Text: Email Header Image: 9257 Cert Bg Width: 800 Cert Bg Height: 616 Cert Legacy Compat: no

Constants

LLMS_REMOVE_ALL_DATA: undefined LLMS_REST_DISABLE: undefined LLMS_SITE_FEATURE_RECURRING_PAYMENTS: undefined LLMS_SITE_IS_CLONE: undefined

Gateways

Stripe: Enabled Stripe Test Mode: Disabled Stripe Logging: no Stripe Order: 1 Manual: Disabled Manual Logging: Manual Order: 1

Server

Mysql Version: 5.7.34 Php Curl: Yes Php Default Timezone: UTC Php Fsockopen: Yes Php Max Input Vars: 10000 Php Max Upload Size: 50 MB Php Memory Limit: 512M Php Post Max Size: 100M Php Soap: Yes Php Suhosin: No Php Time Limt: 3600 Php Version: 7.4.18 Software: Apache Wp Memory Limit: 40M

Browser

HTTP USER AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36

Theme

Name: Tiny Chefs Theme Version: 2.0 Themeuri: [removed] Authoruri: http://www.designtlc.com Template: bb-theme Child Theme: Yes Llms Support: No

Plugins

Advanced Post Manager: 4.5 Beaver Builder Plugin (Agency Version): 2.4.2.5 Beaver Builder Responsive Background Images: 1.5.1 Beaver Themer: 1.3.3.1 Better Search Replace: 1.3.4 Delightful Downloads: 1.6.6 Docket WP: 1.1.3 Events Tickets Extension: Virtual / Online Event Tickets: 1.0.1 Event Tickets: 5.1.6 Gravity Forms: 2.5.7 Gravity Forms Coupons Add-On: 3.0 Gravity Forms Mailchimp Add-On: 4.9 Gravity Forms Stripe Add-On: 4.1 Gravity Forms User Registration Add-On: 4.8 Gravity Forms Zapier Add-On: 4.1 Gravity Perks: 2.2.5 Ivory Search: 4.6.4 LifterLMS: 5.1.1 LifterLMS Labs: 1.6.0 LifterLMS Stripe Payment Gateway: 5.3.2 ManageWP - Worker: 4.9.9 Pods - Custom Content Types and Fields: 2.7.28 Pods Beaver Themer Add-On: 1.3.6 Popup Maker: 1.16.2 Popup Maker - Exit Intent Popups: 1.4.0 PowerPack for Beaver Builder: 2.17.1 Public Post Preview: 2.9.3 Redirection: 5.1.3 Regenerate Thumbnails Advanced: 2.4.0 Schema Glue for Yoast & The Events Calendar by WP Munich: 1.2.0 ShortPixel Image Optimizer: 4.22.2 Smash Balloon Instagram Feed: 2.9.2 SSL Insecure Content Fixer: 2.7.2 Strong Testimonials: 2.51.5 SVG Support: 2.3.18 The Events Calendar: 5.8.1 The Events Calendar: Filter Bar: 5.1.1 The Events Calendar Extension: Relabeler: 1.0.1 The Events Calendar Extension: Settings Import / Export: 1.0.1 The Events Calendar PRO: 5.8.1 The Events Calendar Shortcode & Block PRO: 2.27.1 TLC Custom Functionality Plugin: 4.1 Ultimate Addons for Beaver Builder: 1.31.3 User Menus: 1.2.7 User Role Editor: 4.60.1 User Switching: 1.5.7 WP Help: 1.7.0 WP Mail SMTP: 2.9.0 WP Recipe Maker: 7.4.0 WP Recipe Maker Premium: 7.4.0 WP Video Lightbox: 1.9.1 Yoast Duplicate Post: 4.1.2 Yoast SEO: 16.7 Yoast SEO: Local: 14.0 Yoast SEO Premium: 16.7

Integrations

BbPress: No BuddyPress: No

Template Overrides



</details>

This issue has been recreated:
+ [ ] Locally
+ [ ] On a staging site
+ [ ] On a production website
+ [ ] With only LifterLMS and a default theme

eri-trabiccolo commented 3 years ago

@toyinogunseinde Thanks for reporting this.

The issue that happens on your website looks quite different. It happens when something went wrong while sending the email to reset the password (while the customer's issue happens after clicking on the reset password link received in the email), can you send any wp email on your website?

Although it's a different issue, if you think it's something we should investigate please open a different issue and provide us with your system info AND your PHP error log, if any.

About the customer issue: What happens is that when you click on the pw reset link you're taken to the password reset page and some checks are made, then a cookie containing the user id and the reset key (the one that you can see in the link you received in the email, after ?key=) is saved in the browser: https://github.com/gocodebox/lifterlms/blob/5.1.1/includes/forms/controllers/class.llms.controller.account.php#L391-L392

Then you're redirected to the same reset password page with a GET parameter (reset-pass=1) that informs another piece of code to check that cookie and validate the information it contains so as to proceed with the password resetting process: https://github.com/gocodebox/lifterlms/blob/5.1.1/includes/functions/llms.functions.person.php#L362-L364

As you can see, the message 'The password reset key could not be found. Please reset your password again if needed.' is the one in the first screenshot. Basically what's happening here is that the aforementioned cookie is not set.

The reason why this is happening on the customer website is unknown at the moment, and I can't reproduce it locally as well. Might depend on a conflicting plugin? It might.

I see you already asked for a staging website, so let's wait for that. Thanks!

nrherron92 commented 3 years ago

@eri-trabiccolo

We've got staging on the ticket with credentials saved in one pass (tinychef staging).

Debug log is enabled and all plugins are turned off with 2021 theme enabled.

I'm not seeing any errors in the debug logs, but I can recreate the issue with default theme and only LifterLMS in staging

thomasplevy commented 3 years ago

@nrherron92 Thanks...

I think the dashboard page is being cached and that's preventing access to the cookie as intended.

I was under the impression that WPE had cache exclusions set for LifterLMS pages (like our dashboard) but it seems that this page is definitely being cached and I think that may be causing the issue. Though I'm not positive.

When I attempt to read the value of the cookie to check the password reset key (this is using WP core's cookie, by the way) it reads "null" but when I inspect the value of the cookie in my browser it has the expected value.

According to WPE docs, pages that rely on cookies should be excluded from the cache: https://wpengine.com/support/cookies-and-php-sessions/

See the section "Exclude Pages from Cache when Cookie is Present"

So this might be "expected" behavior originating from WPE caching or MU plugins... I'm not positive.

Can you relay this to the user to see if WPE can assist in setting up a cache exclusion for the dashboard (and the password reset page)?
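
Added example (not from the thread, and not LifterLMS or WP Engine code): a toy Python model of the two-step reset flow eri-trabiccolo describes above, placed behind a page cache that is assumed to withhold cookies on cacheable paths. The cookie name, login and key are constructed; the `excluded` list stands in for the host-side cache exclusion discussed in this comment.

```python
# Added illustration: a toy model, not LifterLMS or WP Engine code.
from urllib.parse import urlsplit, parse_qs

RESET_PATH = "/dashboard/reset-password/"   # dashboard page + endpoint from the system report
VALID = {"alice": "k3y-constructed"}        # constructed login -> reset key store
COOKIE = "resetpass"                        # hypothetical cookie name

def origin(url, cookies):
    """Return (body, set_cookie, redirect) for the two-step reset flow."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.path != RESET_PATH:
        return "dashboard", None, None
    if "key" in q and "login" in q:
        # Step 1: store login:key in a cookie, then redirect to the same page.
        return "", f"{q['login']}:{q['key']}", f"{RESET_PATH}?reset-pass=1"
    if q.get("reset-pass") == "1":
        # Step 2: the key has to come back in the cookie set by step 1.
        login, _, key = (cookies.get(COOKIE) or "").partition(":")
        if key and VALID.get(login) == key:
            return "reset form", None, None
        return "The password reset key could not be found.", None, None
    return "lost password form", None, None

def via_cache(url, cookies, excluded):
    """Assumed cache behaviour: on cacheable paths the request cookies are not
    passed to the origin and Set-Cookie is dropped from the response."""
    cacheable = not any(urlsplit(url).path.startswith(p) for p in excluded)
    body, set_cookie, redirect = origin(url, {} if cacheable else cookies)
    return body, (None if cacheable else set_cookie), redirect

def click_reset_link(excluded):
    """Follow the emailed link like a browser; return the final page body."""
    jar = {}
    url = f"{RESET_PATH}?key=k3y-constructed&login=alice"
    while url:
        body, set_cookie, url = via_cache(url, jar, excluded)
        if set_cookie:
            jar[COOKIE] = set_cookie
    return body

if __name__ == "__main__":
    print("dashboard cached:  ", click_reset_link(excluded=()))
    print("dashboard excluded:", click_reset_link(excluded=("/dashboard/",)))
```

With no exclusion the model ends on the "key could not be found" notice; with `/dashboard/` excluded the cookie round-trips and the reset form is reached.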

thomasplevy commented 3 years ago

@chrisbadgett any way we can bend the ear of one of our contacts at WPE to see if something with the cache exclusions may have changed with regards to LifterLMS and WPE?

eri-trabiccolo commented 3 years ago

@thomasplevy Seems that @toyinogunseinde @willmiddleton-lifterlms and @nrherron92 already found this issue occurring with WPEngine - according to what @willmiddleton-lifterlms says here: https://wordpress.org/support/topic/password-reset-no-longer-working-in-version-5-0-2/

About:

> When I attempt to read the value of the cookie to check the password reset key (this is using WP core's cookie, by the way) it reads "null" but when I inspect the value of the cookie in my browser it has the expected value.

Checking the cookie value in my browser was the first thing I did on the production website, and there the cookie was not (and is not, just checked again) set at all, while yeah I can see it is set on the staging website.

thomasplevy commented 3 years ago

@gocodebox/success It looks like the above information about caching has not yet been relayed to the customer. Can we please update them to let them know why this is happening (it's not really something I can find a way to fix) at least that I've been able to figure out... If something is cached that shouldn't be cached I don't know if we can prevent that from happening any more than we've already tried.

@chrisbadgett has told me he's reached out to WPE to backchannel about this but the customer can add a cache exclusion today to fix the problem.

I'm updating the issue to denote this as a WPE conflict and going to leave this open until we can get a resolution (one way or another) through our backchannel but we shouldn't be waiting for that to update the customer.

nrherron92 commented 3 years ago

@thomasplevy tiny chefs has been updated!

nrherron92 commented 3 years ago

HS-173995 I did let them know about excluding cache with WPE

thomasplevy commented 3 years ago

@nrherron92 we currently do not have a solution to this and cannot solve this from within LifterLMS. @chrisbadgett is trying to backchannel with WPE directly to see if we can get them to resolve these kinds of caching issues on WPE.

At the moment we're going to have to call this a known conflict with WPE hosting and LifterLMS and provide users with the known workaround. Again, I stress that to my knowledge we cannot fix this as WPE is issuing the caching rules and we can't override that from within the plugin (at least as far as I am currently aware).

You should continue noting when problems arise so that we can have a source to track how many users are affected by (it should be all LifterLMS / WPE users, but if we track it that can help convey gravity to WPE).

toyinogun commented 3 years ago

HS-174368

aandrewjoyce commented 3 years ago

This also affects FlyWheel users, for what it's worth. Adding a cache exclusion at FW fixes the problem.

chrisbadgett commented 3 years ago

WP Engine provided a test account for LifterLMS team testing. Logins available in password manager.

toyinogun commented 2 years ago

HS-188129