ajquick
commented
1 year ago I am using the authentication flowchart from the following page:
https://usersinsights.com/wordpress-user-login-hooks/
There are several hooks in the process that are being triggered in the login process. In the order presented on the flow chart, I am tracking the following:
- Authenticate
- Auth_Cookie
- Send_Auth_Cookies
- Login_Redirect
- Determine_Current_user
- Set_Current_User
Every step along the way is triggered correctly, but for whatever reason Set_Current_User is not being triggered with the user. At every other step along the way I can see the user has the correct cookies, I can see the user is essentially logged in.
However, after the login_redirect is called, the user is not redirected to the correct page and instead they are redirected back to the login page which returns the following to the authenticate hook:
WP_Error::__set_state(array(
'errors' =>
array (
'empty_username' =>
array (
0 => '<strong>Error:</strong> The username field is empty.',
),
'empty_password' =>
array (
0 => '<strong>Error:</strong> The password field is empty.',
),
),
'error_data' =>
array (
),
'additional_data' =>
array (
),
))I've pretty much narrowed it down to the user being logged in and then it attempts to run through another login submission, but this time the username and password fields are empty and therefore they do not get logged in afterall.
EDIT: I can now see "set_current_user" is actually setting the user correctly, but upon redirect the set_current_user is redone with a null user.
This is unusual behavior and I am fairly certain that the plugin isn't to blame.
I configured a SimpleSAMLphp instance on one domain and then setup this plugin on another. The SAML goes through correctly, the data is received by the plugin and the user is created if they don't exist. I can see through the hooks that the user is logged in.... and then I'm met with the login page again, the user is not logged in.
Something happens somewhere between the logging of a user in and the next step. Like I said, this potentially has nothing to do with the plugin itself. I just need help trying to figure out what to do to solve it.
I have CloudLinux, modsec, csf, nginx and all kinds of things running on this server. I've tried disabling everything, turning on verbose logging and nothing I can find out is blocking the login or deleting the login.
To test, I created a WP site on a 3rd party server and was able to login using my simpleSAMLphp IDP without problems. It has to be this server's configuration. Does anyone have any suggestions on what to look for as far as 3rd party server plugins that could be blocking things?