Open dhsathiya opened 2 years ago
Hi @abhishekfdd Please look into this issue and provide an update before EOD.
Keep posting updates on this task.
Thanks,
Ref Slack thread: https://rtcamp.slack.com/archives/CMPBQ2B09/p1657646249878179
@dhsathiya Is there any particular step to reproduce this issue, as I was able to login fine every time?
@abhishekfdd As discussed, please try to set a timeout and see if you are able to reproduce the issue.
@abhishekfdd: I was discussing it with @chandrapatel. He has a theory regarding this. Please talk with Chandra once.
To replicate:
Nothing worked.
Discussed with @chandrapatel problem seems to be in redirection but still we are not able to replicate the issue.
Thanks for checking this again.
If anyone faces the same issue, we will report it along with a screencast here.
Keeping this task on hold till that.
@elifvish Can you take a look at this and figure out a solution?
Hi @elifvish Any updates on this?
Yes, I was able to reproduce the issue.
The issue is only reproducible when the wordpress_logged_in cookie is set and the user visits the login page with reauth=1 in the URL.
I've few solutions in mind. Will try them today.
cc: @aviral-mittal
@elifvish Please update with the solutions tried and if any of them worked.
The root issue is that nonce verification fails if a user visits wp-login.php with reauth=1 in the query args and the wordpress_logged_in cookie set.
This happens because, when the nonce is created, it checks whether the user is logged in or not and uses the uid as a part of the nonce.
Now when the login request is sent, wp_verify_nonce fails, as the reauth=1 parameter logs out the user, and when the user id is fetched to verify the nonce it returns null.
Yesterday I tried a solution of redirecting to wp-login.php; it worked, but I thought I should dig deeper to check the root cause, and now I have found it.
The only way to fix this is to redirect or refresh the login page if it is visited with reauth=1 and the wordpress_logged_in cookie set.
I tested the fix.
Will raise a PR soon once I find the best possible location to place the check.
cc: @aviral-mittal
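As an added illustration (not code from this thread or from the plugin), the following Python models WordPress's nonce scheme closely enough to show the failure described above: the nonce minted while the wordpress_logged_in cookie is present binds the user id, but after reauth=1 logs the user out, verification runs with user id 0 and an empty session token, so it can never match. The secret, user id and session token are constructed values, and should_reload_login is the redirect check proposed in the comment, written here as an assumption about its shape.

```python
import hashlib
import hmac
import math

# Constructed secret standing in for NONCE_KEY/NONCE_SALT (assumption, not a real key).
NONCE_SECRET = b"constructed-nonce-secret"
NONCE_LIFE = 24 * 60 * 60  # WordPress default nonce lifetime: one day


def nonce_tick(now, life=NONCE_LIFE):
    """Model of wp_nonce_tick(): time rounded up into half-life ticks."""
    return math.ceil(now / (life / 2))


def _hash(tick, action, uid, token):
    msg = f"{tick}|{action}|{uid}|{token}".encode()
    return hmac.new(NONCE_SECRET, msg, hashlib.md5).hexdigest()[-12:-2]


def create_nonce(action, uid, token, now):
    """Model of wp_create_nonce(): the nonce binds tick, action, user id and session token."""
    return _hash(nonce_tick(now), action, uid, token)


def verify_nonce(nonce, action, uid, token, now):
    """Model of wp_verify_nonce(): accept the current tick or the previous one."""
    tick = nonce_tick(now)
    return any(hmac.compare_digest(_hash(t, action, uid, token), nonce) for t in (tick, tick - 1))


def should_reload_login(query, cookies):
    """The fix from the thread: reauth=1 with a logged-in cookie still set means the
    login page must be redirected/refreshed so the nonce is minted for the logged-out state."""
    return query.get("reauth") == "1" and any(k.startswith("wordpress_logged_in") for k in cookies)


def reproduce(now=1000.0):
    """Returns (verified_without_reload, verified_after_reload) for the scenario in the thread."""
    # Login page rendered while the user is still logged in: uid 5, session token "tok" (constructed).
    stale = create_nonce("login", 5, "tok", now)
    # reauth=1 logs the user out, so verification sees uid 0 and an empty token.
    without_reload = verify_nonce(stale, "login", 0, "", now)
    # After the redirect, the nonce is minted for the logged-out state and verifies.
    fresh = create_nonce("login", 0, "", now)
    after_reload = verify_nonce(fresh, "login", 0, "", now)
    return without_reload, after_reload
```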
@Rink9 Need to test this fix as well.
@aviral-mittal I have cross-checked this issue on Chrome, Firefox and Safari after clearing all caches and cookies. Currently it's working as expected on the production site on every browser, and the issue of being redirected back to the login page after clicking the login button is also resolved on the production site. We are good to close this issue as it's working fine now.
@gagan0123 Can you please look into this issue? It doesn't seem to be fixed, or it is happening again. I am sending you a screen recording of the issue as well as an HAR export.
@dhsathiya
Thanks for providing the HAR file for debugging, as the issue is quite difficult to replicate.
From the HAR file I've deduced that for the first login attempt, when you are redirected back to the login page, it gives a 200 response code instead of the 302 it should have.
In code there are only three possible ways in which no error message would appear when the user is redirected back to the login page even on failure:
1. $user is assigned for your login session (does not seem to be the case in your request).
2. The code or provider parameters are missing when redirected (again, not the case in your request).
3. A cached login page is served. The third one seems plausible since the site you reported it for uses page-level caching.
Now if you are being served a cached version of the login page, in that case the issue of nonce failure can occur whenever the cache is older than the nonce expiration.
Will need to test this hypothesis. Keep you posted on the progress.
I have noticed that when visiting a site after a while and using the Login-with-Google plugin, after clicking the login button the site gets redirected back to the wp-login page again.
Previous observation: the last time the issue occurred, I checked the requests and found that the redirect was a soft redirect (302), and the network tab showed that it is from Disk Cache