Laikmosh

Strange login error


Hello, I'm having a strange behavior at a frontend login. Yesterday it was working perfectly; this morning it stopped working without me changing a line of code. So here is the problem, maybe somebody here has seen this before:

This is my login code. It checks the inputs via ajax and returns either "logueado" or "falla_login":

$username = slugify($datos['login_username']); 
$username = $sanitizer->username($username);
$pass = $datos['login_password'];
if(isset($username) && isset($pass)) {
 $u = $session->login($username, $pass); 
 if($u) {
   $respuesta->status = "logueado";
 } else {
   $respuesta->status = "falla_login";
 }
};

Now this part of the code appears to be working fine: it's returning "logueado" when I input the right credentials and "falla_login" when I'm not.

So, after this the answer is evaluated by ajax and if the login was successful ("logueado") it reloads the page.

This is the code for the page. It's supposed to show you a different page depending on your role, and the login page if you are not logged in:

require("./include/head.php");
if (($user->isLoggedin())) {                                      // if the user is logged in
	require("./include/header.php");
	if ($role=="administrador"||$role=="ceo"||$role=="superuser") {   // if administrator or superuser
		require("./administracion/administracion-index.php");         // load the administrator page
	}
	if ($role=="instructor") {                                    // if instructor
		require("./instructor/instructor-index.php");                 // load the instructor page
	}
	if ($role=="alumno") {                                        // if student
		require("./alumno/alumno-index.php");                         // load the student page
	}
} else {
	$role = "unLogged";                                           // if the user is not logged in
	require("./login.php");                                       // show the login screen
};

 

The problem is that when I log in with the right credentials the page is reloaded and it's supposed to check for my role (the code for setting the $role variable is inside the functions.php file) and then show me the right page, but it's returning me to the login page. The weirdest thing is that when I check the sessions log I find this:

log1:
Successful login for 'elbedroom'
log2:
User 'elbedroom' - Error: Invalid challenge value (IP: 0.0.0.0)

So apparently there is something checking for an IP or something and it's unlogging me right after logging in. I haven't found anything on the forums about this "Invalid challenge value", so I hope somebody can help. Right now I can only log in if I go to the backend, log in and return to the front end; this way everything works fine, but from the frontend login nothing is working.


The error is output when PW cannot verify session challenge cookie.

Try clearing your cookies. On Chrome F12 > Application > Clear Storage


Tried that but it didn't work. The same thing happens even if I change browser, and the same error is happening when any of the users try to log in from their computers.


Do you have a cookie set by the name "wire_challenge"?

wire_challenge:"qQD3i99Juyx%2Fgpq%2F5PVrGjtRfDCgW37V"

 


Well, I just erased all the cookies, but anyway it’s not a local problem: the problem is persistent with all users and on any computer or browser.


If it's hindering your work, you can temporarily disable session challenge by setting

$config->sessionChallenge = false;

in site/config.php, but it will be less secure.


Ok, that’s the perfect option to temporarily stop all the users from yelling at me and sending death threats over email, but do you think there is anything in my code that could be causing this error?

What should I look for?


This is the part that checks session challenge:

// Session.php
protected function ___isValidSession($userID) {

    $valid = true; 
    $reason = '';
    $sessionName = session_name();

    // check challenge cookie
    if($this->config->sessionChallenge) {
        if(empty($_COOKIE[$sessionName . "_challenge"]) || ($this->get('_user', 'challenge') != $_COOKIE[$sessionName . "_challenge"])) {
            $valid = false; 
            $reason = "Error: Invalid challenge value";
        }
    }
    // ...
}

I'm guessing it was a one-time issue, and somehow the user id and its challenge got corrupted/mismatched, which prevented you from logging in. Enabling sessionChallenge again probably will not cause errors anymore once the challenge is reset properly.

Otherwise there's something wrong with sessions or $_COOKIE isn't set properly. Deleting the site/assets/sessions/ directory or restarting the PHP service might help.


I went to look into that code and made this modification so I can see what's the problem in the log:

if($this->config->sessionChallenge) {
			if(empty($_COOKIE[$sessionName . "_challenge"]) ) {
				$valid = false; 
				$reason = "Error: Invalid challenge value, empty cookie";
				// $reason = "Error: Invalid challenge value";
			}
			if(($this->get('_user', 'challenge') != $_COOKIE[$sessionName . "_challenge"])) {
				$valid = false; 
				$user_challenge = $this->get('_user', 'challenge');
				$cookie_challenge = $_COOKIE[$sessionName."_challenge"];
				$reason = "Error: Invalid challenge value, no match: sessionName=".$sessionName.', cookie='.$cookie_challenge.'user='.$user_challenge;
				// $reason = "Error: Invalid challenge value";
			}
		}	

and this was the result:

User 'elbedroom' - Error: Invalid challenge value, no match: sessionName=wire, cookie=user=U.kakjfc.txoyfTz0jWmFM7KipM8lHIo (IP: 0.0.0.0)

It seems strange, because if the cookie was empty then the log would be for the first option and it would say: "Error: Invalid challenge value, empty cookie", but instead it confirms that the cookie is not empty but then it shows an empty result.

When I look for the cookies I see the "wire_challenge" cookie is there. Every time I reload the page the value changes, and when I log out the cookie disappears. I'm thinking there is some code deleting the cookie every time I do a frontend login before it validates the challenge, or something like that...
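
Added example, not part of the original posts and not ProcessWire's own code: in the modified check above the two `if` statements are independent, so a request that carries no challenge cookie first sets the "empty cookie" reason and then has it overwritten by the "no match" branch, which is why the log shows `cookie=` with nothing after it. The sketch below reports each case separately and logs lengths instead of the token values; the function name `challengeFailureReason`, its parameters and the sample inputs are hypothetical.

```php
<?php
// Added example: classify why a session challenge check fails.
// $sessionChallenge stands in for $this->get('_user', 'challenge') in Session.php.
function challengeFailureReason(?string $sessionChallenge, array $cookies, string $sessionName): ?string
{
    $cookie = $cookies[$sessionName . '_challenge'] ?? '';

    // Case 1: the request carried no usable challenge cookie.
    // Returning here keeps a later branch from overwriting the reason.
    if (!is_string($cookie) || $cookie === '') {
        return 'challenge cookie missing from request';
    }
    // Case 2: the session holds no challenge for this user.
    if ($sessionChallenge === null || $sessionChallenge === '') {
        return 'no challenge stored in session';
    }
    // Case 3: both present but different. hash_equals() compares in constant
    // time, and only lengths are reported so the token never reaches the log.
    if (!hash_equals($sessionChallenge, $cookie)) {
        return sprintf('challenge mismatch (cookie len=%d, session len=%d)',
            strlen($cookie), strlen($sessionChallenge));
    }
    return null; // challenge is valid
}

// Constructed sample inputs; $stored reuses the session value from the log above.
$stored = 'U.kakjfc.txoyfTz0jWmFM7KipM8lHIo';
$cases = [
    'cookie absent'  => [$stored, []],
    'cookie stale'   => [$stored, ['wire_challenge' => 'constructed-stale-value']],
    'cookie matches' => [$stored, ['wire_challenge' => $stored]],
    'session empty'  => [null, ['wire_challenge' => $stored]],
];

foreach ($cases as $label => [$session, $cookies]) {
    $reason = challengeFailureReason($session, $cookies, 'wire');
    printf("%-15s => %s\n", $label, $reason ?? 'valid');
}
```

The "cookie absent" case corresponds to the logged request: the session held a challenge but the request arrived without a `wire_challenge` value.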
