Laikmosh Posted October 3, 2017

Hello, I'm having a strange behavior at a frontend login. Yesterday it was working perfectly; this morning it stopped working without me changing a line of code. So here is the problem, maybe somebody here has seen this before:

This is my login code. It checks the inputs via ajax and returns either "logueado" or "falla_login":

```php
// Normalise and sanitise the submitted username before attempting the login
$username = slugify($datos['login_username']);
$username = $sanitizer->username($username);
$pass = $datos['login_password'];
if(isset($username) && isset($pass)) {
    // $session->login() returns the user on success
    $u = $session->login($username, $pass);
    if($u) {
        $respuesta->status = "logueado";
    } else {
        $respuesta->status = "falla_login";
    }
};
```

Now this part of the code appears to be working fine; it's returning "logueado" when I input the right credentials and "falla_login" when I'm not.

So, after this the answer is evaluated by ajax and if the login was successful ("logueado") it reloads the page. This is the code for the page. It's supposed to show you a different page depending on your role, and the login page if you are not logged in:

```php
require("./include/head.php");
if (($user->isLoggedin())) { // if the user is logged in
    require("./include/header.php");
    if ($role=="administrador"||$role=="ceo"||$role=="superuser") { // if administrator or superuser
        require("./administracion/administracion-index.php"); // load the administrator page
    }
    if ($role=="instructor") { // if instructor
        require("./instructor/instructor-index.php"); // load the instructor page
    }
    if ($role=="alumno") { // if student
        require("./alumno/alumno-index.php"); // load the student page
    }
} else {
    $role = "unLogged"; // if the user is not logged in
    require("./login.php"); // show the login screen
};
```

The problem is that when I log in with the right credentials the page is reloaded and it's supposed to check for my role (the code for setting the $role variable is inside the functions.php file) and then show me the right page, but it's returning me to the login page. The weirdest thing is that when I check the sessions log I find this:

log1: Successful login for 'elbedroom'
log2: User 'elbedroom' - Error: Invalid challenge value (IP: 0.0.0.0)

So apparently there is something checking for an IP or something and it's unlogging me right after logging in. I haven't found anything on the forums about this "Invalid challenge value", so I hope somebody can help. Right now I can only log in if I go to the backend, log in and return to the front end; this way everything works fine, but from the frontend login nothing is working.

abdus Posted October 3, 2017

The error is output when PW cannot verify session challenge cookie. Try clearing your cookies. On Chrome: F12 > Application > Clear Storage

Laikmosh Posted October 3, 2017 Author

Tried that but it didn't work. The same thing happens even if I change browser, and the same error is happening when any of the users try to log in from their computers.

abdus Posted October 3, 2017

Do you have a cookie set by the name "wire_challenge"?

wire_challenge:"qQD3i99Juyx%2Fgpq%2F5PVrGjtRfDCgW37V"

Laikmosh Posted October 3, 2017 Author

Well, I just erased all the cookies, but anyway it's not a local problem; the problem is persistent with all users and on any computer or browser.

abdus Posted October 3, 2017

If it's hindering your work, you can temporarily disable session challenge by setting `$config->sessionChallenge = false;` in site/config.php, but it will be less secure.

Laikmosh Posted October 3, 2017 Author

OK, that's the perfect option to temporarily stop all the users from yelling at me and sending death threats over email, but do you think there is anything in my code that could be causing this error? What should I look for?

abdus Posted October 3, 2017

This is the part that checks session challenge:

```php
// Session.php
protected function ___isValidSession($userID) {
    $valid = true;
    $reason = '';
    $sessionName = session_name();
    // check challenge cookie
    if($this->config->sessionChallenge) {
        if(empty($_COOKIE[$sessionName . "_challenge"]) || ($this->get('_user', 'challenge') != $_COOKIE[$sessionName . "_challenge"])) {
            $valid = false;
            $reason = "Error: Invalid challenge value";
        }
    }
    // ...
}
```

I'm guessing it was a one-time issue, and somehow the user id and its challenge got corrupt/mismatched, which prevented you from logging in. Enabling sessionChallenge again probably will not cause errors anymore once the challenge is reset properly. Otherwise there's something wrong with sessions or $_COOKIE isn't set properly; deleting the site/assets/sessions/ directory or restarting the php service might help.

Laikmosh Posted October 4, 2017 Author

I went to look into that code and made this modification so I can see what the problem is in the log:

```php
if($this->config->sessionChallenge) {
    if(empty($_COOKIE[$sessionName . "_challenge"]) ) {
        $valid = false;
        $reason = "Error: Invalid challenge value, empty cookie";
        // $reason = "Error: Invalid challenge value";
    }
    if(($this->get('_user', 'challenge') != $_COOKIE[$sessionName . "_challenge"])) {
        $valid = false;
        $user_challenge = $this->get('_user', 'challenge');
        $cookie_challenge = $_COOKIE[$sessionName."_challenge"];
        $reason = "Error: Invalid challenge value, no match: sessionName=".$sessionName.', cookie='.$cookie_challenge.'user='.$user_challenge;
        // $reason = "Error: Invalid challenge value";
    }
}
```

and this was the result:

User 'elbedroom' - Error: Invalid challenge value, no match: sessionName=wire, cookie=user=U.kakjfc.txoyfTz0jWmFM7KipM8lHIo (IP: 0.0.0.0)

It seems strange, because if the cookie was empty the log would be for the first option and it would say "Error: Invalid challenge value, empty cookie", but instead it confirms that the cookie is not empty but then it shows an empty result.

When I look for the cookies I see the "wire_challenge" cookie is there. Every time I reload the page the value changes, and when I log out the cookie disappears. I'm thinking there is some code deleting the cookie every time I do a frontend login before it validates the challenge, or something like that...
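
The two `if` statements in the modified check are independent, so when the challenge cookie is absent the second one still runs and overwrites the "empty cookie" reason with "no match", which is consistent with the empty `cookie=` field in the log line above. An added example (not from the thread and not ProcessWire code) that reproduces this on constructed input and reports each case separately, logging a hash prefix instead of the raw challenge values; `modifiedCheck()`, `explainChallenge()` and `fingerprint()` are hypothetical names:

```php
<?php
// Added example, not ProcessWire code; all function names are hypothetical.

// Short hash prefix so the challenge secret never lands in a log verbatim.
function fingerprint(string $value): string {
    return substr(hash('sha256', $value), 0, 8);
}

// Same shape as the modified check in the post: two independent ifs.
function modifiedCheck(array $cookies, string $sessionName, string $stored): string {
    $reason = '';
    $cookie = $cookies[$sessionName . '_challenge'] ?? '';
    if (empty($cookie)) {
        $reason = 'empty cookie';
    }
    if ($stored != $cookie) {   // also true when the cookie is missing,
        $reason = 'no match';   // so this overwrites 'empty cookie'
    }
    return $reason;
}

// Reports each failure separately and compares in constant time.
function explainChallenge(array $cookies, string $sessionName, string $stored): string {
    $cookie = $cookies[$sessionName . '_challenge'] ?? null;
    if (!is_string($cookie) || $cookie === '') {
        return 'challenge cookie missing from request';
    }
    if ($stored === '') {
        return 'no challenge stored in session';
    }
    if (!hash_equals($stored, $cookie)) {
        return 'mismatch: cookie=' . fingerprint($cookie) . ' session=' . fingerprint($stored);
    }
    return 'ok';
}

// Constructed input: the request carries the session cookie but no challenge cookie.
$stored  = 'constructed-challenge-value';
$request = ['wire' => 'constructed-session-id'];

echo modifiedCheck($request, 'wire', $stored), PHP_EOL;
echo explainChallenge($request, 'wire', $stored), PHP_EOL;
echo explainChallenge($request + ['wire_challenge' => $stored], 'wire', $stored), PHP_EOL;
```

A "missing from request" result while the browser's cookie store still shows `wire_challenge` points at the cookie not being sent with that particular request, so the cookie's path, domain and `Secure` attributes and the URL the ajax login is served from are the things to compare.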