Strange login error


Laikmosh

Hello, I'm having a strange behavior at a frontend login. Yesterday it was working perfectly; this morning it stopped working without me changing a line of code. So here is the problem, maybe somebody here has seen this before:

This is my login code. It checks the inputs via ajax and returns either "logueado" or "falla_login":

$username = slugify($datos['login_username']); 
$username = $sanitizer->username($username);
$pass = $datos['login_password'];
if(isset($username) && isset($pass)) {
 $u = $session->login($username, $pass); 
 if($u) {
   $respuesta->status = "logueado";
 } else {
   $respuesta->status = "falla_login";
 }
};

Now this part of the code appears to be working fine: it's returning "logueado" when I input the right credentials and "falla_login" when I'm not.

So, after this the answer is evaluated by ajax and if the login was successful ("logueado") it reloads the page.

This is the code for the page. It's supposed to show you a different page depending on your role, and the login page if you are not logged in:

require("./include/head.php");
if (($user->isLoggedin())) {                                            // if the user is logged in
	require("./include/header.php");
	if ($role=="administrador"||$role=="ceo"||$role=="superuser") {     // if administrator or superuser
		require("./administracion/administracion-index.php");           // load the administrator page
	}
	if ($role=="instructor") {                                          // if instructor
		require("./instructor/instructor-index.php");                   // load the instructor page
	}
	if ($role=="alumno") {                                              // if student
		require("./alumno/alumno-index.php");                           // load the student page
	}
} else {
	$role = "unLogged";                                                 // if the user is not logged in
	require("./login.php");                                             // show the login screen
};

 

The problem is that when I log in with the right credentials the page is reloaded and it's supposed to check for my role (the code for setting the $role variable is inside the functions.php file) and then show me the right page, but it's returning me to the login page. The weirdest thing is that when I check the sessions log I find this:

log1:
Successful login for 'elbedroom'
log2:
User 'elbedroom' - Error: Invalid challenge value (IP: 0.0.0.0)

So apparently there is something checking for an IP or something and it's unlogging me right after logging in. I haven't found anything on the forums about this "Invalid challenge value", so I hope somebody can help. Right now I can only log in if I go to the backend, log in and return to the frontend; this way everything works fine, but from the frontend login nothing is working.


This is the part that checks session challenge:

// Session.php
protected function ___isValidSession($userID) {

    $valid = true; 
    $reason = '';
    $sessionName = session_name();

    // check challenge cookie
    if($this->config->sessionChallenge) {
        if(empty($_COOKIE[$sessionName . "_challenge"]) || ($this->get('_user', 'challenge') != $_COOKIE[$sessionName . "_challenge"])) {
            $valid = false; 
            $reason = "Error: Invalid challenge value";
        }
    }
    // ...
}

I'm guessing it was a one time issue, and somehow user id and its challenge got corrupt/mismatched, which prevented you from logging in. Enabling sessionChallenge again probably will not cause errors anymore once challenge is reset properly.

Otherwise there's something wrong with sessions or $_COOKIE isn't set properly; deleting the site/assets/sessions/ directory or restarting the PHP service might help.


I went to look into that code and made this modification so I can see what the problem is in the log:

if($this->config->sessionChallenge) {
    if(empty($_COOKIE[$sessionName . "_challenge"]) ) {
        $valid = false; 
        $reason = "Error: Invalid challenge value, empty cookie";
        // $reason = "Error: Invalid challenge value";
    }
    if(($this->get('_user', 'challenge') != $_COOKIE[$sessionName . "_challenge"])) {
        $valid = false; 
        $user_challenge = $this->get('_user', 'challenge');
        $cookie_challenge = $_COOKIE[$sessionName."_challenge"];
        $reason = "Error: Invalid challenge value, no match: sessionName=".$sessionName.', cookie='.$cookie_challenge.'user='.$user_challenge;
        // $reason = "Error: Invalid challenge value";
    }
}

And this was the result:

User 'elbedroom' - Error: Invalid challenge value, no match: sessionName=wire, cookie=user=U.kakjfc.txoyfTz0jWmFM7KipM8lHIo (IP: 0.0.0.0)

It seems strange, because if the cookie was empty then the log would be for the first option and it would say "Error: Invalid challenge value, empty cookie", but instead it confirms that the cookie is not empty and then it shows an empty result.

When I look for the cookies I see the "wire_challenge" cookie is there. Every time I reload the page the value changes, and when I log out the cookie disappears. I'm thinking there is some code deleting the cookie every time I do a frontend login before it validates the challenge, or something like that...
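
Added example, not part of the original posts and not ProcessWire code: a stand-alone PHP model of the modified check above, showing that its two independent `if` statements let the "no match" branch replace the "empty cookie" reason, so a log line with an empty `cookie=` is consistent with the cookie being absent on that request. The function names, the `$stored` parameter and the sample values are constructed for illustration; the second function chains the checks, compares with `hash_equals()` and keeps the challenge values out of the log.

```php
<?php
// Stand-alone model of the challenge check (illustrative, not ProcessWire code).
// $stored stands in for $this->get('_user', 'challenge'); $cookies for $_COOKIE.

// Diagnostic variant as posted: two independent if statements.
function checkAsPosted(array $cookies, string $stored, string $sessionName): string {
    $key = $sessionName . '_challenge';
    $reason = '';
    if (empty($cookies[$key])) {
        $reason = 'Error: Invalid challenge value, empty cookie';
    }
    // Still evaluated when the cookie is missing: $stored != null is true,
    // so this assignment replaces the "empty cookie" reason set above.
    if ($stored != ($cookies[$key] ?? null)) {
        $reason = 'Error: Invalid challenge value, no match: sessionName=' . $sessionName
            . ', cookie=' . ($cookies[$key] ?? '') . 'user=' . $stored;
    }
    return $reason;
}

// Chained variant: one reason per failure, constant-time comparison,
// and the message records only whether a cookie arrived, not its value.
function checkChained(array $cookies, string $stored, string $sessionName): string {
    $cookie = $cookies[$sessionName . '_challenge'] ?? '';
    if ($cookie === '') {
        return 'Error: Invalid challenge value, cookie not sent';
    }
    if (!hash_equals($stored, $cookie)) {
        return 'Error: Invalid challenge value, cookie sent but does not match';
    }
    return '';
}

$stored = 'CONSTRUCTED-stored-challenge';   // constructed sample values, not real tokens
$cases = [
    'cookie missing' => [],
    'cookie differs' => ['wire_challenge' => 'CONSTRUCTED-other-challenge'],
    'cookie matches' => ['wire_challenge' => $stored],
];
foreach ($cases as $label => $cookies) {
    echo $label, "\n";
    echo '  as posted: ', checkAsPosted($cookies, $stored, 'wire') ?: 'valid', "\n";
    echo '  chained:   ', checkChained($cookies, $stored, 'wire') ?: 'valid', "\n";
}
```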
