www programming

 // The presented cookie uid, is in the black list and the user not logged in?
 if( $w3all_anti_brute_force_yn == 1 && ! is_user_logged_in() && isset($w3all_bruteblock_phpbbulist[$phpbb_u]) ){
      setcookie ("w3all_bruteblock", "1", 0, "/", $w3cookie_domain, false); // expire session, removed on phpBB_user_session_set()
       self::w3all_wp_logout('wp_login_url');
      return;
 }

Thank you for appreciation!
[quote]"Account activation:" field to "Disable registration"[/quote]
Yes, you can of course disable registration in phpBB!

Following to check for the issue above mentioned, i see now that this code is the probòem, that run just on top of the verify credentials function of the plugin:

[code] // The presented cookie uid, is in the black list and the user not logged in?
if( $w3all_anti_brute_force_yn == 1 && ! is_user_logged_in() && isset($w3all_bruteblock_phpbbulist[$phpbb_u]) ){
setcookie ("w3all_bruteblock", "1", 0, "/", $w3cookie_domain, false); // expire session, removed on phpBB_user_session_set()
self::w3all_wp_logout('wp_login_url');
return;
}[/code]

This code used to stop any bruteforce: if the username is in the list, is not logged, the logout fire, the function logout and return, so stop any subsequent action (calls to db to check for the session).

If no other smart solution will come out in mind, the way to resolve can't be [b]like into this example[/b] (where i can manage problems in another way, may managing records into db when in trouble like this morning that this is obviously not useful for nobody)

[b]The solution is: do not activate the option Swap login/registration/reset pass links with bruteforce active,
if/and you want users do these actions only in phpBB[/b], may just remove then in wp side all links that points to registration/login lost pass and that points to wp, and manually add links to related phpBB pages. Then in case of problems, so when an user need to reset/unlock his account, it will be normally processed. Let test things more deeply in these days, hope to come out with a solution for this problem, but without adding code into phpBB side, it seem at me at moment +- impossible.

GREAT!! I am back on track, your comments led me down the path to see what I might have done to make things bad.

The problem was created by [b]me[/b]!!!!

I set the "Allow "Remember Me" logins:" in phpBB 3.3 to "off" because I am going to force all logins through wordpress and I figured I would control the cookie timeout there. The minute I set that back to "on" my problem went away!!!!!

My other question, is since I am putting everything through wordpress, and I want to FORCE registration there, should I set the "Account activation:" field to "Disable registration". I already have pushed all the login links to wordpress with my phpBB style, but that would remove all the register links for me.

Thank you very much for your help and for the plugin, you rock!!!!

James

Hello! Ok look, i've been locked out just now by this site.
Reason: i have option anti-bruteforce on plugin enabled AND option [b]Swap WordPress default Login, Register and Lost Password links to point to phpBB related pages[/b] enabled.
If an user results to be on the plugin's bruteforce list, when an user login via phpBB NOT iframed, it will login in phpBB, but when coming into WP side will be logged out. And if the user reset the pass in phpBB, then try to login wp, again, the pass do not match, this because the bruteforce prevention, do not let code execution if the user do not unlock his account with a correct login into WP side.
More: the antibruteforce measure, let firewall plugins do their jobs and when pass do not match, the code fire a wrong login event, so firewall plugins will log the event, and may require you to unlock account. But again, if the username is in the bruteblock list, the code to unlock the user will not execute correctly.
Then, how i can do a login in wp and reset things, if the option swap login/register/lost pass is enabled, together with anti-bruteforce?

Did you fall into same?

Going to check all about into next coming soon 2.3.6. I will start today on check and fix all issues also based on yours reports.
I will check what about bruteforce and common issues it can cause using different plugin's settings.
In reply here as soon i discover more while reversing the logic/code.

It is not clear to me this:
[quote]but when I try to go back to phpbb it does not work[/quote]
You login in wordpress, then when visiting phpBB the user logout (also in wordpress)?

okay, I turned off [b]Activate w3all sessions keys Brute Force countermeasure[/b] and I am now able to login to phpbb and look around the forums fine. I am also able to go to wordpress fine and look around, but when I try to go back to phpbb it does not work.

If I log into wordpress and try to go to phpbb it does not work. So, phpbb -> wordpress is fine but not the other way around.

Thanks!!

if( !(isset($_COOKIE[$u])))
        error_log( "Cookie is not set!!!\n", 3, "/var/log/VBMWMO/error_log");

          // HERE INSIDE WE ARE SECURE //
        $_COOKIE[$u] = (isset($_COOKIE[$u])) ? $_COOKIE[$u] : 1;
        $_COOKIE[$sid] = (isset($_COOKIE[$sid])) ? $_COOKIE[$sid] : '';
        $_COOKIE[$k] = (isset($_COOKIE[$k])) ? $_COOKIE[$k] : '';

error_log( "User = " . $_COOKIE[$u] . "\n", 3, "/var/log/VBMWMO/error_log");

I am still hating this down, and I am looking into the [i]class.wp.w3all-phpbb.php[/i] file and I insterted some debug statement as below:

[code]if( !(isset($_COOKIE[$u])))
error_log( "Cookie is not set!!!\n", 3, "/var/log/VBMWMO/error_log");

// HERE INSIDE WE ARE SECURE //
$_COOKIE[$u] = (isset($_COOKIE[$u])) ? $_COOKIE[$u] : 1;
$_COOKIE[$sid] = (isset($_COOKIE[$sid])) ? $_COOKIE[$sid] : '';
$_COOKIE[$k] = (isset($_COOKIE[$k])) ? $_COOKIE[$k] : '';

error_log( "User = " . $_COOKIE[$u] . "\n", 3, "/var/log/VBMWMO/error_log");
[/code]

And got this output:

[quote]User = 1
User = 11515
Cookie is not set!!!
User = 1
User = 1
Cookie is not set!!!
User = 1
Cookie is not set!!!
User = 1
Cookie is not set!!!
User = 1
Cookie is not set!!!
User = 1
Cookie is not set!!!
User = 1
Cookie is not set!!!
User = 1
Cookie is not set!!!
Cookie is not set!!!
User = 1
User = 1[/quote]

The first User=1 was accessing the login page, the system logged me in UID = 11515 and then promptly could not find my cookie.

I will keep looking...

James

I removed the www from the site name all over the place and it is just down to xyz.com with no www.

I changed the cookie as well to .xyz.com

and I have the same problem. Nothing has changed.