Login problem after changing URL and https

jambo
User ww
Posts: 21
Joined: Fri May 15, 2020 7:23 pm

Login problem after changing URL and https

Post by jambo »

I had the W3 plugin working fabulously and then we went live.

This morning we went live and the integration is no longer working. We put HTTPS in place, and made the URL www.xyz.org and you are able to log into either wordpress or phpbb, but when you go between them you get logged out.

URL www.xyz.org for wordpress
URL www.xyz.org/forum for phpbb

Domain is redirected to https://www.xyz.org on wordpress
Cookie domain on wordpress is www.xyz.org because of that

Domain is redirected to https://www.xyz.org on phpbb
cookie domain is set to "www.xyz.org" on phpbb

Cookies are all set at ".www.xyz.org" and I see the cookie being set in the same domain on both sides, but the cross-login is not working. When I login to wordpress I see the correct cookie being set on the wordpress login.

We are a small club and are doing this upgrade for our users because it was really very needed.

Any help is GREATLY appreciated!!!

If you need a login please let me know and I can share REAL URLs in private chat as well.

BY THE WAY I did a full re-install after the move to https and the change domain.

James

Re: Login problem after changing URL and https

Post by jambo »

A bit more:

I go to phpbb (clear my cookies) and login. I get 3 cookies in my browser:
  • vbmwmo8_k - domain .www.xyz.com - Content nothing - path /
  • vbmwmo8_sid - domain .www.xyz.com - Content hash - path /
  • vbmwmo8_u - domain .www.xyz.com - Content 11345 - path /
I can use phpBB and all good.

I go to wordpress and I can access wordpress and click around. Cookies at this stage:
  • vbmwmo8_k - domain .www.xyz.com - Content NOW WITH A HASH - path /
  • vbmwmo8_sid - domain .www.xyz.com - Content hash - path /
  • vbmwmo8_u - domain .www.xyz.com - Content 11345 - path /
  • PHPSESSID - domain (NO DOT)www.xyz.com - Content hash - path /
  • wordpress_loggedin(hash) - domain .www.xyz.com - Content hash - path /
  • wordpress_sec(hash) (2 of them) - domain .www.xyz.com - Content hash - path various
I am able to click around and all is good.

I go back to phpBB and I am not logged in and I have the following cookies:
  • vbmwmo8_k - domain .www.xyz.com - Content No content - path /
  • vbmwmo8_sid - domain .www.xyz.com - Content hash - path /
  • vbmwmo8_u - domain .www.xyz.com - Content This is NOW 1, not 11345! - path /
  • PHPSESSID - domain (NO DOT)www.xyz.com - Content hash - path /
  • wordpress_loggedin(hash) - domain .www.xyz.com - Content hash - path /
  • NO wordpress_sec cookies
I also noticed that when I go from phpbb to wordpress the vbmwmo8_sid cookie is NOT the same hash.

Sometimes I get duplicate vbmwmo8 cookies with .www.xyz.com and www.xyz.com.

If I log in on the wordpress side and go to phpbb I get the same functionality as above!

I am at my limit on how to solve this.

Thank you!!!
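
The duplicate-cookie observation in the post above (the same vbmwmo8 name under both .www.xyz.com and www.xyz.com), as an added example that is not part of the thread or the plugin's code: a small JavaScript model of how a browser keeps a Domain-scoped cookie and a host-only cookie as separate entries and sends both. It assumes the jar is keyed on name, domain, host-only flag and path, which is consistent with the duplicates reported; the function names and cookie values are constructed.

```javascript
// Added example: model of browser cookie storage, not plugin code; values are constructed.
// Parse one Set-Cookie header that was received from requestHost.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
              domain: requestHost.toLowerCase(), hostOnly: true, path: '/' };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=');
    if (key.toLowerCase() === 'domain' && val) {
      c.domain = val.replace(/^\./, '').toLowerCase(); // leading dot is ignored
      c.hostOnly = false;                              // also matches subdomains
    } else if (key.toLowerCase() === 'path' && val.startsWith('/')) {
      c.path = val;
    }
  }
  return c;
}

// Assumption: an entry is replaced only when all four fields match.
function store(jar, c) {
  const i = jar.findIndex((o) => o.name === c.name && o.domain === c.domain &&
                                 o.hostOnly === c.hostOnly && o.path === c.path);
  if (i >= 0) jar[i] = c; else jar.push(c);
}

// Cookies attached to a request for host (every cookie here uses path "/").
function cookiesFor(jar, host) {
  return jar.filter((c) => (c.hostOnly ? host === c.domain
    : host === c.domain || host.endsWith('.' + c.domain)));
}

// Names the server would receive more than once for this host.
function duplicateNames(jar, host) {
  const counts = new Map();
  for (const c of cookiesFor(jar, host)) counts.set(c.name, (counts.get(c.name) || 0) + 1);
  return [...counts].filter(([, n]) => n > 1).map(([name]) => name);
}

// Constructed sequence: two responses set Domain=.www.xyz.com, a third omits Domain.
function demo() {
  const jar = [];
  const host = 'www.xyz.com';
  store(jar, parseSetCookie('vbmwmo8_u=11345; Path=/; Domain=.www.xyz.com', host));
  store(jar, parseSetCookie('vbmwmo8_sid=aaaa; Path=/; Domain=.www.xyz.com', host));
  store(jar, parseSetCookie('vbmwmo8_u=1; Path=/', host)); // host-only, same name
  const header = cookiesFor(jar, host).map((c) => `${c.name}=${c.value}`).join('; ');
  return { header, duplicates: duplicateNames(jar, host) };
}
```

Feeding the Set-Cookie headers captured from each application into the same functions shows which response omits the Domain attribute and therefore creates the second entry.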

Re: Login problem after changing URL and https

Post by jambo »

I removed the www from the site name all over the place and it is just down to xyz.com with no www.

I changed the cookie as well to .xyz.com

and I have the same problem. Nothing has changed.

Re: Login problem after changing URL and https

Post by jambo »

I am still hunting this down, and I am looking into the class.wp.w3all-phpbb.php file, and I inserted some debug statements as below:

Code:

if (!isset($_COOKIE[$u])) {
    error_log("Cookie is not set!!!\n", 3, "/var/log/VBMWMO/error_log");
}

// HERE INSIDE WE ARE SECURE //
$_COOKIE[$u] = (isset($_COOKIE[$u])) ? $_COOKIE[$u] : 1;
$_COOKIE[$sid] = (isset($_COOKIE[$sid])) ? $_COOKIE[$sid] : '';
$_COOKIE[$k] = (isset($_COOKIE[$k])) ? $_COOKIE[$k] : '';

error_log("User = " . $_COOKIE[$u] . "\n", 3, "/var/log/VBMWMO/error_log");

And got this output:
User = 1
User = 11515
Cookie is not set!!!
User = 1
User = 1
Cookie is not set!!!
User = 1
Cookie is not set!!!
User = 1
Cookie is not set!!!
User = 1
Cookie is not set!!!
User = 1
Cookie is not set!!!
User = 1
Cookie is not set!!!
User = 1
Cookie is not set!!!
Cookie is not set!!!
User = 1
User = 1
The first User=1 was accessing the login page, the system logged me in UID = 11515 and then promptly could not find my cookie.

I will keep looking...

James

Re: Login problem after changing URL and https

Post by jambo »

Okay, I turned off "Activate w3all sessions keys Brute Force countermeasure" and I am now able to log in to phpbb and look around the forums fine. I am also able to go to wordpress fine and look around, but when I try to go back to phpbb it does not work.

If I log into wordpress and try to go to phpbb it does not work. So, phpbb -> wordpress is fine but not the other way around.

Thanks!!
axew3
w3all User
Posts: 2883
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy

Re: Login problem after changing URL and https

Post by axew3 »

Hello! OK look, I've been locked out just now by this site.
Reason: I have the plugin's anti-bruteforce option enabled AND the option "Swap WordPress default Login, Register and Lost Password links to point to phpBB related pages" enabled.
If a user turns out to be on the plugin's bruteforce list, then when the user logs in via phpBB NOT iframed, they will be logged in to phpBB, but when coming to the WP side they will be logged out. And if the user resets the password in phpBB and then tries to log in to WP, again the password does not match, because the bruteforce prevention does not let the code execute if the user does not unlock their account with a correct login on the WP side.
More: the anti-bruteforce measure lets firewall plugins do their jobs, and when the password does not match, the code fires a wrong-login event, so firewall plugins will log the event and may require you to unlock the account. But again, if the username is in the bruteblock list, the code to unlock the user will not execute correctly.
Then, how can I log in to WP and reset things, if the swap login/register/lost password option is enabled together with anti-bruteforce?

Did you fall into the same?

I am going to check all of this for the upcoming 2.3.6. I will start today to check and fix all issues, also based on your reports.
I will check the bruteforce option and the common issues it can cause with different plugin settings.
I will reply here as soon as I discover more while reversing the logic/code.

This is not clear to me:
"but when I try to go back to phpbb it does not work"
You log in to WordPress, then when visiting phpBB the user is logged out (also in WordPress)?