rtCamp / login-with-google

Minimal plugin which allows WordPress users to log in with Google.

Home Page: https://wordpress.org/plugins/login-with-google/

Redirects back to login page after clicking login button

dhsathiya opened this issue · comments

I have noticed that when visiting a site after a while and using the Login-with-Google plugin, after clicking the login button the site gets redirected back to the wp-login page again.

Previous observation:
The last time the issue occurred, I checked the requests and found that the redirect was a soft redirect (302), and the network tab showed that it was served from disk cache.


Hi @abhishekfdd
Please look into this issue and provide an update before EOD.

Keep posting updates on this task.

Thanks,

@dhsathiya Is there any particular step to reproduce this issue, as I was able to login fine every time?

@abhishekfdd As discussed, please try to set a timeout and see if you are able to reproduce the issue.

@abhishekfdd: I was discussing it with @chandrapatel. He has a theory regarding this. Please talk with Chandra once.

To replicate:

  • Tried clearing cookies.
  • Tried decreasing the session timeout.
  • Tried setting the browser to resume with the last session.

Nothing worked.

Discussed with @chandrapatel; the problem seems to be in the redirection, but we are still not able to replicate the issue.


Thanks for checking this again.

If anyone faces the same issue, we will report it along with a screencast here.

Keeping this task on hold till then.

@elifvish Can you take a look at this and figure out a solution?

Hi @elifvish Any updates on this?

Yes, I was able to reproduce the issue.
The issue is only reproducible when the wordpress_logged_in cookie is set and the user visits the login page with reauth=1 in the URL.
I have a few solutions in mind. Will try them today.
cc: @aviral-mittal

@elifvish Please update with the solutions tried and if any of them worked.

The root issue is that nonce verification fails if a user visits wp-login.php with reauth=1 in the query args and the wordpress_logged_in cookie set.
This happens because when the nonce is created it checks whether the user is logged in or not, and uses the uid as a part of the nonce.
Now, when the login request is sent, wp_verify_nonce fails, as the reauth=1 parameter logs out the user, and when the user id is fetched to verify the nonce it returns null.

Yesterday I tried a solution of redirecting to wp-login.php.
It worked, but I thought I should dig deeper to check the root cause.

Now that I have found it, the only way to fix this is to redirect or refresh the login page if it is visited with reauth=1 and the wordpress_logged_in cookie set.
I tested the fix.
Will raise a PR soon once I find the best possible location to place the check.

cc: @aviral-mittal

@Rink9 Need to test this fix as well.

@aviral-mittal I have cross-checked this issue on the Chrome, Firefox and Safari browsers after clearing all caches and cookies. Currently it is working as expected on the production site in every browser. The issue of being redirected back to the login page after clicking the login button is also resolved on the production site. We are good to close this issue, as it is working fine now.

Screen.Recording.2022-09-19.at.4.00.30.PM.mov

@gagan0123 Can you please look into this issue? It doesn't seem to be fixed, or it is happening again.
I am sending you a screen recording of the issue as well as an HAR export.

@dhsathiya

Thanks for providing the HAR file for debugging, as the issue is quite difficult to replicate.

From the HAR file I have deduced that for the first login attempt, when you are redirected back to the login page, it gives a 200 response code instead of the 302 it should have.

In the code there are only three possible ways in which no error message would appear when the user is redirected back to the login page even on failure:

  1. The already existing cookies for the site make WordPress believe you are still logged in, and we already have a $user assigned for your login session (does not seem to be the case in your request).
  2. The returned code or provider parameters are missing when redirected (again, not the case in your request).
  3. The nonce created for the login session expires before you are redirected back to the login page.

The third one seems plausible, since the site you reported it for uses page-level caching.

Now, if you are being served a cached version of the login page, the nonce failure can occur whenever the cache is older than the nonce expiration.

Will need to test this hypothesis. Will keep you posted on the progress.
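The two explanations given in this thread (the nonce being minted for a logged-in user and then verified after reauth=1 has cleared the cookies, and a page cache serving a login page whose nonce has aged past its lifetime) both follow from how WordPress derives a nonce. The model below is an added example, not code from the plugin, from WordPress or from any participant: it mirrors the shape of wp_create_nonce()/wp_verify_nonce() (tick | action | uid | session token, HMAC-MD5 under the nonce salt, 10 hex characters kept, current and previous tick accepted), but the salt, action name, user id, session token and timestamps are constructed values, and needs_refresh() is only a sketch of the check the thread proposes, not the fix that was merged.

```python
"""Model of WordPress nonce minting/verification, used to reproduce the two
failure modes discussed in this issue. Added example code, not the plugin's:
the salt, action, uid, token and timestamps are constructed."""
import hashlib
import hmac
import math

NONCE_LIFE = 24 * 60 * 60          # WordPress default nonce life: DAY_IN_SECONDS
NONCE_SALT = b"constructed-salt"   # stand-in for wp_salt('nonce'); not a real key
ACTION = "login_with_google"       # assumed action name, not the plugin's
T0 = 43200 * 100 + 1               # constructed "now": just past a tick boundary


def nonce_tick(now: int, nonce_life: int = NONCE_LIFE) -> int:
    """Like wp_nonce_tick(): the tick advances every half nonce lifetime."""
    return math.ceil(now / (nonce_life / 2))


def _nonce_for(tick: int, action: str, uid: int, token: str) -> str:
    # wp_hash() is hash_hmac('md5', data, salt); substr(..., -12, 10) keeps 10 chars.
    data = f"{tick}|{action}|{uid}|{token}".encode()
    return hmac.new(NONCE_SALT, data, hashlib.md5).hexdigest()[-12:-2]


def create_nonce(action: str, uid: int, token: str, now: int) -> str:
    """Nonce as minted into the login page: bound to the uid/token at mint time."""
    return _nonce_for(nonce_tick(now), action, uid, token)


def verify_nonce(nonce: str, action: str, uid: int, token: str, now: int):
    """Like wp_verify_nonce(): 1 for the current tick, 2 for the previous, else False."""
    i = nonce_tick(now)
    for age, tick in ((1, i), (2, i - 1)):
        if hmac.compare_digest(_nonce_for(tick, action, uid, token), nonce):
            return age
    return False


def reauth_scenario(now: int = T0):
    """wp-login.php?reauth=1 with wordpress_logged_in set: the nonce is minted for
    uid 5 / token 'sess', but reauth clears the cookies before the callback, so
    verification runs as uid 0 / empty token and fails."""
    nonce = create_nonce(ACTION, uid=5, token="sess", now=now)
    return verify_nonce(nonce, ACTION, uid=0, token="", now=now)


def cached_page_scenario(cache_age: int, now: int = T0):
    """A page cache serves a login page minted at `now`; the form is submitted
    cache_age seconds later. Verification fails once the cached copy is more
    than one tick old, i.e. older than the nonce lifetime."""
    nonce = create_nonce(ACTION, uid=0, token="", now=now)
    return verify_nonce(nonce, ACTION, uid=0, token="", now=now + cache_age)


def needs_refresh(query: dict, cookies: dict) -> bool:
    """Sketch of the check proposed in the thread: a visitor arriving with
    reauth=1 while a wordpress_logged_in_* cookie is present should be
    redirected/refreshed so the nonce is minted in the logged-out state."""
    logged_in = any(name.startswith("wordpress_logged_in") for name in cookies)
    return query.get("reauth") == "1" and logged_in


if __name__ == "__main__":
    print("reauth:", reauth_scenario())
    print("fresh page:", cached_page_scenario(0))
    print("12h-old cache:", cached_page_scenario(12 * 3600))
    print("24h-old cache:", cached_page_scenario(24 * 3600))
    print("refresh?", needs_refresh({"reauth": "1"}, {"wordpress_logged_in_abc": "x"}))
```

The reauth case fails at any age because the uid and session token that went into the hash are not the ones available at verification time; the cache case passes for a copy up to one tick old (verify returns 2) and fails beyond that, which is why the symptom only appears on a site with page-level caching and only after the login page has sat in the cache for a day.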