• Version: 3.9.6

    Issue description:
    I’m running into a redirect loop after changing a member password. It appears that the cookies are not cleared properly, and the bad hash used for user validation is not being removed nor handled correctly.

    Reproduce:
    1. Log in
    2. Change the password
    3. Navigate to any page (e.g. homepage) without (re-)logging in
    4. Redirect loop

    I’ve fixed this by changing the validate function in simple-membership/classes/class.swpm-auth.php:320->validate().

    Added code:

    $logout_url = SIMPLE_WP_MEMBERSHIP_SITE_HOME_URL . '?swpm-logout=true';
    wp_redirect($logout_url);

    Before:
    wp_logout(); //Force logout of WP user session to clear the bad hash

    Login log:
    [04/02/2020 9:40 AM] – SUCCESS: Authentication request using email address: [email protected], Found a user record with username: Testlid
    [04/02/2020 9:40 AM] – SUCCESS: Authentication request – Username: Testlid
    [04/02/2020 9:40 AM] – SUCCESS: Authentication successful for username: Testlid. Executing swpm_login action hook.
    [04/02/2020 9:40 AM] – SUCCESS: Trying wp_signon() with username: Testlid
    [04/02/2020 9:40 AM] – SUCCESS: wp_authenticate action. User with username: Testlid is already logged in.
    [04/02/2020 9:40 AM] – SUCCESS: wp_login hook triggered. Username: Testlid
    [04/02/2020 9:40 AM] – SUCCESS: Setting current WP user to: Testlid
    [04/02/2020 9:40 AM] – SUCCESS: Triggering swpm_after_login hook.
    [04/02/2020 9:40 AM] – SUCCESS: validate() – Username: Testlid
    [04/02/2020 9:40 AM] – SUCCESS: validate() – Username: Testlid
    [04/02/2020 9:41 AM] – SUCCESS: validate() – Username: Testlid
    [04/02/2020 9:42 AM] – SUCCESS: validate() – Username: Testlid
    [04/02/2020 9:42 AM] – SUCCESS: validate() – Username: Testlid
    [04/02/2020 9:42 AM] – SUCCESS: validate() – Username: Testlid
    [04/02/2020 9:42 AM] – SUCCESS: validate() – Username: Testlid
    [04/02/2020 9:42 AM] – SUCCESS: validate() – Username: Testlid
    [04/02/2020 9:42 AM] – SUCCESS: validate() – Username: Testlid
    [04/02/2020 9:42 AM] – SUCCESS: validate() – Username: Testlid
    [04/02/2020 9:42 AM] – SUCCESS: validate() – Bad Hash
    [04/02/2020 9:42 AM] – SUCCESS: validate() – Username: Testlid
    [04/02/2020 9:42 AM] – SUCCESS: validate() – Bad Hash
    [04/02/2020 9:42 AM] – SUCCESS: validate() – Username: Testlid
    [04/02/2020 9:42 AM] – SUCCESS: validate() – Bad Hash
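
A detection sketch for the pattern in the login log above, added here as an example and not part of the original post or the plugin's code: it flags a user whose validate() calls keep ending in Bad Hash with no fresh authentication in between. The sample lines are constructed in the log's format; the usernames, the threshold, the window and the month/day date order are assumptions.

```python
import re
from datetime import datetime, timedelta

# Line shape taken from the login log in the post: "[date time] – LEVEL: message".
# Bad Hash is logged at level SUCCESS, so match on the message, not the level.
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+[–-]\s+\w+:\s+(?P<msg>.*)$")
AUTH_OK = re.compile(r"^Authentication successful for username:\s+(?P<user>.+?)\. Executing")
VALIDATE_USER = re.compile(r"^validate\(\)\s+[–-]\s+Username:\s+(?P<user>\S+)")
BAD_HASH = re.compile(r"^validate\(\)\s+[–-]\s+Bad Hash")

# Constructed sample, not the poster's log.
SAMPLE = """\
[04/02/2020 9:40 AM] – SUCCESS: Authentication successful for username: demo. Executing swpm_login action hook.
[04/02/2020 9:40 AM] – SUCCESS: validate() – Username: demo
[04/02/2020 9:42 AM] – SUCCESS: validate() – Username: demo
[04/02/2020 9:42 AM] – SUCCESS: validate() – Bad Hash
[04/02/2020 9:42 AM] – SUCCESS: validate() – Username: demo
[04/02/2020 9:42 AM] – SUCCESS: validate() – Bad Hash
[04/02/2020 9:43 AM] – SUCCESS: validate() – Username: other
[04/02/2020 9:43 AM] – SUCCESS: validate() – Bad Hash
[04/02/2020 9:43 AM] – SUCCESS: validate() – Username: demo
[04/02/2020 9:43 AM] – SUCCESS: validate() – Bad Hash
""".splitlines()


def find_bad_hash_loops(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {username: count} for users with >= threshold Bad Hash events
    inside `window` and no successful authentication in between."""
    recent = {}       # username -> timestamps of recent Bad Hash events
    last_user = None  # user named by the validate() line just before
    flagged = {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M %p")
        msg = m["msg"]
        if (a := AUTH_OK.match(msg)):
            recent.pop(a["user"], None)  # a fresh login resets the count
            last_user = None
        elif (v := VALIDATE_USER.match(msg)):
            last_user = v["user"]
        elif BAD_HASH.match(msg) and last_user:
            hits = [t for t in recent.get(last_user, []) if ts - t <= window]
            recent[last_user] = hits + [ts]
            if len(recent[last_user]) >= threshold:
                flagged[last_user] = len(recent[last_user])
            last_user = None
    return flagged
```

The Bad Hash line carries no username, so the sketch attributes it to the validate() line directly before it; interleaved requests from several users can blur that pairing.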

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support mbrsolution

    (@mbrsolution)

    Thank you for reaching out to us.

    I have submitted a message to the developers to investigate your findings further.

    Thank you

    Thread Starter pimschaaf

    (@pimschaaf)

    This problem persists in 3.9.7. The same fix works.

    Plugin Author wp.insider

    (@wpinsider-1)

    There is likely a conflict with another plugin which is creating a loop. What do you mean by a re-direct loop? I am not seeing a redirect loop.

    We can’t just add the following line there without fully understanding the implications (because it will affect all the other sites):
    wp_redirect($logout_url);

    What I can do is add an action hook there so you can use that hook to add a redirect in there. You will see the following action hook in the next version of the plugin:

    swpm_validate_login_hash_mismatch

    You can use that hook to add your custom code so it doesn’t get overwritten in the future.

    Thread Starter pimschaaf

    (@pimschaaf)

    Perfect, that hook should help us out here. I can see why this workaround might not be universally applicable.

    To be clear, Chrome claims it to be a redirect loop. I’m not sure what it is being redirected to, but given the workaround I think that wp_logout() is ultimately the mechanism for the looping behavior here.

    My theory: if the bad hash is not reset properly with wp_logout(), and wp_logout() triggers a new page load, and validate() triggers on that page load with the bad hash still present, it will trigger wp_logout() again, in a loop.

    Thanks!

  • The topic ‘Bad hash after password update’ is closed to new replies.