[Plugin: Friends Only] Login requested for every page

I got that wrong. It isn’t wanting a login for every page. What happens is, yu log in with your email address to access the site, then if you select a different page it asks for the login email again. After that you can move freely around the site. So it’s actually only asking for the login twice

Thanks for that – super useful to know. I’m looking into it now.

Quick question that just came to mind – is the initial base URL (e.g. https://www.example.com) the same as the subsequent URL?

Is the server changing the URL between the two pages (e.g. from https://www.example.com to example.com)?

Thanks Gabe. This will be a private blog, but I don’t mind sharing it for a while to try and get this sorted out. I appreciate your help.

https://www.raycastell.co.uk/wordpress

You can get in with friendsonly instead of an email address -I hope!

I think I’ve fixed it.

Try editing the sentry.php file in the plugin, and replace it entirely with the following code. (Under Plugins -> Editor)

<?php 

// This function determines whether the user should be displayed the login page based on whether or not they have already authenticated themselves with WordPress (i.e. Administrator logged in), or with the sentry

function fo_runSentry() {

	// Create site URLs to test later for URL hacking or provide access to special pages (e.g. login or FeedWrangler)

	$base_WP_URI = str_replace('www.','',strtolower(get_bloginfo('wpurl')));
	$clean_URI = str_replace('www.','',strtolower('https://'.$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']));

	// If the cookie has already been set, then don't show the sentry
	if (isset($_COOKIE['verify'])) {
		return;
	}
	// If the user is logged in then don't show the sentry
	elseif (is_user_logged_in()) {
		return;
	}
	// If the user is requesting media (mostly RSS readers and subscription emails), then let them view the media
	elseif (strpos($clean_URI, $base_WP_URI.'/wp-content/uploads') === 0) {
		return;
	}
	// If this is a wp-cron request, then don't show the sentry
	elseif (strpos($clean_URI, $base_WP_URI.'/wp-cron.php') === 0) {
		return;
	}
	// If the user is requesting a FeedWrangler feed, then don't show the sentry
	elseif (strpos($clean_URI, $base_WP_URI.'/?feed=') === 0) {
		return;
	}
	// If the user is not logged in, but they are trying to log in, then let them see the login page
	elseif (strpos($clean_URI, $base_WP_URI.'/wp-admin/') === 0 || strpos($clean_URI, $base_WP_URI.'/wp-login.php') === 0) {
		return;
	}
	// If the user is trying to access XML-RPC then don't show the sentry
	elseif (strpos($clean_URI, $base_WP_URI.'/xmlrpc.php') === 0) {
		return;
	}

	if ($_SERVER['HTTP_HOST'] != parse_url(get_bloginfo('wpurl'),PHP_URL_HOST))
		{
		header('Location: '.str_replace($_SERVER['HTTP_HOST'], parse_url(get_bloginfo('wpurl'),PHP_URL_HOST), selfURL()));
		}

	// Load the array of email addresses and clean it up (including removing invalid email addresses)

	$PERMITTED_ADDRESSES = explode(chr(13), get_option('email_list'));

	array_walk($PERMITTED_ADDRESSES, 'fo_cleanAddress');

	// Load and clean the address to be notified by email, then sort them so any null addresses are at the end of the list

	$notify_address = explode (',', get_option('notify_address'));
	array_walk($notify_address, 'fo_cleanAddress');
	array_walk($notify_address, 'fo_removeInvalidAddress');
	array_filter($notify_address, 'strlen');
	rsort($notify_address);

	// Process the user provided password

	if (isset($_POST['access_email'])) {

		$supplied_address = strtolower(trim($_POST['access_email']));

		if ( strlen($supplied_address) == 0 ) { $supplied_address = 'blank'; }

		if (!in_array($supplied_address, $PERMITTED_ADDRESSES)) {

	  	//Send email notifying of FAILED login

		if (get_option('notify_fail') && is_email($notify_address[0]) && $supplied_address != 'blank') {
			wp_mail( $notify_address, "[".wp_specialchars_decode(get_bloginfo('name'), ENT_QUOTES)."] FAIL for ".$supplied_address,
	  		"Failed login at ".wp_specialchars_decode(get_bloginfo('name'), ENT_QUOTES)." by ".$supplied_address."\n\nTime: ".date("H:i:s \(\G\M\TP\)")."\nIP: ".$_SERVER['REMOTE_ADDR']." (https://www.ip2location.com/".$_SERVER['REMOTE_ADDR'].")", "From: Friends Only Notification <".get_settings('admin_email').">");
		}

		fo_showLoginForm(get_option('prompt_error'));

	  }
	else {
		// set cookie if password was validated
		setcookie("verify", md5($login.'%'.$supplied_address), 0, parse_url(get_bloginfo('wpurl'),PHP_URL_HOST));

		// Clear password protector variables
		unset($_POST['access_login']);
		unset($_POST['access_password']);
		unset($_POST['Submit']);

		// Send email notifying of SUCCESSFUL login

	    if (get_option('notify_success') && is_email($notify_address[0])) {
	    wp_mail( $notify_address, "[".wp_specialchars_decode(get_bloginfo('name'), ENT_QUOTES)."] SUCCESS for ".$supplied_address,
	  "Successful login at ".wp_specialchars_decode(get_bloginfo('name'), ENT_QUOTES)." by ".$supplied_address."\n\nTime: ".date("H:i:s \(\G\M\TP\)")."\nIP: ".$_SERVER['REMOTE_ADDR']." (https://www.ip2location.com/".$_SERVER['REMOTE_ADDR'].")", "From: Friends Only Notification <".get_settings('admin_email').">");
	    }

	  }
	}

	// Check if password cookie is set

	else {
	  if (!isset($_COOKIE['verify'])) {
	    fo_showLoginForm("");
	  }
	}
}

// This function displays the login form if the user is required to authenticate with the sentry

function fo_showLoginForm($error_message) {

	echo "<!DOCTYPE html>
	<html ";

	echo language_attributes();

	echo ">
	<head>
	<title>";

	echo htmlentities(bloginfo('name'));

	echo "
	</title>
	  <META HTTP-EQUIV='CACHE-CONTROL' CONTENT='NO-CACHE'>
	  <META HTTP-EQUIV='PRAGMA' CONTENT='NO-CACHE'>
	  <META HTTP-EQUIV='CONTENT-TYPE' CONTENT='";

	echo bloginfo('html_type');
	echo " CHARSET=";
	echo bloginfo('charset');
	echo "'>";

	wp_head();

// Reset the CSS styles using the Meyer Reset (https://meyerweb.com/eric/tools/css/reset/) before applying CSS styles

	echo "	<style type='text/css'>

	html, body, div, span, applet, object, iframe,
	h1, h2, h3, h4, h5, h6, p, blockquote, pre,
	a, abbr, acronym, address, big, cite, code,
	del, dfn, em, img, ins, kbd, q, s, samp,
	small, strike, strong, sub, sup, tt, var,
	b, u, i, center,
	dl, dt, dd, ol, ul, li,
	fieldset, form, label, legend,
	table, caption, tbody, tfoot, thead, tr, th, td,
	article, aside, canvas, details, embed,
	figure, figcaption, footer, header, hgroup,
	menu, nav, output, ruby, section, summary,
	time, mark, audio, video {
		margin: 0;
		padding: 0;
		border: 0;
		font-size: 100%;
		font: inherit;
		vertical-align: baseline;
	}

	article, aside, details, figcaption, figure, footer, header, hgroup, menu, nav, section {
		display: block;
	}
	body {
		line-height: 1;
	}
	ol, ul {
		list-style: none;
	}
	blockquote, q {
		quotes: none;
	}
	blockquote:before, blockquote:after, q:before, q:after {
		content: '';
		content: none;
	}
	table {
		border-collapse: collapse;
		border-spacing: 0;
	}

	body {
		font-family : Tahoma, Verdana, Arial;
		font-color: #000000;
		padding-left: 20%;
		padding-top:50px;
		padding-bottom: 50px;
		padding-right: 5%;
		background-color: #FFFFFF;
	}

	p	{
		padding-top: 8px;
		padding-bottom: 8px;
	}

	</style>";

	echo "</head>

	<body>

	<p style='font-size: 2em; padding-bottom: 50px;'>";

	echo bloginfo('name');

	echo "</p>";

	if ($error_message == NULL) {
		echo get_option('prompt_email');
	}
	else {
		echo $error_message;
	}

	echo "
	<p>
	<form method='post'><input style='font-size: 1.2em;' type='input' name='access_email' size='32' />&nbsp;<input type='submit' style='background-color: #DDDDDD; border-color: #AAAAAA; color: #000000; font-family: tahoma, verdana, arial; font-size: 1.2em;' name='Submit' value='";

	echo get_option('prompt_submit');

	echo "' /></form>
	</p>
	<br /><p><a href='";

	echo bloginfo('wpurl');

	echo "/wp-admin/' style='color: #CCCCCC; font-size: small;'>Administrator login >></a></p>
	</body>
	</html>";

	// stop at this point
	die();
}

function fo_cleanAddress(&$value, $key)
	{
	    $value = strtolower(trim($value));
	}

function fo_removeInvalidAddress (&$value, $key)
	{
    if (!is_email($value)) $value = NULL;
	}

function selfURL()
{
    $s = empty($_SERVER["HTTPS"]) ? '' : ($_SERVER["HTTPS"] == "on") ? "s" : "";
    $protocol = strleft(strtolower($_SERVER["SERVER_PROTOCOL"]), "/").$s;
    $port = ($_SERVER["SERVER_PORT"] == "80") ? "" : (":".$_SERVER["SERVER_PORT"]);
    return $protocol."://".$_SERVER['SERVER_NAME'].$port.$_SERVER['REQUEST_URI'];
} 

function strleft($s1, $s2) { return substr($s1, 0, strpos($s1, $s2)); }

?>

Oh, and just so you know, it was an issue with the domain under which the cookie was being set.

If you go to:

https://www.raycastell.co.uk/wordpress

you’ll see the problem

if you go to:

https://raycastell.co.uk/wordpress

you won’t see the problem

Thanks so much Gabe. As I’m just waiting for a bunch of people arriving for dinner I’d better leave this until tomorrow. I’ll get back with results.

I tried modifying sentry.php, but I clearly did something wrong as I couln’t get it to work. When I went to the site afterwards it just displayed code.

However, I’m totally happy to use https://raycastell.co.uk/wordpress as the normal site address. As you say, it then works fine.

This really is a useful plugin.

0.5.2 is now available and should fix this problem.

Gabe

Thanks Gabe. I’ll install it later today.

I may not have updated correctly. I downloaded version 0.5.2 and unzipped it. I then copied the unzipped folder to plugins and selected ‘merge’ when asked, then copy and replace for all other files. Now I find that I am having to log in to every single page both when I access the site using https://www.raycastell.co.uk and https://raycastell.co.uk

Hmm.

I’m not sure what the story is.

I’m not sure how you got to the ‘merge’ prompt, so I would recommend deleting the plugin completely from your installation (settings will be preserved), and then reinstall it from within the WordPress UI (Plugins -> Add New).

Are you on the latest version of WordPress?

Gabe

Sorry Gabe. I see that you’ve tried to enter the site. I’d removed your login. It should be back now.

I deleted friendsonly and reinstalled it at you suggested, but the issue persists I’m afraid.

Let me know if there is anything else you want me to try.

I can’t replicate the bug, sorry. I’m only being asked for my login once (I’ve tried two different browsers).

Can I suggest you make sure that you quit / reopen your web browser and try again?

There’s also a new version of the plugin with a couple of tiny tweaks (but which probably won’t affect the issue you’re seeing).