ElkArte Community

Elk Development => Bug Reports => Topic started by: Steeley on March 04, 2021, 07:42:44 pm

Title: Login Error(?) - Changed Email Reactivation
Post by: Steeley on March 04, 2021, 07:42:44 pm
If a user changes their email address, and email reactivation is configured, the user gets the email reactivation email, activates the link (click, or paste into browser) and is presented with the login screen.

So far, so good...

If the username and password are saved in the browser, and the user clicks on it to enter the forum, the user is directed to the forum URL:

{forum path}index.php?action=mentions;sa=fetch;api=json;lastsent=0

If the user "reloads" the forum [forum path url] they discover they are indeed logged in, but the user has to figure that out...

I don't think this is a configuration issue unique to my package / platform
(ElkArte v.1.1.6, PHP v. 7.2, Apache 2.4.46 over linux, MySql 5.6.51)

Thoughts?
Title: Re: Login Error(?) - Changed Email Reactivation
Post by: Spuds on March 04, 2021, 08:19:17 pm
Tried this (on my local install) and was not able to (yet) reproduce. 
Title: Re: Login Error(?) - Changed Email Reactivation
Post by: Steeley on March 04, 2021, 10:37:13 pm
Well, I just tried it again, and it was repeatable..  except, apparently, if you close the browser first...

Apparently, if I just stay on the page that says I need to reauthorize my account with the email that was just sent, retrieve the new email and click the link, that's when the error occurs. If I closed the browser first, it was fine..

[BTW, @Spuds the reactivation email does NOT have parentheses around the url, or a "link" tag.. for whatever that's worth regarding the other issue we were fussing over]

[Update: Confirmed, if you get off that notification page - close the browser, click the log-in button, whatever -, it works fine. If you stay on that page and click the re-authorization link in the email, you get the error as you log in.]
Title: Re: Login Error(?) - Changed Email Reactivation
Post by: Spuds on March 04, 2021, 11:43:47 pm
Does it do that only when the browser auto fills in the credentials?

Yeah on the link, I think it all has something to do with if you have the mailing list stuff enabled or not, let's just say there are many paths to sending the email, an area that needs to be cleaned up in 2.0, for now duct tape.
Title: Re: Login Error(?) - Changed Email Reactivation
Post by: Steeley on March 05, 2021, 03:42:43 am
"Does it do that only when the browser auto fills in the credentials?"

As it turns out it doesn't matter how the credentials are entered.

The "json page" only opens if the browser stays open on the "email address changed" page, when the link is activated and log in through the same browser (either the same tab or a different tab).

It does it in both Firefox and Edge, but...

It doesn't do it if you make the address change in one browser, stay on the "email address changed" page in that browser, and paste the link in a different browser and log back in with it - that works fine.

Maybe the easiest thing to do is add a message to the "email address changed" page to close the window before clicking the link and not worry about why.. :D
Title: Re: Login Error(?) - Changed Email Reactivation
Post by: Steeley on March 05, 2021, 04:22:57 am
Here's another possible wrinkle...

On my server, the forum is running in a username/password authenticated directory path (but the browsers are already "logged in" before the reactivation link is applied).

If you can't replicate the error, it may indeed be unique to my server configuration after all.
Title: Re: Login Error(?) - Changed Email Reactivation
Post by: emanuele on March 07, 2021, 11:14:53 am
@Spuds most likely is the usual problem with the redirect address being stored in session (IIRC) and keeping it even if it's a json or other general AJAX call?
I remember we added some protection at a certain point, not sure if maybe we missed one piece. *shrugs*
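
The failure mode emanuele suspects above, sketched as an added example (not from the thread and not ElkArte's own code): a post-login redirect target kept in the session gets overwritten by a background JSON request unless such requests are skipped. The function names, the `return_to` session key, the `/forum/` path, the `X-Requested-With` header and the request sequence are constructed for illustration; only the `api=json` URL shape comes from the report.

```php
<?php
// Added illustration; all names here are hypothetical, not ElkArte's.

/** Parse a query string in which ';' separates parameters as well as '&'. */
function parse_query(string $url): array
{
    $query = (string) parse_url($url, PHP_URL_QUERY);
    $params = [];
    foreach (preg_split('/[;&]/', $query, -1, PREG_SPLIT_NO_EMPTY) as $pair) {
        [$key, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $params[urldecode($key)] = urldecode($value);
    }
    return $params;
}

/** True for background/API calls that must never become a redirect target. */
function is_background_request(string $url, array $headers): bool
{
    $params = parse_query($url);
    return isset($params['api'])
        || strcasecmp($headers['X-Requested-With'] ?? '', 'XMLHttpRequest') === 0;
}

/** Record the URL to return to after login; with $guard on, skip background calls. */
function remember_url(array &$session, string $url, array $headers, bool $guard): void
{
    if ($guard && is_background_request($url, $headers)) {
        return;
    }
    $session['return_to'] = $url;
}

// Constructed sequence: a normal page view, then a background JSON fetch
// shaped like the URL in the report.
$requests = [
    ['/forum/index.php?action=profile;area=account', []],
    ['/forum/index.php?action=mentions;sa=fetch;api=json;lastsent=0',
        ['X-Requested-With' => 'XMLHttpRequest']],
];

foreach ([false, true] as $guard) {
    $session = [];
    foreach ($requests as [$url, $headers]) {
        remember_url($session, $url, $headers, $guard);
    }
    printf("guard=%s -> login redirects to %s\n", $guard ? 'on' : 'off', $session['return_to']);
}
```

With the guard off the stored target is the JSON endpoint, which matches the page Steeley lands on after logging in; with it on, the last real page view is kept.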
Title: Re: Login Error(?) - Changed Email Reactivation
Post by: Steeley on March 08, 2021, 02:09:32 am
Let me know if I need to provide more data to hunt it down and kill it.
If it's related to a call timing issue (and I'm ignorant of what's going on in the background with authentication in between page loads), it's possible, I'm guessing, that I've got a bit of a race issue with my set up that can't be duplicated otherwise.

I haven't looked into how easy it is to restore authentication data if I temporarily remove the directory protection to see if that's actually involved (there's a lot of users in that 'table'), so I haven't tried it yet.

If nobody else is experiencing it, that sorta puts the burden on me to deal with it. I have some ideas to work around it (I suggested one already), but I certainly wouldn't call any of them "elegant".  :-[
Title: Re: Login Error(?) - Changed Email Reactivation
Post by: Steeley on April 29, 2021, 07:23:26 am
I just deleted a previous reply/request for identifying a file in order to create a work-around. After giving it some more thought, I realized what I had in mind wouldn't solve the issue on my server set up anyway..  ::)