Hello,

    one of our users has recently received the following error message and cannot log in

    Cannot complete login: Invalid state data. (Invalid nonce)

    What could be the problem, the login works fine with other applications?
    Browser: Chrome, cleared cookies and cache
    WordPress: 6.2

Viewing 7 replies - 1 through 7 (of 7 total)
    Plugin Author Marco

    (@qlcvea)

    Hello,

    this error message appears when the “state” parameter in the callback URL is incorrect.

    The parameter value is generated by the plugin and should be relayed as-is by Microsoft after login is complete, so it is either not being generated properly or it is getting mangled in transit somehow.

    For troubleshooting, could you send the portion of the callback URL (the URL of the page where the error appears) between “state=” and the next “&” symbol?

    Thread Starter mphilipp

    (@mphilipp)

    Hello,

    Here are some state parameters:

    %7b%22nonce%22%3a%22351c862e7f%22%7d
    %7b%22nonce%22%3a%221987785f3a%22%7d

    Can you help me?

    Plugin Author Marco

    (@qlcvea)

    The state parameter looks correct, however I am having trouble reproducing the issue.

    The login process relies on WordPress nonces, which get invalidated after logging in or when changing IP address.
    Therefore, I see three possible ways to cause this issue:

    • The user’s IP address changes between when the plugin redirects them to Microsoft for login and when they return; or
    • The user is already logged in and uses the “Homepage / Login URL” in the plugin settings to access the site (for example, from the Office.com homepage) and login cookies are set to SameSite=Strict, which means they won’t be presented by the browser to the website when returning from Microsoft; or
    • The user logs in from another tab or window during the portion of the login process that takes place on Microsoft’s website.

    I realize these scenarios are very unlikely. I was unable to come up with other options to trigger this error.

    A list of other plugins in use may be helpful to attempt to replicate the error.

    Thread Starter mphilipp

    (@mphilipp)

    Hello,

    These are the other plugins:

    • Allow Multiple Accounts
    • Change Mail Sender
    • Contact Form 7
    • CookieYes | GDPR Cookie Consent
    • Customizer Export/Import
    • Enable Media Replace
    • Folders
    • Import WP
    • Kadence WooCommerce Email Designer
    • Local Google Fonts
    • Loco Translate
    • Mail logging – WP Mail Catcher
    • Minimal Coming Soon & Maintenance Mode
    • NinjaFirewall (WP Edition)
    • Pods – Custom Content Types and Fields
    • Polylang
    • Reusable Content Blocks
    • Send Users Email
    • Site Kit by Google
    • The SEO Framework
    • WooCommerce
    • WordPress Importer
    • WP Taxonomy Order
    • WP-Optimize – Clean, Compress, Cache
    • WPBakery Page Builder
    • YaySMTP – Simple WP SMTP Mail
    • Yoast Duplicate Post

    The error doesn’t happen to everyone, but it’s becoming more common now.

    Plugin Author Marco

    (@qlcvea)

    I’m sorry, unfortunately I can’t reproduce the problem. Out of your plugin list, only Allow Multiple Accounts and NinjaFirewall stand out to me as potentially being able to cause issues, although I do not know how that could happen.

    Thread Starter mphilipp

    (@mphilipp)

    Regarding this part “… and login cookies are set to SameSite=Strict …”:

    Can you tell me which cookies to look for? For example, what could they be called?

    Plugin Author Marco

    (@qlcvea)

    I was referring to the regular WordPress login cookies.

    This plugin does not use cookies itself, instead it uses WordPress’ nonce feature, which relies on an IP address for logged out users and a login cookie for logged in users.

    If a user is already logged in when they start the SSO process (i.e. visiting the /sso_for_azure_ad/start/ or ?sso_for_azure_ad=start URLs shown in the plugin settings) then there may be issues if WordPress cookies are set to SameSite=Strict, since the user would be issued a nonce tied to their login cookie, but their browser would not present that cookie to WordPress when getting redirected from the Microsoft login page back to the plugin callback page, which would then cause nonce validation to fail.
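The mechanism the plugin author describes (a nonce embedded as JSON in the OAuth `state` parameter, tied to the user's identity at the moment it was issued) can be modelled end to end. The following is an added example, not code from the plugin or from WordPress core: it reimplements the shape of `wp_create_nonce()` / `wp_verify_nonce()` (tick|action|uid|token hashed, ten characters kept, current and previous tick accepted) with a constructed salt, maps a logged-in user to their session token and a logged-out user to their IP address as the post describes (an assumption about how the plugin keys nonces), and then replays the three failure scenarios from the thread: same cookie on return, cookie withheld by SameSite=Strict, and IP change while logged out. The callback URL, action name and session tokens are invented for the example.

```python
"""Model of an OAuth 'state' parameter carrying a WordPress-style nonce.

Added illustration only: not the plugin's code, not WordPress core. The salt,
action name, session tokens and callback URL below are constructed.
"""
import hashlib
import hmac
import json
import math
import time
from urllib.parse import parse_qs, quote, urlparse

NONCE_SALT = b"constructed-nonce-salt-for-this-example"  # stands in for NONCE_KEY/NONCE_SALT
NONCE_LIFE = 24 * 60 * 60   # WordPress default nonce lifetime: one day
ACTION = "sso_for_azure_ad_state"  # hypothetical nonce action name
ERROR = "Cannot complete login: Invalid state data. (Invalid nonce)"


def nonce_tick(now=None):
    """Like wp_nonce_tick(): the lifetime is split into two half-life ticks."""
    now = time.time() if now is None else now
    return math.ceil(now / (NONCE_LIFE / 2))


def wp_hash(data):
    """Like wp_hash($data, 'nonce'): HMAC-MD5 under the nonce salt."""
    return hmac.new(NONCE_SALT, data.encode(), hashlib.md5).hexdigest()


def create_nonce(action, uid, token, now=None):
    """Like wp_create_nonce(): 10 chars of hash(tick|action|uid|token)."""
    return wp_hash(f"{nonce_tick(now)}|{action}|{uid}|{token}")[-12:-2]


def verify_nonce(nonce, action, uid, token, now=None):
    """Like wp_verify_nonce(): 1 for the current tick, 2 for the previous, else False."""
    i = nonce_tick(now)
    if nonce == wp_hash(f"{i}|{action}|{uid}|{token}")[-12:-2]:
        return 1
    if nonce == wp_hash(f"{i - 1}|{action}|{uid}|{token}")[-12:-2]:
        return 2
    return False


def state_from_callback(url):
    """Decode the JSON object carried in the callback's state= parameter.

    parse_qs percent-decodes for us, so %7b%22nonce%22... becomes {"nonce": ...}.
    """
    return json.loads(parse_qs(urlparse(url).query)["state"][0])


def identity(session_token, client_ip):
    """Who the nonce is bound to, per the thread: logged-in users by login
    session, logged-out users by IP address (assumption about the plugin)."""
    if session_token:
        return 1, session_token        # (uid, session token) of a logged-in user
    return 0, client_ip                # logged-out: uid 0, keyed by IP


def login_roundtrip(start_token, start_ip, return_token, return_ip, now=1_700_000_000):
    """Simulate start -> Microsoft -> callback and return the plugin's verdict.

    start_*  : cookie/IP the browser presented when the nonce was issued
    return_* : cookie/IP the browser presented on the callback request
    """
    uid, tok = identity(start_token, start_ip)
    state = {"nonce": create_nonce(ACTION, uid, tok, now)}
    # Microsoft relays state= unchanged; the plugin only ever sees the URL.
    url = ("https://example.test/sso_for_azure_ad/callback?state="
           + quote(json.dumps(state, separators=(",", ":"))) + "&code=constructed")
    nonce = state_from_callback(url)["nonce"]
    uid2, tok2 = identity(return_token, return_ip)
    return "ok" if verify_nonce(nonce, ACTION, uid2, tok2, now) else ERROR


if __name__ == "__main__":
    ip = "203.0.113.5"
    print("same cookie on return      :", login_roundtrip("sess-abc", ip, "sess-abc", ip))
    print("cookie withheld (SameSite) :", login_roundtrip("sess-abc", ip, None, ip))
    print("logged out, IP changed     :", login_roundtrip(None, ip, None, "198.51.100.9"))
```

The two state values posted in the thread decode to `{"nonce":"351c862e7f"}` and `{"nonce":"1987785f3a"}`, i.e. the same ten-character shape `create_nonce()` produces, which is why the author judged the parameter itself well-formed: the failure is in what the callback request is bound to (cookie or IP), not in the transport of `state`.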

  • The topic ‘Cannot complete login: invalid state data. (Invalid nonce)’ is closed to new replies.