Hi @hasinthawk
The problem on your site is that the /wp-login.php is not available, it redirects to your /login page. By default Nextend Social Login uses the /wp-login.php page to handle the login and registration flow.
When the wp-login.php page isn’t accessible then you need to create custom pages for Nextend Social Login to handle the login flow.
First create an empty page what you will not use for anything else, then at Global Settings -> General tab:
https://nextendweb.com/nextend-social-login-docs/global-settings/
you should use the “OAuth redirect uri proxy page” setting. This means that our plugin will no longer use the /wp-login.php page for the API connection, but the custom page you created and selected here. At your API settings you made, for example at Facebook:
https://nextendweb.com/nextend-social-login-docs/provider-facebook/#configuration
you have to change the step 12. setting, to change the URL for the API. This also changes the URL on the social login button.
You’ll need to repeat this step at each configured provier.
Then create another new page again, and also at the Global settings:
https://nextendweb.com/nextend-social-login-docs/global-settings/
you will find a “Page for register flow” setting. To the new page’s description you should add the given shortcode, [nextend_social_login_register_flow]. Then select that page with our settings. This page will be used to ask “custom data”, such as an email address from the users who register with Nextend Social Login.
Hi Romana
Thanks heaps for the prompt response. I did as you advised.
1. Upon clicking the login with facebook button and selecting the fb account to login, i’m getting this error “Error: Unable to validate CSRF state”
2. Unable to enable google provider settings. The popup redirects to the empty page (proxy page) and stays there. Nothing happens
3. Twitter upon selecting the account throws this error “Error: Unexpected response: Request token missing”
Please help. I can provide you backend access if needed.
Best Regards
Hi @hasinthawk
The “Error: Unable to validate CSRF state” error generally happens because of server related cookie caches:
https://nextendweb.com/nextend-social-login-docs/common-error-messages/#csrf
I recommend contacting your host about their cookie caching, and try getting “SESSnsl” whitelisted.
I’ve seen the “Request token missing” error at Twitter happening because of this, so I think sorting the CSRF error will get this fixed. Probably the Google error happens because of the same reason, but let me know if the Google or Twitter error persists after fixing the CSRF state error.
Thanks Romana will check on this.
But we don’t use any cache plugins or caching services.
Is there any other reason that could cause this.
hI Romana,
A question. Is this cookie set by a JS script?
We’ve used HTTPOnly directive in our htaccess file. Could this be the issue causing the problem?
Best Regards
Hi Romana
Removed the HTTPOnly flag and can login using FB now. But google and twitter situations remain the same.
Plugin Support
Laszlo
(@laszloszalvak)
Hi @hasinthawk
The cookie gets set with the PHP setcookie() method:
But returning to your problem, I also checked the linked page and I can still see the same problem with both Facebook and Twitter.
However once you are logged into the provider and you refresh the page (where we display the error), the login starts working.
Also as I see we are able to set the cookie, but the first time when the provider redirects the user back to your site, we are probably not able to get the stored state value from your site, and the problem occurs.
Is it possible that you have an Object Cache? ( You should check it on the Must Use / Drop Ins tab of your plugins list. ) If you do, then I could imagine that, it was configured wrongly, or it wasn’t configured at all, so it messes up the site transients and we won’t be able to get the data from it.
If you have an Object Cache indeed, then you should disable it and see if that makes any difference.
( If you can not find any options to disable it, then you should locate the files of the Object Cache in your /wp-content folder, and move them out from the /wp-content folder, temporarily that should disable it. )
Best regards,
Laszlo.
Hi Lazlo
Good evening
Thanks for the detailed reply. There are not anything listed as Must use or Drop in plugins
Please help
Best Regards
Plugin Support
Laszlo
(@laszloszalvak)
Hi @hasinthawk
In this case, the problem is probably connected to that something blocks the cross-site requests on your server.
Since this problem only seems to occur, if the origin of the request is the provider.
If the origin of the request is your own site, then it seems to allow the request and the login works fine.
As a next step, I would suggest continuing with a Plugin/Theme conflict test. So basically you should:
-disable all plugins on your site ( except Nextend Social Login )
-change your theme to a WordPress default one, like Twenty Twenty-One
-then open a the browser in Incognito mode / Private browsing mode and see if the problem still occurs.
If the problem no longer occurs, then you should start enabling the plugins one by one, or in small groups, then close the Incognito mode browser -> reopen it, and check the login again. ( It is important to close all incognito browser tabs each time you check the results! ) Once the problem starts occurring again, you managed to find the cause of the problem.
As a first guess, I would suggest starting the conflict test with security plugins, if you have any.
Hi Laszlo
Let me copy here an extract from our .htaccess file for your reference
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000;includeSubDomains;preload"
Header set X-Content-Type-Options nosniff
Header set Referrer-Policy "same-origin"
Header set Feature-Policy "geolocation 'self'"
Header set X-XSS-Protection "1; mode=block"
Header set Permissions-Policy: geolocation=(),camera=()
Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure; SameSite=Strict"
Header append X-FRAME-OPTIONS "SAMEORIGIN"
</IfModule>
Is there any directive that could cause this issue?
Best REgards
Plugin Support
Laszlo
(@laszloszalvak)
Hi @hasinthawk
I added your directives to the .htaccess file of one of my local test sites, and the login still worked fine for me.
Anyways have you managed to perform the plugin/theme conflict test as I suggested in my previous reply? Did you see the problem even if you had all plugins disabled, except Nextend Social Login?
If you did, then you could try removing all of these Headers from your .htaccess, and see if that makes any difference.
If it does, then you could try adding them back, one by one and check the results, that way.
Note: Earlier I have met cases where people experienced problems with the cookies on their website, because of the “SameSite=Strict” attribute, so maybe you could try setting that to “Lax ” or “None”.
Hi Laszlo
Commenting out the directives did work for FB and twitter. However i can’t even verify setting for Google. The popup loads the empty oauth-redirect-uri-proxy-page and that’s it. Nothing happens afterwards.
Could you shed some insight into this.
Best Regards
Plugin Support
Laszlo
(@laszloszalvak)
Hi @hasinthawk
That is strange, since when you click on the Verify Settings button, that should start a “test” authentication process, so that endpoint should redirect you to the authentication screen of Google.
But if you experience this problem only with Google, then some servers have a Firewall ( usually ModSecurity ) that blocks the requests of Google, since when it redirects the user back to your site, they will add query strings:
to the URL, which contains a word ( .profile ) that is black listed by ModSecurity, so the Firewall will automatically block those requests.
So if you have a Firewall on your server, then could you try disabling it and see if that fixes the problem? If it fixes the problem, then you could enable it again, then let me know and I will give you some additional tips.
Best regards,
Laszlo.
Hi Laszlo
Good Evening! many thanks for the detailed response. Highly appreciated.
The problem is no more. dunno the exact reason.
Best Regards
Plugin Support
Laszlo
(@laszloszalvak)
Hi @hasinthawk
As I see meanwhile you managed to enable the Google provider as well, and the login worked fine with that, too.
In either ways I am glad the problem no longer occurs.
If you have any other question or problem, just let us know!
Best regards,
Laszlo.
