Support » Plugin: All In One WP Security & Firewall » Unable to access console when session expired

  • Steps to reproduce:
    1) Install plugins
    all-in-one-wp-security-and-firewall
    two-factor 0.1-dev-20180122
    2) In all-in-one-wp-security-and-firewall, activate the option to expire the session after a specific time
    3) Rename standard access page and enable captcha on login.
    3) Activate U2F factor (or maybe any other) in two-factor
    4) After the time has expired and the session has ended, try to log in again

    Expected results
    5. You will be able to log in with no problem.

    Actual results
    5. You are not able to log in. There is a warning message that the session is expired and you have to try again.

    Versions:
    WP core -4.9.4
    two-factor 0.1-dev-20180122
    all-in-one-wp-security-and-firewall 4.3.2

    The author of two-factor said that this is an all-in-one-wp-security-and-firewall session problem.
    https://github.com/georgestephanis/two-factor/issues/213#issuecomment-363738331

  • Plugin Contributor wpsolutions

    (@wpsolutions)

    Hi,
    When you are trying to log back in, does the URL contain many extra parts, ie, query parameters which begin with a “?” character?
    If so, have you tried deleting everything starting from the “?” character to the end and then trying to log in with the base URL which represents your renamed login page?

    Thread Starter VaultDweller

    (@vaultdweller)

    The URL after entering the correct OTP password is the following:

    http://MYURL.DOMAIN/tuktuk?redirect_to=http%3A%2F%2FMYURL.DOMAIN%2Fwp-admin%2F&aiowps_login_msg_id=session_expired

    where MYURL.DOMAIN is my domain.

    If I delete everything after the ?, everything is the same. I am not able to log in 🙁

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Hi,
    I did some tests and here’s what I think is happening:
    Both the aiowps and the two-factor plugins are hooking into the wp_login action hook with the same priority of 10.

    So during login, the two-factor hooks into the “wp_login” before the aiowps plugin.
    The two-factor plugin has a function called “wp_login” where it displays the form and then uses the PHP “exit” command.

    But the problem is that after this, the aiowps plugin does not get a chance to hook into the wp_login action which means it never updates the “last_login_time”.
    In other words the two-factor plugin is terminating execution after it does its thing but this is preventing other plugins from trying to hook into that same action hook.

    For now an easy fix is to set the aiowps priority to 9 which means it will get a chance to hook into that action before the two-factor plugin.

    I will make this small change for the next release but you can manually do it yourself now if you wish.
    Edit the wp-security-core.php file and look for the following line:

    add_action('wp_login', array('AIOWPSecurity_User_Login', 'wp_login_action_handler'), 10, 2);

    Change the above to the following:

    add_action('wp_login', array('AIOWPSecurity_User_Login', 'wp_login_action_handler'), 9, 2);

    This change will fix this issue, but I wonder whether the two-factor code will affect other plugins which are also hooking into wp_login with priority 10 or higher?

    Plugin Contributor wpsolutions

    (@wpsolutions)

    I forgot to say – it will be a better solution to ask the two-factor plugin developer to bump up the priority number in their code for the wp_login hook, ie, they should use a priority larger than 10.
    By doing that they may prevent issues with other plugins which also use the wp_login hook.
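
The hook-ordering problem described in the replies above, as an added example that is not part of the thread or of either plugin's code: a simplified PHP model of WordPress action dispatch, showing that a callback which halts the request at priority 10 skips a session handler registered after it at priority 10, while a handler at priority 9 still runs. Assumptions: `add_action_model`, `do_action_model`, `Halted` and `simulate_login` are hypothetical names, an exception stands in for PHP's `exit`, and the handler bodies are placeholders.

```php
<?php
// Simplified model of WordPress action dispatch (an assumption of this example):
// callbacks run in ascending priority; equal priorities run in registration order.
$hooks = [];

// Stands in for PHP's exit so the script can report what was skipped.
class Halted extends Exception {}

function add_action_model(string $hook, callable $cb, int $priority = 10): void {
    global $hooks;
    $hooks[$hook][$priority][] = $cb;
}

function do_action_model(string $hook, ...$args): array {
    global $hooks;
    $trace = [];
    $by_priority = $hooks[$hook] ?? [];
    ksort($by_priority, SORT_NUMERIC);
    try {
        foreach ($by_priority as $callbacks) {
            foreach ($callbacks as $cb) {
                $trace[] = $cb(...$args);
            }
        }
    } catch (Halted $e) {
        // Everything still queued for this hook is skipped, as with exit.
        $trace[] = $e->getMessage() . ' [request ends here]';
    }
    return $trace;
}

function simulate_login(int $session_priority): array {
    global $hooks;
    $hooks = [];
    // Registered first at priority 10: shows the second-factor form, then halts.
    add_action_model('wp_login', function (string $user) {
        throw new Halted('two-factor: render form');
    }, 10);
    // Session bookkeeping handler; its priority is the value under test.
    add_action_model('wp_login', function (string $user) {
        return "session handler: last_login_time updated for $user";
    }, $session_priority);
    return do_action_model('wp_login', 'alice'); // 'alice' is a constructed user
}

foreach ([10, 9] as $priority) {
    echo "session handler priority $priority:\n  ",
        implode("\n  ", simulate_login($priority)), "\n";
}
```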
