Support » Plugin: Page Security & Membership » User redirect to Login Page causes problem / Security

  • Resolved bcharters

    (@bcharters)


    Since upgrading to the latest Page Security & Membership version 1.5.15, we’ve noticed a persistent annoying problem when trying to log in – the login screen just shakes and keeps you at the login page rather than taking you into the site. However, we discovered that the “back to <website>” link takes the user to the site protected by the Page Security plugin (so it seems like a security issue – probably not, since presumably the user being left logged in previously was acceptable).

    After some testing and research, the root cause seems to be that the user is “Logged-in”/authenticated to WordPress already, but WordPress doesn’t handle the “already authenticated user” nicely – there seems to be this fix http://wordpress.stackexchange.com/questions/194878/when-trying-to-login-if-already-logged-in-form-just-shakes-error-message-rema which is one option. Ideally the Page and Membership plugin would handle this WordPress already-authenticated situation by detecting that a user is already authenticated and not re-directing to the login page, or (variation on the code above) handle the WordPress already-logged-in scenario, or start the user from a more consistent spot by force “logging them out” before re-directing the user to the Login Page.

    https://wordpress.org/plugins/contexture-page-security/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter bcharters

    (@bcharters)

    Thinking about this, perhaps the simplest would be to check if the user is “Logged in” before re-directing them to the login page and doing:

    if ( is_user_logged_in() ) {
        wp_logout(); // LOG THEM OUT (my pseudo code :<)
    }

    If you’re going to send them to the login page anyway, because of the “Send anonymous users to login screen” being checked, then just log them out so they are in a predictable state for the Login. I’m not a programmer, so I’m not sure why the Plugin thinks they are “anonymous” while WordPress sees them as already logged in, but this only seems to happen when you come to the site for the first time, like entering the URL, so it shouldn’t be a major inconvenience and certainly less inconvenience than the way it is today, where we have to tell the users to click on the “back to <website>” link.

    Thread Starter bcharters

    (@bcharters)

    Does anyone know which PHP module the “re-direct” to the Logon screen is in for this plugin, so we can add in the:

    if ( is_user_logged_in() ) {
        wp_logout(); // LOG THEM OUT (my pseudo code :<)
    }

    ourselves to fix the issue?

    Any help appreciated.

    Plugin Author Matt van Andel

    (@veraxus)

    I’m torn as to whether this is in-scope or not.

    This is the function that would achieve what you’re looking for…

    // Redirect users who are already logged in away from the login/registration screens.
    add_action( 'wp_loaded', 'wp_login_redirect_logged_in_user', 0 );
    function wp_login_redirect_logged_in_user() {
        global $pagenow;

        if ( in_array( $pagenow, array( 'wp-login.php', 'wp-register.php' ), true ) ) {
            if ( is_user_logged_in() ) {
                // Send the user to their own profile page instead of the login form.
                $profile_page = get_edit_user_link( get_current_user_id() );

                wp_safe_redirect( $profile_page );

                die();
            }
        }
    }

    Thread Starter bcharters

    (@bcharters)

    We ended up putting a redirect in like recommended in the stack overflow article noted above for now. Essentially:

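    add_action( 'login_head', 'wpse_redirect_login', 1 );
    function wpse_redirect_login() {
        if ( is_user_logged_in() ) {
            // Already authenticated: bounce back to the dashboard.
            wp_redirect( admin_url() );
            exit; // Stop here so the login form is not rendered after the redirect.
        }
    }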

    It does this trick… When the plugin redirects the user to the Login screen, we check to see if the user is already logged in and, if so, we bounce them back. But couldn’t there just be a check to see if the user is already authenticated/logged in before sending them to the login screen?
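
An added example, not code from this thread or from the plugin: one way to do the "already logged in" check discussed above on WordPress's `login_init` hook, which runs before any login-page output, while leaving logout, other `action` values and forced re-authentication (`reauth`) untouched. The function name `example_skip_login_for_authenticated_user` and the choice of `admin_url()` as the fallback destination are assumptions.

```php
<?php
// Added example: keep authenticated visitors off the login form without
// breaking logout, password reset or forced re-authentication.
add_action( 'login_init', 'example_skip_login_for_authenticated_user' );

function example_skip_login_for_authenticated_user() {
    if ( ! is_user_logged_in() ) {
        return; // Anonymous visitor: show the login form as usual.
    }

    // wp-login.php also serves logout, lostpassword, postpass, etc.
    // Only the plain login screen should be skipped.
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : 'login';
    if ( 'login' !== $action ) {
        return;
    }

    // reauth=1 is WordPress asking for fresh credentials; interim-login is
    // the "session expired" popup. Both must still reach the form.
    if ( ! empty( $_REQUEST['reauth'] ) || isset( $_REQUEST['interim-login'] ) ) {
        return;
    }

    // Honour redirect_to only when it points at an allowed (same-site) host;
    // anything else falls back to the dashboard (assumed fallback).
    $fallback = admin_url();
    $target   = isset( $_REQUEST['redirect_to'] )
        ? wp_unslash( $_REQUEST['redirect_to'] )
        : $fallback;
    $target   = wp_validate_redirect( $target, $fallback );

    wp_safe_redirect( $target );
    exit; // Nothing after the redirect header should be sent.
}
```

If the page named in `redirect_to` is one the protecting plugin still treats the visitor as anonymous for, honouring it can bounce the user straight back to the login screen; in that case always send them to the fallback.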
