Redirects back to login page after clicking login button #112

Open
dhsathiya opened this issue Jul 12, 2022 · 16 comments
Labels: on hold, type/bug (something is broken)

@dhsathiya
Member

I have noticed that when visiting a site after a while and using the Login-with-Google plugin, after clicking the login button the site gets redirected back to the wp-login page again.

Previous observation:
The last time the issue occurred, I checked the requests and found that the redirect was a soft redirect - 302. And the network tab showed that it is from Disk Cache.

@nitun

nitun commented Jul 13, 2022

Hi @abhishekfdd
Please look into this issue and provide an update before EOD.

Keep posting updates on this task.

Thanks,

aviral-mittal added the labels priority/normal (something that should be fixed sooner), type/bug (something is broken) and priority/high (something that should be prioritised when taking up next issues), and removed priority/normal (something that should be fixed sooner), Jul 13, 2022
@abhishekfdd
Contributor

@dhsathiya Is there any particular step to reproduce this issue, as I was able to login fine every time?

@aviral-mittal

@abhishekfdd As discussed, please try to set a timeout and see if you are able to reproduce the issue.

@dhsathiya
Member Author

@abhishekfdd: I was discussing it with @chandrapatel. He has a theory regarding this. Please talk with Chandra once.

@abhishekfdd
Contributor

abhishekfdd commented Jul 20, 2022

To replicate:

  • Tried clearing cookie.
  • Tried decreasing session timeout.
  • Tried setting browser setting to resume with last session.

Nothing worked.

Discussed with @chandrapatel; the problem seems to be in redirection, but we are still not able to replicate the issue.

@nitun

nitun commented Jul 20, 2022

Thanks for checking this again.

If anyone faces the same issue, we will report it along with a screencast here.

Keeping this task on hold till that.

aviral-mittal added the labels on hold and can't reproduce (when the issue is not reproducing), and removed priority/high (something that should be prioritised when taking up next issues), Aug 2, 2022
aviral-mittal assigned elifvish and unassigned abhishekfdd, Sep 9, 2022
@aviral-mittal

@elifvish Can you take a look at this and figure out a solution?

@aviral-mittal

Hi @elifvish Any updates on this?

@elifvish
Contributor

elifvish commented Sep 12, 2022

Yes, I was able to reproduce the issue.
The issue is only reproducible when the wordpress_logged_in cookie is set and the user visits the login page with reauth=1 in the URL.
I have a few solutions in mind. Will try them today.
cc: @aviral-mittal

@aviral-mittal

@elifvish Please update with the solutions tried and if any of them worked.

@elifvish
Contributor

elifvish commented Sep 13, 2022

The root issue is that nonce verification fails if a user visits wp-login.php with reauth=1 in the query args and wordpress_logged_in.
This happens because, when the nonce is created, it checks whether the user is logged in or not, and uses the uid as part of the nonce.
Now when the login request is sent, wp_verify_nonce fails, as the reauth=1 parameter logs out the user, and when the user ID is fetched to verify the nonce it returns null.

Yesterday I tried a solution of redirecting to wp-login.php.
It worked, but I thought I should dig deep to check the root cause.

Now that I have found it, the only way to fix this is to redirect or refresh the login page if visited with reauth=1 and the wordpress_logged_in cookie set.
I tested the fix.
Will raise a PR soon once I find the best possible location to place the check.

cc: @aviral-mittal

elifvish removed the can't reproduce (when the issue is not reproducing) label, Sep 15, 2022
aviral-mittal added this to the V 1.2.3 milestone, Sep 15, 2022
elifvish added a commit that referenced this issue Sep 16, 2022
GH-112 : Redirects back to login page after clicking login button
@aviral-mittal

@Rink9 Need to test this fix as well.

@Rink9

Rink9 commented Sep 19, 2022

@aviral-mittal I have cross-checked this issue on the Chrome, Firefox, and Safari browsers after clearing all the caches and cookies. Currently it's working as expected on the production site on every browser. Also, the issue of redirecting back to the login page after clicking on the login button is resolved on the production site. We are good to close this issue as it's working fine now.

Screen.Recording.2022-09-19.at.4.00.30.PM.mov

Rink9 closed this as completed, Sep 19, 2022
dhsathiya reopened this, May 3, 2023
dhsathiya assigned gagan0123 and unassigned elifvish, May 3, 2023
@dhsathiya
Member Author

@gagan0123 Can you please look into this issue? It doesn't seem to be fixed, or it is happening again.
I am sending you a screen recording of the issue as well as a HAR export.

@gagan0123
Member

@dhsathiya

Thanks for providing the HAR file for debugging, as the issue is quite difficult to replicate.

From the HAR file I've deduced that for the first login attempt, when you are redirected back to the login page, it gives a 200 response code instead of 302 as it should have.

In code there are only three possible ways in which no error message would appear when the user is redirected back to the login page even on failure.

  1. The already existing cookies for the site make WordPress believe you are still logged in, and we already have a $user assigned for your login session. (Does not seem to be the case in your request.)
  2. The returned code or provider parameters are missing when redirected. (Again, not the case in your request.)
  3. If the nonce created for the login session expires before you are redirected back to the login page.

The third one seems plausible since the site you reported it for uses page-level caching.

Now if you are being served a cached version of the login page, in that case the issue of nonce failure can occur whenever the cache is older than the nonce expiration.

Will need to test this hypothesis. Keep you posted on the progress.
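
The two nonce-failure explanations given in this thread (a nonce bound to the logged-in user's ID that is verified after reauth=1 has logged the user out, and a cached login page older than the nonce lifetime) can be reproduced with a small model. This is an added example, not code from the plugin or from WordPress: it is a simplified Python model of the tick-and-HMAC scheme behind wp_create_nonce and wp_verify_nonce, and the salt, action name, user ID, session token and timestamp are constructed.

```python
import hashlib
import hmac
import math

NONCE_LIFE = 86400                 # WordPress default nonce lifetime: one day
SALT = b"constructed-nonce-salt"   # constructed stand-in for the site's nonce salt
ACTION = "login_with_google"       # constructed action name, not the plugin's


def nonce_tick(now):
    """Counter that advances every half lifetime."""
    return math.ceil(now / (NONCE_LIFE / 2))


def _hash(tick, action, uid, token):
    # The nonce covers tick, action, user ID and session token,
    # so a change in any one of them invalidates it.
    msg = f"{tick}|{action}|{uid}|{token}".encode()
    return hmac.new(SALT, msg, hashlib.md5).hexdigest()[-12:-2]


def create_nonce(action, uid, token, now):
    return _hash(nonce_tick(now), action, uid, token)


def verify_nonce(nonce, action, uid, token, now):
    """Return 1 (current tick), 2 (previous tick) or False."""
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        if hmac.compare_digest(_hash(t, action, uid, token), nonce):
            return age
    return False


def login_flow(render_uid, render_token, verify_uid, verify_token, page_age):
    """Create the nonce when the login page is rendered (possibly into a
    page cache) and verify it page_age seconds later as another identity."""
    t0 = 1_663_000_000  # constructed timestamp
    nonce = create_nonce(ACTION, render_uid, render_token, t0)
    return verify_nonce(nonce, ACTION, verify_uid, verify_token, t0 + page_age)


if __name__ == "__main__":
    print("anonymous, fresh page:      ", login_flow(0, "", 0, "", 60))
    print("uid 5 at render, 0 at check:", login_flow(5, "sess-abc", 0, "", 60))
    print("page cached for two days:   ", login_flow(0, "", 0, "", 2 * NONCE_LIFE))
```
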
