As designed Password Reset Broken with Cloudflare Smart Errors

#1
The issue is relatively simple.

XenForo_ControllerPublic_LostPassword::actionLost() line 66:
Code:
return $this->responseError(new XenForo_Phrase('requested_member_not_found'), 404);
This line results in a response code of 404, which Cloudflare Smart Errors interprets as a regular Page Not Found and replaces the page's contents with a help page. While I can temporarily fix this with custom page rules that disable Smart Errors for this particular page, I am very concerned about how many other pages behave similarly. With Cloudflare's insane popularity I think compatibility with it is essential.

My amateur suggestion would be to not ever respond with 404 error codes, because server software and reverse proxies may interpret it in a similar way and lead to some nasty edge cases.
 

imthebest

Well-known member
#2
I also use CF and the XenForo password reset feature works just fine.

Please take into account that some CF features might interfere with proper software operation, features like RocketLoader and in this case SmartErrors.

This being said, I don't see a bug here.
 

Mike

XenForo developer
Staff member
#3
This may be a situation where the 404 is inappropriate, but...
My amateur suggestion would be to not ever respond with 404 error codes, because server software and reverse proxies may interpret it in a similar way and lead to some nasty edge cases.
This is not something that will change. If a reverse proxy is throwing away the error page with specific details of the error because it returns the correct response code for an error of that type, that's a definite issue with the proxy.
 
#4
I also use CF and the XenForo password reset feature works just fine.

Please take into account that some CF features might interfere with proper software operation, features like RocketLoader and in this case SmartErrors.

This being said, I don't see a bug here.
You likely don't have SmartErrors enabled and thus no compatibility issue. While I agree that there are certain instances where what you say is true, I don't think this is one of them.
 

Jeremy P

Well-known member
#5
I'd bet there are more people running XF without CloudFlare than with it (though plenty do use it). I don't really see the appeal of SmartErrors at all to be honest.

Nevertheless, I think the lost password case is an odd one. It probably shouldn't be sending a 404 (seems like a bug), but the software definitely should respond with 404 error codes for pages that actually don't exist (non-existent threads, members, etc). If you don't want SmartErrors to intercept those actual 404 errors, then what exactly do you want it to do?
 

Mike

XenForo developer
Staff member
#7
I've changed the specific example given because I think it is probably wrong to respond with a 404 when a user enters an incorrect username.

However, the crux of the report seems to be that we should always be returning 200, which is definitely not what we're going to do; it's fundamentally incorrect. On that basis, I'm tagging this as "as designed".