XF 2.0 Too many re-directs error at login - forcing user to accept privacy and terms - user errors at /account/security

Chernabog

I have a member who's having a challenge when logging into the site that I have not been able to replicate. The server is not throwing any errors for me to review in ACP and the member's browser console is not reporting any errors either.

Here is what the member provided me from their web visit:

Code:
it asked me to login, when i do, it forwards me, but I get an error page with "too many redirects" as the message. This will likely be due to a recursion in the url rewriting. The URL in question is
titanx.games/misc/accept-privacy-policy?_xfRedirect=https%3A%2F%2Ftitanx.games%2Faccount%2Fsecurity
refreshing the page with the same url, asks to resubmit my login (as is expected since login was the last action/form) and the page loaded fine

well, i say loaded fine, it loads the page, but the site gives me;
OOPS! IT SEEMS THE PATH YOU HAVE CHOSEN IS BLOCKED, ADVENTURER.
Security error occurred. Please press back, refresh the page, and try again.
however, i am indeed successfully logged in
clicked "Home" - it gave me the error with "too many redirects" again
offending url is
titanx.games/misc/accept-privacy-policy?_xfRedirect=https%3A%2F%2Ftitanx.games%2Faccount%2Fsecurity

appears it's trying to get me to do the terms of service agreement or something
this registration/login flow will definitely need fixed for new members, i doubt it happens with people already logged in, which is prolly why you haven't had it happen to you
yea, seems that the base url;
titanx.games/account/security

will throw that "too many redirects" error, it cannot be loaded at all

Any help is appreciated, thank you!
 
Sorry, I was going to try to move this or delete this and repost it in XF2 troubleshooting where it probably is more properly suited. Sorry for the wrong forum/category, moderators.
 
Hmm, do you require registered users to have 2fa enabled? It looks like there's a bug where (by default) the terms and rules and 2fa requirements aren't compatible (though in my testing that didn't cause a redirect loop).

Liam
 
I agree with Liam, there seems to be something else at play here.

I can't actually think of any situation where we would attempt to redirect any user to account/security on login which is what I think is happening here.

Do you have any security related add-ons? Or password related add-ons? Perhaps something that forces a password reset for users, or forces users to change their passwords periodically or something like that?

I'll move to troubleshooting for now, but the bug mentioned above by Liam is fixed (we do not assert policy acceptance for two-step actions any longer in XF 2.0+).
 
I did have two step turned on, but turned it off just to test. I am waiting for the end user to let me know if that corrected the challenge. However, I did make it necessary for my staff members to have particular password requirements and resets using @DragonByte Tech Security add-on... I do not see any ACP side errors in my log, but it sounds like from what you're saying @Chris D that perhaps some kind of conflict may be happening between the site wanting the end user to accept terms and policies - while the add-on may be trying to force a password reset/change..?

I haven't had anyone else say it's an issue yet but the one user.
 