XF 1.5 ** URGENT **: LOGIN PROBLEM

flowerpot132

Active member
Our users and us (admins) are experiencing a problem logging into our forum. One of the admins could not login even though he was DEFINITELY typing in the correct password. I sat next to him and watched him.

Also members are saying:
"I have had to reset my password twice in the last couple of days, but still I am not being allowed access to the members content. I have reset it again this morning, but still keep getting the message “ you need to be registered”.

So I reset her password to "password" and told her to login using that.

She said:
"I have just tried that and it still won’t let me in – telling me my password is incorrect. I have tried 3 times."

Nothing has changed on the forum. Addons etc.

Any help, much appreciated. Thank you
 
Note that we don't guarantee staff responses on the forum. If you want a guaranteed staff response, you need to submit a ticket via your customer area.

Is this specifically down to users getting incorrect password errors? Or them not becoming logged in after a successful authentication?

If it's the former, it should affect all users. If so, that would indicate that your PHP version changed from a newer version to a much older version which doesn't support the secure authentication system we use. You'll need to switch your PHP version back.

If it's the latter, does "stay logged in" help? If not, then I suspect the issue may be caching/reverse proxy settings outside of XenForo.
 
Hi Mike

Sorry I wasn't aware of that with the ticket system. Do you want me to start one now?

The password is correct, but the forum won't let them login....
One of the admins could not login even though he was DEFINITELY typing in the correct password. I sat next to him and watched him.

The "stay logged in" wouldn't help as they have not managed to login....
"I have just tried that and it still won’t let me in – telling me my password is incorrect. I have tried 3 times."


caching/reverse proxy settings outside of XenForo.
What does that mean? Nothing has changed our end since last night, then this issue began this morning. On many different computers, networks and set ups.
 
Also members are saying:
"I have had to reset my password twice in the last couple of days, but still I am not being allowed access to the members content. I have reset it again this morning, but still keep getting the message “ you need to be registered”.

So I reset her password to "password" and told her to login using that.

She said:
"I have just tried that and it still won’t let me in – telling me my password is incorrect. I have tried 3 times."
There are potentially two different issues mentioned here.

The first quote suggests they are getting a message "you need to be registered". That doesn't necessarily indicate their password is not being accepted. That sounds like the login isn't taking effect or they are being logged in and they are getting a permissions error (though perhaps a custom one because we don't have a phrase similar to that).

The second quote suggests the password is incorrect.

It really isn't clear if this is an issue affecting a small number of users, or all users, or exactly what they are experiencing. Ideally, we need you to explain in detail how to reproduce the issue.

For example if you reset a password to "password" and then log in yourself, can you? If you can't, what actually happens? Copying and pasting error messages or taking screenshots is going to be more useful than paraphrasing them.

If this isn't affecting everyone, then it's potentially just coincidence or something specific to the affected users.
 
Simply, some users are going to the login page, entering the correct username and password and getting a message saying "incorrect password". Let's say the password is "123hello".

I can login with the same username and password ("123hello") on my computer and log in fine.
 
If the same username and password is working for you, but not working for them, then there's not a lot we can help with. It would suggest a problem exclusively with that user, such as an issue with what they are doing, or a problem with their environment.

It's also worth noting the first quote in your first post didn't mention anything about the password being wrong. It says "you need to be registered". It's not totally clear what would cause such a message as that's not a default error message that we would show.
 
It would suggest a problem exclusively with that user, such as an issue with what they are doing, or a problem with their environment.
I have replicated this on the same machine. Not being able to login on Chrome, then opening up an new incognito browser within Chrome and being able to login. Again using the EXACT same user and password.

It's also worth noting the first quote in your first post didn't mention anything about the password being wrong. It says "you need to be registered". It's not totally clear what would cause such a message as that's not a default error message that we would show.
That's just them going to thread url and our forum displays that message.

Thanks
 
BUMP.
Sorry I wasn't aware of that with the ticket system. Do you want me to start one now?

Users now saying:
"I got logged in but then I tried to navigate to a different section and got thrown out, with the message saying I have to log in to access that section, and then it won’t accept my log in details again."
 
That's a different problem. Your initial problem generally seems to point to a client side issue. The only reason a password wouldn't be accepted in one window while being accepted in another is if a different password is being sent between them. That would presumably be a client side issue.

In terms of the getting logged out thing, please see my first post and the particular question of: does "stay logged in" help? If so, then it is likely some sort of reverse proxy issue. If not, then it could still be a reverse proxy, but the debugging is quite different. That said, this should generally affect most people. (Can you reproduce this?)

As usual, we'd recommend the standard debugging process: disable all add-ons and confirm the issues on a 100% default style. This eliminates a huge number of variables.
 
(Can you reproduce this?)
I have managed to. But not again. It is not affecting everyone.

In terms of the getting logged out thing, please see my first post and the particular question of: does "stay logged in" help?
This is impossible as they can't login in the first place. Also some users do not want to use that, so not a solution.

The forum is some how not remembering the password. It's not client or browser side, it's the website (XF). Must be no?
 
This is impossible as they can't login in the first place. Also some users do not want to use that, so not a solution.
Your last message indicated a user logged in and then being logged out, so I was responding to that.

I'd note that if this spontaneously changed without you doing anything, your host changing something would be the most likely other area to check. That would potentially be fitting with the types of issues.

I would check the issues with all add-ons disabled and with the default style. If users are still having issues, it'd be worth seeing if they register here, if they have similar issues.
 
BUMP.


Users now saying:
"I got logged in but then I tried to navigate to a different section and got thrown out, with the message saying I have to log in to access that section, and then it won’t accept my log in details again."
If one link is https and the othe link is http you can get logged out.

Or maybe it was www. Vs not www links.
 
Last edited:
Ahhhh. Our homepage (magento) is secure but forum (xf) is not yet. Could that be it?
yes, we had a similar issue and enforcing https site-wide has solved it.
You can work around temporarily by manually adding HTTPS:// into your browser at the start of your XF page url, but if you hit a link in the header for example which is specifically pointing to HTTP:// then it will appear to log you out
 
That'd only affect if the URL changed during sessions. For example if they access using one URL, if they access your same site via a different one the session cookie will not be present.

Ensure you're loading the site over the configured board URL then, generally, you should be able to rule out changing URL structure as a reason.

Consider risks before using SSL with XF. e.g. Many video embed sites are still http
 
Top Bottom