XF 1.5 Users not being allowed to login or new accounts being created

[leslie dow]

Hi all
Having an odd issue this am. My site (running v.1.5.5) is not allowing users to log in. When they try they get the login screen again, no errors. But when I try to create a new account, I get a "security error".

I've had some odd problems with the firewall yesterday (I use Sucuri for that) and they are looking into it, but I have active users logged in now and I am logged in just fine.

I don't see any errors in the ACP or in my server error log that might be associated with this. Errors that originate from my IP address, I mean.

I have support requests into my h0sting service and Sucuri, but am trying to cover all my bases. Any suggestions?

Thanks
Leslie

 

[leslie dow]

Oh, also I disabled the onlhy new addon that I have installed in the past week, which was Widget Framework. One that seems to be pretty stable. So I dont think its an addon.
thanks

 

[Paul B]

This sounds identical to a ticket I dealt with yesterday.

As far as I could tell it was related to some sort of caching on the server and Sucuri was involved there too.

It's going to be something server side, which your host will have to investigate and resolve.

 

[SatGuyScott]

Brogan what was the solution to that? I am having this issue as well where some users can log in but they are not logged in except on pages such as help. I am using Sucuri as well.

 

[leslie dow]

Thaks! That is what it looks like on my end. I did disable all the addons and that did not fix it. Just for anyone else with this issue. @Brogan can I reference that issue with Sucuri? It might help resolve this.
leslie

 

[Paul B]

The ticket author hasn't come back with any details on what was causing it and what the fix is.

@Cyb3r, did your host manage to resolve it?

 

[Paul B]

As an aside, checking "Stay logged in" may work - the presence of the additional cookie may be enough to bust the cache.

 

[Cyb3r]

The ticket author hasn't come back with any details on what was causing it and what the fix is.

@Cyb3r, did your host manage to resolve it?

Well they responded too late. I had to install an add-on to force remember the password which fixes the problem temporarily. From my point of view I don't think it's related to server issue since it can be solved with something like remember password. I don't know what it might be because I have done everything on my side, I even disabled all Sucuri features and all add-ons to debug the issue but nothing seems to fix it except force remember password.

 

[Paul B]

From my point of view I don't think it's related to server issue since it can be solved with something like remember password.

It's definitely a server side issue.

I logged in to your site and then opened an incognito window and I was still logged in, in the incognito window.
That should never happen.

 

[Cyb3r]

Oh, also I disabled the onlhy new addon that I have installed in the past week, which was Widget Framework. One that seems to be pretty stable. So I dont think its an addon.
thanks

Use this add-on as a temporarily solution: https://xenforo.com/community/resources/force-remember-password.4250/

Can you please keep us updated with any solution they might come up with because I really hate to wait them to respond 10+ hours after I ask them anything.

For more debugging I will import my site to a sandbox on my other server which doesn't have a firewall and see if that helps.

 

[leslie dow]

FYI, I had this issue as well. I think I have fixed it by doing the following:

"Just to close the loop on this, I passed your information on to Sucuri and then disabled all cachig on the Sucuri side. That fixed the issue. I have let them know. "
Thanks!

 

[Cyb3r]

FYI, I had this issue as well. I think I have fixed it by doing the following:

"Just to close the loop on this, I passed your information on to Sucuri and then disabled all cachig on the Sucuri side. That fixed the issue. I have let them know. "
Thanks!

Yeah that solved my issue. Thanks.

 

[Paul B]

I thought your host said they had already disabled it all?

 

[leslie dow]

@Cyb3r I have also let Sucuir know that the issues that I am seeing is similar to yours. They, of course, say its not their problem. How frustrating! Glad it fixed yours as well.
best
leslie

 

[Cyb3r]

I thought your host said they had already disabled it all?

They only refreshed the cache after I disabled the option "Additional Security Headers added to your site".

But yeah I disabled all the options except the caching because it was on a separate page so I didn't see it. TBH I didn't even know there is an option to clear/disable the cache from my end.

@Cyb3r I have also let Sucuir know that the issues that I am seeing is similar to yours. They, of course, say its not their problem. How frustrating! Glad it fixed yours as well.
best
leslie

Yeah they just responded to me saying I could keep the site caching only instead of disabling it. So I will try that and see.

 

[leslie dow]

They only refreshed the cache after I disabled the option "Additional Security Headers added to your site".

But yeah I disabled all the options except the caching because it was on a separate page so I didn't see it. TBH I didn't even know there is an option to clear/disable the cache from my end.



Yeah, they just responded to me saying I could keep the site caching only instead of disabling it. So I will try that and see.

They did to me as well, but it didn't fix it I had to disable all caching. I've also got another request in to clarify if this means my cache on my server will be used, but no response so far. It';s really annoying, I've been having odd security issues on and off for a couple of weeks. Nothing reproducible between accounts, but very reproducible for each individual account and user. But now that I disabled caching they have all disappeared (Who knew???). Oh, also, I never had the Additional Security Headers set to on. They couldn't explain to me what in blazes those were and I didn't want to enable something that sounded like voodoo. I mean I get they have secret sauce to protect but sometimes they are a bit much.

Anyway, it's been more than 8 hours now since I "fixed" it...so far so good.....

Thanks! and I'll update if they ever get back to me.

Leslie

 

[Cyb3r]

They did to me as well, but it didn't fix it I had to disable all caching. I've also got another request in to clarify if this means my cache on my server will be used, but no response so far. It';s really annoying, I've been having odd security issues on and off for a couple of weeks.

Yes the firewall has some issues. Here's my current setup:

Spoiler

Be Careful with the last option it might block any API requests without a valid header (if you have any sort of API on your site). You can disable it if you are not worried much about DDoS attacks.

As for the "Additional Security Headers added to your site" I don't know either what it used for I just enabled it as a precaution.

Nothing reproducible between accounts, but very reproducible for each individual account and user. But now that I disabled caching they have all disappeared (Who knew???). Oh, also, I never had the Additional Security Headers set to on. They couldn't explain to me what in blazes those were and I didn't want to enable something that sounded like voodoo. I mean I get they have secret sauce to protect but sometimes they are a bit much.

Anyway, it's been more than 8 hours now since I "fixed" it...so far so good.....

Thanks! and I'll update if they ever get back to me.

Leslie

Yeah the fix is good so far. Though i'm using site caching and it work fine. You can try and enable it now and check after few hours if the issue is back or not. Because it take sometime to cache everything.

 

[leslie dow]

Thanks for that. I turned on site caching this morning and so far so good. Been about 10 hours now. We'll see. I've really been impressed with their ability to stop attacks. I had a pretty awful one a couple of months ago and since going to them have not had a bobble. I guess it's worth dealing with some issues like this.

thanks!
My settings attached.