1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

XF 1.5 Users not being allowed to login or new accounts being created

Discussion in 'Troubleshooting and Problems' started by leslie dow, Mar 6, 2016.

  1. leslie dow

    leslie dow Active Member

    Hi all
    Having an odd issue this am. My site (running v.1.5.5) is not allowing users to log in. When they try they get the login screen again, no errors. But when I try to create a new account, I get a "security error".

    I've had some odd problems with the firewall yesterday (I use Sucuri for that) and they are looking into it, but I have active users logged in now and I am logged in just fine.

    I don't see any errors in the ACP or in my server error log that might be associated with this. Errors that originate from my IP address, I mean.

    I have support requests into my h0sting service and Sucuri, but am trying to cover all my bases. Any suggestions?

  2. leslie dow

    leslie dow Active Member

    Oh, also I disabled the onlhy new addon that I have installed in the past week, which was Widget Framework. One that seems to be pretty stable. So I dont think its an addon.
  3. Brogan

    Brogan XenForo Moderator Staff Member

    This sounds identical to a ticket I dealt with yesterday.

    As far as I could tell it was related to some sort of caching on the server and Sucuri was involved there too.

    It's going to be something server side, which your host will have to investigate and resolve.
  4. SatGuyScott

    SatGuyScott Active Member

    Brogan what was the solution to that? I am having this issue as well where some users can log in but they are not logged in except on pages such as help. I am using Sucuri as well.
  5. leslie dow

    leslie dow Active Member

    Thaks! That is what it looks like on my end. I did disable all the addons and that did not fix it. Just for anyone else with this issue. @Brogan can I reference that issue with Sucuri? It might help resolve this.
  6. Brogan

    Brogan XenForo Moderator Staff Member

    The ticket author hasn't come back with any details on what was causing it and what the fix is.

    @Cyb3r, did your host manage to resolve it?
  7. Brogan

    Brogan XenForo Moderator Staff Member

    As an aside, checking "Stay logged in" may work - the presence of the additional cookie may be enough to bust the cache.
  8. Cyb3r

    Cyb3r Well-Known Member

    Well they responded too late. I had to install an add-on to force remember the password which fixes the problem temporarily. From my point of view I don't think it's related to server issue since it can be solved with something like remember password. I don't know what it might be because I have done everything on my side, I even disabled all Sucuri features and all add-ons to debug the issue but nothing seems to fix it except force remember password.
  9. Brogan

    Brogan XenForo Moderator Staff Member

    It's definitely a server side issue.

    I logged in to your site and then opened an incognito window and I was still logged in, in the incognito window.
    That should never happen.
    Cyb3r likes this.
  10. Cyb3r

    Cyb3r Well-Known Member

    Use this add-on as a temporarily solution: https://xenforo.com/community/resources/force-remember-password.4250/

    Can you please keep us updated with any solution they might come up with because I really hate to wait them to respond 10+ hours after I ask them anything.

    For more debugging I will import my site to a sandbox on my other server which doesn't have a firewall and see if that helps.
  11. leslie dow

    leslie dow Active Member

    FYI, I had this issue as well. I think I have fixed it by doing the following:

    "Just to close the loop on this, I passed your information on to Sucuri and then disabled all cachig on the Sucuri side. That fixed the issue. I have let them know. "
    Cyb3r likes this.
  12. Cyb3r

    Cyb3r Well-Known Member

    Yeah that solved my issue. Thanks.
  13. Brogan

    Brogan XenForo Moderator Staff Member

    I thought your host said they had already disabled it all?
  14. leslie dow

    leslie dow Active Member

    @Cyb3r I have also let Sucuir know that the issues that I am seeing is similar to yours. They, of course, say its not their problem. How frustrating! Glad it fixed yours as well.
    Cyb3r likes this.
  15. Cyb3r

    Cyb3r Well-Known Member

    They only refreshed the cache after I disabled the option "Additional Security Headers added to your site".

    But yeah I disabled all the options except the caching because it was on a separate page so I didn't see it. TBH I didn't even know there is an option to clear/disable the cache from my end. :confused:

    Yeah they just responded to me saying I could keep the site caching only instead of disabling it. So I will try that and see.
  16. leslie dow

    leslie dow Active Member

    They did to me as well, but it didn't fix it I had to disable all caching. I've also got another request in to clarify if this means my cache on my server will be used, but no response so far. It';s really annoying, I've been having odd security issues on and off for a couple of weeks. Nothing reproducible between accounts, but very reproducible for each individual account and user. But now that I disabled caching they have all disappeared (Who knew???). Oh, also, I never had the Additional Security Headers set to on. They couldn't explain to me what in blazes those were and I didn't want to enable something that sounded like voodoo. I mean I get they have secret sauce to protect but sometimes they are a bit much.

    Anyway, it's been more than 8 hours now since I "fixed" it...so far so good.....

    Thanks! and I'll update if they ever get back to me.

    Cyb3r likes this.
  17. Cyb3r

    Cyb3r Well-Known Member

    Yes the firewall has some issues. Here's my current setup:


    Be Careful with the last option it might block any API requests without a valid header (if you have any sort of API on your site). You can disable it if you are not worried much about DDoS attacks.

    As for the "Additional Security Headers added to your site" I don't know either what it used for I just enabled it as a precaution.

    Yeah the fix is good so far. Though i'm using site caching and it work fine. You can try and enable it now and check after few hours if the issue is back or not. Because it take sometime to cache everything.
  18. leslie dow

    leslie dow Active Member

    Thanks for that. I turned on site caching this morning and so far so good. Been about 10 hours now. We'll see. I've really been impressed with their ability to stop attacks. I had a pretty awful one a couple of months ago and since going to them have not had a bobble. I guess it's worth dealing with some issues like this.

    My settings attached.

    Attached Files:

    Cyb3r likes this.

Share This Page