XF 1.5 WP Security causing trouble with XF Cookie?

[tihasz]

Hi,


I noticed a strange behavior on our Forum. The user gets logged out after a few hours (2-3h). When I log in , i see the xf_user cookie in the Developer console, and the Expiration date is set for 2 months from that moment. The user Is logged in for 2-3 and then suddenly when he revists the forum, hes logged out. (stay logged in doesnt work etc)

The forum is installed in a subfolder www.domain.com/forum, and I have a wordpress install in the root.

Anybody had similar problems?

Here the .htacces file from the root, maybe someone notices something strange about it, thx


# BEGIN All In One WP Security
#AIOWPS_BASIC_HTACCESS_RULES_START
<Files .htaccess>
order allow,deny
deny from all
</Files>
ServerSignature Off
LimitRequestBody 10240000
<Files wp-config.php>
order allow,deny
deny from all
</Files>
#AIOWPS_BASIC_HTACCESS_RULES_END
#AIOWPS_PINGBACK_HTACCESS_RULES_START
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
#AIOWPS_PINGBACK_HTACCESS_RULES_END
#AIOWPS_BLOCK_SPAMBOTS_START
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} ^(.*)?wp-comments-post\.php(.*)$
RewriteCond %{HTTP_REFERER} !^http(s)?s://(.*)?\.domain\.com [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://127.0.0.1 [L]
</IfModule>
#AIOWPS_BLOCK_SPAMBOTS_END
# END All In One WP Security

# BEGIN W3TC Browser Cache
<IfModule mod_deflate.c>
<IfModule mod_headers.c>
Header append Vary User-Agent env=!dont-vary
</IfModule>
<IfModule mod_filter.c>
AddOutputFilterByType DEFLATE text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/json
<IfModule mod_mime.c>
# DEFLATE by extension
AddOutputFilter DEFLATE js css htm html xml
</IfModule>
</IfModule>
</IfModule>
# END W3TC Browser Cache
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

 

[Chris D]

I suspect it's actually because your site is available via http:// and https://. It's also available with and without the www. subdomain.

I recommend having redirects in place to ensure that your visitors can only reach one version of the URL. Also ensure your board URL correctly reflects the desired URL.

 

[tihasz]

Hmm I think that's not it, as the forum works on this setup for months (the only new thing was Wp Security which was installed shortly before those things appeared to happen). The Board is on https, also while visiting https, www, without etc, the user stays logged in.

I got a feeling somethings cleans the connection to the cookie of the user (if that's even possible). Man, this gets really frustrating, any other ideas

 

[Steve F]

Hmm I think that's not it, as the forum works on this setup for months (the only new thing was Wp Security which was installed shortly before those things appeared to happen). The Board is on https, also while visiting https, www, without etc, the user stays logged in.

I got a feeling somethings cleans the connection to the cookie of the user (if that's even possible). Man, this gets really frustrating, any other ideas

If you search the forums here you'll see @Chris D 's recommendation is valid and most likely the issue. If it isn't your problem those recommendations should be followed anyways.

 

[Chris D]

There could be other causes, but that's usually the most obvious one.

It's exasperated over time, especially if different users who use different URLs are all posting links to slightly different versions of the same URLs. I would certainly implement that first to eliminate that being a possibility. It might not be the only cause, but it can be a contributory factor that will be worth eliminating otherwise it will make the general debugging of this even more difficult.

 

[tihasz]

I am 99% sure that's not the issue, because:

1. The site works for Months on this setup, nothing changed on the forum, server etc. (only recent change the WP Security plugin)
2. I always open the same https www url, so Its not like I use different ones and It logs me out while I visit them.

Anyway, thanks for the help. I will probably try to disable the wp security plugin and revert some changes made by it for a few hours and see what happens before I implement the suggestion above. If you have any other ideas what my cause this feel free to post, I will update the theme if I find the cause and solution

Thx

 

[Chris D]

You may be right but it's still best practice and highly recommended.

 

[Martok]

I am 99% sure that's not the issue, because:

1. The site works for Months on this setup, nothing changed on the forum, server etc. (only recent change the WP Security plugin)
2. I always open the same https www url, so Its not like I use different ones and It logs me out while I visit them.

Anyway, thanks for the help. I will probably try to disable the wp security plugin and revert some changes made by it for a few hours and see what happens before I implement the suggestion above. If you have any other ideas what my cause this feel free to post, I will update the theme if I find the cause and solution

Thx

You're missing the point. You should redirect www to non-www or vice versa. Not only can it cause login issues, not doing so can also cause duplicate content in search engines. Google wouldn't suggest you do so otherwise.

https://support.google.com/webmasters/answer/44231?hl=en

I really would listen to Chris, he knows what he's talking about.

 

[Chris D]

As I say, it may only be one factor. It's odd the issue is happening suddenly so there may well be something sinister that has triggered it.

But from the point of view of debugging the issue removing that factor simply makes sense and solves other potential problems.

I'm out at the moment but there may be other things to eliminate too. I'll report back later.

 

[SneakyDave]

Could it be that WP Security is basically forcing the issue, basically expiring those sessions in which those domains aren't quite the same? Or would that only apply to your WP installation?

 

[tihasz]

As I say, it may only be one factor. It's odd the issue is happening suddenly so there may well be something sinister that has triggered it.

But from the point of view of debugging the issue removing that factor simply makes sense and solves other potential problems.

I'm out at the moment but there may be other things to eliminate too. I'll report back later.

I disabled this morning the All In One Wp Security plugin for a few hours, and the Log Out still occurred. Damn. I am probably gonna take your advice and move everything to https and www, but its a big site so I need to do it carefully and over the weekend.

One thing which i noticed is that the cookie xf_user disappears while I come back and I am logged out. I checked google chrome, and it seems that the xf_user cookie is still there (when I go to the settings and checking cookies). But when I hit F12 and go to Ressources and Cookies, I can't see it. After I hit log in, it appears and I am back in. Really weird behavior. I got a feeling something on the server is causing this, like a clean up or reset. Never saw this before. Is there anything server related which you recommend for XenForo, like php version, or a module or a php command which needs to be set specifically. Thx in advance.

 

[tihasz]

As I say, it may only be one factor. It's odd the issue is happening suddenly so there may well be something sinister that has triggered it.

But from the point of view of debugging the issue removing that factor simply makes sense and solves other potential problems.

I'm out at the moment but there may be other things to eliminate too. I'll report back later.

Hey Chris, I forgot to mention that we use a Amember + XenForo integration. The guys at Amember checked the issue and said:

"From these screenshots I see that xenforo removes xf_user cookie for some reason.
Also the strange thing is that cookie is different for the same user sometimes and this is an issue.
do you have any security modules or plugins installed in xenforo itself?"

I dont have any kind of plugin installed in xenforo...

Any advice on this matter?

thx