
Sign In doesn't work after Sign Out

edited December 2016 in Vanilla 2.0 - 2.8

There is a huge problem with jsConnect 1.5.3 and Vanilla 2.3 (I haven't tried earlier versions yet).

When a user enters https://forum.***.com/sso , it works perfectly (a forum user is created; username, photourl and roles are synchronized). It seems to work until the first logout or switching of users in the same browser, then it breaks permanently for this user.

If the user enters https://forum.***.com/sso again, jsConnect sends an unsigned request (without timestamp and signature) to the endpoint. The endpoint correctly responds with only {"name":, "photourl":}. The forum recognizes the user and shows "Howdy stranger... Sign in with ***". If I click on "Sign in with ***", jsConnect sends an unsigned request again. It receives the same reply from the endpoint and login doesn't happen; the page refreshes, but it has "Howdy stranger" again. There is no way to re-login.

Clearing browser cookies has no effect.

It's as if something about the user changes after logout and jsConnect "forgets" to send signed requests for this user. If the endpoint gives a full reply (with roles, signature, etc.) to an unsigned request, it still doesn't cause login.

Is it supposed to be like that? How is the "Sign in with ***" link supposed to work? Has anyone encountered this problem?

Thank you!

Comments

  • edited December 2016

    I'm sorry for some incorrect information in the previous message.

    When clicking on "Sign with ***", jsConnect sends a signed request, then receives a signed response, then sends an unsigned request and receives an unsigned response.

    But login doesn't happen, as described above.

    Some users on the same computer can log out and log in multiple times; others can't. I couldn't find a pattern or a sequence of actions that breaks login.

  • edited December 2016

    It has something to do with roles. A user successfully logs in with roles "Moderator", "Member" or non-existing role "aaa". But he sometimes can't log in with existing roles "Local moderator" or "LocalModerator". Changing roles affects whether a user can log in, but the behavior is not 100% repetitive. This is some obscure bug and probably can't be helped on this forum, but at least it can be avoided by not using custom roles.

    Thanks to everyone who reads this and tries to help users out there!
    To moderators: it's ok to close this discussion.

  • Linc Detroit Admin

    Verify all your roles have the Garden.SignIn.Allow permission.

  • @Linc Thank you a lot! That was the problem!
