Wordpress_logged_in cookie not destroyed on logout - wordpress

Users get stuck in a login/out loop experience - ONLY on the /login screen.
I have a membership plugin activated (Restrict Content Pro) that utilizes a login shortcode, which I'm using on a /login page. I have a global login/out link, utilizing wp_logout_url(), for logging out.
Behavior works as expected everywhere on the site except the login page. If I log out and then return to the login page, I'm shown content as if I were logged in. If I attempt to log out from this page, I'm thrown to the "You are attempting to log out of 'x'. Are you sure you want to do this?" error page.
The cookie 'wordpress_logged_in_' is also present only on this page, so I'm under the impression this is why the site is displaying the logged-in content. My question is: why would this specific cookie only be saved on this specific page? Can I completely destroy it on logout?
Thanks in advance.

This issue seems to persist to date. Are there any updates on solutions for this? It seems to me that WP is not destroying all the cookies relevant to login. After investigating a little, I found that the login cookie was set for a particular path (in my case it was /my-account). Maybe WP is missing this cookie because it is not set to /.
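
The path scoping described in the last comment is plain HTTP cookie behaviour: a browser keys cookies on (name, domain, path), so a logout that only expires the cookie on Path=/ leaves a copy scoped to /my-account untouched. The following is an added example, not code from the thread or from WordPress, that reproduces this with Python's http.cookiejar as a stand-in for the browser's cookie store. The cookie name suffix, the site name and the cookie value are constructed for the example.

```python
# Added example: simulate the browser's cookie store with http.cookiejar to show
# why a login cookie set on Path=/my-account survives a logout that expires it on
# Path=/ only. Cookie name, host and value below are constructed, not real.
import http.cookiejar
import urllib.request
from email.message import Message

COOKIE = "wordpress_logged_in_0123abcd"  # constructed; real suffix is COOKIEHASH
SITE = "https://example.com"


class _FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_headers):
        self._msg = Message()
        for header in set_cookie_headers:
            self._msg["Set-Cookie"] = header  # Message keeps repeated headers

    def info(self):
        return self._msg


def receive(jar, url, set_cookie_headers):
    """Store the Set-Cookie headers of a response to `url`, as a browser would."""
    jar.extract_cookies(_FakeResponse(set_cookie_headers), urllib.request.Request(url))


def cookie_header(jar, url):
    """Cookie header the browser would attach to a request for `url` ('' if none)."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie", "")


def simulate_logout(clear_paths):
    """Log in (cookie on "/" from core, and on "/my-account" from the plugin's
    form), then log out by expiring the cookie on each path in `clear_paths`.
    Returns which paths still receive the login cookie afterwards."""
    jar = http.cookiejar.CookieJar()
    # Core sets its copy at COOKIEPATH ("/"); the plugin's login form on
    # /my-account ends up with a second copy scoped to that page's path.
    receive(jar, f"{SITE}/wp-login.php",
            [f"{COOKIE}=alice.token; Path=/; HttpOnly"])
    receive(jar, f"{SITE}/my-account",
            [f"{COOKIE}=alice.token; Path=/my-account; HttpOnly"])
    # Logout: one expiring Set-Cookie per path. A clear on "/" does not touch
    # the "/my-account" copy because the path is part of the cookie's key.
    # (PHP's setcookie() with a past timestamp emits Expires in the past plus
    # Max-Age=0; Max-Age=0 alone is enough for the jar.)
    receive(jar, f"{SITE}/wp-login.php?action=logout",
            [f"{COOKIE}=; Path={path}; Max-Age=0" for path in clear_paths])
    return {
        "/": COOKIE in cookie_header(jar, f"{SITE}/"),
        "/my-account": COOKIE in cookie_header(jar, f"{SITE}/my-account"),
    }


if __name__ == "__main__":
    print("logout clears '/' only:", simulate_logout(["/"]))
    print("logout clears both paths:", simulate_logout(["/", "/my-account"]))
```

Clearing only "/" leaves the /my-account copy in place, which is exactly the "still logged in on the login page" symptom. The fix on the WordPress side is to emit one more expiring Set-Cookie for the extra path when the user logs out (for example from the clear_auth_cookie action), or to make sure the plugin never sets the cookie on a narrower path than COOKIEPATH in the first place.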

The security token did not match. The request was aborted to prevent any security breach. Please try again

I've got the error above in my Joomla website when I either try to log in or create a new account from the front end of the site. I have also noticed the following two things:
if I create a new user from the backend, it doesn't appear in the _users table;
a file named ".myjoomla.configuration.php.md5", containing an alphanumeric string, is automatically generated in the website root every time I try in vain to log in from the frontend. Besides, it turns up again if I remove it manually through FTP.
Did my website get hacked? How could I fix it?
".myjoomla.configuration.php.md5" contains the md5 hash of the configuration.php file and appears on your site as part of the mySites.guru service, which you either subscribed to or trialled. It is part of the near-realtime alerting service which detects when configuration.php has been changed and alerts you if you are a paying subscriber of the mySites.guru service. It is NOT an indication of a hack at all.
Disclaimer: It is code I wrote and a service I run, so I know what I'm talking about.
Not being able to create users: I'm guessing you have Admin Tools or RSFirewall installed and configured; both of these products stop users being created IF configured that way.
Token issues: These are well covered in Joomla documentation and forums. They are CSRF tokens, and if yours is not validating then try NOT double-clicking the buttons, check your session handlers are working, and check your cookies are working as expected.
Nothing you say leads me to believe your site is hacked.
The issue I encountered was with the Joomla native Login module. As I had published it on all the pages of my website and clicked on the login link that appeared on the frontend, I was redirected to a link that looked like
mysite.com/index.php/component/users/?view=login&Itemid=yourid
which displayed the login page correctly. Yet, once I had filled in the form and submitted it, the warning message in question popped up. The same problem occurred when trying either to register a new account or to reset the password.
Although I couldn't find an explanation for the issue, I managed to fix it by creating Login, Reset and Registration menu items under the main menu and then hiding them, as I didn't want them to show up among the other menu items on the frontend.
When I went back to the frontend and clicked on login, I was redirected to a different URL that looks like
mysite.com/login
where "login" is the alias that I had chosen for the Login menu item.
After filling in the form and submitting it, I was able to log in successfully. Likewise, the Registration and Reset operations worked.

ASP.net forms authentication redirect to log in page issue

When I use:
FormsAuthentication.SignOut()
FormsAuthentication.RedirectToLoginPage()
The URL will show a ReturnUrl string. Is this normal? Is there a way to prevent this?
I could just use a Response.Redirect, but was wondering why it shows the Return URL as well.
Thanks
This is used when a user requests a secure URL; they are then redirected back to this page after authenticating.
Take a look at this resource, very useful. Forms Authentication
As for removing this part of the URL, I don't think this is possible (but I haven't looked into it, since it's a useful feature). You often get links to things such as news articles. You don't mind re-authenticating, but if you were then just sent to a random home page, that would be annoying; the desired action is to have the site automatically redirect to the page you initially requested.
Edit: Another reason besides a direct link that you need to authenticate for, could be a scenario where you're reading a multi-page article, you click next page and the session has expired. You're taken back to the login page, authenticate and then return to the page you were reading. It would be undesirable to return to the homepage for you to search for that article again.
The FormsAuthentication.RedirectToLoginPage() documentation states that this method is for when you want to redirect the user to the login page, for example if a user logs out and wants to log back in as somebody else.
The ReturnUrl is so that they are returned to the page they started on after a successful login.
It sounds like if you want them to go to the home page or some other URL then you shouldn't use FormsAuthentication.RedirectToLoginPage() here. A Response.Redirect would be a fine alternative in my view.
To answer your question, it doesn't seem that there is a way to disable the ReturnUrl and still use FormsAuthentication.RedirectToLoginPage().
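
If the ReturnUrl parameter is kept, the login page has to treat it as untrusted input: a login form that redirects to whatever ReturnUrl says is an open redirect, and a link such as /Login.aspx?ReturnUrl=//evil.example sends a freshly authenticated user to another host. The check below is an added example, not code from the thread, written in framework-neutral Python; the sample URLs are constructed for the example.

```python
# Added example: validate a ReturnUrl-style parameter as a same-site target
# before redirecting to it. Sample inputs are constructed for the example.


def is_local_return_url(url):
    """True only for same-site, path-only targets such as "/Articles/42?page=3"."""
    if not url:
        return False
    # Control characters (CR/LF, NUL, TAB) have no place in a redirect target.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    if url.startswith("/"):
        # "//evil.example" and "/\evil.example" are scheme-relative URLs in
        # browsers and point at another host, so a second "/" or "\" is rejected.
        return len(url) == 1 or url[1] not in "/\\"
    if url.startswith("~/"):  # ASP.NET app-relative form
        return True
    return False  # absolute URLs, "javascript:", "\\host\share", ...


def redirect_target(return_url, default="/"):
    """Where to send the user after a successful login."""
    return return_url if is_local_return_url(return_url) else default


# Constructed samples of what might arrive in the query string, with verdicts.
SAMPLES = {
    "/Account/Profile": True,
    "/Articles/42?page=3": True,
    "~/Default.aspx": True,
    "//evil.example/phish": False,
    "/\\evil.example": False,
    "https://evil.example/": False,
    "javascript:alert(1)": False,
    "/ok\r\nSet-Cookie: x=y": False,
    "": False,
}


def check_samples():
    """Run every sample through the validator; returns {url: verdict}."""
    return {url: is_local_return_url(url) for url in SAMPLES}


if __name__ == "__main__":
    for url, verdict in check_samples().items():
        print(f"{'local   ' if verdict else 'rejected'}  {url!r}")
```

ASP.NET MVC ships the same rule as Url.IsLocalUrl(); whichever stack is in use, the redirect after login should go through a check like this and fall back to a fixed page when the parameter fails it.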

Get reason for login prompt when using asp.net membership

I have an asp.net website using the SQL ASP.net membership system. When users are logged in to the website and are inactive for 20 minutes, they get sent to the login page on the next page request. I would like to show some text on the login page that says "you were logged out due to inactivity" when this happens. Is there a built-in way to do this? Or any other ways I could distinguish why the user has been sent to the login page (for inactivity or some other reason)? I have scoured SO and Google but haven't been able to come up with anything.
The reason we need to do this is because we recently migrated from a previous version of the website that was lax about security and didn't have auto logout, so we're getting lots of feedback from users thinking there's something wrong with the website when they are prompted to login again.
Thanks in advance.
It is better to use JavaScript for this and be proactive about it: show the time remaining if possible, otherwise just alert the user with a message box saying that his session has timed out and then redirect him to the login page. Have a look here for a simple example.
To redirect him to the login page, add the following line as in the example:
alert("Your current Session is over."); window.location = "YourLoginPage.aspx";
For purposes of closure, I'll answer my own question. I couldn't find a clean way of doing what I'd like, so I ended up setting a cookie with the login time after the user logs in. Then, on the login form page, I check whether the login time in the cookie is more than 30 minutes old (my auth timeout in ASP.NET) and display a "logged out due to inactivity" message. Otherwise it doesn't display the message.
Not great, but it seems to work. Satisfies the requirement for the vast majority of our users.

How can I stop user from navigating to the previous page

I am developing a simple email portal as my college assignment and I refer to Gmail for various features. Now, when we sign into a Gmail account and then hit the back button of the browser, we somehow still remain on the inbox page. In my case, after login, if I press the back button I come back to the login page. Please suggest how I can achieve this. Also, I am a newbie to ASP.NET, so keep it detailed.
Very simple. When loading the login page, check the user's current session state, and if they're already logged in, redirect them to their inbox.
The trick is to use javascript's "history.replace(...)" function:
http://www.hunlock.com/blogs/Mastering_The_Back_Button_With_Javascript
In essence, you remove previous history entries.

hit back in the browser

When I hit back in the browser, the user is still logged in. Can someone help please?
I'm assuming you mean:
"After the user logs out, if they then press back in the browser, the page says they are still logged in. How do I stop this?"
If so, what the user is seeing is the browser's cached version of the page; they are not actually still logged in, and if they were to browse elsewhere, they would see that they are now logged out.
I often get around this by having the LoginStatus control have a LogoutAction of Redirect, and the LogoutPageUrl set to something like the homepage.
That is the correct behaviour for most web applications. Being logged in is a question of state, and does not rely on the page you are viewing.
If you want the back button to log the user out, then it would seem to be a case of whichever page the previous one was being where you want logged-in users to be automatically logged out. It might be the case that the previous page (accessed through the back option) is the login page, where you would want logged-in users to be automatically logged out.
To get a more accurate and more helpful answer, you should specify what behaviour you are expecting, and include details about the authentication system you are using (for example ASP.NET membership).
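
The two back-button threads above come down to two server-side measures: the login page redirects a user who already has a session (the answer in the email-portal thread), and pages rendered for a logged-in user are sent with Cache-Control: no-store, so that after logout the browser cannot replay them from its cache (the "cached version of the page" explanation in the last thread). The following is an added example, not code from either thread: a minimal WSGI mail portal in Python, framework-neutral, with an in-memory session store and made-up routes, driven without a network server so it runs offline.

```python
# Added example: minimal WSGI "mail portal" showing (1) the login page
# redirecting already-authenticated users and (2) no-store caching headers on
# authenticated pages, so Back after logout cannot show a cached inbox.
# Routes, session store and the sample user are constructed for the example.
import html
import io
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

SESSIONS = {}  # session id -> username (in-memory store for the example)

# Never let the browser (or its back-forward cache) keep these responses.
NO_STORE = [
    ("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]


def session_id(environ):
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    return cookies["sid"].value if "sid" in cookies else None


def app(environ, start_response):
    path = environ["PATH_INFO"]
    sid = session_id(environ)
    user = SESSIONS.get(sid)

    if path == "/login":
        if user:
            # Already authenticated: never render the form, go to the inbox.
            start_response("302 Found", [("Location", "/inbox")] + NO_STORE)
            return [b""]
        if environ["REQUEST_METHOD"] == "POST":
            size = int(environ.get("CONTENT_LENGTH") or 0)
            form = parse_qs(environ["wsgi.input"].read(size).decode())
            new_sid = secrets.token_urlsafe(32)
            SESSIONS[new_sid] = form.get("user", [""])[0]  # password check omitted
            cookie = f"sid={new_sid}; Path=/; HttpOnly; SameSite=Lax"
            start_response("302 Found",
                           [("Location", "/inbox"), ("Set-Cookie", cookie)] + NO_STORE)
            return [b""]
        start_response("200 OK", [("Content-Type", "text/html")] + NO_STORE)
        return [b'<form method="post"><input name="user"><button>Log in</button></form>']

    if path == "/logout":
        SESSIONS.pop(sid, None)  # invalidate server side, not just the cookie
        start_response("302 Found",
                       [("Location", "/login"),
                        ("Set-Cookie", "sid=; Path=/; Max-Age=0")] + NO_STORE)
        return [b""]

    if path == "/inbox":
        if not user:
            start_response("302 Found",
                           [("Location", "/login?ReturnUrl=%2Finbox")] + NO_STORE)
            return [b""]
        start_response("200 OK", [("Content-Type", "text/html")] + NO_STORE)
        return [f"<h1>Inbox for {html.escape(user)}</h1>".encode()]

    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def call(path, method="GET", cookie="", body=""):
    """Drive the app without a server. Returns (status, headers, body)."""
    environ = {
        "PATH_INFO": path,
        "REQUEST_METHOD": method,
        "HTTP_COOKIE": cookie,
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body.encode()),
    }
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    out = b"".join(app(environ, start_response)).decode()
    return captured["status"], captured["headers"], out


if __name__ == "__main__":
    _, hdrs, _ = call("/login", "POST", body="user=alice")
    sid_cookie = hdrs["Set-Cookie"].split(";")[0]
    print("inbox while logged in:", call("/inbox", cookie=sid_cookie)[0])
    print("login page while logged in ->", call("/login", cookie=sid_cookie)[1]["Location"])
    call("/logout", cookie=sid_cookie)
    print("inbox after logout ->", call("/inbox", cookie=sid_cookie)[1]["Location"])
```

Logout removes the session on the server, not only the cookie, so a stale cookie replayed by the browser is refused; the no-store headers are what stops Back from showing the old inbox from cache, and the login route's first check is what keeps a logged-in user from landing back on the form.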