View Issue Details

ID: 0010930
Project: mantisbt
Category: signup
View Status: public
Last Update: 2016-05-10 06:30
Reporter: jreese
Assigned To: jreese
Priority: urgent
Severity: block
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.0rc2
Target Version: 1.2.0rc2
Fixed in Version: 1.2.0rc2
Summary: 0010930: User verification results in redirection loop
Description

User verification was logging out the user, and then calling auth_api functions that implicitly logged in the anonymous user, resulting in an endless redirection loop. By adding a parameter to the appropriate auth_api function, the verification page can specify that the anonymous user should not be implicitly logged in.

Tags: No tags attached.

Relationships

has duplicate 0011292 (closed, jreese): Not able to create new account in MantisBT own tracker
related to 0010926 (closed, dhx): Login problems, logging crashes httpd.exe
related to 0011031 (closed, jreese): Can not view changelog page without login as user
related to 0020893 (acknowledged): Redirection Loop on Signup link [already saw the bug 0010930]

Activities

jreese (reporter), 2009-09-12 20:32, ~0022908

Fix committed to 1.2.x and master branches.

dhx (reporter), 2009-12-01 05:48, ~0023832

Are you able to explain a step-by-step process for replicating this bug? I have reverted this patch (locally) to fix 0011031 and haven't noticed any side effects with respect to endless login loops.

jreese (reporter), 2009-12-03 09:27, ~0023843

Last edited: 2009-12-03 09:28

This is required when an already-logged-in user (including an anonymous user) is visiting the signup verification url, and I think other places as well. I'll simply take the original fix a bit further to resolve both issues.

j-b-m2 (reporter), 2009-12-08 03:32, ~0023880

Hi! I am currently running mantis from git master 1.2.x and this issue reappeared when opening the url to complete a registration (cyclic link found...).

The recent fix for bug 0011031 made this issue appear again, and user sign up is now impossible!

jreese (reporter), 2009-12-08 08:05, ~0023881

On what page are you getting the redirect loop? The fix for 11031 should not have regressed this issue.

j-b-m (reporter), 2009-12-08 09:02, ~0023883

Last edited: 2009-12-08 09:04

This happens when trying to open the link in the email sent after completing the signup page.

The email says:

Thank you for registering. You have an account with username "jb_test". In order
to complete your registration, visit the following URL (make sure it is entered
as the single line) and set your own access password:

http://www.kdenlive.org/mantis/verify.php?id=684&confirm_hash=20aa1e6db59eb06cf24a1be193f959c3

If you did not request any registration, ignore this message and nothing will
happen.

If I click on the link, I get the cyclic link error.
If I revert the last change in core/authentication.api and try again, I can open the link without problem...

Edit: I removed the test user, so the link above won't work, but you get the idea...

jreese (reporter), 2009-12-17 16:30, ~0023929

This regression has been fixed in 1.2.x and master branches.

Related Changesets

MantisBT: master-1.2.x aa34cdfd

2009-09-13 00:13:59

jreese

Fix 0010930: Fix verification redirect loop

User verification was logging out the user, and then calling auth_api
functions that implicitly logged in the anonymous user, resulting in an
endless redirection loop. By adding a parameter to the appropriate
auth_api function, the verification page can specify that the anonymous
user should not be implicitly logged in.
mod - core/authentication_api.php

MantisBT: master 0abe9b45

2009-09-13 00:13:59

jreese

Fix 0010930: Fix verification redirect loop

User verification was logging out the user, and then calling auth_api
functions that implicitly logged in the anonymous user, resulting in an
endless redirection loop. By adding a parameter to the appropriate
auth_api function, the verification page can specify that the anonymous
user should not be implicitly logged in.
mod - core/authentication_api.php

MantisBT: master-1.2.x 0085bcd7

2009-12-03 14:33:19

jreese

Fix 0011031, 10930: fix anonymous user auto-login

The original issue with 10930 was that user verification, when checking
to see if a user was logged in, would trigger automatic login of the
anonymous user account, which would lead to a redirect loop, where each
page load would auto-login the anonymous user and immediately log them
out and redirect.

The original fix for this disabled auto-login of the anonymous user
account when calling auth_is_user_authenticated(), which broke
expectations of much of the codebase. By re-enabling auto-login, but
offering optional bypass of this process, it fixes both issues.

Any page expecting to correctly work with unauthenticated users will
need to pass a False parameter to the function to bypass automatic
anonymous login.
mod - verify.php
mod - core/authentication_api.php

MantisBT: master aa042ae6

2009-12-03 14:33:19

jreese

Fix 0011031, 10930: fix anonymous user auto-login

The original issue with 10930 was that user verification, when checking
to see if a user was logged in, would trigger automatic login of the
anonymous user account, which would lead to a redirect loop, where each
page load would auto-login the anonymous user and immediately log them
out and redirect.

The original fix for this disabled auto-login of the anonymous user
account when calling auth_is_user_authenticated(), which broke
expectations of much of the codebase. By re-enabling auto-login, but
offering optional bypass of this process, it fixes both issues.

Any page expecting to correctly work with unauthenticated users will
need to pass a False parameter to the function to bypass automatic
anonymous login.
mod - verify.php
mod - core/authentication_api.php

MantisBT: master-1.2.x 4dab8016

2009-12-17 21:17:19

jreese

Fix regression of issue 0010930 in commit 0085bcd7

The initial fixes for 0010930 and issue 0011031 did not take into account
the usage of auth_is_user_authenticated() in multiple locations during
the core bootstrap routines. By defining and looking for a global flag,
rather than an argument to the function, we fix both the problems and
the regression.
mod - core/authentication_api.php
mod - core.php
mod - verify.php

MantisBT: master 429448ee

2009-12-17 21:17:19

jreese

Fix regression of issue 0010930 in commit 0085bcd7

The initial fixes for 0010930 and issue 0011031 did not take into account
the usage of auth_is_user_authenticated() in multiple locations during
the core bootstrap routines. By defining and looking for a global flag,
rather than an argument to the function, we fix both the problems and
the regression.
mod - core.php
mod - core/authentication_api.php
mod - verify.php
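
A toy model of the three states the changesets above describe (original behaviour, the bypass-argument fix, and the global-flag fix), added here as an illustration and not MantisBT's own code. `auth_check()` stands in for the auth_is_user_authenticated() named in the commit messages; `$session`, `allow_anon_login`, `bootstrap()`, `verify_page()` and `follow_redirects()` are hypothetical names, and the assumption that the shared bootstrap logs in the anonymous user before the page's own check runs is this example's reading of the regression.

```php
<?php
// Toy model of the flow in the commit messages; not MantisBT source.
// auth_check() stands in for auth_is_user_authenticated(); every other
// name ($session, allow_anon_login, bootstrap, ...) is hypothetical.
const MAX_HOPS = 10; // stand-in for the browser's redirect limit

// Auth check with a side effect: may log in the anonymous account.
function auth_check(array &$session, bool $auto_login = true): bool {
    $allowed = $auto_login && ($GLOBALS['allow_anon_login'] ?? true);
    if ($session['user'] === null && $allowed) {
        $session['user'] = 'anonymous';
    }
    return $session['user'] !== null;
}

// Shared bootstrap (assumed): calls the check with its defaults.
function bootstrap(array &$session): void {
    auth_check($session);
}

// One request to the verification page; returns 'redirect' or 'form'.
function verify_page(array &$session, string $fix): string {
    // Only the global-flag variant disables anonymous login before bootstrap.
    $GLOBALS['allow_anon_login'] = ($fix !== 'global_flag');
    bootstrap($session);
    $auto = ($fix === 'none'); // both fixes pass false from the page itself
    if (auth_check($session, $auto)) {
        $session['user'] = null; // log out whoever is there...
        return 'redirect';       // ...and reload the same URL
    }
    return 'form'; // unauthenticated: show the set-password form
}

// Follow redirects like a browser; returns requests made, or -1 on a loop.
function follow_redirects(?string $start_user, string $fix): int {
    $session = ['user' => $start_user];
    for ($hop = 1; $hop <= MAX_HOPS; $hop++) {
        if (verify_page($session, $fix) === 'form') {
            return $hop;
        }
    }
    return -1;
}

foreach (['none', 'argument', 'global_flag'] as $fix) {
    foreach ([null, 'alice'] as $user) { // constructed sample sessions
        printf("%-12s start=%-5s requests=%d\n", $fix, $user ?? 'none', follow_redirects($user, $fix));
    }
}
```

In this model a result of -1 means the redirect limit was hit; only the global-flag variant reaches the form, after one request for a fresh visitor and two for an already-logged-in user.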

Issue History

Date Modified Username Field Change
2009-09-12 20:19 jreese New Issue
2009-09-12 20:30 jreese Resolution open => fixed
2009-09-12 20:30 jreese Fixed in Version => 1.3.0-beta.1
2009-09-12 20:30 jreese Changeset attached master-1.2.x aa34cdfd =>
2009-09-12 20:30 jreese Changeset attached master 0abe9b45 =>
2009-09-12 20:32 jreese Note Added: 0022908
2009-09-12 20:32 jreese Status assigned => resolved
2009-09-12 20:32 jreese Fixed in Version 1.3.0-beta.1 => 1.2.2
2009-10-07 14:19 jreese Status resolved => closed
2009-10-19 11:22 vboctor Relationship added related to 0010926
2009-12-01 05:16 dhx Relationship added related to 0011031
2009-12-01 05:48 dhx Note Added: 0023832
2009-12-01 05:48 dhx Status closed => feedback
2009-12-01 05:48 dhx Resolution fixed => reopened
2009-12-03 09:27 jreese Note Added: 0023843
2009-12-03 09:27 jreese Status feedback => assigned
2009-12-03 09:28 jreese Note Edited: 0023843
2009-12-03 09:40 jreese Status assigned => resolved
2009-12-03 09:40 jreese Resolution reopened => fixed
2009-12-03 09:40 jreese Changeset attached master-1.2.x 0085bcd7 =>
2009-12-03 09:40 jreese Changeset attached master aa042ae6 =>
2009-12-08 03:32 j-b-m2 Note Added: 0023880
2009-12-08 08:05 jreese Note Added: 0023881
2009-12-08 09:02 j-b-m Note Added: 0023883
2009-12-08 09:03 j-b-m Note Edited: 0023883
2009-12-08 09:04 j-b-m Note Edited: 0023883
2009-12-17 16:30 jreese Changeset attached master-1.2.x 4dab8016 =>
2009-12-17 16:30 jreese Changeset attached master 429448ee =>
2009-12-17 16:30 jreese Note Added: 0023929
2009-12-17 16:33 jreese Relationship added has duplicate 0011292
2010-04-23 23:22 dhx Status resolved => closed
2016-05-10 06:30 dregad Relationship added related to 0020893