View Issue Details

ID: 0010930
Project: mantisbt
Category: signup
View Status: public
Last Update: 2016-05-10 06:30
Reporter: jreese
Assigned To: jreese
Priority: urgent
Severity: block
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.0rc2
Target Version: 1.2.0rc2
Fixed in Version: 1.2.0rc2
Summary: 0010930: User verification results in redirection loop
Description

User verification was logging out the user, and then calling auth_api functions that implicitly logged in the anonymous user, resulting in an endless redirection loop. By adding a parameter to the appropriate auth_api function, the verification page can specify that the anonymous user should not be implicitly logged in.

Tags: No tags attached.

Relationships

has duplicate 0011292 closed jreese Not able to create new account in MantisBT own tracker
related to 0010926 closed dhx Login problems, logging crashes httpd.exe
related to 0011031 closed jreese Can not view changelog page without login as user
related to 0020893 closed dregad Redirection Loop on Signup link [already saw the bug 0010930]

Activities

jreese

2009-09-12 20:32

reporter   ~0022908

Fix committed to 1.2.x and master branches.

dhx

2009-12-01 05:48

reporter   ~0023832

Are you able to explain a step-by-step process for replicating this bug? I have reverted this patch (locally) to fix 0011031 and haven't noticed any side effects with respect to endless login loops.

jreese

2009-12-03 09:27

reporter   ~0023843

Last edited: 2009-12-03 09:28

This is required when an already-logged-in user (including an anonymous user) is visiting the signup verification url, and I think other places as well. I'll simply take the original fix a bit further to resolve both issues.

j-b-m2

2009-12-08 03:32

reporter   ~0023880

Hi! I am currently running mantis from git master 1.2.x and this issue reappeared when opening the url to complete a registration (cyclic link found...).

The recent fix for bug 0011031 made this issue appear again, and user sign up is now impossible!

jreese

2009-12-08 08:05

reporter   ~0023881

On what page are you getting the redirect loop? The fix for 11031 should not have regressed this issue.

j-b-m

2009-12-08 09:02

reporter   ~0023883

Last edited: 2009-12-08 09:04

This happens when trying to open the link in the email sent after completing the signup page.

The email says:

Thank you for registering. You have an account with username "jb_test". In order
to complete your registration, visit the following URL (make sure it is entered
as the single line) and set your own access password:

http://www.kdenlive.org/mantis/verify.php?id=684&confirm_hash=20aa1e6db59eb06cf24a1be193f959c3

If you did not request any registration, ignore this message and nothing will
happen.

If I click on the link, I get the cyclic link error.
If I revert the last change in core/authentication.api and try again, I can open the link without problem...

Edit: I removed the test user, so the link above won't work, but you get the idea...

jreese

2009-12-17 16:30

reporter   ~0023929

This regression has been fixed in 1.2.x and master branches.

Related Changesets

MantisBT: master-1.2.x aa34cdfd

2009-09-12 20:13

jreese


Fix 0010930: Fix verification redirect loop

User verification was logging out the user, and then calling auth_api
functions that implicitly logged in the anonymous user, resulting in an
endless redirection loop. By adding a parameter to the appropriate
auth_api function, the verification page can specify that the anonymous
user should not be implicitly logged in.

Affected Issues: 0010930
mod - core/authentication_api.php

MantisBT: master 0abe9b45

2009-09-12 20:13

jreese


Fix 0010930: Fix verification redirect loop

User verification was logging out the user, and then calling auth_api
functions that implicitly logged in the anonymous user, resulting in an
endless redirection loop. By adding a parameter to the appropriate
auth_api function, the verification page can specify that the anonymous
user should not be implicitly logged in.

Affected Issues: 0010930
mod - core/authentication_api.php

MantisBT: master-1.2.x 0085bcd7

2009-12-03 09:33

jreese


Fix 0011031, 10930: fix anonymous user auto-login

The original issue with 10930 was that user verification, when checking
to see if a user was logged in, would trigger automatic login of the
anonymous user account, which would lead to a redirect loop, where each
page load would auto-login the anonymous user and immediately log them
out and redirect.

The original fix for this disabled auto-login of the anonymous user
account when calling auth_is_user_authenticated(), which broke
expectations of much of the codebase. By re-enabling auto-login, but
offering optional bypass of this process, it fixes both issues.

Any page expecting to correctly work with unauthenticated users will
need to pass a False parameter to the function to bypass automatic
anonymous login.

Affected Issues: 0010930, 0011031
mod - verify.php
mod - core/authentication_api.php

MantisBT: master aa042ae6

2009-12-03 09:33

jreese


Fix 0011031, 10930: fix anonymous user auto-login

The original issue with 10930 was that user verification, when checking
to see if a user was logged in, would trigger automatic login of the
anonymous user account, which would lead to a redirect loop, where each
page load would auto-login the anonymous user and immediately log them
out and redirect.

The original fix for this disabled auto-login of the anonymous user
account when calling auth_is_user_authenticated(), which broke
expectations of much of the codebase. By re-enabling auto-login, but
offering optional bypass of this process, it fixes both issues.

Any page expecting to correctly work with unauthenticated users will
need to pass a False parameter to the function to bypass automatic
anonymous login.

Affected Issues: 0010930, 0011031
mod - verify.php
mod - core/authentication_api.php

MantisBT: master-1.2.x 4dab8016

2009-12-17 16:17

jreese


Fix regression of issue 0010930 in commit 0085bcd7

The initial fixes for 0010930 and issue 0011031 did not take into account
the usage of auth_is_user_authenticated() in multiple locations during
the core bootstrap routines. By defining and looking for a global flag,
rather than an argument to the function, we fix both the problems and
the regression.

Affected Issues: 0010930, 0011031
mod - core/authentication_api.php
mod - core.php
mod - verify.php

MantisBT: master 429448ee

2009-12-17 16:17

jreese


Fix regression of issue 0010930 in commit 0085bcd7

The initial fixes for 0010930 and issue 0011031 did not take into account
the usage of auth_is_user_authenticated() in multiple locations during
the core bootstrap routines. By defining and looking for a global flag,
rather than an argument to the function, we fix both the problems and
the regression.

Affected Issues: 0010930, 0011031
mod - core.php
mod - core/authentication_api.php
mod - verify.php
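
The original behaviour and the three fix attempts recorded in the changesets above, modelled as an added PHP example. It is not MantisBT code: only auth_is_user_authenticated() is a name from this page, and the design names, the two pages and the 'anon_ok' flag are hypothetical. It follows redirects for a visitor with no session to the verification page and to a page meant to be readable without login, under each design.

```php
<?php
// Added model, not MantisBT source. Only auth_is_user_authenticated() is a
// name from the page; the designs, pages and 'anon_ok' flag are hypothetical.
// Per design: default of the auto-login argument, what the verify page passes
// (null = nothing), and the value the verify page gives the global flag.
const DESIGNS = [
    'implicit' => ['default' => true,  'verify_arg' => null,  'verify_flag' => true],
    'disabled' => ['default' => false, 'verify_arg' => null,  'verify_flag' => true],
    'argument' => ['default' => true,  'verify_arg' => false, 'verify_flag' => true],
    'flag'     => ['default' => true,  'verify_arg' => null,  'verify_flag' => false],
];

function auth_is_user_authenticated(array &$s, ?bool $auto = null): bool {
    $auto = $auto ?? $s['default'];
    if ($s['user'] === null && $auto && $s['anon_ok']) {
        $s['user'] = 'anonymous'; // implicit login as a side effect of a check
    }
    return $s['user'] !== null;
}

// Serve one request; returns [outcome, session cookie after the request].
function request(string $design, string $page, ?string $cookie): array {
    $d = DESIGNS[$design];
    $s = ['user' => $cookie, 'default' => $d['default'],
          'anon_ok' => $page === 'verify' ? $d['verify_flag'] : true];
    auth_is_user_authenticated($s); // core bootstrap call, default arguments
    if ($page === 'changelog') {    // page meant to be readable anonymously
        return [auth_is_user_authenticated($s) ? 'render' : 'login_required', $s['user']];
    }
    // verify page: needs a clean session, so it logs out and reloads if one exists
    $again = auth_is_user_authenticated($s, $d['verify_arg']);
    return [$again ? 'redirect' : 'render', null];
}

// Follow redirects like a browser; report a loop after $max hops.
function browse(string $design, string $page, ?string $cookie, int $max = 10): string {
    for ($hop = 0; $hop < $max; $hop++) {
        [$outcome, $cookie] = request($design, $page, $cookie);
        if ($outcome !== 'redirect') {
            return $outcome;
        }
    }
    return 'redirect_loop';
}

foreach (array_keys(DESIGNS) as $design) {
    printf("%-9s verify=%-13s changelog=%s\n", $design,
        browse($design, 'verify', null), browse($design, 'changelog', null));
}
```

The 'argument' row shows why a per-call bypass was not enough: the bootstrap call has already created the anonymous session before the verification page makes its own check.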