WP Plugin login error


#1

I’m a Creator using the WP plugin on my site, and several of my Patrons have trouble logging in.

One explained the problem like this: “I click the Unlock with Patreon button at https://www.lawlessfrench.com/vocabulary/mot-du-jour/gratter-mdj and I see the message which says that Patreon wants to access information. When I click Allow, I get “sorry aborted Patreon login for security reasons.” Originally I created my account with Patreon with facebook but after stopping Mot du Jour, the next time I set up an account I did it with my email and a different password. I can log into the Patreon site but not the Patreon posts on WP.” (This patron also sent me her https://whatsmybrowser.org link to aid in troubleshooting.)

Others say they get a slightly different error: “Sorry. Aborted Patreon login for security because security cookies don’t match.”

Last week Tal told me that there was an updated version of the plugin that might fix these issues, but that I’d need to uninstall the old version and delete it completely from the site before installing the new version.

Doing this would mean that I’d have to edit all of my existing posts to re-add the Patreon threshold, so I’m wondering if instead I can just overwrite the existing plugin and then clear the cache or something?


#2

Doing this would mean that I’d have to edit all of my existing posts to re-add the Patreon threshold

That shouldn't happen: that info is saved in the post meta table, and it should not go away when the plugin is uninstalled. Our plugin doesn't delete its info when uninstalled.

When uninstalling and then reinstalling, you shouldn't need to configure anything, not even the API access info, since they are saved in the database from before.

If you have any plugin which prunes the database after uninstalling a plugin by checking for post meta which existed before but has now been removed, such a plugin could delete all your data. But if you did not purposefully install something like that, there should be no such problem.

Still it is always a good idea to take backups of your database before doing anything like this, for peace of mind. There are a multitude of backup plugins which allow you to back up WP db and then restore it if necessary.


#3

Thanks for responding. I uninstalled and deleted the plugin, then installed the new one and you’re right - everything was still there.

However, I heard back from one of my patrons and unfortunately it has not resolved the issue:

it still doesn’t work. I get the same message. I tried 2 different browsers and also made sure to sign into Patreon first, just in case… I’ll contact support.


#4

Can you get information on the browser/os and environment which that user has?

Especially, any adblocker addons, antivirus application they are using, or whether they are behind a proxy or similar setup?

From what I understand, it is not all of your patrons who have this problem. It seems to be particular users.

A good route would be to detect a common pattern these users with issues seem to have.


#5

You’re right, it’s only 3 patrons AFAIK.

Patron 1: iPad. No proxy as far as I am aware. I simply operate via my iPad’s software provided by Apple. I link to the internet via my service provider in the UK who is British Telecom. I don’t explicitly use antivirus software as I rely on Apple to keep things secure and clean. See screenshots for ad and other settings.


#6

Patron 2: I'm not sure what you mean by behind a proxy. I am accessing the site from home, using my AT&T DSL line that has ethernet and wifi connectivity. I use Ad Block and Ad Block Plus, but I disabled these and still had the same message. I use Sophos antivirus protection. I've tried using it with Safari: whatsmybrowser.org/b/WQSJW3P and with Firefox: whatsmybrowser.org/b/G4JFH3C


#7

In 1-2 days I will try to set up a test via BrowserStack to simulate the environment, test your website and see if I can reproduce this situation.


#8

Sounds good. :slight_smile:

Here’s patron 1’s browser info: https://whatsmybrowser.org/b/RU7J5GB


#9

As far as I can tell, 100% of my patrons are getting this error as well.

I can only publish 2 links per post as a new user so I’ve broken all of the links below with double asterisks (**), which just turns things bold, meaning that you can still copy-paste links. :roll_eyes:

Update: I’ve also replied below, uploading images so you can see the issue with the nonces.

Here’s a condensed copy-paste of my conversation with @tal l that he’s asked me to move to these boards:

My patrons are getting an error message when they try to use the plugin on my site. I have everything set up properly. I have even deleted my client, set everything up again, and cleared my patron account's cache in order to fully test everything.

Error message: “Sorry. Aborted Patreon login for security because security cookies dont match.”

Error URL: https://[DOMAIN].com/[POST_TITLE]/?patreon_message=patreon_nonces_dont_match
(https://straty.com/bitcoin/?patreon_message=patreon_nonces_dont_match)

So far 4 users (3 + me) have experienced this issue and reported it to me. All are Mac/iOS users. Browsers are Chrome, Safari (both iOS and Mac OS), and Opera.

The site itself:
WP Engine is my host.
WordPress Version: 4.9.2 (latest)
PHP Version: 5.6
WP Engine Plugin v3.2.1 (latest)
Patreon Plugin: Version 1.0.1 (latest)

I have easy access to my HW/OS/browser details so I’ll give you those:

Hardware Overview:
Model Name: iMac
Model Identifier: iMac14,2
Processor Name: Intel Core i7
Processor Speed: 3.5 GHz
Number of Processors: 1
Total Number of Cores: 4
L2 Cache (per Core): 256 KB
L3 Cache: 8 MB
Memory: 16 GB
Boot ROM Version: IM142.0123.B00
SMC Version (system): 2.15f7
Serial Number (system): D25M801RFLHH

System Software Overview:
System Version: macOS 10.13.1 (17B1003)
Kernel Version: Darwin 17.2.0
Boot Volume: Macintosh HD
Boot Mode: Normal
Secure Virtual Memory: Enabled
System Integrity Protection: Enabled

Browsers I’ve personally tried:

  1. Google Chrome: Version 63.0.3239.xx (Official Build) (64-bit)
    I use Ad Block in Chrome. I tried disabling it and it had no effect. I also use a password manager (LastPass)
  2. Safari: Version 11.0.1 (13604.3.5)
    The only extension I have is a password manager
  3. I also tried the whole process on my iPhone X in Safari - same failure. From logs:
    [14/Jan/2018:05:04:04 +0000] “GET /patreon/ HTTP/1.0” 200 18814 “https://straty.com/” "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_1 like Mac OS X) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0 Mobile/15C153 Safari/604.1"
    I don’t use any extensions or anything special with Safari on iOS

Given all of that, I would say this doesn’t appear to be a browser, OS, or hardware specific issue.

Screenshots:

  1. Hit paywall: https://www.dropbox.com/s/lhulxog4y47ct9y/Screenshot%202018-01-14%2015.00.11.png?dl=0
  2. Sign up / Login: https://www.dropbox.com/s/qun6q5i1c8cm6y5/Screenshot%202018-01-14%2015.00.53.png?dl=0
  3. Grant permissions: https://www.dropbox.com/s/70xmhtvu7u8allu/Screenshot%202018-01-14%2015.01.03.png?dl=0
  4a) Fail (Chrome): https://www.dropbox.com/s/wa4doq4qjl6m73d/Screenshot%202018-01-14%2015.01.19.png?dl=0
  4b) Fail (Safari): https://www.dropbox.com/s/m85qrtm3cnaqlbf/Screenshot%202018-01-14%2015.17.00.png?dl=0

Fail URL: https://straty.com/bitcoin/?patreon_message=patreon_nonces_dont_match
I’ll leave this defunct post live for you.

“Unlock with Patreon” button URL: https://www.patreon.com/oauth2/become-patron?response_type=code&min_cents=100&client_id=12df3bcd6a271f4cf27ae82fa7048c9f01563566c5f4a6204c4f32e3baba023e&redirect_uri=https://straty.com/patreon-authorization/&state=YToyOntzOjE4OiJmaW5hbF9yZWRpcmVjdF91cmkiO3M6Mjc6Imh0dHBzOi8vc3RyYXR5LmNvbS9iaXRjb2luLyI7czoxMzoicGF0cmVvbl9ub25jZSI7czozMjoiNTg5MzRlYWRkNmFkY2E3M2M4YjQ4OTE1NDA5NTQzZDEiO30=

Of course, I’m trying all of this signed OUT of my Creator account and signed IN to a Patron-only account with the appropriate Patron level.

I’ve noticed something interesting… I tried to sign in one last time after resetting my cookies. But this time I had the Chrome inspector panel open to the cookies settings. Notice how the “patreon_nonce” changes every time the site loads.
1) First straty.com visit: https://www.dropbox.com/s/itgjaf3tk3ltdvg/Screenshot%202018-01-14%2016.05.09.png?dl=0
2) Click on Patron WP post: https://www.dropbox.com/s/y9bmdbeip1way07/Screenshot%202018-01-14%2016.05.21.png?dl=0
3) Return to WP site after auth: https://www.dropbox.com/s/aawlinsqvjujudd/Screenshot%202018-01-14%2016.07.41.png?dl=0

Surely the nonce is supposed to persist a bit longer than each page load… The other 3 cookies pictured are related to Google Analytics…

Thanks - I really hope we can get this working for everyone!

Best, Andrew


#10

Continued from above - here are the screenshots of changing nonces added as images instead of as links (enlarge or zoom to view nonce):

  1. First straty.com visit:

  2. Click on Patron WP post:

  3. Return to WP site after auth:


#11

That’s some good data for debugging, thank you very much!

Good catch on the patreon_nonce cookie situation. I suspected that something was happening in Apple systems with cookies; this will make tracking the issue much faster.

It seems that the browsers in Apple systems (at least in your case) are destroying the browser-session-length cookie at every new page load. This cookie was set to browser-session length, so it was supposed to be destroyed only when the browser is entirely closed. It behaves like that in other systems, but not in this case.

We can have a try at setting it to 1 hour length to see if this will fix the issue.

If you can, please give a try at changing line 59 in classes/patreon_routing.php from

setcookie('patreon_nonce', $nonce, 0, COOKIEPATH, COOKIE_DOMAIN );

to

setcookie('patreon_nonce', $nonce, time()+3600, COOKIEPATH, COOKIE_DOMAIN );

… and see if this changes anything with the current issue.


#12

I wasn't able to reproduce this on a test site.

Is it possible that you can put up a patron-only test post at your website so that I can test over that post?


#13

@codebard, The test post is here: https://straty.com/bitcoin/
Will attempt to change the cookie timeout now and report back


#14

@codebard - good idea… but…

The 60 minute expiration didn’t fix it… but I think it’s progress. Now the patreon_nonce is constant (for an hour) for each page, but the nonce still changes every time I move to a new page.

  1. https://straty.com/bitcoin/ (nonce is: 05a6f08d0f498c915526ec7045dce0ec)

  2. https://straty.com/bitcoin/?patreon_message=patreon_nonces_dont_match (nonce is: ec0762f00183d06419e3fc8315146b65)

  3. I go back to https://straty.com/bitcoin/ (nonce is back to: 05a6f08d0f498c915526ec7045dce0ec from #1)

The nonce is now constant for a given page, but not site-wide, and not even if the URL is slightly different:

  • https://straty.com/bitcoin/
  • https://straty.com/bitcoin/?patreon_message=patreon_nonces_dont_match
  • https://straty.com/bitcoin/? (nonce is: 13224194efaf3c54f8738740bc3256ea)

Shouldn't the nonce be constant for all pages across the entire domain until expiration, whether it's session-length or t = x seconds?


#15

PHP isn’t my specialty so I’m shooting in the dark a bit here…but…

What could cause the nonce to be different for each page?

  • Is the cookie not persisting as a new page is loaded?
  • Is patreon_nonce being unset someplace?
  • Is the logic of the if statement in line 57 incorrect and the nonce is being reset every time this function is called?
  • Should the if statement (again, ln 57) be grabbing the patreon_nonce from $_COOKIE or from $state?

if(isset($_COOKIE['patreon_nonce']) == false) {
    $nonce = md5(bin2hex(openssl_random_pseudo_bytes(32) . md5(time()) . openssl_random_pseudo_bytes(32)));
    setcookie('patreon_nonce', $nonce, time()+3600, COOKIEPATH, COOKIE_DOMAIN );
    $_COOKIE['patreon_nonce'] = $nonce;
}

If I comment out the if statement starting at line 93, the problem goes away immediately, allowing me to access the protected content as designed.

if($state['patreon_nonce'] != $_COOKIE['patreon_nonce']) {
    // Nonces do not match. Abort, show message.

    $redirect = add_query_arg( 'patreon_message', 'patreon_nonces_dont_match', $redirect);

    wp_redirect( $redirect );
    exit;
}

I put the code back in and then tweaked it to be:

if($state['patreon_nonce'] != $_COOKIE['patreon_nonce']) {
    // Nonces do not match. Abort, show message.

    //$redirect = add_query_arg( 'patreon_message', 'patreon_nonces_dont_match', $redirect);

    $redirect = add_query_arg( "state_nonce", $state['patreon_nonce'], $redirect);
    $redirect = add_query_arg( "cookie_nonce", $_COOKIE['patreon_nonce'], $redirect);

    wp_redirect( $redirect );
    exit;
}

…a hack so that I can get both nonces (state and cookie) spit back out in the URL… (I did mention I have limited PHP expertise, right?)

The result: https://straty.com/bitcoin/?state_nonce=badaa9a39dc990cbe8eaaae51ead711a&cookie_nonce=54e8086c58f0198c3fe241c604174760

The two nonces are obviously different. My state_nonce was the correct/original nonce… and of course the nonce in the cookie for that URL is completely different yet again (7eee9320637255c86f52d828156b3f07).

What are our theories for why patreon_nonce in $_COOKIE is changing for every new page?

Almost certainly, the issue is within one of these 2 if statements…
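
The nonce round trip that #11 and #15 are debugging, as an added example modelled on the plugin's code rather than taken from it (assumes PHP 7.1+; $cookies and $setCookie stand in for $_COOKIE and setcookie() so it runs from the CLI; the cookie attributes and constant-time compare are hardening choices of this example, not the plugin's):

```php
<?php
// Added example, not the plugin's code. Mint patreon_nonce once per browser
// session, scope the cookie to the whole site, copy the nonce into the OAuth
// "state", and on return compare state nonce and cookie nonce in constant time.
const NONCE_COOKIE = 'patreon_nonce';

// $cookies stands in for $_COOKIE and $setCookie for setcookie(), so the
// script runs from the CLI. Returns the existing nonce or mints a new one.
function ensure_nonce(array &$cookies, callable $setCookie): string {
    $cur = $cookies[NONCE_COOKIE] ?? '';
    if (preg_match('/^[a-f0-9]{32}$/', $cur)) {
        return $cur;                      // reuse: do NOT re-mint on every page
    }
    $nonce = bin2hex(random_bytes(16));   // CSPRNG, 32 hex chars
    $setCookie(NONCE_COOKIE, $nonce, [
        'expires'  => time() + 3600,
        'path'     => '/',                // one cookie for every page on the site
        'secure'   => true, 'httponly' => true,
        'samesite' => 'Lax',              // still sent on the top-level redirect back
    ]);
    $cookies[NONCE_COOKIE] = $nonce;
    return $nonce;
}

// State format as seen in the thread's button URL: base64(serialize(array)).
function build_state(string $finalRedirect, string $nonce): string {
    $data = ['final_redirect_uri' => $finalRedirect, 'patreon_nonce' => $nonce];
    return base64_encode(serialize($data));
}

// Returns the final redirect on success, null when the login must be aborted.
function verify_state(string $state, array $cookies): ?string {
    $raw  = base64_decode($state, true);
    $data = $raw === false ? false : @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || !isset($data['patreon_nonce'], $cookies[NONCE_COOKIE])) {
        return null;
    }
    if (!hash_equals((string) $cookies[NONCE_COOKIE], (string) $data['patreon_nonce'])) {
        return null;                      // the "security cookies don't match" case
    }
    return $data['final_redirect_uri'] ?? null;
}

// Constructed round trip: two page loads, then the callback from Patreon.
$jar = []; $sent = 0;
$record = function ($n, $v, $o) use (&$sent) { $sent++; };
$nonce = ensure_nonce($jar, $record);
$state = build_state('https://straty.com/bitcoin/', $nonce);
ensure_nonce($jar, $record);
assert($sent === 1);                      // second page load reused the cookie
var_dump(verify_state($state, $jar));    // matching cookie: final redirect URI
var_dump(verify_state($state, [NONCE_COOKIE => bin2hex(random_bytes(16))])); // mismatch
```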


#16

Wow, Andrew - don’t take this the wrong way, but I’m so glad you’re having this issue too. The info you’ve shared and the troubleshooting you’re doing are miles beyond the pitiful details I have. Thank you!

FWIW, here’s my 3rd patron’s info: "I’m not behind a proxy and I’ve tried turning off both my adblocker and antivirus. I’m using Chrome but have also tried in Microsoft Edge and am having the same difficulties. Below is the link from the website you sent me; whatsmybrowser.org/b/HLTAA6B "

And a 4th patron: https://whatsmybrowser.org/b/GD8D4YVh and https://whatsmybrowser.org/b/Y8337U3
His specific error is “Sorry. Aborted Patreon login for security because security cookies dont match.”

Interestingly, patron #3 is the only one not on Apple something; that's the extent of the extrapolations I can make. :-/


#17

If you disable the security nonce check, the problem goes away indeed - but also the security check goes away. We want to have that security check.

As it stands, the nonce cookie that is being set at your site seems to be being reset every time - this is probably due to the cookie being deemed expired - despite the browser not having been closed. It is hard to say what is exactly happening.

I will be running a test on your site soon today to try to reproduce it.


#18

I just ran a test on your website, and I was able to log in and view the protected post by pledging $1 without issues on macOS High Sierra and Safari 11.

When I tried with iPhone X, I received

“Sorry. Logging in with Patreon is disabled in this Website. Please contact administrator.”

…message. This would mean that you have disabled login with Patreon in your WP admin settings. If you just did that, then you would need to turn it back on again, otherwise patrons won't be able to log in.


#19

I’ve checked the “Enable Login with Patreon” button.
I've also put the plugin code back to its original state (except that I've kept the 3600s expiration on the nonce).
The result remains the same for my test account: “Sorry. Aborted Patreon login for security because security cookies dont match.”


#20

@lkl - You’re welcome!

I need to get this working ASAP or I’ll have to change platforms - which would be a shame given the number of patrons out there. I just can’t launch my site to my audience until this is working so I’m highly incentivized to do what I can to get it there.

By the way, I couldn’t tell from your original post, @lkl, are any of your patrons able to sign in successfully using the plugin?