WTF? Two-Factor Authorisation - Couldn't login

[Athan]

For some reason yesterday these forums decided I was logged out.

So, username/password, get 2FA challenge, pull phone out and enter that, now I'm on what looks like the account sign up page and it's complaining the username is already taken.

Do the clear cookies and force-refresh dance - no change.

Ended up disabling possibly interfering Chrome extensions: AdBlock, NotScripts, Ghostery, TamperMonkey. But still the same.

Tried an Incognito window and for some reason that could login. After a bit more faffing I eventually used this to disable 2FA, and now I can login using a normal window with the extensions enabled.

 

[MYstIC G]

@Deebs oh @Deebs

 

[Deebs]

Strange, I am using Yubikey as my second auth method, @TdC also uses 2FA.

I can see that you logged in at 11.22 and 11.26 with 2FA fine (according to the logs) and at 11.27 you disabled 2FA on your account. Not sure what else to suggest as you said you deleted the xf_session, xf_user, xffh_session cookies.

Saying that I have had the exact same issue before and I cannot remember what I did on my end to fix it (client end). Btw, did you try a different browser?

 

[Athan]

I suspect the successful 2FA logins were when using the Incognito window, once just to test, and later when I decided to try switching 2FA off. Anything in your logs with regards to 2FA *other* than those times for me since you tweaked the cookie prefix yesterday ?

The only 'other browser' I tried was Chrome in Windows, which didn't seem to exhibit the problem.

 

[Athan]

I just re-enabled 2FA, and logged in without issues using the rather old Firefox ('iceweasel') in Debian Wheezy. I'll try it again with Chrome....

 

[Athan]

Nope, still won't work with Chrome.

For completeness that's "Version 36.0.1985.125" on Linux, running on Debian Wheezy (stable), with all current updates.

 

[Deebs]

You added a device last night around 10.22pm, then just successful authentication attempts.

On this machine Chrome is on Win 8.1 and is version 35.0.1916.153. At home it is the latest version but cannot test until tonight. THere should be 5 cookies associated with FH,

_pk_id.xxxxx
_pd_ses.xxxx
uid
xffh_notification
xffh_session

and if you click the "remember me" option when logging in:

xffh_user

Since you tried it just now in Chrome and it failed I checked the logs and only see successful attempts so it is definately something to do with sessions but not sure what considering it works on FF.

 

[TdC]

@TdC also uses 2FA.

lies! I do not have that stuff of that thing that you said that I may do be using of that thing. unless it's the google thing. which I may have. maybe.

 

[SheepCow]

You're not the only one that seems to have these issues, I believe it's something to do with an invisible form item being autofilled which confuses the hell out of the back end :/

 

[Ctuchik]

lies! I do not have that stuff of that thing that you said that I may do be using of that thing. unless it's the google thing. which I may have. maybe.

So what you're saying is that you're not at liberty to be free to deny the fact that such a thing may or may not be true?

 

[TdC]

I can neither confirm or deny your statement.

 

[Deebs]

You're not the only one that seems to have these issues, I believe it's something to do with an invisible form item being autofilled which confuses the hell out of the back end :/

Anything we can do to debug? For me it is working fine on Safari, Chrome and Firefox.

 

[SheepCow]

@Athan - can you send me the source (and URL) of the login pages as you login? I'm failing to reproduce the problem at my end although I've definitely seen it before.

You'll want to **** out your password in the src of the page that you enter your 2-factor key!

 

[Athan]

I've PM'd Shee

@Athan - can you send me the source (and URL) of the login pages as you login? I'm failing to reproduce the problem at my end although I've definitely seen it before.

You'll want to **** out your password in the src of the page that you enter your 2-factor key!

PM'd URLs to the saved files to you.