Intermittent "Access Denied" messages logging into the website

VR6Pete
Mar 08 2012, 08:51AM
Registered Member #2353
Joined: Jul 28 2003, 11:21AM
Location: Stoke-on-Trent
Posts: 1246
A few users have said they receive "access denied" messages when logging into my website.

I have yet to be able to identify the cause of this; I'm currently going through with a test user, unloading plugins to see if it's caused by these or not.

I can't seem to be able to locate the thread that assists with tracking down these access denied messages; my security level is set to [5] Balanced.

A couple of questions - can I edit the "Access Denied" message to include my email address so I can actually get a gauge for how many people are affected, or if there is anything in common?

This does not happen for all my users, and when I was provided with the password for a user that was receiving the message, I was able to log in fine, and then the user could also log in fine after....? Seems very strange and something I cannot track down...

Is there anything I can do? I've enabled developer mode, and not seen anything odd?

Thanks

Pete
VR6Pete
Mar 08 2012, 09:03AM
Registered Member #2353
Joined: Jul 28 2003, 11:21AM
Location: Stoke-on-Trent
Posts: 1246
I have a thought

I have some jQuery being delivered in a shortcode that pops up a notification etc... and also in the featurebox.... would I need to include define('e_TOKEN_FREEZE', true); in these too?
Moc
Mar 08 2012, 12:47PM
  • e107 Site administrator
  • e107 Security Team
  • e107 Support Team
  • e107 Documentation Team
Registered Member #44563
Joined: Apr 12 2008, 03:01AM
Location: The Netherlands
Posts: 3524
As for your last question: yes.

To prevent loads of useless frustration, please check this common error related to session files: [-link-]

Let's check those first, otherwise we might just be wasting time. As soon as we've ruled out the above two we'll continue to debug, but I strongly recommend checking both javascript/ajax calls and the session files before checking anything else.
VR6Pete
Mar 08 2012, 03:09PM
Registered Member #2353
Joined: Jul 28 2003, 11:21AM
Location: Stoke-on-Trent
Posts: 1246
Ok... Session php info


Directive                         Local Value   Master Value
session.auto_start                Off           Off
session.bug_compat_42             On            On
session.bug_compat_warn           On            On
session.cache_expire              180           180
session.cache_limiter             nocache       nocache
session.cookie_domain             no value      no value
session.cookie_httponly           Off           Off
session.cookie_lifetime           0             0
session.cookie_path               /             /
session.cookie_secure             Off           Off
session.entropy_file              no value      no value
session.entropy_length            0             0
session.gc_divisor                100           100
session.gc_maxlifetime            1440          1440
session.gc_probability            1             1
session.hash_bits_per_character   4             4
session.hash_function             0             0
session.name                      SESSVR6OC     PHPSESSID
session.referer_check             no value      no value
session.save_handler              files         files
session.save_path                 /tmp          /tmp
session.serialize_handler         php           php
session.use_cookies               On            On
session.use_only_cookies          On            Off
session.use_trans_sid             0             0

Checked the plugin list and I'm not running any of those plugins...

global $tp, $sql;
parse_str($parm);
$pm_file1 = e_PLUGIN."pm/pm_func.php";
include_once(is_readable($pm_file1) ? $pm_file1 : e_PLUGIN."pm/pm_func.php");
$pm_inbox = pm_getInfo("inbox"); // This will retrieve the pm_info array from pm_getInfo function

$new = intval($pm_inbox['inbox']['unread']); // new messages are passed in the array with 'new', not with 'unread'
if ( $new > 0 )
{
    $messageSpam = $new." ".($new == 1 ? "New message" : "New messages");
}

if (USER)
{
	if ($new > 0)
	{
	$ret = "  
	<script language='JavaScript'>
		jQuery(document).ready(function()
		{
			jQuery.sticky('<a href=".e_PLUGIN_ABS."pm/pm.php?inbox><b>You have $messageSpam</b></a>');
		});            
	</script>
	<div class='topnav'>
		&nbsp;<a href='".e_PLUGIN_ABS."pm/pm.php?inbox'>$messageSpam</a>
		&nbsp;<a href='".e_BASE."usersettings.php'>".X_THEME_16."</a> 
		&nbsp;<a href='".e_BASE."user.php?id.".USERID."'>".X_THEME_17."</a> 
		&nbsp;<a href='".e_BASE."index.php?logout'>".X_THEME_18."</a>
	</div>";
	}
	else
	{
	$ret = "
	<div class='topnav'>
        <a href='".e_PLUGIN_ABS."pm/pm.php?inbox'>Your messages</a>
		&nbsp;<a href='".e_BASE."usersettings.php'>".X_THEME_16."</a>
		&nbsp;<a href='".e_BASE."user.php?id.".USERID."'>".X_THEME_17."</a>
		&nbsp;<a href='".e_BASE."index.php?logout'>".X_THEME_18."</a> 
	</div>";
	}
} 
else
{
	$ret = "
	<div class='topnav'>
		<a href='".e_BASE."signup.php'>".X_THEME_9."</a>
		&nbsp;<a href='".e_BASE."login.php'>".X_THEME_10."</a>
	</div>";
}

if (ADMIN)
{
	$ret .= "
	<div class='topnav'>
		<a href='".e_ADMIN."admin.php'>".X_THEME_19."</a>
	</div>";
}

if (!USER && defined("LOGINMESSAGE") && LOGINMESSAGE != "")
{
    $ret = "
	<div class='topnav'>
		".X_THEME_20." <a href='".e_BASE."login.php'>".X_THEME_21."</a> 
		&nbsp;".X_THEME_22." <a href='".e_BASE."fpw.php'>".X_THEME_23."</a>
	</div>";
}
return $ret; 


Would I need the e token freeze thing in the above and if so - where?

Cheers
VR6Pete
Mar 08 2012, 03:18PM
Registered Member #2353
Joined: Jul 28 2003, 11:21AM
Location: Stoke-on-Trent
Posts: 1246
I also have this feature box template using the below template ..

<?php
/*
+ ----------------------------------------------------------------------------+
|     e107 website system
|
|     Copyright (C) 2001-2002 Steve Dunstan (jalist@e107.org)
|     Copyright (C) 2008-2010 e107 Inc (e107.org)
|
|
|     Released under the terms and conditions of the
|     GNU General Public License (http://gnu.org).
|
|     $URL: https://e107.svn.sourceforge.net/svnroot/e107/trunk/e107_0.7/e107_plugins/featurebox/templates/centered.php $
|     $Revision: 11678 $
|     $Id: centered.php 11678 2010-08-22 00:43:45Z e107coders $
|     $Author: e107coders $
+----------------------------------------------------------------------------+
*/

if (!defined('e107_INIT')) { exit; }

$FB_TEMPLATE = "
<div>
<script type='text/javascript'>
	jQuery(function(){		   
    jQuery.easyNotification({
        text: '$fb_text',
        cookieName: 'VR6OCMembershipActive',
        cookieEnable: true,
        cookieDays: 3,
        parent: '#NotifyArea'
    });				
	});
</script>
<div id='NotifyArea'> 
    </div>
</div>
";

?> 
VR6Pete
Mar 08 2012, 03:23PM
Registered Member #2353
Joined: Jul 28 2003, 11:21AM
Location: Stoke-on-Trent
Posts: 1246
The above scripts use a number of .js scripts etc... which I have loaded using e_meta.php in a plugin I created.... Here is the code:

  <?php

/*
+ ----------------------------------------------------------------------------------------------------+
|        e107 website system 
|        Plugin Meta File :  e107_plugins/fancybox/e_meta.php
|        Revision  2.0.4
|        Date      14.12.2011
|        Author    VR6Pete
+----------------------------------------------------------------------------------------------------+
*/
if (!defined('e107_INIT')){ exit; }
$lb_path = e_PLUGIN.'fancybox/';
include_lan($lb_path."languages/".e_LANGUAGE.".php");

echo '
<link rel="stylesheet" href="'.THEME.'js/sticky.css" type="text/css" />
<script type="text/javascript" src="'.e_PLUGIN.'fancybox/scripts/jquery-1.7.1.min.js"></script>
<script type="text/javascript" src="'.e_PLUGIN.'fancybox/scripts/jquery.easing-1.3.pack.js"></script>
<script type="text/javascript" src="'.THEME.'js/sticky.js"></script>
<script type="text/javascript" src="'.THEME.'js/easy.notification.js"></script>

<script>(function(d, s, id) {
  var js, fjs = d.getElementsByTagName(s)[0];
  if (d.getElementById(id)) return;
  js = d.createElement(s); js.id = id;
  js.src = "//connect.facebook.net/en_GB/all.js#xfbml=1&appId=108099175920739";
  fjs.parentNode.insertBefore(js, fjs);
}(document, \'script\', \'facebook-jssdk\'));</script>
<div id="fb-root"></div>
';
?> 



Ok so question is. Am I missing anything in regards to e_token in any of the code snippets?

Cheers. Pete
Moc
Mar 08 2012, 03:39PM
  • e107 Site administrator
  • e107 Security Team
  • e107 Support Team
  • e107 Documentation Team
Registered Member #44563
Joined: Apr 12 2008, 03:01AM
Location: The Netherlands
Posts: 3524
I'm not an experienced coder in e107 so I don't know, I'll leave that to someone else.
Now, use the debugger to find those errors about session in the wiki. [-link-]
If you don't get those error messages, you're fine. My best bet would be the etoken freeze or plugin incompatibility.
VR6Pete
Mar 09 2012, 01:03AM
Registered Member #2353
Joined: Jul 28 2003, 11:21AM
Location: Stoke-on-Trent
Posts: 1246
Hi Moc, no errors in the debug related to sessions... my site is hosted by the same company as e107.org.
Moc
Mar 09 2012, 02:02AM
  • e107 Site administrator
  • e107 Security Team
  • e107 Support Team
  • e107 Documentation Team
Registered Member #44563
Joined: Apr 12 2008, 03:01AM
Location: The Netherlands
Posts: 3524
Ok you should be fine then
I would say a plugin/code mod is causing the problems, though I'm not an expert in javascript and I am not able to give clear advice on how to implement the etoken freeze option in your scripts. Hopefully someone else with more knowledge about this will comment on it
C6Dave
Mar 09 2012, 03:45AM
  • e107 Site administrator
  • e107 Support Team Leader
Registered Member #9506
Joined: Jul 31 2004, 12:57AM
Location: North East UK
Posts: 12342
VR6Pete wrote ...

... my site is hosted by the same company as e107.org.

Used to be, not any more Pete

I'm on Fused and get no Access Denied errors so doubt it's a serverside issue
VR6Pete
Mar 09 2012, 07:22AM
Registered Member #2353
Joined: Jul 28 2003, 11:21AM
Location: Stoke-on-Trent
Posts: 1246
Ah right. Cheers Dave for that....

I'm still waiting for my test subject to come back to me while I continue disabling other plugins...
VR6Pete
Mar 09 2012, 03:31PM
Registered Member #2353
Joined: Jul 28 2003, 11:21AM
Location: Stoke-on-Trent
Posts: 1246
I just don't understand why it randomly only happens to some users? I log in multiple times every day from various browsers and all seems to be fine... Just don't seem to be able to pinpoint the trigger...
C6Dave
Mar 09 2012, 11:16PM
  • e107 Site administrator
  • e107 Support Team Leader
Registered Member #9506
Joined: Jul 31 2004, 12:57AM
Location: North East UK
Posts: 12342
Too many windows open, Pete, or using the backspace key too often were the original triggers
VR6Pete
Mar 10 2012, 12:32AM
Registered Member #2353
Joined: Jul 28 2003, 11:21AM
Location: Stoke-on-Trent
Posts: 1246

Nah it's not that I don't think

This user simply requested a password reset, received the email, e107 generated new password, and when the user then tries logging in they get access denied message on all subsequent attempts to log in, regardless of closing the window and re-opening etc...

As I can't reproduce the issue, I can't try the debugging with the live http headers as per the wiki and my users are not skilled enough to do it for me...
Moc
Mar 10 2012, 01:08AM
  • e107 Site administrator
  • e107 Security Team
  • e107 Support Team
  • e107 Documentation Team
Registered Member #44563
Joined: Apr 12 2008, 03:01AM
Location: The Netherlands
Posts: 3524
Do you run any custom template files? Check if they're up-to-date with the latest version.
bigbadwolf
Mar 10 2012, 03:49AM
Registered Member #21221
Joined: Sep 27 2005, 07:48AM
Location: Long Island NY
Posts: 368
Pete,

Nothing to do with the login issues, but if you are still using SLIR and the default e_meta we provide, you are double loading jQuery from the looks of the code you posted.
VR6Pete
Mar 19 2012, 02:59AM
Registered Member #2353
Joined: Jul 28 2003, 11:21AM
Location: Stoke-on-Trent
Posts: 1246
Hi mate, tweaked the e_meta you provided to remove the call for jQuery.

Still having issues with the access denied...

What would be nice is if the "Access denied" message was more useful to the user that they could submit to the webmaster, i.e. what has caused the e_token regeneration etc...

Pete
Nowwhat
Mar 19 2012, 06:11AM
  • e107 Support Team
Registered Member #38024
Joined: Jul 05 2007, 12:08PM
Location: Europe (France)
Posts: 1729
Hi all,

The message "Access denied" comes from class2.php
You'll find it on lines 197 and 504.
Change both, like
die('+++ Access denied: line 197');
and
die('--- Access denied: line 504');

This way, you could ask: what was the number?
Knowing this, you (we) will know more about when they are happening.

Better yet, replace the simple 'Access denied' message with a more sophisticated log to file (or database) - as can be seen on lines 492-499.
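Nowwhat's suggestion above (tag each die() call site and log the denial instead of printing a bare message), sketched as an added example; it is not part of the original posts and is not e107 code. deny_with_reference() and its parameters are hypothetical, the 'e-token' field name is an assumption, the request data is constructed, and PHP 7+ is needed for random_bytes().

```php
<?php
// Added example, not e107 code: deny_with_reference() and its parameters are hypothetical.
function deny_with_reference($site, array $server, array $post, array $cookie,
                             $tokenField, $sessionName, $logFile)
{
    // Random reference the user can quote to the webmaster; it carries no meaning itself.
    $ref = strtoupper(bin2hex(random_bytes(4)));
    $clip = function ($key, $pathOnly = false) use ($server) {
        if (!isset($server[$key])) { return null; }
        $v = substr((string) $server[$key], 0, 200);   // cap attacker-controlled input
        // Query strings can carry reset or session values, so keep only the path.
        return $pathOnly ? explode('?', $v, 2)[0] : $v;
    };
    $entry = array(
        'time'           => gmdate('c'),
        'ref'            => $ref,
        'site'           => $site,                     // which die() fired
        'ip'             => $clip('REMOTE_ADDR'),
        'method'         => $clip('REQUEST_METHOD'),
        'uri'            => $clip('REQUEST_URI', true),
        'referer'        => $clip('HTTP_REFERER', true),
        'agent'          => $clip('HTTP_USER_AGENT'),
        // Presence only: token, session id and password values are never written.
        'token_posted'   => isset($post[$tokenField]),
        'session_cookie' => isset($cookie[$sessionName]),
        'post_fields'    => array_keys($post),
    );
    // json_encode() escapes CR/LF, so one request is always exactly one log line.
    $line = json_encode($entry, JSON_PARTIAL_OUTPUT_ON_ERROR);
    file_put_contents($logFile, $line . "\n", FILE_APPEND | LOCK_EX);
    return 'Access denied (ref ' . $ref . ', ' . $site . ')';
}

// Constructed sample request: a login POST that arrives without token or session cookie.
$server = array(
    'REMOTE_ADDR'     => '192.0.2.10',
    'REQUEST_METHOD'  => 'POST',
    'REQUEST_URI'     => '/login.php?x=1',
    'HTTP_REFERER'    => "https://example.org/fpw.php\r\nforged log line",
    'HTTP_USER_AGENT' => 'ExampleBrowser/1.0',
);
$post   = array('username' => 'testuser', 'userpass' => 'never-written-to-log');
$cookie = array();   // no SESSVR6OC cookie was sent with this request
$log    = sys_get_temp_dir() . '/access_denied_example.log';

echo deny_with_reference('class2.php:197', $server, $post, $cookie,
                         'e-token', 'SESSVR6OC', $log), "\n";
echo file_get_contents($log);
```

A user who reports the reference lets the webmaster find the matching log line and see whether the token field or the session cookie was missing from the request.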
VR6Pete
Mar 19 2012, 11:26AM
Registered Member #2353
Joined: Jul 28 2003, 11:21AM
Location: Stoke-on-Trent
Posts: 1246
Hi mate. Would you be able to create a debug version of class2.php please? Not entirely sure how I could implement some useful feedback that would allow me to identify where the regeneration came from..
omen1975
Mar 31 2013, 06:24AM
Registered Member #148718
Joined: Mar 31 2013, 06:13AM
Location: Poland
Posts: 1
I had this problem for almost a year and no one was able to help. On my site the password recovery option that calls the fpw.php file did not work. The problem was in the e_TOKEN, which is not properly assigned or read for some e107 templates! My template is custom and comes from a very old version of e107. Access Denied disappeared once I swapped in the e107_themes/templates/fpw_template.php file from an earlier version of the script. Perhaps the same can be done by swapping admin_template.php for the admin area. At this moment the problem is FIXED for me.