Login link in mail has to many parameters does not work with 7G firewall

  • Resolved agenciesFirst

    (@agenciesfirst)


    9 months, 2 weeks ago

    Hello friends,

    I have noticed something interesting that I would like to share with you.
    The last, including the current “Magic Login” versions has a problem with Firewall 7G.

    We also have the 7G firewall (from Jeff Starr) active on NGINX servers for WordPress installations and for a few weeks now this “Magic Login link” sent in the mail no longer works because said 7G prevents it. This behavior was probably triggered by security updates from Debian and NGINX, which is correct and desired.

    Now I have installed an older “Magic Login” version 1.7 and lo and behold, this version works perfectly with the 7G firewall.
    Why is that? Well, I investigated and found it.
    The link sent by “Magic Login” in version 1.7 does not contain any attached parameters with “&”, but only “?magic-login=1”.
    You can even omit the parameter “?magic-login=1” completely, so that only the hashed token in the link works for login.
    It may be because the “&” character is not quoted correctly or not quoted at all, or the “https://”, or another character. But it could also be that the attached parameters are simply too long. My tests are not 100% clear.

    It would be excellent if you could investigate my concern and fix this in future versions.Otherwise, great plugin, keep it up and best regards and good luck

    Thank You
    Jan

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Mustafa Uysal

    (@m_uysl)

    Hi Jan (@agenciesfirst)

    Thank you for pointing this out. I’ve run into the same issue before and adjusted the 7G firewall rules to address it, specifically for cases involving “magic login” links with tokens and redirects, to avoid unintended blockages.

    eg:

    
# magic login links with token and redirection can cause blocking
if ($request_uri ~ "magic-login"){
    set $gfwreason "allow";
}

    (It was the rule for runcloud; you might need to modify it like this)

    
if ($request_uri ~ "magic-login"){
    set $7g_drop_bad_request 0;
}

    > But it could also be that the attached parameters are simply too long.

    When I checked the firewall logs, the block matched with rule 16, likely due to the &redirect_to=https:// part. Encoding redirection URLs could be a better solution.

    I’ve started working on a fix for this, which you can follow here: https://github.com/HandyPlugins/magic-login/issues/25

    In the meantime, could you test the URL without the redirect_to parameter?

    Cheers,

    Thread Starter agenciesFirst

    (@agenciesfirst)

    Hi Mustafa,
    great to hear and thanks for your quick response.


    Your first snippet works also for me, the second one not.

    # magic login links with token and redirection can cause blocking
if ($request_uri ~ "magic-login"){
    set $gfwreason "allow";
}

    Worked.

    The token Link has now no redirect_to param.

    Only token with “&magic-login=1” and that works, but is not needed.

    Token only is enough, so when I cut out everything to token, it works.

    Why you need the real https url handing over? Maybe it’s necessary for some setups or best practice coding rules I don’t know.

    Cheers,

    Plugin Author Mustafa Uysal

    (@m_uysl)

    Hi @agenciesfirst,

    I’m glad to hear that the snippet did the trick.

    > Only token with “&magic-login=1” and that works, but is not needed.

    I’ve added a custom magic-login parameter to enhance third-party support. It’s unnecessary if your login URL is wp-login.php (the default login URL), but it becomes somewhat problematic when users begin using plugins that rewrite or alter the default behavior of wp-login.php. This is because the URL structure changes, for example, to https://example.com/login/?token=login-token-here. (https://github.com/HandyPlugins/magic-login/blob/2.0.1/includes/login.php#L278-L285)

    > Token only is enough, so when I cut out everything to token, it works.

    Did you remove user_id too?

    > Why you need the real https url handing over? Maybe it’s necessary for some setups or best practice coding rules I don’t know.

    It’s designed for flexibility. Essentially, it enables the addition of redirection if wp_safe_redirect is capable of handling it. For example, you might have courses accessible at example.org, but you use example.com as your landing page. Once people log in to your “members only” area, you might still want to redirect them to the landing page (I’m not sure why there’s a need for this kind of redirection, but it is what it is). So, it provides more flexibility in this way.

    Of course, the target URL would be better in an encoded format; I will fix that in the next version. Based on my tests, if you send redirect_to in the encoded format, it doesn’t get blocked 7G firewall. (roughly tested)

    I hope this helps.

    Cheers,

    Plugin Author Mustafa Uysal

    (@m_uysl)

    Hello @agenciesfirst,

    I’m excited to announce the release of Magic Login v2.1! This latest update enhances security by encoding the target URL, effectively addressing the issues encountered with nG firewall in our testing environment.

    To support this improvement, I’ve also published comprehensive documentation specifically for configuring nG firewall with Magic Login, which you can access here: https://handyplugins.co/magic-login-pro/docs/ng-firewall/

    Given that the previous solution has successfully resolved your concern, I’ll be marking this thread as resolved. If you have any further questions or need additional assistance, please don’t hesitate to reach out.

    Regards,

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Login link in mail has to many parameters does not work with 7G firewall’ is closed to new replies.