• If I (purposely) type in a wrong username in the login form (any template), I get an error saying:

    “The username ####### is not registered on this site. if you are unsure of your username, try your email address instead.”

    However, if you enter a registered email address for a user, the login freezes the screen and pops up the following error:

    {“result”:false,”error”:”Invalid nonce or user supplied.”}

    You have to refresh the page to clear the error. This also clears the login form, but the user has been logged in, and the redirects and 2FA have been by-passed. I get the same results if input a user email address directly, without first inputting an incorrect username.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter Ian MP

    (@ianmp)

    OK, firstly let me say out straight – I think this is a BRILLIANT plugin! I have long searched for a clean login option where I could do away with a dedicated login page (and therefore eliminate one more target for bots) and this plugin fits the bill perfectly. I have already incorporated it into my site (in beta) and will be using it live if I can resolve this issue.

    Alright: clearly, as most people have found out, you CAN login with an email, instead of a username without any problems. SO, a bit more explanation is needed. There is ONE occasion when you cannot use an email address: if 2FA is turned on and only ONE 2FA is activated then, if a user who has NOT setup their 2FA and tries to login with an email instead of a username, the above error appears.

    Let me explain. Here is the result of a detailed test.

    Believe it or not, there are actually 96 different scenarios to logging in, calculated as follows: 6 templates and 4 2FA options (none, plus 3 options), which equates to: (6×1) [no 2FA] +(6×3) [choice: 1, 2, or 3] +(6×3) [choice: two set = 1+2, 1+3, or 2+3] +(6×1) [choice: all three] = 48×2 (username or email) = 96.

    In 95 of the above scenarios, you can log in with either a username or email address: in ONE of these occasions, (where a User tries to login with their email address when 2FA is turned ON with just ONE option but the User has not setup their 2FA) the error will occur. If this happens then the plugin skips 2FA and redirection, and the code jumps to line 226 in login-with-ajax.php, which says as follows:

    ” ‘error’ => ‘Invalid nonce or user supplied.’, // not translated as this is a bug and edge (if at all) ” [sic]

    I have tested each of the above 96 scenarios on two sets of browsers, Mozilla-based (including Firefox) and Chrome-based (including Microsoft Edge). I have not tested on an Apple Mac as I don’t have one. The above error is repeatable in that single circumstance described.

    I think that, based on the comment the developer has entered in line 226, this is a known bug but that a user is not expected to get here. Hopefully now however, as the circumstances in which this CAN happen has been identified, the error can be addressed so that someone who has the email address and has guessed the password, cannot bypass the 2FA. Sorry, but I’m not a programmer so I cannot say WHY this happens, only show WHEN it happens. I hope this helps.

    cemlstrut

    (@cemlstrut)

    I have this very same issue. This will be a problem for new accounts on the site, because who remembers their username?

    This should be an easy fix for the dev, where it should match the user account by user_email not user_id. Did support ever get back to you?

    I have purchased the pro addon as well but i didn’t get any answer from support.

    Thread Starter Ian MP

    (@ianmp)

    No, the developer has not responded. From what I can see, there has been no response to ANYBODY for at least 4 months. However, he does appear to be still active as I received a response from him within two days when I informed him that I could not access his demo site as his SSL certificate had expired.

    I have now decided to drop ‘Login with AJAX’ in favour of the similarly named free ‘AJAX Login’ (also available on www.ads-software.com). It does not have 2FA built-in but it can be paired with ‘Wordfence login Security’ (a subset of the full ‘Wordfence Security Firewall’), which offers a very flexible 2FA, also free on www.ads-software.com. I have been testing both, these past few weeks, and so far everything works fine. I don’t yet know what the ‘AJAX Login’ support is like but I will post an update on that plugin page in due course.

    I’m really sorry ‘Pixelite’ but a major bug on an otherwise excellent login plugin is just too much of a risk to take on a membership site.

    I will open a ticket to ask for a refund on the pro addon. I hope they will reply to that at least. Thank you for the extra info, really appreciate it!

Viewing 4 replies - 1 through 4 (of 4 total)
  • You must be logged in to reply to this topic.