Authorizer – Endless Loop

Resolved blindtechie
(@blindtechie)

8 years, 8 months ago

Hello,

I just installed Authorizer on a fresh WordPress installation and am experiencing an endless redirect loop after entering my credentials on our organization’s CAS server. The relevant section of our Apache error log is below:

[Wed Sep 20 05:19:45.948035 2017] [:error] [pid 22000] [client 127.0.0.1:57712] PHP Warning: session_start(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and ‘-,’ in /path/wp-content/plugins/authorizer/vendor/CAS-1.3.5/CAS/Client.php on line 931, referer: https://example.com/wp-login.php?redirect_to=%2F
[Wed Sep 20 05:19:45.948110 2017] [:error] [pid 22000] [client 127.0.0.1:57712] session id: ST-Q2FuYWRpYW5CbGluZG5lc3NTZXJ2aWNlc01lbWJlcnN8aHR0cHMlM0ElMkYlMkZjYW5hZGlhbmJsaW5kbmVzc3NlcnZpY2VzLmNvbSUyRndwLWxvZ2luLnBocCUzRmV4dGVybmFsJTNEY2FzJTI2cmVkaXJlY3RfdG8lM0QlMjUyRnwxNTA1ODk5MjE1LjAxMDd8NzUzYjIyNzdiYWI5MzkyZDA5ZDUwM2U4YzIyNjk2NjczNTI2ZDllMQ, referer: https://example.com/wp-login.php?redirect_to=%2F
[Wed Sep 20 05:19:45.949484 2017] [:error] [pid 22000] [client 127.0.0.1:57712] PHP Warning: session_write_close(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and ‘-,’ in /path/wp-content/plugins/authorizer/vendor/CAS-1.3.5/CAS/Client.php on line 1658, referer: https://example.com/wp-login.php?redirect_to=%2F
[Wed Sep 20 05:19:45.949528 2017] [:error] [pid 22000] [client 127.0.0.1:57712] PHP Warning: session_write_close(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/path/to/sessions) in /path/wp-content/plugins/authorizer/vendor/CAS-1.3.5/CAS/Client.php on line 1658, referer: https://example.com/wp-login.php?redirect_to=%2F

I am getting the above errors for every redirect attempt that is made. I’ve verified that the session files are not being created on the server. Manually setting the session id results in empty files being created and the same errors.

I am running an Apache server on Linux behind a reverse proxy.

The only other thing of note I can think of is the fact that when I inspect the cookies in my browser, they are set correctly, though do not have the secure flag set.

Grateful for any help you are able to provide.

Respectfully,
Blind Techie

Viewing 2 replies - 1 through 2 (of 2 total)

Plugin Author Paul Ryan
(@figureone)

8 years, 8 months ago

The errors are being thrown by the phpCAS library, so there’s not a whole lot I can do; maybe open a ticket with them to see if they’ve encountered this before?
https://github.com/apereo/phpCAS

That said, this sounds like evidence of tampering, so you may want to have a look at the servers. Session ID generation should be internal to PHP, so if it’s an invalid value that may mean it’s being changed somewhere in the chain.
https://github.com/symfony/symfony/issues/14761#issuecomment-137813575
https://stackoverflow.com/questions/3185779/the-session-id-is-too-long-or-contains-illegal-characters-valid-characters-are

It’s also possible that the reverse proxy isn’t properly forwarding the cookie data? That seems unlikely, just trying to come up with ideas.
https://stackoverflow.com/questions/42332499/apache-reverse-proxy-cookies-not-working

Plugin Author pkarjala
(@pkarjala)

8 years, 4 months ago

@blindtechie checking in; do you need any additional assistance with this issue?

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Authorizer – Endless Loop’ is closed to new replies.

Tags