Intermittent Cached Login End Point (served as homepage) Loop Issue

  • samwickins32

    (@samwickins32)


    1 month, 2 weeks ago

    Hi,

    I’m currently using WP Remote Users across multiple related platforms within an educational setup, and I’ve encountered an intermittent issue that I’m hoping you can help clarify.Setup Overview

    • I have a central site (Site A) which acts as the main authentication source.
    • Several other sites (Site B, C, D, etc.) are configured to accept incoming login from Site A.
    • Outgoing login is only enabled from Site A → other sites.
    • The other platforms (e.g. Site B) do not have outgoing login enabled back to Site A.

    In terms of usage:

    • Teachers typically log in via the central site (Site A), and their login is synchronised across the other platforms.
    • Students, however, generally log in directly on their specific platform (e.g. Site B) and are not expected to authenticate via the central site.

    The Issue

    On a few occasions now, users visiting the homepage of one of the secondary platforms (e.g. Site B) are unexpectedly redirected into a login loop involving:

    /wprus/login?wprusdata=…&token=…

    This results in:

    • The homepage appearing as a “processing” or redirect loop
    • Continuous refresh behaviour in the browser
    • High server load due to repeated requests to the login endpoint

    Importantly:

    • This affects all public visitors, not just the user initiating the login
    • Clearing the server-side cache immediately resolves the issue and restores normal homepage behaviour

    Key Question

    It appears that under certain failure conditions, a login request on site A communicating to site B (or its resulting redirect) may be reused or persist on site B in a way that affects subsequent visitors to the site.

    I have mitigated the issue by:

    • Preventing caching of /wprus/* endpoints
    • Preventing caching when wprusdata or token query parameters are present

    This hopefully has stopped the issue from affecting all users (but time will tell), but I would like to better understand the root cause.

    Questions

    1. Is there any known scenario where a failed login attempt could repeatedly trigger /wprus/login requests?
    2. Should WP Remote Users ever retry login automatically after a failure, or could this indicate a misconfiguration?
    3. Are there recommended safeguards to ensure login endpoints are strictly one-time use and cannot affect general page loads?
    4. Is there any known interaction with caching layers (e.g. NGINX / FastCGI cache) where login responses or redirects could inadvertently be cached / reused?

    I’d really appreciate any insight into whether this behaviour is expected under certain conditions, or if there’s a configuration adjustment I should be making.

    Thanks very much for your time and for the plugin, it’s been very useful for our setup.

    Kind regards

You must be logged in to reply to this topic.