jester48

this is what I have, still no joy

function sbci_start_session() {
    if(!session_id()) {
        session_start();
    }
}
add_action('init', 'sbci_start_session', 1);


function sbci_get_user_pass($user, $password){
    if(!session_id()) {
        session_start();
    }
    $_SESSION["pwd"] = $password ;
    return $user;
}
add_filter('wp_authenticate_user', 'sbci_get_user_pass',1,2);

I have disabled everything but the 2FA and received a critical error.

is it possible top flush the settings on logout ot after x minutes of inactivity so as to force 2fa?

1. Can you try with OTP via email as well (once email sending is enabled on the site)? Even using an email log plugin for the test could confirm if the behavior is the same across methods.
   • I will request activation of email on the test server
2. You mentioned using incognito – does the same happen in a regular browser session, or in another browser altogether?
   • I tried in firefox, same issue, I primarily use chrome
3. Since the test environment isn’t configured for email, is there anything else disabled or not configured yet, there that could affect logins (e.g. caching, security plugins)?
   • no, i am on the staging site and, with the exception of the email, all settings match production
4. Do you see any errors in the browser console or PHP logs when logging in?
   • No errors in any logs
5. As a deeper test, could you try disabling all other plugins and switching to a default theme, leaving only WP 2FA active? Then re-enable things one by one to see if the issue reappears.
   • I will try this option

Also worth checking: sometimes must-use (MU) plugins interfere with the login flow on a lower level – if you have any of those, it’s good to test with them disabled too.

There are no plugins/code in the MU directory

Can you tell me if you are using the latest 2.9.3 version of the plugin when this occurs? If not, make sure you update the plugin to it’s latest version.

Yes, I have version 2.9.3

can you tell me what 2FA method are you using (OTP via email or via authenticator app) and if this does happen for all users and all 2FA methods?

currently using the authenticator as my test environment is not configured for sending emails, but live environment will be email only

does this happen on the native WordPress log in form as well? If you are using a custom log in form, I suggest trying both and check where this happens and where it’s not.

Yes, the bahaviour is in both the native form and the custom form.

does the behavior “2FA only asked on first login” does get reset at any point (e.g. after some time, or after clearing cookies or changing your browser)? I would like to understand if 2FA is only asked once in total, or once per browser session etc, therefore trying to find a pattern.

I use an incognito window each time I log in, i was prompted for the first login, but never again

Thanks

I am trying to make a custom unsubscribe process for users with a specific role, would it be better to use another process?

thanks for the feedback, much appreciated, i’ve been going in circles and needed a fresh set of eyes.

Some of the wp_die blocks were removed after posting, I was still testing and forgot to take them out., the file cleanup block I am still trying to figure out, I rearranged the code a few times trying to determine the cause for the double post creation.

I did var_dumps throughout the code before posting, the duplicate record is created right at the following code block, a var_dump here and and exit then a check of the posts table shows two records created

// upload file
            $attachment_id = media_handle_upload( 'mycode-file-upload', 0 );
            // move file to secure directory
            $moved = rename(get_attached_file( $attachment_id ), $secure_dir . DIRECTORY_SEPARATOR . $base_file_name);
            if($moved){
                chmod($secure_dir . DIRECTORY_SEPARATOR . $base_file_name, octdec(755));
            }

I think i have made all the changes you recommended, code can be seen here: https://gist.github.com/james-gerard-rodgers/34a69cb47f81a5208dfa9043d5cbdc08

the error message is:

Sorry, you are not allowed to access this page.

I traced the issue to the the function user_can_access_admin_page in /wp-admin/includes/plugin.php and the following values:

• $_wp_submenu_nopriv = array();
• $_wp_menu_nopriv = array();