Password recovery from hell

[eRe4s3r]

Lo,

Site claimed my password is incorrect (it actually wasn't but let's move beyond that, my PW manager does not make mistakes)
After 3 login attempts, it brought me to a reset password page and here the fun starts, it asked me to enter my username or email, I entered username (so far, so good)

The IP listed in the mail request does not match my actual IP, which usually indicates something...

False
IP: 162.158.x.x
Username: eRe4s3r

Correct
IP: 92.78.x.x
Username: eRe4s3r

But that is not the best, the best is that the password fields and the text (the ***) in the change dialog are white on white, and I can't see what I am typing nor whether I even typed anything in the fields, best: I can't copy paste passwords (you know, kinda required for 20+ random chars) in the verify password field. Only way I could get the site to even let me in is force Lasspass to generate and fill both fields with a password it generated.

So yeah....

For some reason it refuses to accept the (newly generated) PW entirely after a certain time as well despite it working fine (once) to log in... something is really broken

[BadgerBadger]

Oddly, while my password is still accepted, I find myself needing to log in every time I visit (seemingly) after months of being just auto logged-in.

[eRe4s3r]

Yeah something odd is going on that's for sure, Lastpass informed me that the site has 3 known passwords, and it listed Mantis as one of them (one of the BIG problems of running Mantis on your forum domain by the way)

Today when I came here, I was logged out and informed my password (from the previously working auto-login) was invalid. Since I have Lastpass set to auto-login on this site this threw me off, since I *know* that the password Lastpass had for this site was correct, I mean, it logged me in correctly at least a few years now ;P

On pw regen it let me log-in with the newly generated password and when I came back (it was set to time-out after 60m) I was logged out and could no longer log in with the newly genned pw... 2nd time I used a password with .. ehm, less chars to see if this was a related, and it seems like it is related to PW length.... when I pasted a 20 char pw in the field it did not let me login, I think something is really going wrong with the salting and hashing when PW has specific chars or char numbers.. but maybe that's totally wrong ;p

Either way, something odd is going on on top of the "bugs" with the PW reset as a whole. Did the domain or structure change?

Btw, it doesn't even show my correct IP in this forum info thingy but that's probably not related.

[x4000]

Lots o' text here.

Quinn has fixed things up so that the wiki and the forums use the same password now, but a recent forum update busted some stuff relating to logging in in general.

Mantis now has its own subdomain to try to solve that issue with password keychains.

If you're still having this problem this morning, please let us know!

[eRe4s3r]

So a case of odd timing then? Changing password while logged in at least worked fine.. let's hope it continues working ;p

[keith.lamothe]

The wrong-IP thing is probably cloudflare-related.

[x4000]

So a case of odd timing then? Changing password while logged in at least worked fine.. let's hope it continues working ;p

I think that is accurate.

The wrong-IP thing is probably cloudflare-related.

That's almost certainly the case.  Although I thought we had a workaround for that, but such is life.

[Draco18s]

My stored password worked just fine.

* Draco18s shrugs

[Dominus Arbitrationis]

Okay, so here's what has been going on.

SMF released a core update which included some security changes. As a result of the changes, our theme had to be updated. However, the changelogs didn't say you needed to make a theme change, so the change was not made at first. Only when people got errors did I notice, and I found the issue and corrected it.

Since the need for a theme change wasn't documented, I went through the normal troubleshooting steps. I disabled my local cache, nothing. I cleared the server page cache, nothing. I eventually got around to the sessions, and purged the sessions. Still nothing. After spending quite a lot of time trying to sort it out, I finally stumbled upon the theme issue, and corrected it there. Now, everything seems to work.

What happened when you logged out was the data pertaining to your login was purged entirely (As intended). This normally works perfectly, but due to the changes made in the update, if the form wasn't updated, it would lie about what was happening and say something about the session or password being wrong.

Oddly, while my password is still accepted, I find myself needing to log in every time I visit (seemingly) after months of being just auto logged-in.

This is probably because of the session purge. It should be stable now, so you should auto login now. If not, let me know.

Either way, something odd is going on on top of the "bugs" with the PW reset as a whole. Did the domain or structure change?

The cookie changed, but other than that, everything remained the same.

Yeah something odd is going on that's for sure, Lastpass informed me that the site has 3 known passwords, and it listed Mantis as one of them (one of the BIG problems of running Mantis on your forum domain by the way)

I'm assuming you are referring to the fact that Mantis and the Forums share a base domain? They both use different subdomains, and you can't access the old Mantis URL without being redirected. You could use the old forums URL, but I do need to get around to changing that.

So a case of odd timing then? Changing password while logged in at least worked fine.. let's hope it continues working ;p

I think that is accurate.

The wrong-IP thing is probably cloudflare-related.

That's almost certainly the case.  Although I thought we had a workaround for that, but such is life.

Yep to both. As for the Cloudflare workaround, can you email me with what you originally had set up to correct the issue? I have a few ideas on what I can do to fix it, but if you have a known good solution (That hasn't been invalidated by updates to SMF or Cloudflare), I'd prefer to use that.

[x4000]

Honestly I have no recollection as to what the old solution WAS.  I think maybe you had figured it out, I'm not sure.  Thanks for the writeup!

[eRe4s3r]

Yeah it seems I still had old redirect login page as origin domain for my auto-login for mantis (guess I now know why that never worked right ,p) but this ended up to be really confusing, because Lastpass isn't stupid, it notices when you can't login with your data and so it actually asks you which account you are using, and at that point I was completely lost, because suddenly I had 3 "arcengames" accounts with 3 identical usernames but different pw's (only that none of them worked, or appeared to work apparently ,p)

Anyway, guess this means I just changed my PW for nothing, so that's good too. More security is better security.

Either way, you said to bring up all site issues, and appearing to be logged out when the auto login from lastpass said it "logged me in" is definitely one of those imo ;P

Glad you got that figured out it gave me a right darned scare, as you can imagine when lastpass says you log in and the site says you aren't, instantly questions pop up like "where did it just log-me-in" and it ain't like XSS attacks on the auto-login are not a thing already, hence why I only have it for very few sites on. Give SMF some serious hell for not mentioning that in their update notes ^^

Ps.: And yep, it all works now, new genned passwords ftw (just random more security I guess) ;P