No Code Attached Yet
nikosdion
29 Mar 2022

Steps to reproduce the issue

  • Install Joomla 3.10.6

  • Set your session timeout to 1 minute

  • Create a secondary user, let's call it joomlalala

  • Log into the site's frontend with joomlalala checking the Remember Me setting

  • Close the browser and wait for one minute

  • Log into the backend of the site with your primary Super User account

  • Update to Joomla 3.10.7

  • Go to the frontend of the site

  • You are logged into the site with joomlalala using cookie authentication (Remember Me).

  • Log out of the site

  • Try to log back into the site with user joomlalala using a password

Expected result

You are logged into the site

Actual result

You are NOT logged into the site

System information (as much as possible)

Completely irrelevant.

Additional comments

You are blindly setting the user's authProvider field to whatever the login method's type is, without checking if it corresponds to an existing plugin in the authentication group or it's a placeholder or if it's even a secondary authentication method, like the cookie authentication!

You are then using that to lock the user to that non-existent or secondary authentication plugin which means that the user can no longer log in. Since the cookie was destroyed when the user logged out they can never log into the site again.

Related issue on Joomla 4: #37411
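
The binding problem described in the report above, as an added PHP illustration that is not part of the original report and is not Joomla's code: a simplified model in which the first successful login type is written to authProvider and later logins must match it. All function names and the method table are hypothetical, and writing the field only while it is empty is an assumption.

```php
<?php
// Simplified model of the behaviour described in the report. Not Joomla code;
// every name below is hypothetical and the method table is constructed sample data.

// Login method type => true if it verifies a credential the user can present again.
const AUTH_METHODS = ['Joomla' => true, 'Cookie' => false];

/** Behaviour as reported: the login type is stored without any check. */
function bindProviderBlindly(array $user, string $type): array
{
    if ($user['authProvider'] === '') {   // assumption: only an unset field is written
        $user['authProvider'] = $type;
    }
    return $user;
}

/** Checked variant: only an existing, primary method may become the binding. */
function bindProviderChecked(array $user, string $type): array
{
    $isPrimary = AUTH_METHODS[$type] ?? false;   // unknown type is never eligible
    if ($user['authProvider'] === '' && $isPrimary) {
        $user['authProvider'] = $type;
    }
    return $user;
}

/** Lock as reported: a bound user may only log in with the bound type. */
function loginAllowed(array $user, string $type): bool
{
    return $user['authProvider'] === '' || $user['authProvider'] === $type;
}

$user = ['username' => 'joomlalala', 'authProvider' => ''];

// First login after the update arrives via Remember Me (type "Cookie").
$blind   = bindProviderBlindly($user, 'Cookie');
$checked = bindProviderChecked($user, 'Cookie');

// The user logs out (cookie destroyed) and retries with a password (type "Joomla").
foreach (['blind' => $blind, 'checked' => $checked] as $label => $u) {
    printf("%-8s authProvider=%-9s password login allowed: %s\n",
        $label, var_export($u['authProvider'], true),
        loginAllowed($u, 'Joomla') ? 'yes' : 'no');
}
```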

nikosdion - open - 29 Mar 2022
joomla-cms-bot - change - 29 Mar 2022
Labels Added: No Code Attached Yet
joomla-cms-bot - labeled - 29 Mar 2022
nikosdion - change - 29 Mar 2022
The description was changed
nikosdion - edited - 29 Mar 2022
SniperSister - comment - 29 Mar 2022

Confirmed and clearly a stupid mistake, see #37416

richard67 - change - 29 Mar 2022
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2022-03-29 21:07:13
Closed_By: richard67
richard67 - comment - 29 Mar 2022

Closing as having a pull request. Please test #37416. Thanks in advance.

richard67 - close - 29 Mar 2022
nikosdion - comment - 29 Mar 2022

I disagree that anything is fixed by that PR. You guys have broken Joomla in a fundamental way.

richard67 - comment - 29 Mar 2022

The PR fixes the issue reported here and does not claim to fix others.

sentixGmbH - comment - 30 Mar 2022

> I disagree that anything is fixed by that PR. You guys have broken Joomla in a fundamental way.

You are so right and I really hope they listen to you.

nikosdion - comment - 30 Mar 2022

@sentixGmbH They did and this mess is being addressed right now.

sentixGmbH - comment - 30 Mar 2022

Thx!
