No Code Attached Yet bug
JohnVesey
11 Feb 2024

Steps to reproduce the issue

Login to frontend when privacy consent expired and MFA enabled on the account.

Expected result

User profile page opens (to accept/renew privacy consent).

Actual result

"Too many redirects" occurs. Website unusable by user as actually logged in.

System information (as much as possible)

Joomla 5.0.2 (b/c plugin enabled)
PHP 8.2.9
Maria-db 10.6.15-live

Additional comments

Redirect loop occurs when privacy consent expired and MFA enabled. Logging in to frontend should go to User Profile page to accept privacy consent but redirect loop occurs. User is actually logged in but can't do anything due to redirect loop/expired privacy consent.

Workaround: Log in to Admin and log out the logged-in user, disable the account's MFA in admin, log in to frontend, accept privacy consent, log out of frontend, reset MFA on the account in Admin.

Hope this helps

John V

Votes

# of Users Experiencing Issue
1/1
Average Importance Score
4.00

JohnVesey - open - 11 Feb 2024
JohnVesey - change - 11 Feb 2024
Labels Removed: ?
joomla-cms-bot - change - 11 Feb 2024
Labels Added: No Code Attached Yet
joomla-cms-bot - labeled - 11 Feb 2024
Kostelano - comment - 12 Feb 2024

Confirmed.

> Workaround: Log in to Admin and log out the logged-in user, disable the account's MFA in admin, log in to frontend, accept privacy consent, log out of frontend, reset MFA on the account in Admin.

You won't be able to "log out" a user unless you use the session metadata tracking option. You can simply disable MFA.

There are also a few simple workarounds for a quick fix, but it's a bummer. The problem is serious for the end user in fact.

JohnVesey - comment - 12 Feb 2024

Particularly serious when the User doesn’t have admin access.

Similar to reported issues around password resets with MFA enabled?

Kostelano - comment - 12 Feb 2024

> Particularly serious when the User doesn’t have admin access.

No way without an admin. There are many options with access to the database.

By the way, this applies to all new consents (not only expired ones).
Let's say you use MFA and decide to add this option to your site by enabling the appropriate privacy plugins. That’s it, no one (using MFA) will be able to log in.

JohnVesey - comment - 12 Feb 2024

Understood.

Other than disabling/not using MFA, what’s the best workaround, pending a core update/bugfix?

Many thanks

hehemrin - comment - 20 Mar 2024

I have the same or a similar problem on Joomla 4.4.3. If you agree, please add that this bug also affects J4 and not only J5.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/42783.

Hackwar - change - 24 Mar 2024
Labels Added: bug
Hackwar - labeled - 24 Mar 2024
Hackwar - change - 24 Nov 2024
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2024-11-24 22:45:04
Closed_By: Hackwar
Hackwar - close - 24 Nov 2024
Hackwar - comment - 24 Nov 2024

I've created a PR #44522 to fix this. Please test it. Since we have a PR for this, I'm closing this issue.
