
login url on another page keeps getting ANTIFORGERY_ID mismatch

Open mounirface3 opened this issue 8 years ago • 12 comments

Tried to add this code, on a certain hook for a custom login page, but the response is always

<?php
global $ultimatemember;

// Get the plugin singleton and ask it for the Azure AD login URL.
$aad = AADSSO::get_instance();
?>
<div class="um-center">
    <a href="<?php echo esc_url( $aad->get_login_url() ); ?>" class="azure-button">Sign in with Azure</a>
</div>
<?php

mounirface3 avatar Oct 30 '17 13:10 mounirface3

It's not sufficient to just send the user to the login URL, because there is additional configuration "work" that takes place. The most relevant of these is that the ANTIFORGERY_ID value is generated and stored. If you use the default login page, do you still see this issue?

psignoret avatar Oct 30 '17 17:10 psignoret

I fixed it by adding session_start in functions.php:

// Start a PHP session on every request if one is not already active,
// so that values written to $_SESSION (such as the antiforgery ID) persist.
function sess_start() {
    if ( ! session_id() ) {
        session_start();
    }
}
add_action( 'init', 'sess_start' );

The problem was that $_SESSION['aadsso_antiforgery-id'] was not being saved in the session. I am not using the default login page; I am using a custom one generated by a membership plugin.

mounirface3 avatar Oct 30 '17 17:10 mounirface3

If I have 10 domains, do I also need to create 10 azure keys/secrets?

anormore avatar Dec 08 '17 18:12 anormore

It's not sufficient to just send the user to the login URL, because there is additional configuration "work" that takes place. The most relevant of these is that the ANTIFORGERY_ID value is generated and stored. If you use the default login page, do you still see this issue? @psignoret

How can we make sure the antiforgery_id is properly set when using a custom login page? Is there an action/filter hook we can call or use to get the proper antiforgery_id? Do we need to send the antiforgery_id to Azure AD along with the request for this work?

odeland avatar Jan 29 '18 14:01 odeland

@odeland The antiforgery ID should be properly set even if you have a custom login page. (Basically, if the SSO with Azure AD gets triggered, it should work.) If it's not working, let's dig into the specific issue. Can you share more details on your setup?

psignoret avatar Jan 29 '18 17:01 psignoret

I'm having the identical issue that @odeland did. On the struggle bus with antiforgery_id with a custom login page. I used the get_login_url code from issue #178 to no avail... any other ideas?

8biteric avatar Dec 03 '19 19:12 8biteric

@8biteric Same question: can you share the details of your setup?

psignoret avatar Dec 06 '19 00:12 psignoret

I'll do this in a few messages. I gave up on the custom login page, and I managed to get things working by sticking with wp-login.php and customizing the hell out of it. I'll try to detail my original plan as best as I can remember.


Project is a private corporate intranet that needed to use Azure for logins. Pretty vanilla Wordpress install outside of the Azure login process. I originally wanted to bypass wp-login.php just so that users wouldn't be confused with two different login options – do they enter their credentials in the Wordpress login fields, or do they click the "Sign in with Azure" button?

So I tried the custom page route. I used some code in the header to redirect all users not logged in to it:

<?php
// Send anyone who is not logged in to the custom login page.
if ( ! is_user_logged_in() ) {
    wp_redirect( '[URL GOES HERE]custom-login-url/' );
    exit; // stop rendering the rest of the page once the redirect header is sent
} else {
    echo '<!-- User is logged in -->';
}
?>

For the login link on the custom page, I quickly realized I couldn't simply cut/paste the URL from the wp-login.php link. I found the get_login_url(); ?> snippet from this thread, and as I recall, that got me to the antiforgery issue. Tried everything I could find, including leviatorkilsheyggi's code from https://github.com/psignoret/aad-sso-wordpress/issues/178.

That said, there's one more plugin that might have been causing some issues. Once users logged in, I didn't want them coming to the Dashboard – I wanted them to go to the home page. So I used Peter's Login Redirect to create that redirect.

Apologies if that's not enough detail. Like I said, I was able to work around things. I'll post my setup in a new thread.

8biteric avatar Dec 06 '19 16:12 8biteric

Hey why are you writing a custom login page? It's actually useless -- bounce them straight over to SSO and bang, they're in.

So the flow is:

  • Landing page
  • [Login][Register] --> Over to Azure SSO
  • Login to MICROSOFT
  • Return to landing page / dashboard

You literally don't need a 'custom login page'. Perhaps you can create a customized profile page for further information on your user.

We use it for https://my.YorkvilleU.ca/ -- check it out.

anormore avatar Dec 06 '19 19:12 anormore

Yep, you're right on the money. In my case, though, there are a few other factors thrown in the mix.

  • If you work with ad agencies and such, they are very fussy with how things look. The Wordpress login screen isn't going to cut it when it comes to matching brand colors, logos, etc. So they like to design their own login pages and have everything work. (Thankfully, I was able to modify the login page enough to satisfy those demands.)

  • I've also got a pile of non-Azure content managers that need to be able to access the website. (Specifically, the aforementioned ad agency folks who set up the website in the first place.) So I can't have the Wordpress login totally bypassed by the plugin.

This project was a bit of an outlier, just wanted to pass along a couple of tips in case others were going insane.

8biteric avatar Dec 06 '19 20:12 8biteric

I fixed it by adding session_start in functions.php:

function sess_start() {
    if (!session_id())
        session_start();
}
add_action('init','sess_start');

The problem was that $_SESSION['aadsso_antiforgery-id'] was not being saved in the session. I am not using the default login page; I am using a custom one generated by a membership plugin.

We did this too... now we have a site health issue with an open PHP session in wordpress... how do you close this session without it breaking the functionality of this and throwing the antiforgery_id mismatch error? See my stackexchange writeup on it here: https://stackoverflow.com/questions/70596757/how-can-i-close-this-php-session-start-without-losing-functionality

BrentPirolli avatar Jan 05 '22 17:01 BrentPirolli
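The mechanism behind the mismatch discussed in this thread, and the open-session concern in the comment above, can be seen in one place with the following added illustration. It is not the plugin's code: `example_*` function names and the `example_antiforgery_id` session key are hypothetical, and only the `state` parameter of the authorization request is shown.

```php
<?php
// Added illustration (not aad-sso-wordpress code) of the anti-forgery
// round trip: the nonce must be stored in a started session BEFORE the
// user is sent to Azure AD, then compared on the callback. Hook names and
// add_query_arg() are WordPress core; the example_* names are hypothetical.

// Ensure a PHP session exists (same role as the sess_start() fix above).
function example_ensure_session() {
    if ( session_status() === PHP_SESSION_NONE ) {
        session_start();
    }
}
add_action( 'init', 'example_ensure_session' );

// Build the login link: generate the nonce, store it, then release the
// session lock immediately so no session stays open during page rendering.
function example_build_login_url( $authorize_endpoint ) {
    example_ensure_session();
    $nonce = bin2hex( random_bytes( 16 ) );          // 128-bit random state
    $_SESSION['example_antiforgery_id'] = $nonce;
    session_write_close();                            // persist and unlock
    return add_query_arg( array( 'state' => $nonce ), $authorize_endpoint );
}

// On the callback: compare the returned state against the stored nonce in
// constant time and consume it so it cannot be replayed.
function example_verify_state( $returned_state ) {
    example_ensure_session();                         // reopen after write_close
    $expected = isset( $_SESSION['example_antiforgery_id'] )
        ? $_SESSION['example_antiforgery_id'] : '';
    unset( $_SESSION['example_antiforgery_id'] );
    session_write_close();
    // An empty $expected is exactly the "no session, nonce never stored"
    // situation that produces the mismatch error in this thread.
    if ( $expected === '' || ! hash_equals( $expected, (string) $returned_state ) ) {
        return false;
    }
    return true;
}
```

If a custom login page never runs the code that stores the nonce, or the session is not started at that point, `example_verify_state()` will always return false regardless of what Azure AD returns.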

We ended up redirecting all logins to use the main wp-login.php page directly instead. We also added the following to our theme's functions.php to replace the single line of text that is easily missed to log in, with a graphic we made... The Learndash LMS plugin we use had a login module we were trying to inject this AAD option into and it wasn't working properly... so everyone goes to the main login now. We built pages on each LearnDash course that have a box that shows if they are logged out, encouraging them to log in to track course progress and such, and the "login" button there directs them to the wp-login.php page but we added a redirect link on the end so a user is redirected BACK to the page where they clicked log-in from.

https://YOURSITE.com/wp-login.php?redirect_to=%20https://YOURSITE.com%2Fcourses%2Ftraining%2F

Here is the code we used to make it look nicer:

/**
 * Override text with graphic for "sign in with your CedarCreek account" on the login page.
 * Hooked to login_enqueue_scripts so the CSS is only emitted on wp-login.php.
 */
function image_login() { ?>
    <style type="text/css">
        /* Replace the plugin's text link with a background image and hide the text off-screen. */
        .aadsso-login-form-text a:first-child { background: url(/wp-content/uploads/login-logo.png) center no-repeat; display: block; height: 130px; width: 350px; text-indent: -9999px; }
    </style>
<?php }
add_action( 'login_enqueue_scripts', 'image_login' );

BrentPirolli avatar Jan 11 '22 17:01 BrentPirolli