Wrong social auth token!

Closed
Advanced Security - PHP Register/Login System July 28, 2018
Milos Stojanovic Support Agent
4 months ago

Hey Roger,

Awesome, I'm glad you fixed it! :)

- Milos

SNAC.IO
4 months ago

SOLVED :)


There was no duplication of app('register')->socialToken();...


However, I was getting 302 redirect error because favicon.ico was not loaded on my server. Once loaded everything went back to normal.


I want to thank you for offering to look at my code even though the script worked perfectly out-of-the-box.

Roger

Milos Stojanovic Support Agent
4 months ago

Hey,

Hmmm... The app should not generate a new token at all unless you have the app('register')->socialToken(); call somewhere else on the page too.

Can you confirm that you call that socialToken() function only once on that page?

If so, can you please provide me some temporary FTP/SSH credentials so I can take a look and see what can be an issue?

- Milos

SNAC.IO
4 months ago

Hi Milos,

Ok, what is happening is socialauth.php refreshes and generates a new $token which obviously doesn't match with initial $_GET['token'] from login.php:


login.php (and register.php):

$token = app('register')->socialToken();
ASSession::set('as_social_token', $token);


socialauth.php:

if ($token == '' || $token == null || $token !== ASSession::get('as_social_token')) { 


How do I prevent socialauth from generating a new token?


Btw I tested google/twitter by removing $token !== ASSession::get('as_social_token') in socialauth.php:


from:

if ($token == '' || $token == null || $token !== ASSession::get('as_social_token')) {

to:

if ($token == '' || $token == null) {


In this case both google and twitter login correctly... 

Thank you for your help,

Roger
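
The token handling discussed in this thread, as an added example that is not part of any post and is not Advanced Security's own code: it contrasts overwriting the session token on every page load with issuing it once per session, while keeping the session comparison in the callback check. `social_token_issue()`, `social_token_valid()` and the `$session` array are hypothetical stand-ins, and the example assumes that `socialToken()` returns a fresh value on each call.

```php
<?php
// Added example. social_token_issue() and social_token_valid() are hypothetical
// helpers, not part of Advanced Security; $session stands in for the session store.

// Return the session's social-auth token, creating one only if none is stored.
function social_token_issue(array &$session): string
{
    if (empty($session['as_social_token'])) {
        $session['as_social_token'] = bin2hex(random_bytes(32));
    }
    return $session['as_social_token'];
}

// Callback-side check: a non-empty string that equals the stored token.
// hash_equals() compares in constant time.
function social_token_valid(array $session, $given): bool
{
    $stored = $session['as_social_token'] ?? '';
    return is_string($given) && $given !== '' && is_string($stored)
        && $stored !== '' && hash_equals($stored, $given);
}

// Case 1 (constructed): the page overwrites the token on every load, the
// assumed behaviour of calling socialToken() + ASSession::set() each time.
$session = [];
$session['as_social_token'] = bin2hex(random_bytes(32)); // first load of login.php
$inLink = $session['as_social_token'];                    // value placed in the provider link
$session['as_social_token'] = bin2hex(random_bytes(32)); // any further load before the callback
var_dump(social_token_valid($session, $inLink));          // link token vs. overwritten token

// Case 2 (constructed): issue once per session; a further load reuses the token.
$session = [];
$inLink = social_token_issue($session);
social_token_issue($session);
var_dump(social_token_valid($session, $inLink));          // link token vs. unchanged token
var_dump(social_token_valid($session, ''));               // empty token from the query string
var_dump(social_token_valid($session, null));             // missing token

// After a successful login the token is discarded so it cannot be replayed.
unset($session['as_social_token']);
var_dump(social_token_valid($session, $inLink));
```

Case 1 fails the check, which corresponds to the 'Wrong social auth token!' path; in Case 2 the link token passes while empty, missing and already-consumed tokens are still rejected.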

SNAC Team
4 months ago

Yes, $token info is at the top of login.php, register.php and resetpass.php
(the original login.php in three separate files)

ie:

Milos Stojanovic Support Agent
4 months ago

Hey Roger,

I'm not sure how exactly you modified the login page and stuff but make sure that you have the following code at the top of your login.php file (the same way it is set up in the original login.php):

$token = app('register')->socialToken();
ASSession::set('as_social_token', $token);

- Milos

SNAC.IO
4 months ago

Hi Milos,


I am getting a 'Wrong social auth token!' with Google login (only using Google for social)... Originally Google worked fine but I have been adding pages and tables and somewhere along the way I created a problem.


I tried:

- Tried PHP 7.1 and 7.2

- Updated all sessions to ASSession

- ASConfig.php: define('SESSION...SECURE,HTTP,COOKIES) try a variety of settings (true, false)


test site: [PRIVATE]


Any suggestions?

Thank you,

Roger