Login redirect loop only from subdomain blogs

Most of my users log in from the login widget on the root blog’s edu-clean theme, which works without problem. However, a user tried to log in from their mapped domain’s Meta login, and they get a redirect loop:

http://theechelongroup.bestagentblogs.com/wp-login.php?redirect_to=http%3A%2F%2Fechelonrealestate.com%2Fwp-admin%2F

I have buddypress and bbpress integrated without issue, so there are the usual auth salts etc. in wp-config. I added the admin_cookie_path just in case (suggested here: http://mu.wordpress.org/forums/topic/9872), but it makes no difference that I can tell. Of course cookies deleted before each test.

define( 'COOKIE_DOMAIN', '.bestagentblogs.com' );

define( 'SITECOOKIEPATH', '/' );

define( 'COOKIEPATH', '/' );

define( 'ADMIN_COOKIE_PATH', '/' );

Could my cookie_domain be part of the problem? Any suggestions appreciated.

  • Andrew
    • Champion of Loops

    Hiya,

    The problem is caused by the wp_redirect security. Basically you’re trying to redirect the user to a different domain and that function doesn’t care for that (at all).

    We’ll see about working around this issue but for now just remove the plugin.

    Thanks,

    Andrew

  • Andrew
    • Champion of Loops

    Do you think it would make a difference to what I’m seeing here if I upgraded?

    Your call entirely. We can only assist with our plugin though.

    Will I need to re-add all the mapped domains or do they survive the upgrade intact?

    The latest version should be compatible with the other domain mapping plugin.

    Thanks,

    Andrew

  • Christopher Price
    • The Incredible Code Injector

    OK, I updated to Domain Mapping v1.0.2 and the problem remains: Users can only log in from the login widget on the edu-clean themed root domain, and not from userblog.com/wp-login.

    First of all, the problem only exists on blogs with custom domains mapped. Sub-Domain blogs work just fine.

    On mapped domain blogs, if the correct username and password are entered, there is no error, the user is just presented with another blank login opportunity and this URL:

    http://bestdenveragent.com/wp-login.php?redirect_to=http%3A%2F%2Fbestdenveragent.com%2Fwp-admin%2F

    If the incorrect password is entered, the following error is presented:

    ERROR: Incorrect password. Lost your password?

    ERROR: Cookies are blocked or not supported by your browser. You must enable cookies to use WordPress.

    I set up this blog as an example:

    http://www.bestdenveragent.com

    username: hank

    password: password

    root blog: http://www.bestagentblogs.com

  • Christopher Price
    • The Incredible Code Injector

    Sorry, I don’t know what you mean by "wrap that line." You mean comment it out?

    Update: I did comment it out, and it seems to work. I’m testing things now… Are there any particular downsides of just commenting out that line that I should be looking for?

    Another update: It *mostly* works, but here is how I can break it:

    1. Login from user blog Meta

    2. Go to Root blog and logout from widget (Shows logged out, buddypress bar is gone)

    3. Go back to user blog and I’m still logged in and buddy press bar returns.

    Clearly, I’m just hacking around now, but this is what I see in wp-config:

    $base = '/';

    /** define('DOMAIN_CURRENT_SITE', 'bestagentblogs.com' ); */

    define('PATH_CURRENT_SITE', '/' );

    define('BLOGID_CURRENT_SITE', '1' );

    /**#@+
    * Authentication Unique Keys.
    *
    * Change these to different unique phrases!
    * You can generate these using the {@link http://api.wordpress.org/secret-key/1.1/ WordPress.org secret-key service}
    *
    * @since 2.6.0
    */

    $wp->cookiedomain = '.bestagentblogs.com';

    $wp->cookiepath = '/';

    $wp->sitecookiepath = '/';

    define( 'COOKIEHASH', 'b257fba77b067d0d00a5d34787893c58' );

    /** define( 'COOKIE_DOMAIN', '.bestagentblogs.com' ); */

    define( 'SITECOOKIEPATH', '/' );

    define( 'COOKIEPATH', '/' );

    define( 'ADMIN_COOKIE_PATH', '/' );

  • Christopher Price
    • The Incredible Code Injector

    Bah! This cookie stuff is maddening!

    After many long hours, this is the best I came up with:

    In wp-config, I need to comment out both:

    $wp->cookiedomain = '.bestagentblogs.com';

    define( 'COOKIE_DOMAIN', '.bestagentblogs.com' );

    Commenting out the second and replacing it with the suggestion above, gives identical results…

    If I log in from the root domain the educlean widget shows I’m logged in, but if I go to the mapped blog domain, Meta shows I’m not logged in.

    However, if I log in to the dashboard from the root blog widget, the proper dashboard appears, and if I visit site, Meta shows me logged in.

    If I log in from the blog’s wp-login, then immediately log out from the dashboard, Meta shows me logged out. But if I go to the root educlean blog, I am logged in.

    With those 2 lines commented out, I get it mostly right and users are able to log in from their blog’s wp-login. With those two lines left intact, users can only log in from the root educlean widget and not from their own wp-login.

  • Andrew
    • Champion of Loops

    I agree 100%. Getting the cookies to work right is a very annoying task. It feels like you’re going around in circles trying different things most of the time.

    Honestly, if you’ve got it to a point where you can live with it I’d call it a day. You can always revisit it at another time when you have nothing else to do.

    Thanks,

    Andrew
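
Added example, not part of the original thread and not WordPress or plugin code: a small model of the RFC 6265 rules a browser applies to a Set-Cookie header, run against the hosts mentioned above. It shows why a cookie carrying Domain=.bestagentblogs.com is discarded when the login response comes from a mapped domain, and why login state stops being shared between domains once the Domain attribute is gone. It assumes that the COOKIE_DOMAIN value is what ends up in the Domain attribute and that commenting it out produces a cookie with no Domain attribute; the function names are hypothetical.

```javascript
'use strict';

// RFC 6265 section 5.1.3: does `host` domain-match `domain`?
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + domain);
}

// Section 5.3: what a browser does with a Set-Cookie received from requestHost.
// domainAttr is the cookie's Domain attribute, or null when none is sent.
function storeDecision(requestHost, domainAttr) {
  if (!domainAttr) {
    return { stored: true, hostOnly: true, scope: requestHost.toLowerCase() };
  }
  const domain = domainAttr.replace(/^\./, '').toLowerCase(); // leading dot is ignored
  if (!domainMatch(requestHost, domain)) {
    return { stored: false, hostOnly: false, scope: null }; // cookie ignored entirely
  }
  return { stored: true, hostOnly: false, scope: domain };
}

// Would a cookie stored under `decision` be sent on a request to `host`?
function sentTo(decision, host) {
  if (!decision.stored) return false;
  return decision.hostOnly
    ? host.toLowerCase() === decision.scope
    : domainMatch(host, decision.scope);
}

// Hosts taken from the thread; the two scenarios are constructed for illustration.
const ROOT = 'www.bestagentblogs.com';
const SUB = 'theechelongroup.bestagentblogs.com';
const MAPPED = 'bestdenveragent.com';
const SCENARIOS = [['Domain=.bestagentblogs.com', '.bestagentblogs.com'],
                   ['no Domain attribute', null]];

function report() {
  const rows = [];
  for (const [label, attr] of SCENARIOS) {
    for (const loginHost of [ROOT, SUB, MAPPED]) {
      const d = storeDecision(loginHost, attr);
      rows.push({ label, loginHost, stored: d.stored,
        sentToRoot: sentTo(d, ROOT), sentToMapped: sentTo(d, MAPPED) });
    }
  }
  return rows;
}

console.table(report());
```

In the first scenario the mapped-domain row shows `stored: false`, which matches the "Cookies are blocked" error and the repeated login form. In the second, each login is stored but is only sent back to the host that set it, which matches the independent logged-in and logged-out states seen on the root and mapped domains.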