
Inactive users are unable to establish web sessions in order to see "You must wait for approval" messages
Closed, Resolved, Public

Description

I deployed Phabricator on a Mac mini for my team and configured the Username/Password auth provider.
But when a team member registered an account and tried to log in, an error page was shown with the following message:
Login cookie was set correctly, but your login session is not valid. Try clearing cookies and logging in again.

We have tried Chrome, Safari and Firefox, but still could not log in.
Can anyone help me work this out?
Thanks.

Rick

Event Timeline

rickyu raised the priority of this task from to Needs Triage.
rickyu updated the task description.
rickyu added a subscriber: rickyu.
chad added projects: Auth, Restricted Project.
chad added subscribers: angie, jhurwitz.
chad added a subscriber: epriestley.
chad added a subscriber: chad.

See also T8504, which uses Google for auth source.

I can't reproduce this locally.

Do any of the details I provided in T8504 (like the mention of the gray circle) help you understand what's going on here?

Maybe. Do you have approval queues on, or email verification on?

auth.require-approval is false
auth.require-email-verification is false

D13239 will fix this in some cases.

The grey dot indicates that the account is not activated. There are three conditions which make accounts "not activated":

  • Account is disabled.
  • Account is not approved.
  • Email address is not verified (and verification is required).

I can't immediately identify a way for an account to be "not activated" with those options off.

D13239 may reveal whatever the root issue is.

Can you show me the result of this?

mysql> SELECT isDisabled, isEmailVerified, isApproved FROM phabricator_user.user WHERE username = 'username';
+------------+-----------------+------------+
| isDisabled | isEmailVerified | isApproved |
+------------+-----------------+------------+
|          0 |               0 |          1 |
+------------+-----------------+------------+

epriestley renamed this task from login fail to Inactive users are unable to establish web sessions in order to see "You must wait for approval" messages. Jun 10 2015, 8:30 PM

Some more useful data:

  • Last week (before we upgraded Phabricator), I needed to create a user for something. I created a user from /people/, used ./bin/auth recover to log in as that user, and then the web UI immediately presented me with a "you must verify your email to use the website" screen.
  • Today, I just went through the same steps -- and instead of seeing "you must verify your email," I see the "login failure" page.
  • I checked our database to find a full list of all users with isEmailVerified=0. It's a bunch of really old test accounts, and then new accounts created this week. Every other account on our install is email verified.
  • I double-checked our settings. auth.require-email-verification displays as "false" in the list of all config settings, but when I click into it, it says "Value (Use Default)" and then further clarifies "By default, verification is optional unless auth.email-domains is nonempty." Our auth.email-domains setting is non-empty, so I think we do require email verification.

So, it very likely is the email verification requirement that's causing this problem. Will D13239 fix the issue in this case?

Sorry, bad at reading. Yeah, that's the issue. D13239 will fix things.

You can likely work around it in the meantime by setting isEmailVerified to 1 in that table. (I expect D13239 will land in the next few hours.)

epriestley claimed this task.

Presuming this is resolved since we found a reasonable explanation for the case above. Let me know if anyone is still seeing issues.

angie moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Jun 16 2015, 8:39 PM
angie moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Jun 16 2015, 8:58 PM
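
An added example, not part of the thread and not Phabricator's own code: it applies the three "not activated" conditions listed above, plus the default described for auth.require-email-verification, to rows shaped like the query result in the thread. The in-memory SQLite table, the usernames and the function names are constructed stand-ins for the real phabricator_user.user table; passing None for the explicit setting models "Use Default".

```python
import sqlite3

def verification_required(explicit, email_domains):
    # explicit=None models "Use Default": per the thread, verification is
    # optional unless auth.email-domains is nonempty.
    return bool(email_domains) if explicit is None else bool(explicit)

def inactive_reasons(is_disabled, is_email_verified, is_approved, need_verify):
    # The three conditions the thread lists for a "not activated" account.
    reasons = []
    if is_disabled:
        reasons.append("disabled")
    if not is_approved:
        reasons.append("not approved")
    if need_verify and not is_email_verified:
        reasons.append("email not verified")
    return reasons

def audit(conn, explicit, email_domains):
    # Map each non-activated username to the reasons it is not activated.
    need_verify = verification_required(explicit, email_domains)
    rows = conn.execute(
        "SELECT username, isDisabled, isEmailVerified, isApproved "
        "FROM user ORDER BY username")
    report = {}
    for name, disabled, verified, approved in rows:
        reasons = inactive_reasons(disabled, verified, approved, need_verify)
        if reasons:
            report[name] = reasons
    return report

def sample_db():
    # Constructed rows; "newuser" mirrors the 0/0/1 result shown in the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, isDisabled INT, "
                 "isEmailVerified INT, isApproved INT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?, ?)", [
        ("olduser", 0, 1, 1),
        ("newuser", 0, 0, 1),
        ("leaver", 1, 1, 1),
    ])
    return conn

if __name__ == "__main__":
    print(audit(sample_db(), None, ["example.com"]))  # domains set: verification required
    print(audit(sample_db(), None, []))               # no domains: verification optional
```

With a nonempty auth.email-domains and the setting left at its default, the 0/0/1 row is reported as "email not verified", which matches the explanation reached in the thread.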