Marcus Povey

Time, Space, and Plexiglas

Tag Archives: login

Login via Facebook API just broke, here’s how to fix it…

Posted on March 30, 2017
by Marcus Povey

If you, like me, have been asked on more than one occasion to write a Facebook login integration for a site, you're likely to have used the Facebook API library. You also, like me, probably have a number of sites running older versions of this library that you've not had a chance to update. Often these libraries are bundled with plugins; for Elgg, the now increasingly ancient "social_connect" plugin is common.

Social_connect, in particular, uses HybridAuth, which is no longer maintained and which itself bundles a rather old version of the Facebook API library.

Anyway, the point is that you've got some legacy stuff out there. You've had the warnings from Facebook about version 2.2 of their API, scanned the changelog and run their migration tool. Today, you've suddenly got a bunch of emails from clients saying that the API logins no longer work.

When you take a look, you find that every attempt to log in either spits out an error about no valid User ID being returned or goes into an infinite redirect loop.

How to fix this

It took me a fair amount of digging to track this down, but what has happened is that the API has changed the format of the response to the access token request: it now returns a JSON object rather than a URL-encoded query string.

If this was mentioned in the changelog, I missed it. Newer versions of Facebook's API library handle this, but if you're using an older version (or rolled your own), you need to change the bit of your code that parses the access token out of the auth code request so that it handles JSON.

In the legacy Facebook API library, this is found in the method getAccessTokenFromCode() found in base_facebook.php, and you need to replace the following:

// Legacy behaviour: expects a URL-encoded body such as access_token=...&expires=...
// When the endpoint replies with JSON instead, parse_str() yields no access_token
// key, this returns false, and the caller fails or redirects forever.
$response_params = array();
parse_str($access_token_response, $response_params);
if (!isset($response_params['access_token'])) {
  return false;
}
return $response_params['access_token'];

with…

// Current behaviour: the token endpoint returns a JSON object such as
// {"access_token":"...","token_type":"bearer","expires_in":...}
// json_decode() returns null for a malformed body, and empty() on a property of
// null is true, so a bad reply still falls through to the false return.
$response_params = json_decode($access_token_response);
if (empty($response_params->access_token)) {
    return false;
}
return $response_params->access_token;
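As an added illustration (not code from the post or from the Facebook library), the following Python shows both parsing behaviours side by side: `legacy_parse` mirrors the old parse_str-based code and returns nothing for a JSON body, which is the failure the post describes, while `parse_access_token_response` accepts either shape and rejects an error object, an empty body or a missing token instead of silently returning false. The sample replies, token strings and the `{"error": {...}}` shape are constructed assumptions for the example, not values taken from the page.

```python
import json
from urllib.parse import parse_qs


class TokenResponseError(ValueError):
    """Raised when the token endpoint's reply contains no usable access token."""


def _qs_to_dict(body: str) -> dict:
    """Flatten parse_qs output to one value per key, like PHP's parse_str()."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def legacy_parse(body: str):
    """Behaviour of the unpatched library: URL-encoded parsing only.

    Returns the token, or None (the PHP `return false`) when the key is absent,
    which is what happens once the endpoint starts answering with JSON.
    """
    return _qs_to_dict(body).get("access_token") or None


def parse_access_token_response(body: str) -> dict:
    """Extract the access token from an /oauth/access_token reply of either shape.

    Older API versions answered with access_token=...&expires=...; newer ones
    answer with a JSON object. Handling both keeps a patched library working
    across the cutover instead of failing or redirect-looping.
    """
    body = body.strip()
    if not body:
        raise TokenResponseError("empty token response")

    if body.startswith("{"):
        try:
            params = json.loads(body)
        except json.JSONDecodeError as exc:
            raise TokenResponseError(f"malformed JSON token response: {exc}") from exc
        if not isinstance(params, dict):
            raise TokenResponseError("JSON token response is not an object")
        if "error" in params:
            # Assumed failure shape: {"error": {"message": ..., "code": ...}}
            err = params["error"]
            msg = err.get("message", "unknown error") if isinstance(err, dict) else str(err)
            raise TokenResponseError(f"token endpoint returned an error: {msg}")
    else:
        params = _qs_to_dict(body)

    token = params.get("access_token")
    if not isinstance(token, str) or not token:
        raise TokenResponseError("no access_token in token response")

    result = {"access_token": token}
    # Expiry is "expires" in the legacy form and "expires_in" in the JSON form.
    expires = params.get("expires_in", params.get("expires"))
    if expires is not None:
        try:
            result["expires_in"] = int(expires)
        except (TypeError, ValueError):
            raise TokenResponseError("non-numeric expiry in token response")
    return result


# Constructed sample replies (placeholder tokens, not real ones), one per format.
LEGACY_REPLY = "access_token=EXAMPLE_LEGACY_TOKEN&expires=5183944"
JSON_REPLY = '{"access_token":"EXAMPLE_JSON_TOKEN","token_type":"bearer","expires_in":5183944}'
ERROR_REPLY = '{"error":{"message":"Invalid verification code","code":100}}'

if __name__ == "__main__":
    print("legacy parser on JSON reply:", legacy_parse(JSON_REPLY))
    for reply in (LEGACY_REPLY, JSON_REPLY, ERROR_REPLY):
        try:
            print(parse_access_token_response(reply))
        except TokenResponseError as exc:
            print("rejected:", exc)
```

Raising on an error object is deliberate: returning false for every failure, as the original code does, is what turns a bad reply into a redirect loop, whereas an exception surfaces the endpoint's message in your logs.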

Hopefully this will result in a less high blood pressure day for you…

Posted in Web | Tagged api, broken, changes, facebook, login

Blocking no-referrer script kiddie login attempts

Posted on September 17, 2015
by Marcus Povey

Ok, so here’s a quicky.

Like anyone who runs a WordPress site, I get numerous attempts from script kiddies trying to guess the login. The vast majority of these are handled by fail2ban, but I've noticed an increase in the distributed kind of attack: multiple attempts to log in, but each from a different IP.

These fell below the ban threshold, so they were getting through. Since defence in depth is good, and I wanted quiet logs, I thought I'd do something about this.

On inspection, it looked like the scripts aren't terribly smart, in that they just make a POST to wp-login.php without first loading the login form, meaning they POST without setting a referrer. So, I wrote a rewrite rule that blocks POST attempts to wp-login.php that have no referrer set.

This is by no means foolproof, since the referrer can easily be faked, but it raises the bar slightly for them.

Blocking the scripts

Place the following in the .htaccess file, or the httpd.conf virtual host, for your WordPress site:

RewriteEngine On

# Refuse the request only when all three conditions hold:
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-login\.php
RewriteCond %{HTTP_REFERER} ^$
# ...by answering 403 Forbidden and stopping further rewriting
RewriteRule .* - [F,L]

What this does is block all POST requests to wp-login.php that have an empty referrer, returning a 403 error when this occurs.

It's very simple, and easy to work around, but it seems to block most script kiddies.
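An added Python example (not part of the post, and not the rewrite rule itself): `rule_blocks` mirrors the three RewriteCond tests, and `audit_log` runs them over Apache combined-format access log lines, so that before deploying you can estimate from an existing log how many POSTs the rule would have rejected, from how many addresses, and whether any genuine form submissions would be caught. The log lines, addresses and user agents below are constructed for the example.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def rule_blocks(method: str, uri: str, referer: str) -> bool:
    """Mirror of the three RewriteCond lines: POST, to wp-login.php, empty Referer.

    Apache logs an absent Referer header as "-", so both "" and "-" count as empty.
    The URI test is a substring match, like the unanchored RewriteCond regex.
    """
    return method == "POST" and "/wp-login.php" in uri and referer in ("", "-")


def audit_log(lines):
    """Return (blocked_total, blocked_per_ip, allowed_login_posts) for the log lines.

    Lines the regex cannot parse are skipped rather than guessed at.
    """
    blocked = Counter()
    allowed_posts = 0
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue
        if rule_blocks(m["method"], m["uri"], m["referer"]):
            blocked[m["host"]] += 1
        elif m["method"] == "POST" and "/wp-login.php" in m["uri"]:
            allowed_posts += 1
    return sum(blocked.values()), blocked, allowed_posts


# Constructed sample log lines (not from a real server): a distributed guessing run
# from three addresses with no Referer, plus one legitimate form load and submission.
SAMPLE_LOG = [
    '203.0.113.10 - - [17/Sep/2015:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [17/Sep/2015:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [17/Sep/2015:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.7"',
    '203.0.113.10 - - [17/Sep/2015:10:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Sep/2015:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Sep/2015:10:02:14 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"',
    '198.51.100.8 - - [17/Sep/2015:10:03:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    total, per_ip, allowed = audit_log(SAMPLE_LOG)
    print(f"rule would reject {total} POSTs from {len(per_ip)} addresses; "
          f"{allowed} login POST(s) unaffected")
    for ip, n in per_ip.most_common():
        print(f"  {ip}: {n}")
```

Feed it your real access log with `audit_log(open("access.log"))`: a non-zero `allowed` count alongside a large `blocked` total is the picture the post describes, and a browser-driven login (form GET first, then POST with the page as referrer) lands in the allowed bucket.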

Testing

To test, use curl; the following should fail:

curl -d 'test' https://example.com/wp-login.php

But this will return some content:

curl -d 'test' --referer foo.bar https://example.com/wp-login.php

Posted in Wordpress | Tagged curl, hack, login, scriptkiddies, wordpress

Artisanal bit wrangler, Hacker, Wanderer. Have laptop, will travel.

Read more...

Follow me on: mapkyca.com, LinkedIn, Twitter, Github, RedBubble Store

Marcus Povey marcus@marcus-povey.co.uk mapkyca https://orcid.org/0000-0002-7615-8299
All content is © Copyright Marcus Povey 2008-2019 and released under a licence unless otherwise stated.

    loading Cancel
    Post was not sent - check your email addresses!
    Email check failed, please try again
    Sorry, your blog cannot share posts by email.