2fa not working after upgrade to 7.14.7

Recently I upgraded from 7.14.6 to 7.14.7. Everything went smoothly I thought, until I logged out and tried to log back in. I got the “you have logged out because your session has expired” error!

I set 2fa to ‘0’ in the DB and I could log-in again. When 2fa is set and I logout, I get the “you have logged out because your session has expired” error when trying to log-in again. This happens for both admin and users.
Outgoing emails send ok from admin and users but no 2fa email is received.

I know there have been previous posts about this error but I have found none with an answer that helped.

I have reset permissions which did not help.

Can anyone help me please because I feel vulnerable without 2fa set.

Thanks

Have you tried in a different browser?

I hate this error! I have run into it many times. Not sure it’s directly related to 2FA; this may be a new issue. I know in this version there were some tweaks to persistent user data to fix some bugs.

Here is what has worked for me in the past:

   <?php echo ini_get("session.save_path");

Create a php file with this in it and find your session.save_path. Ensure it’s writable by SuiteCRM. This is mostly the problem.

If that doesn’t work, in config:
$sugar_config['verify_client_ip'] = false;

Also (I’m sure in your case it’s fine since you’ve been using it for some time):
Make sure your hostname and siteurl in config is correct.

Also don’t rule out browser cache, make sure you Shift+F5 in Chrome to flush it (several times).
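
An added example, not part of the original post and not SuiteCRM code: a fuller version of the save-path check suggested above, which also tests real writability and free space as the web server user. The function names `session_dir` and `check_session_dir` are hypothetical.

```php
<?php
// Added diagnostic, not SuiteCRM code. Request it through the web server so it
// runs as the same user and php.ini as SuiteCRM, then delete the file.
header('Content-Type: text/plain');

// session.save_path may be "N;/path" or "N;MODE;/path"; the directory is last.
function session_dir(string $raw): string
{
    $parts = explode(';', $raw);
    $dir = trim((string) end($parts));
    return $dir !== '' ? $dir : sys_get_temp_dir();
}

// Returns existence, real writability and free space for the session directory.
function check_session_dir(string $dir): array
{
    $report = ['dir' => $dir, 'exists' => is_dir($dir), 'writable' => false, 'free_mb' => null];
    if (!$report['exists']) {
        return $report;
    }
    // tempnam() silently falls back to the system temp dir when $dir is not
    // writable, so confirm the probe file really landed in $dir.
    $probe = @tempnam($dir, 'chk');
    if ($probe !== false) {
        $report['writable'] = realpath(dirname($probe)) === realpath($dir);
        @unlink($probe);
    }
    $free = @disk_free_space($dir);
    if ($free !== false) {
        $report['free_mb'] = (int) floor($free / 1048576);
    }
    return $report;
}

$uid = function_exists('posix_geteuid') ? posix_geteuid() : 'unknown';
echo "PHP process uid: $uid\n";
echo 'session.save_handler: ' . ini_get('session.save_handler') . "\n";
echo 'session.save_path (raw): ' . ini_get('session.save_path') . "\n";
foreach (check_session_dir(session_dir((string) ini_get('session.save_path'))) as $k => $v) {
    echo $k . ': ' . var_export($v, true) . "\n";
}
```

The output discloses server paths, so the file should not stay in the web root once the check is done.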

Is it same as below?

Admin>System Settings>Advanced>Validate user IP address: TURN OFF

Yes, but if you can’t get in, changing admin settings in the GUI is not possible.

If you are running a Debian based system, can you please run “df -H” under your root directory and copy your results? It will show us your drive size and percent usage. We have seen a very similar issue(s) in the 7.14 version line. If your results show good, this could be a new issue/bug.

Another thing we do when testing upgrades is we activate an admin account that doesn’t have 2 factor set. That way, if something is buggy you can always get in. Then after we test the upgrade and we find it ready for production we deactivate that admin account that doesn’t have 2 factor on.

Good morning and thanks for replies.

To clarify, SCRM is running on a Linux Host with PHP8.2. My local machine is a Mac with Chrome.

Tried running on Safari. No success.
Back on Chrome… Tried setting ‘Validate user IP address’ off. Saved. Turned on 2fa in profile. Saved. Result: locked out.

Cleared cookies and tried running in ‘incognito mode’. Still locked out.

Session path was /php/session with permission set to 755. It was full of session files but I tried 775 to give group access anyway. No luck.

Result of df -H

   Filesystem  Size  Used  Avail  Use%  Mounted on
   /dev/sda2   116G  101G  9.0G   92%   /
   /dev/sdc1   1.4T  1.2T  58G    96%   /tmp
   tmpfs       16G   1.2M  16G    1%    /run/dbus
   tmpfs       16G   0     16G    0%    /dev/shm

Looks ok to me.

I’m still at a loss as to why this isn’t working. Any other ideas please?

An update:
I put this problem aside for the time being and went ahead to try and set up OAuth with GMail. It took me 2 days to sort it out, but I got it solved with a few code changes.
Once I had email working, I thought I’d try 2fa again and hey presto it’s all working. Not sure why but I suspect it’s all tied up together somehow.

In trying to solve the OAuth / Gmail, I’ve noticed many have tried but failed which of course didn’t help me. To do my bit I’ll put up in a separate post how I got it working if anyone is interested.
Cheers

After upgrading to 7.15.1 this bug has struck me again. All my old tricks listed above haven’t worked. Cleared cookies. Checked drive space. I have an admin account set without 2 factor so I’m able to get logged back in to SuiteCRM. It seems to be an issue with emails from system emails. When I go in and hit the test email button from system, the test email sends as expected. The 2-factor login emails, reminder call emails, and anything from system will not send outside of the test emails. Any advice here?

Hi @TerryL
The most likely fix is that your SMTP credentials got corrupted or incorrectly re-encrypted during the upgrade. Go to Admin → Email Settings → Outbound Email, edit the system email account, change the password to something temporary like 123456, hit Save, then immediately edit it again with the correct password and Save once more. Repeat this for any individual user outbound accounts as well. This forces SuiteCRM to properly re-store the credentials, and has resolved the exact symptom you’re describing where test emails work fine but system-triggered emails like 2FA codes simply never send.

Hello @Rolustech Thank you very much! This worked for us! @pstevens, when you run into this, try this solution. @TerryL, can you please mark his answer as the solution? Thank you all for looking into this.

Thanks @IJLfinancial I’ve tried resetting the password in SuiteCRM and by email password reset. The root of the problem is the password never gets written in the DB for some reason. It’s kind of random and I haven’t figured out what exactly causes it. The only solution I found so far is to physically enter the new password directly in the DB.

I’m now running 7.15 and have found that the 2fa tick box in the profile of a logged-in user does not save.

That is to say it does not save ticking or un-ticking. I needed to resort to DB direct modification in ‘users’.

@TerryL Something seems off on that one. I haven’t been able to reproduce. Let’s start a new thread. You will get more attention. My 1st suggestion is to clear cookies. Try a different browser. Try on different versions of browsers. Reboot the server.

Thanks @IJLfinancial Just thought it might be related to @pstevens password issue. I’ll start a new thread coz your suggestions did not work.