Can't login with MFA

I searched the error message and the corresponding string key is LBL_SESSION_EXPIRED.

LBL_SESSION_EXPIRED appears in a few JavaScript files and, in particular, in one PHP script:
. modules/Users/authentication/SugarAuthenticate/SugarAuthenticate.php
. include/javascript/alerts.js (as well as the consolidated and cached files built from this file)
. include/MVC/SugarApplication.php

Concentrating on the first file the portion of code is:

    // If the user stored in the session can no longer be loaded, the session is
    // destroyed and the browser is sent back to the login page with LBL_SESSION_EXPIRED.
    if (!$this->userAuthenticate->loadUserOnSession($_SESSION['authenticated_user_id'])) {
        session_destroy();
        header("Location: index.php?action=Login&module=Users&loginErrorMessage=LBL_SESSION_EXPIRED");
        $GLOBALS['log']->debug('Current user session does not exist redirecting to login');
        sugar_cleanup(true);
    }

This is part of a function called postSessionAuthenticate, which is called immediately after the authentication of a user. The call takes place from a function called sessionAuthenticate, which can be found in the same file:

    // Only an already authenticated session reaches postSessionAuthenticate.
    if (isset($_SESSION['authenticated_user_id'])) {
        $GLOBALS['log']->debug("We have an authenticated user id: " . $_SESSION["authenticated_user_id"]);
        $authenticated = $this->postSessionAuthenticate();
    }

For some reason, after the session appears to be set correctly it is no longer correctly set immediately after.

I haven’t continued to reverse engineer because I don’t have time now and because I don’t have the possibility to test as I don’t have MFA.

In any case I hope this puts you on the right track.

Here are some thoughts of the potential causes that I can think of now:

  1. MFA does something to the session variables
  2. The OS user/owner of the MFA processes is not the same as the one of SuiteCRM so, at some point some (OS level) permission fails.
  3. Ajax: there may be some Ajax calls which expect some response. If there is something unexpected in the response the remaining part of the code may fail. To prevent this you should check your configuration in php.ini and look for error_reporting and correct it to avoid any output on screen. Normally I set it in the following way:
error_reporting = E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT & ~E_WARNING
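An added diagnostic helper (not from the post above and not SuiteCRM code) for checking the first hypothesis, that the MFA step changes the session variables: it fingerprints $_SESSION at two points and logs which keys were added, removed or changed, so the authenticated_user_id disappearing can be confirmed in suitecrm.log without writing ids or tokens there in clear. The call site in SugarAuthenticate::sessionAuthenticate around the MFA step is something you would have to add yourself; the two sample session arrays at the bottom are constructed.

```php
<?php
// Added example, not part of the post or of SuiteCRM: diff two $_SESSION snapshots around the
// MFA step. Values are hashed so the log only shows which keys changed, never their contents.

function sessionSnapshot(array $session): array
{
    $snap = [];
    foreach ($session as $key => $value) {
        $encoded = is_scalar($value) ? (string) $value : json_encode($value);
        $snap[$key] = substr(hash('sha256', $encoded), 0, 12); // short fingerprint, not the value
    }
    return $snap;
}

function sessionDiff(array $before, array $after): array
{
    $diff = ['added' => [], 'removed' => [], 'changed' => []];
    foreach ($after as $key => $fingerprint) {
        if (!array_key_exists($key, $before)) {
            $diff['added'][] = $key;
        } elseif ($before[$key] !== $fingerprint) {
            $diff['changed'][] = $key;
        }
    }
    foreach (array_keys($before) as $key) {
        if (!array_key_exists($key, $after)) {
            $diff['removed'][] = $key;
        }
    }
    return $diff;
}

function logSessionDiff(string $stage, array $before, array $after): string
{
    $diff = sessionDiff($before, $after);
    $line = sprintf('%s: session_id=%s added=[%s] removed=[%s] changed=[%s]',
        $stage, session_id() ?: 'none',
        implode(',', $diff['added']), implode(',', $diff['removed']), implode(',', $diff['changed']));
    // Inside SuiteCRM use its logger, as the quoted code does; fall back to error_log elsewhere.
    isset($GLOBALS['log']) ? $GLOBALS['log']->debug($line) : error_log($line);
    return $line;
}

// Constructed sample input standing in for $_SESSION before and after the MFA step.
$beforeMfa = sessionSnapshot(['authenticated_user_id' => 'constructed-user-id', 'user_language' => 'en_us']);
$afterMfa  = sessionSnapshot(['authenticated_user_id' => '', 'user_language' => 'en_us']);
echo logSessionDiff('postSessionAuthenticate', $beforeMfa, $afterMfa), PHP_EOL;
```

Take the first snapshot where sessionAuthenticate finds authenticated_user_id set and the second just before loadUserOnSession runs; a changed or removed authenticated_user_id between the two points at the MFA stage supports the first hypothesis, while an unchanged session points at causes 2 or 3.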