Logging in: You have been logged out

rtx · April 13, 2021, 6:37pm

Just upgraded to 1.7.10. I also updated all plugins that needed updating. I switched on 2FA. Now every time I login to admin I get a message saying I’m logged in, immediately followed by a little red popup saying “You have been logged out”. I never get to the admin page. Anybody got any suggestions, please?

pamtbaau · April 13, 2021, 7:17pm

@rtx, Seems to be a know issue. If your issue is the same, it should be fixed in next release. See issue at Admin repo. Scroll down to see the ‘You have been logged out’ issue.

rtx · April 14, 2021, 9:52am

Thanks @pamtbaau. My issue is not the invalid security token issue of the original bug report, but it is identical to the report and image posted by Eihrister in the same dialogue. From the dialogue sequence on Github, I’m not sure whether or not this issue has been addressed in a pending release - I hope so.

I’ve managed to get in to the admin panel by editing my user/accounts/{name}.yaml file from the hosting control panel. I wasn’t sure what I was doing, so I used as a template the yaml file from a site that I hadn’t enabled 2FA on. There were a number of differences between the files. I wasn’t sure which to change and which not, but it was not sufficient just to change the twofa_enabled: setting to false. I deleted some lines and changed the hashed_password setting to the actual password (having deleted the “hashed_” part of the field name.

pamtbaau · April 14, 2021, 10:32am

@rtx, Down the thread it says:

All issues should be fixed now (tested with this site), so closing the issue.

Fixes are in the next release.

Then, if you look in the CHANGELOG, it says:

v1.10.11

04/13/2021

IMPORTANT Fixed security vulnerability that allows installation of plugins with minimal admin privileges GHSA-wg37-cf5x-55hq

Fixed You have been logged out message when entering to 2FA authentication due to /admin/task:getNotifications AJAX call

Fixed broken 2FA login when site is not configured to use Flex Users #2109

Fixed error message when user clicks logout link after the session has been expired

Usually, when a new release is in the making, it has no date set. This one has, so version v1.10.11 should have been released yesterday, but unfortunately the new version isn’t yet detected by Admin nor $ bin/gpm update. Shouldn’t take long though…