Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3452630

Timestamp:

02/03/2026 07:33:19 AM (5 weeks ago)

Author:

basecloud

Message:

Update to version 1.2.8 from GitHub

Location:

basecloud-shield

Files:

: 8 edited
: 1 copied

tags/1.2.8 (copied) (copied from basecloud-shield/trunk)
tags/1.2.8/CHANGELOG.md (modified) (1 diff)
tags/1.2.8/basecloud-shield.php (modified) (4 diffs)
tags/1.2.8/package.json (modified) (1 diff)
tags/1.2.8/readme.txt (modified) (2 diffs)
trunk/CHANGELOG.md (modified) (1 diff)
trunk/basecloud-shield.php (modified) (4 diffs)
trunk/package.json (modified) (1 diff)
trunk/readme.txt (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

basecloud-shield/tags/1.2.8/CHANGELOG.md

-                      r3452601
+                      r3452630
 All notable changes to BaseCloud Shield will be documented in this file.
+## [1.2.8] - 2026-02-03
+### 🔥 Critical Hotfix
+- **FIXED**: "Suspicious session detected" error blocking legitimate logins
+- **FIXED**: Session token validation now works correctly
+- Session token generation now uses consistent secret instead of time-based
+- Users can successfully complete login flow without false security alerts
+### ✨ Improvements
+- Enhanced OTP lock mechanism to prevent unnecessary duplicate OTP generation
+- Existing valid OTP is reused if user attempts login multiple times
+- Better handling of page refreshes during OTP verification process
+- Reduced false positive security alerts for legitimate users
+### 🐛 Bug Fixes
+- Session token mismatch that was flagging all logins as suspicious
+- OTP lock mechanism now properly redirects to verification page
 ## [1.2.7] - 2026-02-03

basecloud-shield/tags/1.2.8/basecloud-shield.php

-                      r3452601
+                      r3452630
  * Plugin Name:       BaseCloud Shield
  * Description:       Enterprise-grade 2FA security. Supports Central Manager Notifications, WP Email, SendGrid, WhatsApp, SMS, and Webhooks.
  * Version:           1.2.7
+ * Version:           1.2.8
  * Author:            BaseCloud Team
  * Author URI:        https://www.basecloudglobal.com/
 …
 if (!defined('ABSPATH')) { exit; }
 define('BCSHIELD_VERSION', '1.2.7');
+define('BCSHIELD_VERSION', '1.2.8');
 define('BCSHIELD_MAX_ATTEMPTS', 5);
 define('BCSHIELD_LOCKOUT_DURATION', 900);
 …
         // Prevent duplicate OTP generation (lock mechanism)
         $lock_key = 'bcshield_otp_lock_' . $user->ID;
+        if (get_transient($lock_key)) {
+            // OTP already generated recently, skip duplicate
+            return $user;
+        $existing_otp = get_transient('bcshield_otp_' . $user->ID);
+        // If OTP already exists and is valid, redirect to verification page without generating new OTP
+        if ($existing_otp && get_transient($lock_key)) {
+            $session_token = $this->generate_session_token($user->ID, $client_ip, $user_agent);
+            setcookie('bcshield_pending_user', $user->ID, time() + ($opts['otp_validity'] ?? 10) * 60, '/', '', true, true);
+            setcookie('bcshield_session', $session_token, time() + ($opts['otp_validity'] ?? 10) * 60, '/', '', true, true);
+            $base_url = site_url();
+            $redirect = add_query_arg('bcshield_action', 'verify_otp', $base_url);
+            wp_redirect($redirect);
+            exit;
+        }
 …
     private function generate_session_token($user_id, $ip, $user_agent) {
+        $secret = wp_salt('nonce') . time();
+        // Use a consistent secret (not time-based) so token remains valid during OTP entry
+        $secret = wp_salt('nonce') . BCSHIELD_VERSION;
         return hash_hmac('sha256', $user_id . $ip . $user_agent, $secret);
+    }

basecloud-shield/tags/1.2.8/package.json

r3452601	r3452630
1	1	{
2	2	"name": "basecloud-shield",
3		"version": "1.2.7",
	3	"version": "1.2.8",
4	4	"description": "WordPress 2FA Security Plugin - Build and deployment scripts",
5	5	"scripts": {

basecloud-shield/tags/1.2.8/readme.txt

-                      r3452601
+                      r3452630
 Requires at least: 5.0
 Tested up to: 6.9
 Stable tag: 1.2.7
+Stable tag: 1.2.8
 Requires PHP: 7.4
 License: GPLv2 or later
 …
 == Changelog ==
+= 1.2.8 =
+**Critical Hotfix - Login Issue Resolved**
+**CRITICAL FIX:**
+• Fixed "Suspicious session detected" blocking legitimate logins
+• Session token now uses consistent secret (not time-based)
+• Users can now successfully complete login with OTP
+**Improvements:**
+• Enhanced OTP lock mechanism to prevent duplicate generation
+• Existing valid OTP reused if login attempted multiple times
+• Better handling of page refreshes during OTP verification
+• Reduced false positive security alerts
 = 1.2.7 =

basecloud-shield/trunk/CHANGELOG.md

-                      r3452601
+                      r3452630
 All notable changes to BaseCloud Shield will be documented in this file.
+## [1.2.8] - 2026-02-03
+### 🔥 Critical Hotfix
+- **FIXED**: "Suspicious session detected" error blocking legitimate logins
+- **FIXED**: Session token validation now works correctly
+- Session token generation now uses consistent secret instead of time-based
+- Users can successfully complete login flow without false security alerts
+### ✨ Improvements
+- Enhanced OTP lock mechanism to prevent unnecessary duplicate OTP generation
+- Existing valid OTP is reused if user attempts login multiple times
+- Better handling of page refreshes during OTP verification process
+- Reduced false positive security alerts for legitimate users
+### 🐛 Bug Fixes
+- Session token mismatch that was flagging all logins as suspicious
+- OTP lock mechanism now properly redirects to verification page
 ## [1.2.7] - 2026-02-03

basecloud-shield/trunk/basecloud-shield.php

-                      r3452601
+                      r3452630
  * Plugin Name:       BaseCloud Shield
  * Description:       Enterprise-grade 2FA security. Supports Central Manager Notifications, WP Email, SendGrid, WhatsApp, SMS, and Webhooks.
  * Version:           1.2.7
+ * Version:           1.2.8
  * Author:            BaseCloud Team
  * Author URI:        https://www.basecloudglobal.com/
 …
 if (!defined('ABSPATH')) { exit; }
 define('BCSHIELD_VERSION', '1.2.7');
+define('BCSHIELD_VERSION', '1.2.8');
 define('BCSHIELD_MAX_ATTEMPTS', 5);
 define('BCSHIELD_LOCKOUT_DURATION', 900);
 …
         // Prevent duplicate OTP generation (lock mechanism)
         $lock_key = 'bcshield_otp_lock_' . $user->ID;
+        if (get_transient($lock_key)) {
+            // OTP already generated recently, skip duplicate
+            return $user;
+        $existing_otp = get_transient('bcshield_otp_' . $user->ID);
+        // If OTP already exists and is valid, redirect to verification page without generating new OTP
+        if ($existing_otp && get_transient($lock_key)) {
+            $session_token = $this->generate_session_token($user->ID, $client_ip, $user_agent);
+            setcookie('bcshield_pending_user', $user->ID, time() + ($opts['otp_validity'] ?? 10) * 60, '/', '', true, true);
+            setcookie('bcshield_session', $session_token, time() + ($opts['otp_validity'] ?? 10) * 60, '/', '', true, true);
+            $base_url = site_url();
+            $redirect = add_query_arg('bcshield_action', 'verify_otp', $base_url);
+            wp_redirect($redirect);
+            exit;
+        }
 …
     private function generate_session_token($user_id, $ip, $user_agent) {
+        $secret = wp_salt('nonce') . time();
+        // Use a consistent secret (not time-based) so token remains valid during OTP entry
+        $secret = wp_salt('nonce') . BCSHIELD_VERSION;
         return hash_hmac('sha256', $user_id . $ip . $user_agent, $secret);
+    }

basecloud-shield/trunk/package.json

r3452601	r3452630
1	1	{
2	2	"name": "basecloud-shield",
3		"version": "1.2.7",
	3	"version": "1.2.8",
4	4	"description": "WordPress 2FA Security Plugin - Build and deployment scripts",
5	5	"scripts": {

basecloud-shield/trunk/readme.txt

-                      r3452601
+                      r3452630
 Requires at least: 5.0
 Tested up to: 6.9
 Stable tag: 1.2.7
+Stable tag: 1.2.8
 Requires PHP: 7.4
 License: GPLv2 or later
 …
 == Changelog ==
+= 1.2.8 =
+**Critical Hotfix - Login Issue Resolved**
+**CRITICAL FIX:**
+• Fixed "Suspicious session detected" blocking legitimate logins
+• Session token now uses consistent secret (not time-based)
+• Users can now successfully complete login with OTP
+**Improvements:**
+• Enhanced OTP lock mechanism to prevent duplicate generation
+• Existing valid OTP reused if login attempted multiple times
+• Better handling of page refreshes during OTP verification
+• Reduced false positive security alerts
 = 1.2.7 =

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Plugin Directory