Project upgraded from v2024 t0 v2025.
Forced 2FA is disabled and not using it.
No code in these functions:
function User_CustomValidate
function User_Validated
Getting “Incorrect username or password” all the time.
Project upgraded from v2024 t0 v2025.
Forced 2FA is disabled and not using it.
No code in these functions:
function User_CustomValidate
function User_Validated
Getting “Incorrect username or password” all the time.
UPDATE: if I disable 2FA altogether, i can now login.
There seems to be a problem in the super user logging in, if 2FA is enabled.
I’ve also experienced problems when activating 2FA for Super Admin.
But for regular users 2FA works (“Forced 2FA” disabled).
You may try delete cookies from your browser and try again.
I deleted the cookies, got same result. Also tried private browsing; no change.
You may enable Debug and check the log file. If you cannot find anything wrong from the log, post the log for discussion.
Thanks for your help, arbei. Here is the log:
[2025-01-31T14:14:29.085308+00:00] log.DEBUG: CORS analysis for request started. [] []
[2025-01-31T14:14:29.087903+00:00] log.INFO: Request is not CORS (request origin is empty). [] []
[2025-01-31T14:14:29.089442+00:00] log.DEBUG: CORS analysis for request completed. [] []
[2025-01-31T14:14:29.316993+00:00] log.DEBUG: Checking for authenticator support. {"firewall_name":"main","authenticators":3} []
[2025-01-31T14:14:29.317073+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin1faAuthenticator"} []
[2025-01-31T14:14:29.317106+00:00] log.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin1faAuthenticator"} []
[2025-01-31T14:14:29.318767+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin2faAuthenticator"} []
[2025-01-31T14:14:29.318834+00:00] log.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin2faAuthenticator"} []
[2025-01-31T14:14:29.318860+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator"} []
[2025-01-31T14:14:29.318884+00:00] log.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator"} []
[2025-01-31T14:14:29.488001+00:00] log.DEBUG: CORS analysis for request started. [] []
[2025-01-31T14:14:29.489848+00:00] log.INFO: Request is not CORS (request origin is empty). [] []
[2025-01-31T14:14:29.490386+00:00] log.DEBUG: CORS analysis for request completed. [] []
[2025-01-31T14:14:29.638360+00:00] log.DEBUG: Checking for authenticator support. {"firewall_name":"main","authenticators":3} []
[2025-01-31T14:14:29.638496+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin1faAuthenticator"} []
[2025-01-31T14:14:29.638592+00:00] log.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin1faAuthenticator"} []
[2025-01-31T14:14:29.638666+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin2faAuthenticator"} []
[2025-01-31T14:14:29.638755+00:00] log.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin2faAuthenticator"} []
[2025-01-31T14:14:29.638833+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator"} []
[2025-01-31T14:14:29.638897+00:00] log.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator"} []
[2025-01-31T14:14:34.115672+00:00] log.DEBUG: CORS analysis for request started. [] []
[2025-01-31T14:14:34.116789+00:00] log.DEBUG: Request is identified as an actual CORS request. [] []
[2025-01-31T14:14:34.117274+00:00] log.DEBUG: CORS analysis for request completed. [] []
[2025-01-31T14:14:34.210047+00:00] log.DEBUG: Checking for authenticator support. {"firewall_name":"main","authenticators":3} []
[2025-01-31T14:14:34.210113+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin1faAuthenticator"} []
[2025-01-31T14:14:34.210176+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin2faAuthenticator"} []
[2025-01-31T14:14:34.210214+00:00] log.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin2faAuthenticator"} []
[2025-01-31T14:14:34.210237+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator"} []
[2025-01-31T14:14:34.210293+00:00] log.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator"} []
[2025-01-31T14:14:36.075954+00:00] log.INFO: Authenticator successful! {"token":{"Symfony\\Component\\Security\\Core\\Authentication\\Token\\UsernamePasswordToken":"UsernamePasswordToken(user=\"admin_user\", roles=\"ROLE_SUPER_ADMIN\")"},"authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin1faAuthenticator"} []
[2025-01-31T14:14:36.080479+00:00] log.DEBUG: The "{authenticator}" authenticator set the response. Any later authenticator will not be called {"authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin1faAuthenticator"} []
[2025-01-31T14:14:36.080632+00:00] log.DEBUG: Stored the security token in the session. {"key":"_security_main"} []
[2025-01-31T14:14:36.250899+00:00] log.DEBUG: CORS analysis for request started. [] []
[2025-01-31T14:14:36.252052+00:00] log.INFO: Request is not CORS (request origin is empty). [] []
[2025-01-31T14:14:36.252370+00:00] log.DEBUG: CORS analysis for request completed. [] []
[2025-01-31T14:14:36.395869+00:00] log.DEBUG: Read existing security token from the session. {"key":"_security_main","token_class":"Symfony\\Component\\Security\\Core\\Authentication\\Token\\UsernamePasswordToken"} []
[2025-01-31T14:14:36.397124+00:00] log.DEBUG: User was reloaded from a user provider. {"provider":"Symfony\\Component\\Security\\Core\\User\\InMemoryUserProvider","username":"admin_user"} []
[2025-01-31T14:14:36.400641+00:00] log.DEBUG: Checking for authenticator support. {"firewall_name":"main","authenticators":3} []
[2025-01-31T14:14:36.400717+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin1faAuthenticator"} []
[2025-01-31T14:14:36.400775+00:00] log.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin1faAuthenticator"} []
[2025-01-31T14:14:36.400823+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin2faAuthenticator"} []
[2025-01-31T14:14:36.400871+00:00] log.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin2faAuthenticator"} []
[2025-01-31T14:14:36.400915+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator"} []
[2025-01-31T14:14:36.400962+00:00] log.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator"} []
Click Tools → Update Template and try again.
Problem solved! I can now log the super user in with 2FA on, either forced or not.
Thanks a lot!
Did the template change again? The problem is back when forced 2fa is not enabled.
The debug output I’m getting:
[2025-02-04T12:25:53.050368+00:00] log.DEBUG: CORS analysis for request started. [] []
[2025-02-04T12:25:53.053470+00:00] log.INFO: Request is not CORS (request origin is empty). [] []
[2025-02-04T12:25:53.054038+00:00] log.DEBUG: CORS analysis for request completed. [] []
[2025-02-04T12:25:53.198550+00:00] log.DEBUG: Checking for authenticator support. {"firewall_name":"main","authenticators":4} []
[2025-02-04T12:25:53.198627+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin1faAuthenticator"} []
[2025-02-04T12:25:53.198660+00:00] log.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin1faAuthenticator"} []
[2025-02-04T12:25:53.200183+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin2faAuthenticator"} []
[2025-02-04T12:25:53.200273+00:00] log.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin2faAuthenticator"} []
[2025-02-04T12:25:53.200293+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator"} []
[2025-02-04T12:25:53.200313+00:00] log.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator"} []
[2025-02-04T12:25:53.200330+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\RememberMeAuthenticator"} []
[2025-02-04T12:25:53.200352+00:00] log.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\RememberMeAuthenticator"} []
[2025-02-04T12:25:53.301858+00:00] log.DEBUG: CORS analysis for request started. [] []
[2025-02-04T12:25:53.302882+00:00] log.INFO: Request is not CORS (request origin is empty). [] []
[2025-02-04T12:25:53.303149+00:00] log.DEBUG: CORS analysis for request completed. [] []
[2025-02-04T12:25:53.436358+00:00] log.DEBUG: Checking for authenticator support. {"firewall_name":"main","authenticators":4} []
[2025-02-04T12:25:53.436455+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin1faAuthenticator"} []
[2025-02-04T12:25:53.436515+00:00] log.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin1faAuthenticator"} []
[2025-02-04T12:25:53.436564+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin2faAuthenticator"} []
[2025-02-04T12:25:53.436612+00:00] log.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin2faAuthenticator"} []
[2025-02-04T12:25:53.436656+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator"} []
[2025-02-04T12:25:53.436702+00:00] log.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator"} []
[2025-02-04T12:25:53.436746+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\RememberMeAuthenticator"} []
[2025-02-04T12:25:53.436792+00:00] log.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\RememberMeAuthenticator"} []
[2025-02-04T12:25:56.043962+00:00] log.DEBUG: CORS analysis for request started. [] []
[2025-02-04T12:25:56.047055+00:00] log.DEBUG: Request is identified as an actual CORS request. [] []
[2025-02-04T12:25:56.048824+00:00] log.DEBUG: CORS analysis for request completed. [] []
[2025-02-04T12:25:56.165023+00:00] log.DEBUG: Checking for authenticator support. {"firewall_name":"main","authenticators":4} []
[2025-02-04T12:25:56.165090+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin1faAuthenticator"} []
[2025-02-04T12:25:56.165154+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin2faAuthenticator"} []
[2025-02-04T12:25:56.165191+00:00] log.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin2faAuthenticator"} []
[2025-02-04T12:25:56.165213+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator"} []
[2025-02-04T12:25:56.165235+00:00] log.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator"} []
[2025-02-04T12:25:56.165255+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\RememberMeAuthenticator"} []
[2025-02-04T12:25:56.165277+00:00] log.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\RememberMeAuthenticator"} []
[2025-02-04T12:25:58.090688+00:00] log.INFO: Authenticator successful! {"token":{"Symfony\\Component\\Security\\Core\\Authentication\\Token\\UsernamePasswordToken":"UsernamePasswordToken(user=\"admin_user\", roles=\"ROLE_SUPER_ADMIN\")"},"authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin1faAuthenticator"} []
[2025-02-04T12:25:58.096023+00:00] log.DEBUG: Remember me disabled; request does not contain remember me parameter ("{parameter}"). {"parameter":"_remember_me"} []
[2025-02-04T12:25:58.096149+00:00] log.DEBUG: Clearing remember-me cookie. {"name":"REMEMBERME"} []
[2025-02-04T12:25:58.096222+00:00] log.DEBUG: Remember me skipped: the RememberMeBadge is not enabled. [] []
[2025-02-04T12:25:58.096273+00:00] log.DEBUG: The "{authenticator}" authenticator set the response. Any later authenticator will not be called {"authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin1faAuthenticator"} []
[2025-02-04T12:25:58.096464+00:00] log.DEBUG: Stored the security token in the session. {"key":"_security_main"} []
[2025-02-04T12:25:58.286757+00:00] log.DEBUG: CORS analysis for request started. [] []
[2025-02-04T12:25:58.288743+00:00] log.INFO: Request is not CORS (request origin is empty). [] []
[2025-02-04T12:25:58.289330+00:00] log.DEBUG: CORS analysis for request completed. [] []
[2025-02-04T12:25:58.436032+00:00] log.DEBUG: Read existing security token from the session. {"key":"_security_main","token_class":"Symfony\\Component\\Security\\Core\\Authentication\\Token\\UsernamePasswordToken"} []
[2025-02-04T12:25:58.437282+00:00] log.DEBUG: User was reloaded from a user provider. {"provider":"Symfony\\Component\\Security\\Core\\User\\InMemoryUserProvider","username":"admin_user"} []
[2025-02-04T12:25:58.448743+00:00] log.DEBUG: Checking for authenticator support. {"firewall_name":"main","authenticators":4} []
[2025-02-04T12:25:58.448846+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin1faAuthenticator"} []
[2025-02-04T12:25:58.448918+00:00] log.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin1faAuthenticator"} []
[2025-02-04T12:25:58.448984+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin2faAuthenticator"} []
[2025-02-04T12:25:58.449043+00:00] log.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"PHPMaker2025\\MY_APPLICATION\\FormLogin2faAuthenticator"} []
[2025-02-04T12:25:58.449151+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator"} []
[2025-02-04T12:25:58.449206+00:00] log.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator"} []
[2025-02-04T12:25:58.449251+00:00] log.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\RememberMeAuthenticator"} []
[2025-02-04T12:25:58.449296+00:00] log.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\RememberMeAuthenticator"} []
If you have User_LoggingIn server event, review your code.
Actually, I reported the issue wrong; sorry about that.
This is what happens: if 2fa enabled but not forced 2fa, it does log the super user in (I can see all the menus), but loads the login form back again and shows the login cancelled message.
It happens only when I return false in the User_LoggingIn server event and for every user (not just super admin).
Another detail that may be helpful: I also see that the $userName var in function User_LoggingIn is always an empty string, regardless of trying to login with the super admin or a regular user.
Click Tools → Update Template to update your template, this will provide the current user name for the User_LoggingIn server event. However, note that:
if ($userName && $password)
before doing things and returning true/false
.false
, it does mean cancelling the login. If the user is valid as judged by your code, you should return true
. Default is true
.The template update fixed it, thanks a lot!