Secured content not working for any paid user

This issue is quite urgent, as people are paying for content and then not able to access it :(

I don’t understand it, but when I log in as myself, or as any other “admin” level user I can access all content fine, on any browser. But when I log in as any paid user (e.g. s2member level 3) then access to the same files are restricted! I have no idea why this has spontaneously happened, but it’s only been for the last 2 days and I’m getting a lot of disgruntled customers because of it.

I have both direct download files, and embedded videos and various errors indicate that they don’t have security clearance to access the file. If I force a user to admin then the problem is solved. But that’s hardly a solution.

There is no special code around the files that should make it only available to admins and not particular levels of s2admin users. The page itself can only be showed to members, and members can indeed see it. But the content is restricted. I simply have code like

<a href="http://mysite.com/?s2member_file_download=FILENAME&s2member_skip_confirmation" target="_blank">Direct download link for MP4</a>

All files are hosted on Amazon S3. If that were the problem, I shouldn’t be able to access them as an admin, so the issue has to be within s2member.

Help appreciated! Let me know what details you would like. I’ve updated to the latest version (pro), and this issue happens in all browsers and has been confirmed by several users.

• This topic was modified 4 years, 7 months ago by  Benny Lewis.

Now I have a FURTHER problem to add to the mix! In updating all plugins (including S2member) today, something has crashed Exec-PHP so the code I add to display the video (via another support ticket, the only way I could get it to work with my site was by using PHP) isn’t working any more!

I’ve had to put up a message in place of the secured download to apologise that my site is down, instead of welcoming them with the files they paid for :(

This is unrelated to the original problem of the secure access not working. That has been the case for 2 days: this PHP problem came about from updating all plugins on my site today.

• This reply was modified 4 years, 7 months ago by  Benny Lewis.

Hi Benny.

Did you make a backup of the site before all the updates, that you could go back to? Does your webhost create regular backups for you? If you’re not sure about the webhost one, it’d be good to ask them.

There are other PHP execution plugins, you can try them and maybe find one that will work. If not, start deactivating other plugins one by one and refresh the page with the video again after each, maybe it’s a plugin conflict.

About s2Member not serving the file to users below Admin, if you try the URL to the file alone, outside the video player, what do you get?

You can send me the dashboard login to take a look if you want: s2Member® » Private Contact Form

Thanks for the reply! The side issue of the PHP problem has been fixed, but it took me a while to figure out what caused it (unrelated to s2member), and using the backups helped.

Now, the only problem is file access. Unfortunately, I can’t reproduce the results consistently enough to know what’s going on :( From my computer, admins and any level members (ignore what I said above about me being able to reproduce the error, as that was actually related to the PHP problem) can access all files when logged in.

But several paid users confirm that for them, it MIGHT work some times, but most of the time they get security errors. I’ve tried it in several browsers, and so have they, so it’s confusing why it works for one of us but not the other. One user was kind enough to clear his browser cookies in all browsers for me to see if that made any difference and it didn’t, and he sent me screenshots, which I attached to the dashboard login message.

I hope you can reproduce the results in some way, since I can’t. But several emails are telling me that something fishy is definitely going on with paid users not being able to access secured content.

One thing that may help, which I CAN reproduce: if I simply left click a link, then I do see an Access Denied page. But if I right click to save as, THEN it works. This is the only problem I have my side. For users, videos and even right clicking doesn’t work (they save a file less than 1kb, whereas I can save the whole file).

I’m glad you solved part of the problem.

About the downloads problem, could you show me or quote the error message?

Did you read this article and try the things mentioned there? Knowledge Base » Resolving Problems with File Downloads

I sent a screenshot through the log in details interface, which was taken by the user himself, of the problems he is having with file access. Pretty much no file is working for him (and for others).

When I left click a link (and only left click), the error I get is:
AccessDeniedAccess Denied
(two different fonts, one after the other)

But if and when I see this is incredibly inconsistent. I’ve just updated s2member to the latest version again, and since I don’t have the PHP issue I clicked around and files that were previously giving me problems now aren’t. But there are STILL other problematic files! For example if you are logged in and try to download the English version of the product, it doesn’t work, but the video downloads via left click are now working for me, even though before they were only working via right click save as. As it happens right click-save-as DOES work for the current problematic files.

I went through that link you gave to investigate some of its tweaks, but the results for that English version of the file (or audio book etc.) are the same for me, even though other files download fine. My AWS settings have not been changed in any way over the last months, and this problem has only been occurring for a week or so.

I’m guessing that not all users are having the same issue, because I’m getting less emails than I should if it was down for everyone, but still enough to know that it’s not isolated to just one person.

Your thoughts appreciated. Try and log in to download those files I said and see if you get the same issue as me.

Thanks Benny.

I’m guessing that the email got caught in the spam filters and it didn’t even get to my account, so I’ll have to wait for Jason to check the spam and get it out of there.

In the meantime you could do a little testing. Since it’s a very recent issue, I believe it could be related to another plugin causing the trouble, maybe. Did you update/install any recently? You can try deactivating other plugins one by one and try reproducing the problem after each.

Let me know how it goes.

This isn’t actually a recent issue. Every once in a while someone would email me (once every second week for example) that they couldn’t download via the site and I’d have to send them a public dropbox link to download the files, or switching browsers would solve the problem for them. The only difference is that for whatever reason now it’s happening to much more people, and switching browsers won’t solve the problem.

I don’t know what could have inspired this because I didn’t update any plugins on the site for a few months; perhaps a WordPress update did it.

What I just did was to go through updating all the plugins (last time I tried it, the separate PHP issue rendered most of the site unusable so I had to backtrack), and at first I couldn’t produce any errors my side… and then I logged out and back in again as a paid users, and then the errors were back.

I tried disabling all plugins except s2member and it was working again, but then when I enabled them one at a time randomly it would suddenly stop working and I would think “great! I’ve found the plugin causing the problem”, but disabling that plugin going back to where I was a minute before wouldn’t help and certain files would still be inaccessible. This happened with various plugins, where it would randomly work or not after logging in and out after disabling or enabling, so I feel there is something else causing the problem, which is making it appear pretty randomly.

I see.

So when you just had s2Member the problem went away? Then just add to that the most required plugins you have to have in addition, as few as possible, and test it like that for a while, until you either get the problem or went long enough without the problem to feel that those plugins aren’t causing it. Then add another batch and keep testing.

Also, while trying to reproduce it, keep the web console open in Firefox, so you can see if a JavaScript error is shown when you get the download problem. I don’t know if it could be related to what’s happening, but it’s worth checking.

If I think of another thing you could check, I’ll let you know.

See if you can find something in common between the users reporting the problem, too, it may help narrow down what’s causing it.

Just so it’s clear, when I activate just a few plugins (doesn’t matter which ones) then the problem suddenly appears. These aren’t bells and whistles plugins, 90% of them are absolutely necessary, such as for displaying the paid video content, so I can’t leave them off.

The results of me disabling certain plugins is not consistent enough to suggest that the plugins are the problem, because immediately after performing the upgrade **with all plugins activated** everything worked! After I logged out and back in it suddenly wasn’t working again. There is something else causing the problems.

And I can’t tell you anything the other users have in problem. There’s no point because I am indeed getting problems myself too when logged in as a paid user, just inconsistently.

If I stand on one leg and jump, it starts working again. It’s too random. I’d really appreciate it if you could just have a look for yourself.

I understand.

Feel free to sent the login info using the contact form. I’ll take a look, but can’t promise I’ll know what’s wrong from that. s2Member® » Private Contact Form

A thing you could do is install a copy of your site in a sub-dir, and test there removing plugins and all that. Start with a clean installation of WP, then add s2Member, configure the level access, configure the download protection, create a test user and start testing.

If from just that you have trouble, then try all that again from another server, if possible, just to rule out something from the server causing the problem. But if you didn’t have trouble, then add one of those other plugins and start testing again.

We need to determine where the problem starts, and doing it in a sequence like that, will help take the randomness out of it and help narrow it down to something that can then be fixed.

I’ve already sent the login information. As you said above, please investigate the spam filters. Or do you want me to send it again?

Creating an entirely new installation sounds incredibly consuming and I’m not sure what that will prove, because if it does work it doesn’t provide any useful information of where the problem is since I can’t exactly port each part of the current system over precisely considering database complexities and the intricacies of plugin settings.

I’d really like you to see for yourself on the current one as I’m sure it’s a very simple and obvious problem.

Yeah, I know you had sent it before, but I didn’t have access to the spam filter, had to wait for Jason. He digged it out today and am taking a look now.

About installing another WP, it’s not that hard, but it’s true that it can take some work to copy every setting. You could just make a copy of the database and files and clone the site, so you have a copy you can test with without affecting the live one and its users.

Anyway, I’m going to look at your site now. :)

OK, I tried to reproduce the problem and wasn’t successful at that. All the video files loaded properly.

Then I tried loading the video file from another browser while logged out and I got redirected to /price-options/ which gave me a 404. So I went to check your setting for the Membership Options Page and you haven’t set one yet. Or maybe you had but later you deleted the page. This is important for access restrictions to work. [hilite path]Dashboard -› s2Member® -› General Options -› Membership Options Page[/hilite]

I don’t know if it could be causing the download problem, but it’d be good that you fix that. After that, try asking your customer to open the video file again, the one that gave him the problem, and see if he can still reproduce it.

Let me know how it goes!

I imagined it wouldn’t be the culprit, but I added in the membership options page, and it didn’t change anything.
I don’t know why you aren’t seeing what I’m seeing – are you clicking the file link UNDER the embedded video? (Left not right click) Are you trying to download the English version of the product / audio book etc.?

I suggest you create a user with s2member level 3 access and try to log in as that, and you may see the problems I’m talking about. Everything working for admins is obviously not useful. I don’t need to contact any customers because I can see the problems myself when logged in as an s2member user and not as an admin.

I did try every download link, Benny. I had used the admin account for the first tests, so I went and created a Level 3 account now and tried every single download link in the Members area, with Firefox and Internet Explorer. I didn’t get a single error, all the downloads started properly. It seems to be working without a problem, I can’t reproduce it yet. :/

Then why am I getting the errors, and why are so many other people getting it too? Browser settings? IP address? There must be something.

It does indeed work fine for some people (why not every single person ends up emailing me), but there is a clear problem happening for others. Is there some way to analyse why I’m not being authenticated when clicking the link?

As the system currently is, it’s a lot of work for me because I have to manually email Dropbox links to people and write an apology that they didn’t get instant access to the files as advertised. I’m lucky they aren’t asking for refunds because that’s false advertising on my part.

Yes, I understand. I’m not saying you or your users aren’t experiencing this, it’s just that I haven’t been able to reproduce it, so I don’t know what’s wrong yet. I’ll email Jason now so he takes a look, since he may be able to reproduce it, or at least make an educated guess about the source of the problem.

No word back…?

Thanks for the heads up on this request for support.

~ I’m reviewing this thread now, and I’ll be with you shortly.

Details received. Running diagnostics on this installation.

Hi Benny. Thanks for your patience.

I’ve just finished a preliminary review of your installation. I was unable to run all diagnostics, because the FTP access that we have on file from your last form submission is now outdated it appears.

While I ‘ve been unable to reproduce the issues depicted in your screenshots thus far, I was able to reproduce a strang issue on your installation, whereby direct download links are failing, and simply leading me to an “about:blank” page.

Given the seemingly random behavior you’ve described, and our inability to reproduce the full set of issues thus far, I have a suspicion that your hosting provider is running the mod_security extension, which might be triggering 403/503 errors randomly, which can produce a different set of problems, for each specific user, based on heuristic rule sets that look at things like cookie values, IP addresses, query strings, (and other data that changes from one user to another).

You can learn more about this possible issue here (including some possible solutions):
http://www.s2member.com/kb/mod-security-random-503-403-errors/

However, before we say “it’s gotta be mod_security”, let me first run full diagnostics on your installation. Please submit up-to-date FTP login credentials privately for me. See: s2Member® » Private Contact Form

Also, please add a comment when you submit the form, telling me who your hosting company is.

Sorry the FTP details I sent weren’t working, perhaps I typed the password wrong. I’ve tried again so you should see it now. Thanks for running that full diagnostic!

My hosting company is dreamhost. Thanks for investigating!!

Thanks for the follow-up.

Details received. I just finished a full set of diagnostics.

I’m not seeing anything wrong with your server and/or s2Member configuration. I’m also less convinced that the issues that are being reported by your customers, have anything to do with mod_security, though I wouldn’t rule that out just yet. I would still contact your hosting provider, and at least ask them about this; maybe ask them if their logs indicate any problems with mod_security, or the firewall in general for that matter.

I will check in again tomorrow, in case the issue occurs during peak hours only, just as a follow-up for you.

In the mean time, here are some additional suggestions that you might consider.

1. The “direct download” links that you have, are designed to open in a new window. I would suggest that you remove the target=”_blank” from these links. Earlier today, when I tested your site; I thought I ran into a bug where I got an about:blank page, until I realized the direct download link actually spawned a new window, thus: about:blank, because it’s actually a file download link.

Direct downloads of an audio/video file are handled differently, by different browsers, and by different devices. For instance, some browsers will be capable of playing the video right in the browser, while other browsers might default to a download prompt, where the video must be downloaded, and then played locally. No matter the case, opening a new window for a file download can have negative side effects in some cases, which leads to a potentially confusing scenario. On some devices, it may prevent the download from occurring at all.

2. The instructions you have posted about right-clicking are good, but perhaps not necessary. Clicking the link, should be all that’s required, and the browser should handle the rest, based on configuration. Right clicking may actually prevent playback within a browser, when it’s actually possible for the browser to do so. Nothing wrong with what you have though.

3. I would suggest that you enable logging for your Amazon® Cloudfront Distributions, just in case the logs can help identify outages on the Cloudfront side of things, or other issues that might occur for your customers. It can’t hurt at this point, to collect as much data as possible.

Log into your AWS management console, and click the Cloudfront Tab. Edit each of your Cloudfront distributions, and enable logging for them. You may also want to read over these FAQs, just in case there is something that we’re all missing, but might jump out at you. See: http://aws.amazon.com/cloudfront/faqs/

Also, just out of curiosity, how often do you update your videos? Have there been times when you uploaded/deleted several files all at once, or repeatedly throughout the day? Anything that might cause some files to go missing for short periods of time, from one Cloudfront edge location to another?

I would also start asking for the geographic location of customers reporting problems. It’s possible that a specific edge location is failing in some way, on the Cloudfront side of things. If you can narrow down the problems to a specific region, that might help in some way.

Thanks for the detailed reply! Appreciate your time with this :)
* I edited one post to remove the target=_blank in the link, and when logged in as a paid user and left clicking, I was once again sent to the AccesDenied AccessDenied page. So unfortunately, whether it’s opened in a new page or not makes no difference.
* I’ve enabled logging as you suggested.
* I contacted my hosting provider and they got back to me with a list of possible ways I could increase security. I’m going through their suggestions slowly but surely. They said they didn’t find anything huge that needed immediate attention, but gave me some possible avenues to improve just to be on the safe side. It will take me several days to implement all of them if that’s what’s causing the problem.
* I very rarely update my videos. I haven’t updated any of the video files for months, and have only update one of the other files (for the ebook).

The good news is that I haven’t gotten a single email in the last week complaining about file download issues! (Apart from those who had the issues previously confirming it’s still down for them)

It’s terribly confusing: I can reproduce the errors myself and STILL can’t download anything at all when logged in as a paid user OR admin in Chrome or Firefox, although the streaming videos DO work.

So now it’s working for everyone but me!! The problem is, I know that in its current state, in a few days someone will email me again. Further help appreciated, as I continue to be terribly confused. At least the probability randomness has swung in the direction of not hitting so many users this week.