Bug on Key SecurityTokenHasExpiredSoActionHasBeenCanceledPleaseRetry #16085

Closed
choybe opened this issue Jan 28, 2021 · 10 comments
Labels
Bug This is a bug (something does not work as expected)

Comments


choybe commented Jan 28, 2021

Bug

[Short description]
After a new installation of 13.0 and after an update 12.4 → 13.0, certain operations (e.g. enabling modules) are refused with the message: "Security token has expired, so action has been canceled. Please try again." This message seems to be linked to the v13 new key SecurityTokenHasExpiredSoActionHasBeenCanceledPleaseRetry and the coherent changes made on the token (see changelog).
As a result, v13 is unusable on my webserver, for there is no way and no hint to find how to refresh this security token.
As v12 was running so far without any problem on my webserver, I have to conclude that there is a bug in v13.

Environment

Version: Dolibarr 13.0.0
OS:  Linux SMP Debian 4.19.160-2 x86_64
Web server: Apache
Database: MySQL or MariaDB 5.5.5-10.3.27
URL(s): Any URL

Expected and actual behavior

To overcome this nasty message I tried the configuration:
$dolibarr_nocsrfcheck = 1 in conf/conf.php
MAIN_SECURITY_CSRF_WITH_TOKEN = 0 in Setup -> Other
But it changed nothing; the error message "Security token has expired, so action has been canceled. Please try again." continues.

variablesModuleEnable.txt

@choybe choybe added the Bug This is a bug (something does not work as expected) label Jan 28, 2021
Member

eldy commented Jan 28, 2021

What is the value of the MAIN_FEATURES_LEVEL variable?
Can you provide a screenshot of the page that shows the error message (full page with URL visible)?

Contributor

hregis commented Jan 28, 2021

@eldy @choybe
I think everyone who has this problem has the Multicompany module in V12. I will look to correct and release the V13 quickly.

Author

choybe commented Jan 28, 2021

It makes no difference which MAIN_FEATURES_LEVEL is set.
Usually I set it to 2, but even when it is set to 0 it is still the same.
No, it is not the Multicompany module. I am currently trying two versions:
one updated and one new installation. In the new one the Multicompany module is uploaded but not enabled.
However, I have the same bug with the security token on the new install.

Author

choybe commented Jan 28, 2021

PS: Only on the updated one can I check for bugs with the debug tools module, for it was installed before.
On the new installation I cannot enable and run any additional module except the default user & groups.

Contributor

hregis commented Jan 28, 2021

@choybe what is your browser and version?

Author

choybe commented Jan 28, 2021

No, I don't think it has something to do with the browser:
I use 2 browsers on Ubuntu 20.04, Firefox 84.02 and Chromium 88.0.4.
On both browsers I have the same error message.
I think the solution must be somewhere a way to refresh the security token. But where?
Which security token is meant? Where is this security token stored? In the code or in the database?

Another strange behaviour with v13 is: when I try to install from scratch with the option on step 1 to add a SuperUser,
I get the error message:

mysqlnd cannot connect to MySQL 4.1+ using the old insecure authentication. Please use an administration tool to reset your password with the command SET PASSWORD = PASSWORD('your_existing_password'). This will store a new, and more secure, hash value in mysql.user. If this user is used in other scripts executed by PHP 5.2 or earlier you might need to remove the old-passwords flag from your my.cnf file

When I install v13 without this option, I can add a SuperUser at the next step as usual, without any error message.
So maybe the error is anyway in my MySQL configuration? But my MySQL version is 5.5. and PHP is 7.4., so all up to date.

Author

choybe commented Jan 28, 2021

As I see, I am not alone with this bug: in some Dolibarr forum, people struggle as well with the security token expired message.
A possibility for this bug may be a webserver configuration which runs with fast-cgi (ssl) (as is my case).
The fast-cgi configuration is e.g. not compatible with the dav module. Can this be the case here for the security token?

Author

choybe commented Jan 28, 2021

I think I have found the solution!
I reinstalled v13 from scratch (creating the superuser only at step 2).
I didn't enable any additional module, just the original modules needed at MAIN_FEATURES_LEVEL = 0.
Then I enabled MAIN_FEATURES_LEVEL = 2 for development modules, which worked as well,
and only then can one try, little by little, to enable additional modules. In my first test I still had the dropdown module enabled. Probably this was the mistake. But I am not sure. Important in each case seems to be that all additional modules have to stay inactive.

In former Dolibarr versions an update with additional modules was never a problem, even if they were no longer compatible (they were just no longer usable). In the DB v13 version it seems it provokes this security token expired message.
Probably this information should be added to the v13 update information!

@JESSTOFUNK

I have the same issue, but, I have 2 different installations on my server for different purposes.

They basically have the same configuration but I use one for training purposes where all data is false.

I installed V13 yesterday and since then I am getting this message in the production installation, and this is happening on the activation/deactivation of modules and permission modifications for a user.

Yesterday it was working fine on both applications, but now I cannot modify any user permission or modules on the production site.
Captura1
Captura2

@JESSTOFUNK

Now I tried removing MAIN_FEATURES_LEVEL from 2 to 0, and I get the same message on this part too. So my production Dolibarr has become unusable since I cannot configure anything.

Do you have any new ideas on how to solve it?

Captura3
