Invalid Security Token #958
Comments
Well, I am not mastered in PHP scripting and this stuff, but I have tried to reproduce it by creating localhost subdomain and route subdirectory to subdomain.localhost, not exactly the same result as on web provider hosting, but it looks like wrong routing happening somewhere... Screen here Btw: default home page working properly. |
Can you try installing a Grav instance in a subfolder on your main domain, to check if it's a problem related to the subdomain configuration, or a general server config issue? |
Hi everybody, same problem here. Fresh install gives me this error:
The response is: {"status":"error","message":"Token di sicurezza non valido"} |
Sorry for the late response... yes, that works good, but still not sure if it's related to the web host redirecting configuration. However I noticed that error is produced on line 148 in adminbasecontroller.php. I have also found something about using $_SERVER["REQUEST_URI"] instead of $_SERVER["PHP_SELF"] and $_SERVER["SCRIPT_NAME"] on web host wiki, because it points to the current path of subdomain directory instead of redirected path of subdomain... but it can be unrelated. Anyways thank you for looking further on this possible issue. |
Ok guys, I just managed to configure it properly, it seems the issue is cookie path... After I set Try something like that @ilCoso as a workaround. |
Thanks @Noah1911 that's definitely something that can be the cause of the problem, if PHP cannot correctly access the temp folder to store the session. @ilCoso can you check if your problem is the same? |
I am facing the same problem, but there does not seem to be a working solution for me. |
Hi, anybody managed to resolve the problem? I'm still at a loss here; I can log in to the admin panel when I use my internal IP address, but when I do that using my domain name, it gives me the |
Hey :-) is there already a solution available for this problem? |
sry clicked on Comment too early *providers. On the first one it works all fine and logging in is no problem. But on the second one I can only log in with Chrome. On iPhone, Firefox or Edge it is not working; there is always the message "Invalid Security Token". Thanks for any help. Regards Sandro |
I also have this screen, I thought I fixed it with using 304 as rewrites but it failed on me later. When checking the 'form data' post I see that it uses this:
So I presume this is also a reason why things fail, if I play around with settings that would be the redirect of my domain. For some reason it cannot properly detect the uri.route which is used to create the redirect url (as far as I can tell from themes/grav/templates/partials/login.html.twig) P.S. I am using a reverse proxy in front of grav, using a full domain xxx.domain.com, so no /subs/ |
Same thing here. I use HAProxy in front of the webserver. I am not a PHP developer but I was able to pin the problem. In So after I changed the |
Where exactly? |
I observed that the domain part in the cookie was set wrong (

```php
<?php
...
public function init()
{
    /** @var Uri $uri */
    $uri = $this->grav['uri']; // value is: https://unknown:80/
    // value of $_SERVER[HTTP_HOST] is: grav_twenty.dev.local
    $config = $this->grav['config'];
    $is_admin = false;
    $base_url = $uri->rootUrl(false);
    ...
?>
```

The host part of the

```php
$domain = $uri->host();
...
setcookie(session_name(), session_id(), $session_timeout ? time() + $session_timeout : 0, $session_path, $domain, $secure, $httponly);
```

This way Grav complains with Invalid Security Token. I don't know about the workflow, I mean when the session is created and what comes before so I can't trace it back further. |
Ok, my fault. The issue was an invalid hostname. Apparently an underscore is not allowed in hostnames and therefore Grav will set the hostname to |
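The failure described in the two comments above, as an added example that is not part of the thread or of Grav's code: a stand-alone PHP check showing that a hostname containing an underscore is invalid, and that a browser discards a session cookie whose Domain (here `unknown`, as in the reported URI `https://unknown:80/`) does not match the requested host. The function names and the sample hosts are assumptions made for illustration.

```php
<?php
// Added example, not Grav code. Host and cookie values are constructed samples.

// RFC 952/1123 hostname: dot-separated labels of letters, digits and hyphens.
// Underscores are not allowed, so "grav_twenty.dev.local" fails.
function isValidHostname(string $host): bool
{
    $host = strtolower(rtrim($host, '.'));
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    foreach (explode('.', $host) as $label) {
        if (!preg_match('/^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/D', $label)) {
            return false;
        }
    }
    return true;
}

// RFC 6265 section 5.1.3 domain-match: does a browser that requested
// $requestHost keep a cookie whose Domain attribute is $cookieDomain?
function cookieDomainMatches(string $requestHost, string $cookieDomain): bool
{
    $requestHost  = strtolower($requestHost);
    $cookieDomain = strtolower(ltrim($cookieDomain, '.'));
    if ($cookieDomain === '' || $requestHost === $cookieDomain) {
        return true; // host-only cookie, or exact match
    }
    $suffix = '.' . $cookieDomain;
    return substr($requestHost, -strlen($suffix)) === $suffix
        && filter_var($requestHost, FILTER_VALIDATE_IP) === false;
}

// Constructed cases: [Host header, Domain the application put on the cookie].
$cases = [
    ['grav_twenty.dev.local', 'unknown'],               // the case reported above
    ['grav-twenty.dev.local', 'grav-twenty.dev.local'], // renamed without underscore
    ['admin.example.test',    'example.test'],          // parent-domain cookie
];

foreach ($cases as [$host, $domain]) {
    printf(
        "%-24s valid=%-3s Domain=%-24s cookie kept=%s\n",
        $host,
        isValidHostname($host) ? 'yes' : 'no',
        $domain,
        cookieDomainMatches($host, $domain) ? 'yes' : 'no'
    );
}
```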
might odd and not really related but obviously in prod I have a valid ssl so to fix this I change to setting in my
I hope that helps someone and/or gives at least some hint like this post did to me. |
Hi, I upgraded to Grav 1.77 and this problem is all back again. For my localhost in my system.yaml
If I set path to 'tmp' I will get Invalid security token notice. If the path is 'null' then ERR_CONNECTION_RESET. My localhost's apache error.log shows a lot:
:( To solve the problem is by deleting my account .yaml every time. So, I decided to do a clean install of Grav 1.77 on localhost that runs with ssl, and the problem solved. Someone had to tell that Grav 1.77 auth session only runs in https |
No matter what I tried, I had to just uninstall php7.4-fpm and get php8.0-fpm to get past this error. (nginx over caddy proxy Ubuntu 20.04) |
Both ERR_CONNECTION_RESET and changing PHP version sounds like there may be a PHP bug, which caused this. |
@mahagr My thoughts as well. I'd be mildly curious if anyone else was seeing this on 7.4 fpm |
Hi, I tried to remove all cookies from Chrome to fix this problem. I need to remove the account file and recreate it to get the login or use the command is it possible to fix this problem? Bye |
It's not a bug but a security feature. Security tokens are used to prevent session hijacking and they expire after a day. |
Hello devs,
I just setup site on my web provider hosting (subdomain) and registered to admin page, but the main page was trapped in loop, so I configured custom base url to correspond with my subdomain... and it worked.
But after I reloaded the admin page and logged in, the page only says Invalid Security Token. Screen here

Some possibly relevant Info:
manually by copying via FTP
1.1.15 and 1.2.10 )
subdom folder as folders and then rewritten by .htaccess to act as subdomain.

Thank you very much and I hope to receive your reply and possible solution soon.