Front End Login Issue #7

Closed
eggzamummy opened this issue Feb 26, 2018 · 11 comments

@eggzamummy

Using Joomla 3.8.5. The system seems to log in/out successfully once or twice but then loses the ability to log in, getting "Security Breach" error messages.

@jimhill10

I just tried to log in to my back end and got this error message:
"The most recent request was denied because it contained an invalid security token. Please refresh the page and try again." The site uses Akeeba Admin Tools Pro. Deleted all the cache files in the lscache folder (where Rochen's server puts them) and I got in. The page header does not show a cache hit in the admin side. Akeeba Admin Tools does not show any breach from the event. I don't show any errors on the cPanel side.

@eggzamummy
Author

I don't cache the backend "/administrator" area of the site.
I added this line to my LSCache section in .htaccess to restrict caching of the backend:

RewriteCond %{ORG_REQ_URI} !/administrator

@jimhill10

Adding that and will try it over the next few days. I did not see a cache hit on the admin side even before the rule was added.

@WuhuaChen
Collaborator

WuhuaChen commented Feb 26, 2018

Thanks for reporting. I think the Back End login should not have this problem because currently the LSCache plugin does not cache Back End pages. But the Front End login page will be cached with a hidden token field that may already have expired.

Currently the best way of solving it is to set the Front End login page as an exclude page. Log in to the back end administrator; in Components->LiteSpeedCache, press the "Options" button, then in the "Exclude Rules" tab, under "Exclude Menus", find the Front End login page, set it as an exclude page, then save.

In Components->LiteSpeedCache, press the "Purge All LiteSpeed Cache" button to clear the current cache files.

Please give me your Front End login URL; we'll try to make the next version exclude the Front End login page automatically. Thanks for your help.
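
An added example, not part of the original thread and not LiteSpeed's or Joomla's code: a Python check for the condition described in the comment above, a response served from cache (`X-LiteSpeed-Cache: hit`) that still embeds a Joomla-style form token (a hidden input with a 32-hex-character name and value `1`). The function names and the sample responses are constructed for illustration.

```python
import re

HEX32 = re.compile(r"[0-9a-f]{32}")

def parse_response(raw):
    """Split a raw HTTP response into (lower-cased headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.splitlines()[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def form_tokens(html):
    """Return names of hidden inputs shaped like a Joomla form token:
    a 32-hex-character name with value "1"."""
    found = []
    for tag in re.findall(r"<input\b[^>]*>", html, re.I):
        attrs = {k.lower(): v for k, v in re.findall(r'([\w-]+)\s*=\s*"([^"]*)"', tag)}
        if (attrs.get("type", "").lower() == "hidden"
                and HEX32.fullmatch(attrs.get("name", ""))
                and attrs.get("value") == "1"):
            found.append(attrs["name"])
    return found

def audit(raw):
    """Flag a response that was served from cache yet embeds a form token."""
    headers, body = parse_response(raw)
    hit = headers.get("x-litespeed-cache", "").lower().startswith("hit")
    tokens = form_tokens(body)
    return {"cache_hit": hit, "tokens": tokens, "stale_token_risk": hit and bool(tokens)}

# Constructed sample responses (not captured from any real site).
TOKEN = "0123456789abcdef0123456789abcdef"
LOGIN_FORM = ('<form method="post"><input type="password" name="password" />'
              f'<input type="hidden" name="{TOKEN}" value="1" /></form>')
CACHED_LOGIN = f"HTTP/1.1 200 OK\r\nX-LiteSpeed-Cache: hit\r\n\r\n{LOGIN_FORM}"
FRESH_LOGIN = f"HTTP/1.1 200 OK\r\nX-LiteSpeed-Cache: miss\r\n\r\n{LOGIN_FORM}"
CACHED_STATIC = "HTTP/1.1 200 OK\r\nX-LiteSpeed-Cache: hit\r\n\r\n<p>About us</p>"

if __name__ == "__main__":
    for label, raw in [("cached login", CACHED_LOGIN), ("fresh login", FRESH_LOGIN),
                       ("cached static", CACHED_STATIC)]:
        print(label, audit(raw))
```

Any page that reports `stale_token_risk` is a candidate for the exclude rule or ESI rendering discussed in this thread.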

@eggzamummy
Author

I'm using a module called "BT Login", which is a JavaScript login that is on every page of the site. Also, we use the front end to make changes to content, etc. as super user, using the Front End Editor built into Joomla. Is there a way to only cache if you are a guest/public and not serve cached pages for logged-in users?

@WuhuaChen
Collaborator

You can try setting the "BT Login" module as an ESI module. In the current version, an ESI module will not be cached (in the next version you can choose whether it is cached or not). In Components->LiteSpeedCache, find the "BT Login" module, then press the "Render as ESI" button; you also need to click the "Purge All LiteSpeed Cache" button to clear the current cache files.
In the current version we only cache guest/public, and will not cache for logged-in users, no matter Back End or Front End.
In the next version we may make the "BT Login" module an ESI no-cache module by default, so thanks for your testing and reporting.

@eggzamummy
Author

Thanks for the response. Unfortunately I can't seem to get the front end login to work consistently. I have selected Render as ESI for all login modules on the site. It will allow the login, but once you start viewing the protected content it fails. Also, the modules sometimes show the user logged in, other times not. When trying to log in/out it is unpredictable...

I also tried excluding the menu items with protected content, and that does not work either. I can give you access to this dev site if you would like to try anything.

@WuhuaChen
Collaborator

We appreciate your cooperation. You can send me your site access at wchen@litespeedtech.com. Thanks.

@gundestrup
Contributor

Has this not been fixed in the newest 1.20 version of the plugin?

@WuhuaChen
Collaborator

Yes, I tested on this user's development site; it's fixed, and there is also no problem with the newest 1.2.0 version.

@uglyeoin

Just FYI the invalid token issue is Joomla! and there is a fix coming out in the next version I believe.
