Cannot login due to Invalid token! (CSRF check failed) #630

Closed
marcelsolvarea opened this issue Jun 23, 2022 · 10 comments

Comments

@marcelsolvarea

I have migrated Postfixadmin to latest version.

When running setup.php all seems to be okay, database update is performed and no outstanding issues left.

Opening login.php is successful, but when logging in Invalid token! (CSRF check failed) shows up.

I checked php session working, and all is fine (tested it with scripting).

When debugging, I discover $_POST['token'] is set, but $_SESSION['PFA_token'] differs.
The PHP session is saved, and equals $_POST['PFA_token'].
$_SESSION['token'] differs from the PHP session and $_POST['PFA_token'].

How can this issue be resolved?

Thanks for the reply in advance

@DavidGoodwin
Member

Can you try running a really simple script like this, and see what happens when you refresh the page.
I expect you'll see "init ... refresh please" all the time.

<?php
session_start();
if (false == isset($_SESSION['test'])) {
    var_dump("init ... refresh please");
    $_SESSION['test'] = uniqid();
}

var_dump('Session contains', $_SESSION);

@marcelsolvarea
Author

Hi David,

I placed the script in public and ran it.

The first time I see the 'refresh please' message:
string(23) "init ... refresh please" string(16) "Session contains" array(1) { ["test"]=> string(13) "62b4b0becabc3" }

On refresh I only see:
string(16) "Session contains" array(1) { ["test"]=> string(13) "62b4b0becabc3" }

Test string is always the same.

Marcel

@DavidGoodwin
Member

Unexpected!

Before, when we've seen similar bug reports, it's just been that your session support is/was broken, and the $_SESSION variable not matching up with what's rendered in a form.

Is it possible the page(s) are being cached (when they shouldn't be?)

@marcelsolvarea
Author

I have nginx running, and explicitly disabled caching for postfixadmin (it is a separate site).
Checked, but no caching is present at /var/cache.
Also, in Chrome I disabled the cache in the Network tools so the local cache is not used.

No chance to log in; the message still appears.

@Scobiform

Adding

$CONF['theme_favicon'] = 'images/favicon.ico';

to config.inc.php fixed the issue for me. Logfiles showed that this is the problem.

Maybe your config.inc.php is not up to date?

@marcelsolvarea
Author

Hi Scobiform,

Thanks for the suggestion. I added it to config.local.php and config.inc.php, but unfortunately this is not the solution.

When I comment out the

if (safepost('token') != $_SESSION['PFA_token']) {
    die('Invalid token! (CSRF check failed)');
}

in login.php I can log in, but further processing of domains, aliases etc. still returns to the login form.

So it is an issue in lining up the PFA_token and safepost('token') somehow.

@DavidGoodwin
Member

> Adding
>
> $CONF['theme_favicon'] = 'images/favicon.ico';
>
> to config.inc.php fixed the issue for me. Logfiles showed that is the problem.
>
> Maybe your config.inc.php is not up to date?

Hm, that's interesting.

For that to be the problem it would imply that somehow you have a 404 handler that is (for example) loading the index.php page.

If cookies/PHP sessions are working correctly, having something that's executing PHP twice in what should be one request would explain things.
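To make the "PHP executed twice in one request" explanation concrete, here is an added simulation (not PostfixAdmin code, not posted by anyone in this thread) of a compare-to-session CSRF check like the one in login.php. It assumes the login page mints a fresh token on every render; the function names and the "stable" variant are hypothetical and the second case goes beyond the thread to show a token-handling style that is not affected by a stray second execution.

```php
<?php
// Added example: how a stray second execution of the login page (e.g. a
// missing favicon whose 404 handler runs the app again) breaks a CSRF
// check that compares the posted token against $_SESSION['PFA_token'].
// $session stands in for $_SESSION so this runs from the CLI.

// Assumed behaviour: every render of the form replaces the session token.
function renderLoginFormRotating(array &$session): string {
    $session['PFA_token'] = bin2hex(random_bytes(16));
    return $session['PFA_token'];           // value the HTML form would carry
}

// Hypothetical alternative: mint the token once per session and reuse it.
function renderLoginFormStable(array &$session): string {
    if (!isset($session['PFA_token'])) {
        $session['PFA_token'] = bin2hex(random_bytes(16));
    }
    return $session['PFA_token'];
}

// The check itself, with a constant-time comparison.
function checkToken(array $session, string $posted): bool {
    return isset($session['PFA_token'])
        && hash_equals($session['PFA_token'], $posted);
}

// Case 1: rotating token, one render, one POST: accepted.
$session   = [];
$formToken = renderLoginFormRotating($session);
$single    = checkToken($session, $formToken);

// Case 2: rotating token, but a 404 handler re-runs the page before the
// user submits. The session now holds a newer token than the form: rejected.
$session   = [];
$formToken = renderLoginFormRotating($session);   // page the user sees
renderLoginFormRotating($session);                // stray second execution
$double    = checkToken($session, $formToken);    // false -> "Invalid token!"

// Case 3: once-per-session token survives the same double execution.
$session   = [];
$formToken = renderLoginFormStable($session);
renderLoginFormStable($session);
$stable    = checkToken($session, $formToken);    // true

echo "single render, rotating token: " . ($single ? "accepted" : "rejected") . PHP_EOL;
echo "double render, rotating token: " . ($double ? "accepted" : "rejected") . PHP_EOL;
echo "double render, stable token:   " . ($stable ? "accepted" : "rejected") . PHP_EOL;
```

Serving the favicon as a static file (as the $CONF['theme_favicon'] fix in this thread effectively does) removes the second execution; the stable-token variant shows the check would also tolerate it.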

@marcelsolvarea
Author

Hi David, scobiform,

Turns out my nginx config was affecting this problem. Somehow my server config was combined for 80 and 443.

Thanks for the quick help to resolve this issue.

With regards
Marcel

@marcelsolvarea
Author

Investigated both folder permissions and nginx config. Turns out to be an issue in my server config.

@DavidGoodwin
Member

@marcelsolvarea thanks for closing the bug and giving an explanation of what the problem is/was. I'm not sure why a "server config ... combined for 80 and 443" would cause the problem, but I have little experience with nginx!
