Invalid security token #893

Closed
zerbbi opened this issue Dec 14, 2016 · 44 comments
Comments

zerbbi commented Dec 14, 2016

Hello, I just made a clean install of the latest Grav, 1.1.9; everything is up to date, and it is running on Windows 10 with WAMP server. I created the first user account, logged in, turned on the debug bar, and after saving I got an "Invalid security token" error and then I was logged out. No other error is shown, and the log folder is empty. Any help please? Thanks

@rhukster (Member)

Was it a one time issue? Can you log back in at all?

zerbbi (Author) commented Dec 14, 2016

I can log back in; it happens quite frequently, but at random intervals. For example, I wrote my first test page and pressed the save button; a red error on the right side popped up for a second and then I was instantly logged out. After the next login, I saved the page correctly, went to Configuration, and a red message at the top appeared saying "invalid security token"; after pressing save, I was logged out again. All logs are empty.

@rhukster (Member)

Is there any chance to test with another WAMP solution? How about Uniform Server (http://www.uniformserver.com/) as it doesn't invade your programs folder?

@flaviocopes (Contributor)

Or MAMP?

@rhukster (Member)

Yes MAMP is even better because I just tested that, and it "Just Works" with grav. No messing about with configuration options.

zerbbi (Author) commented Dec 16, 2016

MAMP is not relevant; the security token issue also happens on my production environment (web hosting). I am not able to write a modular page, it keeps logging me off. It is annoying.

@flaviocopes (Contributor)

On a webserver it's strange - can you try accessing the page in incognito/private mode, or clearing the cookies / cache, to make sure there is no conflict with your local environment?

tenken commented Dec 30, 2016

I get this on every form in the g5_hydrogen appearance forms:

403 Forbidden

Oops, Invalid security token; please reload the page and try again.

On other system forms, or when creating a blog page and in more "normal" admin forms, I don't see this error. It appears to happen when ?nonce is in the admin URL (for me).

    root@ahumaro-grav-php:/usr/share/nginx/html# bin/grav -V
    Grav CLI Application version 1.1.12

If there is some other better diagnostics I can provide please let me know.

@flaviocopes (Contributor)

@tenken can you PM me your user/ folder at https://gitter.im/flaviocopes to recreate this quickly?

@flaviocopes (Contributor)

Checked @tenken's issue, but no token issue came up.

tenken commented Jan 5, 2017

Switching to this docker image using Apache seems to work fine:
https://github.com/SocialEngine/docker-php-apache

Nginx based docker images in the wild seem to break the Hydrogen theme saving.

@JordanMajd

I am having the same issue as @tenken, using Nginx.

@flaviocopes (Contributor)

@JordanMajd you're using a Gantry theme?

mahagr (Member) commented Jan 13, 2017

Nginx users: please update nginx.conf:

    location / {
        try_files $uri $uri/ /index.php?_url=$uri&$query_string;
    }

mahagr (Member) commented Jan 13, 2017

Alright, original issue from the first post is different, re-opening the issue.

mahagr reopened this Jan 13, 2017

@flaviocopes (Contributor)

@tenken your issue should be solved by @mahagr's fix.

@itsociaal

I am having the same problem, but I am using lighttpd. I am assuming I should add a lighttpd equivalent of the rule mahagr posted? What should that rule be?

Cinemacloud commented Feb 26, 2017

For me shift-refreshing wouldn't make it go away but going to another admin section and back home caused it to disappear. Nginx.

zachzurn commented Feb 27, 2017

Having the same issue with Apache. The issue seems somewhat random.

@itsociaal

Shift-refresh doesn't help, nor does clearing cookies. The issue is consistent; I can't save any Gantry settings at all :(

Sogl (Contributor) commented Feb 28, 2017

Have the same issue randomly with Apache and WAMP.

@rhukster (Member)

Are you all using a Gantry based theme???

Sogl (Contributor) commented Feb 28, 2017

Grav issue in my case

@rhukster (Member)

We need to find some common thread because we can't replicate this issue.

OleVik (Contributor) commented Feb 28, 2017

Other than popping up in the Admin interface, is the error logged by PHP? Where does it emanate from, and what calls it?

zachzurn commented Feb 28, 2017

For me, the admin just logs out randomly. I am not using a Gantry-based theme. Setting the 'secure' option under 'Configuration->session' seems to have fixed it (still testing), although I am not using HTTPS, so it seems odd. Update: that did not fix the issue; I just ran into it again.

itsociaal commented Mar 2, 2017

@rhukster: In my case, it is a Gantry-based issue, yes.
It does not leave any errors in my error.log :(

mahagr (Member) commented Mar 6, 2017

@itsociaal are you sure that query parameters are being passed to Grav?

@itsociaal

I can get it to work if I comment out lines 74-76 in Gantry's router.php:

        // Protect against CSRF Attacks.
        if (!in_array($method, ['GET', 'HEAD'], true) && !$this->checkSecurityToken()) {
           throw new \RuntimeException('Invalid security token; please reload the page and try again.', 403);
        }

Gantry still doesn't behave 100% perfectly then, but it's 99% usable if I comment out those 3 lines :)
I guess this is more a Gantry issue than a Grav one, though, although I suspect a vhost config line in my Grav install might help solve this issue.

mahagr (Member) commented Mar 10, 2017

Yup, and by doing that you will basically allow CSRF attacks against your site.

From this, your issue really looks identical to the issues above: your server does not pass the query string to PHP. I don't know the fix for lighttpd; maybe some googling helps?

itsociaal commented Mar 14, 2017

Thanks for the tip; I managed to solve the issue for lighttpd hosts.
I had to change the line:

url.rewrite-if-not-file = (
   "^(.*)$" => "index.php"
)

to

url.rewrite-if-not-file = (
   "^(.*)$" => "index.php$1"
)

So it passes the query string correctly. It also solved some other small problems gantry seemed to be having.
Perhaps it's a good idea to update the recommended lighttpd config with this change?

mahagr (Member) commented Mar 17, 2017

@flaviocopes PING! ^

flaviocopes self-assigned this Mar 30, 2017

@flaviocopes (Contributor)

@itsociaal can you test this PR? getgrav/grav#1393

@itsociaal

@flaviocopes, that is indeed the exact change I had made to my config, except I don't have Grav installed in a folder, so I removed the '/grav_path/' part from it. It seems to work just fine now; I haven't encountered any weird issues so far :)

I still need to comment out lines 74-76 in Gantry's router.php to get Gantry to play nice, but I assume that's purely a Gantry issue.

@flaviocopes (Contributor)

Uhm.. if you still need that change in Gantry, it's not fixed then. The webserver config change should have resolved the issue.

itsociaal commented Apr 6, 2017

You are 100% correct. I did indeed revert the changes in router.php.

I did a clean install in the default location (/grav_path/), and somehow it seems to prevent me from going to /admin now; I am getting a 404 not found error. The frontend works fine with the change, though.

If I change the config so that grav is installed in the root (without /grav_path/ in the url), it works fine with the change.

Piraty commented Apr 8, 2017

> I am getting a 404 not found error.

This is what I get too.
Grav 1.2 on lighttpd 1.1.45, PHP 7.1.2, Grav installed in a subfolder.
So the $1 fix isn't completely suitable yet.

itsociaal commented Apr 11, 2017

The problem seems to be the router in Grav: it gets confused if the path includes a complete URL including the query string, and it will try to load the wrong URL/route.
I think I managed to fix it in my local development environment. I changed the line in the vhost.conf by adding a '/' to it, so it now reads:

"^/grav_path/(.*)$" => "/grav_path/index.php/$1"

This seems to work so far for me on both installs of Grav, one in the root and one in a subfolder.
I will do some further testing, perhaps @Piraty could also test this change to see if it solves the problem for him as well?
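To see what each of the lighttpd rewrite rules discussed in this thread actually hands to Grav, here is an added example in Python (not part of the thread, and not lighttpd's or Grav's code) that models the rewrite step and then splits the result the way a PHP front controller is served. It assumes, as lighttpd does, that the rule is matched against the request URI including the query string, so `$1` carries the `?nonce=` part along; it also assumes that the subfolder rule which produced the 404 above was the slash-less `"/grav_path/index.php$1"`. The request URIs are constructed.

```python
"""Model of the lighttpd url.rewrite rules discussed in this thread.

Added example, not lighttpd's or Grav's code.  Assumptions: lighttpd matches the
rule against the request URI including the query string (so `$1` carries it), and
the subfolder rule that produced the 404 was the variant without the slash.  The
request URIs are constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed admin form URLs: the nonce travels in the query string.
ROOT_REQUEST = "/admin/themes?nonce=abc"
SUBDIR_REQUEST = "/grav_path/admin/themes?nonce=abc"

# (pattern, replacement, request) for each rule variant from the thread.
RULES = {
    "original: index.php": (r"^(.*)$", "index.php", ROOT_REQUEST),
    "fixed: index.php$1": (r"^(.*)$", "index.php$1", ROOT_REQUEST),
    "subfolder without slash (assumed)":
        (r"^/grav_path/(.*)$", "/grav_path/index.php$1", SUBDIR_REQUEST),
    "subfolder with slash":
        (r"^/grav_path/(.*)$", "/grav_path/index.php/$1", SUBDIR_REQUEST),
}


def lighttpd_rewrite(pattern: str, replacement: str, request_uri: str) -> str:
    """Apply one rule: `$N` in the replacement is the N-th capture group."""
    m = re.match(pattern, request_uri)
    if not m:
        return request_uri
    return re.sub(r"\$(\d+)", lambda ref: m.group(int(ref.group(1))), replacement)


def what_php_sees(rewritten: str):
    """Split the rewritten URI the way a front controller is served:
    (script, PATH_INFO, QUERY_STRING), or None when no index.php script can
    be resolved, which the web server answers with a 404."""
    parts = urlsplit(rewritten)
    m = re.match(r"^(.*?index\.php)(/.*)?$", parts.path)
    if not m:
        return None
    return m.group(1), m.group(2) or "", parts.query


def check_rules() -> dict:
    """Outcome of every rule: what Grav receives and whether the nonce survived."""
    results = {}
    for name, (pattern, replacement, request) in RULES.items():
        seen = what_php_sees(lighttpd_rewrite(pattern, replacement, request))
        results[name] = {
            "php_sees": seen,
            "nonce_reaches_php": seen is not None and "nonce=" in seen[2],
        }
    return results


if __name__ == "__main__":
    for name, result in check_rules().items():
        print(f"{name:36} {result}")
```

The first rule throws away both the route and the query string, so PHP never sees the nonce and the CSRF check fails; the `$1` form keeps them; the slash-less subfolder form glues the route onto the script name (`index.phpadmin/...`), which no longer resolves to a script and explains the 404; the form with the slash restores a proper PATH_INFO.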

Sogl (Contributor) commented Apr 18, 2017

Saw this error twice on the first login to the Admin panel. The second login works fine.

Grav 1.2.2
Admin 1.3.3

mahagr (Member) commented Apr 21, 2017

@Sogl That is the purpose of the error, really. It blocks access if you have a too-old security token or if the token doesn't belong to you. This prevents other users from doing random tasks as you in the admin.
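The three behaviours discussed in this thread (a non-GET request without a token is refused with a 403, a token from another session or an expired one is refused, and removing the check in router.php re-opens the form to CSRF) can be seen together in a small model. The following is an added example in Python, not Grav's or Gantry's code: the token is an HMAC over a time tick, the action and the session id, keyed with a server-side salt, and is accepted for the current tick and the one before it. The salt, the tick length, the `route()` request shape and the session ids are assumptions made for the example.

```python
"""Simplified model of a Grav/Gantry-style admin nonce.

Added example for this thread; it is not Grav's or Gantry's code.  The token is
an HMAC over (time tick, action, session id) keyed with a server-side salt and
is accepted for the current tick and the one before it.  The salt, the tick
length and the request shape below are assumptions made for the example.
"""
import hashlib
import hmac
from urllib.parse import parse_qs

SALT = b"assumed-secret-salt"   # stand-in for a per-site secret (assumption)
TICK_SECONDS = 12 * 60 * 60     # assumed tick length


def nonce_tick(now: int, previous: bool = False) -> int:
    """Coarse time bucket the token is bound to; `previous` selects the prior one."""
    tick = now // TICK_SECONDS
    return tick - 1 if previous else tick


def get_nonce(action: str, session_id: str, now: int, previous: bool = False) -> str:
    """Token for one action and one session, valid during one tick."""
    msg = f"{nonce_tick(now, previous)}|{action}|{session_id}".encode()
    return hmac.new(SALT, msg, hashlib.sha256).hexdigest()


def verify_nonce(nonce, action: str, session_id: str, now: int) -> bool:
    """Accept a token from the current or the previous tick; reject everything
    else, including a missing token and a token minted for another session."""
    if not nonce:
        return False
    for previous in (False, True):
        expected = get_nonce(action, session_id, now, previous)
        if hmac.compare_digest(nonce, expected):
            return True
    return False


def route(method: str, query_string: str, session_id: str, now: int,
          enforce: bool = True, action: str = "admin-save") -> tuple:
    """Mirror of the router check quoted in this thread: anything other than
    GET/HEAD must carry a valid token or it is refused with a 403.
    `enforce=False` stands for commenting those lines out."""
    if enforce and method not in ("GET", "HEAD"):
        nonce = parse_qs(query_string).get("nonce", [None])[0]
        if not verify_nonce(nonce, action, session_id, now):
            return 403, "Invalid security token; please reload the page and try again."
    return 200, "saved"


def demo() -> list:
    """Constructed requests covering the cases seen in the thread.
    Returns the status code of each, in order."""
    now = 1_700_000_000
    token = get_nonce("admin-save", "sess-A", now)
    old_token = get_nonce("admin-save", "sess-A", now - TICK_SECONDS)
    stale_token = get_nonce("admin-save", "sess-A", now - 2 * TICK_SECONDS)
    cases = [
        # token present and the query string reached PHP: saved
        dict(method="POST", query_string=f"nonce={token}", session_id="sess-A", now=now),
        # web server dropped the query string, so PHP never sees the nonce: 403
        dict(method="POST", query_string="", session_id="sess-A", now=now),
        # the same token replayed under another user's session: not yours, 403
        dict(method="POST", query_string=f"nonce={token}", session_id="sess-B", now=now),
        # token minted in the previous tick is still inside the grace window
        dict(method="POST", query_string=f"nonce={old_token}", session_id="sess-A", now=now),
        # token two ticks old has expired
        dict(method="POST", query_string=f"nonce={stale_token}", session_id="sess-A", now=now),
        # a plain page load needs no token
        dict(method="GET", query_string="", session_id="sess-A", now=now),
        # check commented out: a forged POST with no token goes through (CSRF)
        dict(method="POST", query_string="", session_id="sess-A", now=now, enforce=False),
    ]
    return [route(**case)[0] for case in cases]


if __name__ == "__main__":
    print(demo())
```

The second case is the symptom everyone in this thread hit: the token was generated and put in the URL, but the rewrite rule discarded the query string, so the check sees no token at all. The last case shows what commenting out the check buys an attacker: a cross-site POST with no token is processed as if the user had submitted it.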

uldics commented Jun 21, 2017

@ghost Where could I find the vhost.conf on Apache shared hosting without SSH access? There seems to be no such file.

Sogl (Contributor) commented Dec 16, 2017

I use the ngrok service for creating tunnels to my localhost site from the internet, but I can't log in to the admin from a URL like http://a70261927.ngrok.io/admin because of an invalid security token error every time.
How to fix?

@drewisdorner

I'm using Traefik as my reverse proxy server. When connecting it to my Grav "backend" I get the invalid security token error when trying to log in to my https://example.com/admin.
I searched a lot on both sides, Traefik and Grav.

Finally I found the error: in my Traefik config I need to set passHostHeader to true in the frontend configuration.
If anybody has questions regarding this, don't hesitate to @ me.

@pablomalo

@drewisdorner Thanks for the tip, works great with Traefik.

mahagr closed this as completed Dec 1, 2020
15 participants