Valid CSRF Token Required OsTicket 1.10 #3546

Open
DarthSlider opened this issue Dec 6, 2016 · 36 comments

Comments

@DarthSlider

Hi, any help for this problem?
OsTicket 1.10
Win 2012 R2
Apache 2.4
Php 7.1
Installed everything, get this problem. Read a lot, found solution to change "session.auto_start" to 1 and it worked for me. I logged in, but after a while still get same problem.

@ntozier
Contributor

ntozier commented Dec 6, 2016

My guess would be that it's because you are running PHP 7.1.0 (released a few days ago). It's my understanding that osticket 1.10 still isn't fully compatible with 7.0 yet. You might want to downgrade to 5.6 and see if that helps.

@DarthSlider
Author

Thanks! I'll try to reinstall it tomorrow.
All this PHP stuff is new to me, so I just downloaded the up-to-date version of everything. I think there should be some kind of notification that PHP 7+ is not officially supported yet.

@FossPrime FossPrime added the php 7 label Dec 6, 2016
@PeopleInside
Contributor

I have the same issue on PHP 7.1. I will downgrade to PHP 5.6; all works fine with the older PHP.
Seems to be different issue with OsTicket and PHP 7 #3033

@FossPrime FossPrime added the bug label Jan 5, 2017
@jorgeassuncao

I had that problem with OSticket 1.10, Apache and PHP 7.1. After downgrading PHP to 7.0.14 the error disappeared. Hope this helps anyone.

@GingerAdonis

Is this being worked on? PHP 7.1 is released by now and osTicket support for it would be great.

@dpollard

dpollard commented Mar 9, 2017

I hope this is being worked on

@kaorukobo

kaorukobo commented Mar 27, 2017

I have the same issue on PHP 7.1 + osticket 1.10.
Some information on my digging:

  • When I visit scp/login.php
    • Valid Set-Cookie was sent from osticket: "OSTSESSID=nntpjei4195nd6ru6h759mtk1d; expires=Tue, 28-Mar-2017 12:46:50 GMT; Max-Age=86400; path=%PATH%"
    • But corresponding ost_session record to this key (nntpje...) was not created.
  • Then when I submit username&password:
    • DoesNotExist exception in upload/include/class.ostsession.php(184): QuerySet->one() (of course, this is rescued.)
  • When I set session backend to memcache
    • The same error was shown.

kaorukobo added a commit to kaorukobo/osTicket that referenced this issue Mar 27, 2017
DbSessionBackend->read() should not return null but empty string.
@kaorukobo

kaorukobo commented Mar 27, 2017

Will anyone try the above patch 424bfc9? It solved my issue.
I'll decide on making a pull request based on feedback.

@jtremper1

@kaorukobo your patch worked for me, using the latest version of osticket & the latest php 7.1 from remi. Thanks!

@MorysDrecht

@kaorukobo

Can confirm that fix worked for me as well. CentOS 7, PHP 7.1.3 from Remi, OSTicket 1.10.

@kaorukobo

The corresponding pull request was approved:
#3773

@leifnel

leifnel commented Jun 6, 2017

I just installed the latest osTicket. I'm on PHP Version 7.1.5 on Windows 7 Professional Edition Service Pack 1 i586, and I got the "Valid CSRF Token Required" error on first login to admin.

@bitnom

bitnom commented Jun 9, 2017

This is terrible. Same issue as #304 ? I wish I'd have known before upgrading. I can't go back on this server because PHP7 is needed for some of my scripts. This should be priority 1.

@PeopleInside
Contributor

Dear @TomAshley303, it seems this issue with PHP 7 will not be fixed soon. As keeping PHP and other software updated is very important for security, I have upgraded to PHP 7.
Here is the fix that works: 424bfc9

@ilanh

ilanh commented Jun 15, 2017

FYI all, I had the same problem and it was incorrect time on my machine.

@Richardvi

Just found out that login on my OSticket is possible when on PHP 5.6. As soon as I set my server to PHP 7.1, I can no longer log in to OSTicket and get the "Valid CSRF Token Required" message.

@ntozier
Contributor

ntozier commented Sep 7, 2017

@Richardvi osTicket supports php7, not php7.1. So that's likely your issue.

@Richardvi

OK, thanks!

@compuzones

Thank you brother, it really helps.

@rdiezsj

rdiezsj commented Nov 10, 2017

Thanks!!! Works fine :)

@noxidsoft

New to osTicket today, deal breaker for me if it doesn't support php7.1.x, until it does.

@bartman0023

Works for me; only needed to add a new line to one file 👍
424bfc9

@jayvines

Does anyone know if this was fixed in the latest release 1.10.4 (yesterday)?

@PeopleInside
Contributor

Hi @ I think this issue is not fixed; I never tested the last release as it has been released recently.
You can read in the release notes what the update includes: 035fd0a

@JediKev
Contributor

JediKev commented Jul 18, 2018

@PeopleInside

It's somewhat addressed in v1.11.0rc-1 with this. Instead of giving you a blank window with an error message it gives you the login page with the error "Valid CSRF Token".

Cheers.

@binunice

Windows + Apache + PHP Version 7.2.7

session.auto_start=1 worked for me

@jpkh

jpkh commented Oct 2, 2018

Ubuntu 18.04 x64 + Apache2 + PHP 7.2-10 + osT 1.10.4

/etc/php/7.2/apache2/php.ini session.auto_start=1 worked for me too.

@PeopleInside
Contributor

PeopleInside commented Oct 2, 2018

/etc/php/7.2/apache2/php.ini session.auto_start=1 worked for me too.

Hi @jpkh, thank you very much for sharing where session.auto_start=1 should be placed. This is an edit of the PHP (ini) configuration; I am asking what OsTicket should change to resolve this issue. Usually I prefer to make fixes in the software and not in PHP. Great to know there is a solution for working with PHP 7.2, but maybe I will wait to understand if the issue can be solved on the OsTicket side.

@tobilobaajibola

The latest version is compatible with Php 7.0, so you can downgrade from 7.1 to 7.0. Easy fix

@auroraeosrose

In PHP 7.1 and higher you are required to return a string from a session read handler or you will get an error - the documentation has always said that it should return a string but PHP has only now started to enforce that. Look in php logs to see if you have PHP Warning: session_start(): Failed to read session data: user

adding the following line JUST before the return in the read method in class.ostsession.php

if(!is_string($this->data->session_data)) {
    $this->data->session_data = strval($this->data->session_data);
}

This makes sure that no matter WHAT you put in session data, you always return a string as you should

Downgrading your PHP version is never a good idea for security reasons. Doubly bad because PHP 7.0 is already out of regular support and is out of security support in one month :(

http://php.net/supported-versions.php
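
The behaviour described in the comment above, as an added example that is not osTicket code and not part of the original comment: `ArraySessionBackend`, its `$rows` array and `trySession()` are hypothetical stand-ins for `DbSessionBackend` and the `ost_session` table. On PHP 7.1 and later the first run fails to start a session and persists nothing, so a token kept in the session is gone on the next request; with the string coercion the session starts and the row is written.

```php
<?php
// Added illustration, not osTicket code. ArraySessionBackend and its $rows
// array are hypothetical stand-ins for DbSessionBackend and the ost_session table.
class ArraySessionBackend implements SessionHandlerInterface
{
    private $rows = [];   // constructed in-memory "table": session id => data
    private $coerce;      // true applies the string coercion from this thread
    public function __construct($coerce) { $this->coerce = $coerce; }

    public function open($path, $name): bool { return true; }
    public function close(): bool { return true; }

    #[\ReturnTypeWillChange]
    public function read($id)
    {
        // First visit: no stored row yet, so the lookup yields null.
        $data = isset($this->rows[$id]) ? $this->rows[$id] : null;
        if ($this->coerce && !is_string($data)) {
            $data = strval($data);   // null becomes '', which PHP 7.1+ accepts
        }
        return $data;
    }

    public function write($id, $data): bool { $this->rows[$id] = $data; return true; }
    public function destroy($id): bool { unset($this->rows[$id]); return true; }
    #[\ReturnTypeWillChange]
    public function gc($max_lifetime) { return 0; }
    public function rowCount() { return count($this->rows); }
}

// Start a session on a fresh backend, store a constructed token, and report
// whether the session started and how many rows were persisted.
function trySession($coerce)
{
    $backend = new ArraySessionBackend($coerce);
    session_set_save_handler($backend, false);
    $started = @session_start();   // '@' hides the "Failed to read session data" warning
    if ($started) {
        $_SESSION['token'] = bin2hex(random_bytes(16));   // constructed value
        session_write_close();
    }
    return [$started, $backend->rowCount()];
}

$results = ['null from read()' => trySession(false), 'string from read()' => trySession(true)];
foreach ($results as $label => list($started, $rows)) {
    printf("%-20s started=%s rows=%d\n", $label, var_export($started, true), $rows);
}
```

Run it from the PHP command line; on PHP 7.0 and earlier both runs start a session because the handler's return type was not yet enforced.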

@davidtessier

davidtessier commented Nov 11, 2018

@auroraeosrose there are two read functions in class.ostsession.php. Could you specify the line that this snippet needs to be inserted on? The read function on line 270, or the one on 183? PS: thank you for this solution... When I used session.auto_start=1 it broke one of the other apps (TestLink) that I run on the same server, so I appreciate a solution that only involves changes to OST and not the php.ini.

@JediKev
Contributor

JediKev commented Nov 11, 2018

@davidtessier

The one in class DbSessionBackend, put it right above the return.

P.S.
This is addressed in 1.11 with:
#3955
#4344

Cheers.

@davidtessier

Thanks! That worked.

@amsut

amsut commented Dec 7, 2018

In PHP 7.1 and higher you are required to return a string from a session read handler or you will get an error - the documentation has always said that it should return a string but PHP has only now started to enforce that. Look in php logs to see if you have PHP Warning: session_start(): Failed to read session data: user

adding the following line JUST before the return in the read method in class.ostsession.php

if(!is_string($this->data->session_data)) {
    $this->data->session_data = strval($this->data->session_data);
}

This makes sure that no matter WHAT you put in session data, you always return a string as you should

Downgrading your PHP version is never a good idea for security reasons. Doubly bad because PHP 7.0 is already out of regular support and is out of security support in one month :(

http://php.net/supported-versions.php

Thank you, this works for me.

@SubjectXXX

Solution from @auroraeosrose also worked for me on PHP7.2.15 and osticket 1.10.5

@mjmunger

@auroraeosrose's solution works on:

Distributor ID: Debian
Description: Debian GNU/Linux 9.8 (stretch)
Release: 9.8
Codename: stretch
Apache 2.4
PHP version 7.2.16
