
"the Form Token Is Invalid"


twhiting9275


So, once again, trying this install/demo thing.

Can't seem to get past the install bit though. Every time, install errors with

 

 

What could be causing this?

This shows up on the license form, everything else appears to be good

 

If you view-source the page do you see a hidden field with a hash?

 

Every form should have:

 

<input type="hidden" name="_csrf_token" value="85d56560f20e209d265beecf0584bcbda568f89da36c339b2b42029e83" />

Something like that with your own token. Also you're installing a trial version, not a demo really. And is there anything missing on your server like mbstring PHP function?

Link to comment
Share on other sites

  • 0

If you view-source the page do you see a hidden field with a hash?

Yup, even changes when I refresh the page

<input type="hidden" name="_csrf_token" value="3dc80a4e0b291adad068eb53b87fb714fddd59416fa96b1f9c329be7a929b933" />
<input type="hidden" name="_csrf_token" value="4ae83c6b18ba97fe819f2f0a5daf9026c477e27be66cecdbd9b06aa709912de4" />
<input type="hidden" name="_csrf_token" value="ceb4ffc4b7580334681c177680f893d9d546dcb5a4870abb786611e6131fa442" />
Link to comment
Share on other sites

  • 0

Yup, even changes when I refresh the page

 

<input type="hidden" name="_csrf_token" value="3dc80a4e0b291adad068eb53b87fb714fddd59416fa96b1f9c329be7a929b933" />
<input type="hidden" name="_csrf_token" value="4ae83c6b18ba97fe819f2f0a5daf9026c477e27be66cecdbd9b06aa709912de4" />
<input type="hidden" name="_csrf_token" value="ceb4ffc4b7580334681c177680f893d9d546dcb5a4870abb786611e6131fa442" />

 

Yes ok good :) are you installing this on a domain on your webserver or your pc (localhost)?

Link to comment
Share on other sites

  • 0

I know how to install software, and follow instructions just fine, thank you.

The problem is not me, or the instructions. The problem is that the software does not install properly.

I can get it installed via CLI

----------------------------------------
Blesta CLI Installer
----------------------------------------
Please acknowledge your agreement to the terms and conditions as explained at
http://www.blesta.com/license/
 
Do you agree? (Y/N): y
Performing system requirements check...
You will now be asked to enter your database credentials.
Database host (default localhost): 
Database name: <redacted>
Database user: <redacted>
Database password: <redacted>
Attempting to verify database credentials... OK
Checking InnoDB support... OK
Installing database...
96/96 [========================================] 100%
Completed.
Configuring database...
23/23 [========================================] 100%
Completed.
Upgrading database...
4/4 [========================================] 100%
0/0 [========================================] 100%
2/2 [========================================] 100%
0/0 [========================================] 100%
2/2 [========================================] 100%
1/1 [========================================] 100%
1/1 [========================================] 100%
1/1 [========================================] 100%
1/1 [========================================] 100%
1/1 [========================================] 100%
2/2 [========================================] 100%
2/2 [========================================] 100%
Completed.
 
Attempting to write config... Success.
Generating encryption keys. This may take a minute or two... Done.
Installing default plugins... Done.
 
Finished. To complete setup visit /admin/login/ in your browser, 
or if you do not have mod_rewrite, /index.php/admin/login/.
Link to comment
Share on other sites

  • 0

I was just making sure it wasn't the web installer alone. See the second post. Somehow that got cut out of the last one, using latest available source

It's not just Chrome, every single browser is doing the same exact thing when it comes to setting up the admin while using 'free trial'

Chrome, IE, Firefox, all the same exact token error.

Link to comment
Share on other sites

  • 0

I was just making sure it wasn't the web installer alone. See the second post. Somehow that got cut out of the last one, using latest available source

It's not just Chrome, every single browser is doing the same exact thing when it comes to setting up the admin while using 'free trial'

Chrome, IE, Firefox, all the same exact token error.

 

Mine works: http://screencast.com/t/o9gjBaqfcmhZ

 

Fresh installation of 3.0.5 on CloudLinux OS, PHP 5.4 and using a trial key.

 

I'm using the Chrome browser by the way.

Link to comment
Share on other sites

  • 0

Blaming 'the server' for a simple form problem is ridiculous.

I don't think you understand, this isn't a simple form issue. Let's take a look at how the token is generated.

 

	public function getCsrfToken($key) {
		// The token is derived from the current PHP session ID
		$session_id = session_id();
		
		// Prefer computing CSRF using HMAC
		if (function_exists("hash_hmac"))
			return hash_hmac("sha256", $session_id, $key);
		// Sha256 hash is the next best thing
		if (function_exists("hash"))
			return hash("sha256", $key . $session_id);
		// Regrettably, fallback to md5
		return md5($key . $session_id);
	}

 

Verifying is simple

 

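	public function verifyCsrfToken($key = null, $csrf_token = null) {
		
		// Fall back to the configured key when none is given
		if ($key == null)
			$key = $this->csrf_token_key;
		
		// Read the submitted token from the POST data when none is given
		if ($csrf_token === null && isset($_POST[$this->csrf_token_name]))
			$csrf_token = $_POST[$this->csrf_token_name];
			
		// Strict comparison so two hex strings are never compared as numbers
		return $this->getCsrfToken($key) === $csrf_token;
	}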
	

 

The installer shouldn't have anything to do with it. What do your error logs say? PHP should be throwing some sort of error if you are missing something.

 

So what are you running? OS, PHP version, openssl, etc..

Link to comment
Share on other sites
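
The token in the post above is an HMAC of the session ID, so it stays the same for as long as the session persists; this added example (not Blesta's code and not part of the original posts) simulates a form render followed by a submit to show when verification fails. The function names, session IDs and key are constructed, the key is assumed to be constant, and `hash_equals()` assumes PHP 5.6 or later.

```php
<?php
// Added example: names and sample values are constructed, not taken from Blesta.

// Same derivation as getCsrfToken() in the post: HMAC-SHA256 over the session ID.
function csrf_token($sessionId, $key) {
    return hash_hmac('sha256', $sessionId, $key);
}

// Constant-time check of a submitted token; hash_equals() needs PHP 5.6+.
function csrf_verify($sessionId, $key, $submitted) {
    return is_string($submitted) && hash_equals(csrf_token($sessionId, $key), $submitted);
}

// Simulates GET (render the form) followed by POST (submit the form).
// $sessionAtPost is the session ID PHP sees when the POST arrives.
function simulate($sessionAtGet, $sessionAtPost, $key) {
    $rendered = csrf_token($sessionAtGet, $key); // value placed in the hidden field
    return array(
        'rendered' => $rendered,
        'valid'    => csrf_verify($sessionAtPost, $key, $rendered),
    );
}

// Tokens the hidden field would carry over several page loads.
function tokens_for(array $sessionIds, $key) {
    return array_map(function ($id) use ($key) {
        return csrf_token($id, $key);
    }, $sessionIds);
}

$key = 'constructed-installer-key';

// Case 1: the session cookie round-trips, so both requests share one session ID.
$ok = simulate('sess-aaa111', 'sess-aaa111', $key);

// Case 2: the session is not resumed, so each request gets a fresh session ID.
$bad = simulate('sess-aaa111', 'sess-bbb222', $key);

// Diagnostic matching the thread: reload the form three times, compare the tokens.
$stable   = array_unique(tokens_for(array('sess-aaa111', 'sess-aaa111', 'sess-aaa111'), $key));
$churning = array_unique(tokens_for(array('sess-aaa111', 'sess-bbb222', 'sess-ccc333'), $key));

printf("same session: valid=%s, distinct tokens over 3 loads=%d\n",
    var_export($ok['valid'], true), count($stable));
printf("new session:  valid=%s, distinct tokens over 3 loads=%d\n",
    var_export($bad['valid'], true), count($churning));
```

With this derivation, a hidden field whose value changes on every reload points at the session ID not surviving between requests, so the session cookie and session storage are the first things to check.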

  • 0

Solved my own problem.

You left no alternatives when you incorrectly made assumptions and ignored help. Did you bother to look through your logs as suggested? Suhosin does what it is configured to do, it doesn't know what's valid or not. I would ask for you to post your rules to help future customers who use Suhosin.

Link to comment
Share on other sites

  • 0

Solved my own problem. Suhosin was stopping this, though that shouldn't ever be stopping a valid script from installing or submitting data

 

Glad you were able to isolate it to Suhosin. If you were able to narrow it down to a particular rule or reason we'd love to know so we can try to work around it in the future.

 

We set up a server with suhosin on it specifically for identifying these kinds of issues, but we admittedly haven't done very extensive testing with suhosin. I'll see if we can replicate this in that environment.

 

Thanks!

Link to comment
Share on other sites
