
The form token is invalid. Client login page only.


dimsum

Question

Hi!

I'm having trouble with the client login page. For some reason, no matter what I input in the client page, it only returns "The form token is invalid.". The admin page is working fine, though.

Things I've tried

  • Reinstalled 3.6.2 and 3.6.1
  • Configure::errorReporting(-1); - No idea where to see the logs
  • Configure::set("System.debug", true); - No idea where to see the logs
  • Configure::set("Blesta.verify_csrf_token", false); - Works, but I rather have CSRF enabled

Current settings: cPanel, using Softaculous to install Blesta.


Has anyone encountered this error? Or can anyone kindly tell me how can I find out what's causing this?


(Attachment: Screen Shot 2016-08-15 at 22.14.28.png)


12 answers to this question

Recommended Posts

  • 1

Thanks for everyone's help! This has finally been solved. I hope this thread will help someone in the future.

The problem was the cache server didn't have my domain as an exception. I'm not sure if it's because the cache didn't work, causing the session not to work, resulting in the CSRF token being generated on each refresh.

But the fix was to add the domain to the cache server exception list and everything works normally.

So no need to disable any services or add the following to .htaccess.

    Header set Cache-Control "max-age=0, private, no-cache, no-store, must-revalidate"



  • 0

Any way for me to confirm or fix this? I've just tried opcache_reset(), but the result appears the same.

Also, the session section of phpinfo() shows that session.cache_expire is set to 180. This problem has also been going on for a couple of days, as I've been trying to fix it.


  • 0

I'm using the default theme. It's a fresh install with one staff account, which was required to be created on the installation page; other than that, everything is default.

The _csrf_token changes every time I refresh the page.

I added the following to the .htaccess in the Blesta folder; it should stop all caching.

    Header set Cache-Control "max-age=0, private, no-cache, no-store, must-revalidate"

Sadly, this still doesn't solve the issue. Now I'm trying to see if I can temporarily disable the caching, so that I can at least confirm if it is or is not the root of the issue.


Regards.


  • 0

I'm able to disable the Zend OPcache. But it still doesn't resolve the issue.

Zend OPcache

Opcode Caching  Disabled
Optimization  Disabled

Are there any logs from Blesta that I can follow up on? I'm sure it's due to the settings/configuration on the web server; I just need to know where Blesta produces the returned error, so I can see which service is causing this.

Regards.


  • 0

Refreshing the page in the same browser should not generate a new CSRF token, as the token is based on your session. So, NajaHost is correct when he says "Sessions ... !!!"

It seems like something is going on with sessions. You should get a new CSRF token if you open a new browser, or incognito window, but not when refreshing the same page.

mod_security or anything else interfering with session cookies?

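The two explanations in this thread (the accepted fix, where the session stopped persisting behind the cache server, and the note above that a CSRF token is bound to the session and so must survive a refresh) can be reproduced in a small simulation. This is an added example and not Blesta's code: the SessionStore, DroppingSessionStore, csrf_token, render_form, handle_post and token_stable_across_refresh names and the HMAC-over-session-secret construction are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = b"constructed-demo-key"  # constructed value; a real app loads this from its config

class SessionStore:
    """Server-side session store that persists writes (the normal case)."""
    def __init__(self):
        self._data = {}
    def load(self, sid):
        # Return a copy so nothing persists unless save() is called
        return dict(self._data.get(sid, {}))
    def save(self, sid, session):
        self._data[sid] = session

class DroppingSessionStore(SessionStore):
    """Simulates the thread's failure: session writes never land, so every
    request (page refresh or form POST) starts from an empty session."""
    def save(self, sid, session):
        pass

def csrf_token(session):
    """Token derived from a per-session secret: stable within one session,
    different between sessions (the property described in the thread)."""
    if "csrf_secret" not in session:
        session["csrf_secret"] = secrets.token_hex(16)
    return hmac.new(SECRET_KEY, session["csrf_secret"].encode(), hashlib.sha256).hexdigest()

def render_form(store, sid):
    """GET of the login page: embed the token and persist the session."""
    session = store.load(sid)
    token = csrf_token(session)
    store.save(sid, session)
    return token

def handle_post(store, sid, submitted_token):
    """POST of the login form: recompute the expected token from the session."""
    session = store.load(sid)
    expected = csrf_token(session)
    store.save(sid, session)
    if not hmac.compare_digest(expected, submitted_token):
        return "The form token is invalid."
    return "ok"

def token_stable_across_refresh(store, sid):
    """Diagnostic matching the thread: two GETs in one session should agree."""
    return render_form(store, sid) == render_form(store, sid)
```

With the persisting store the token survives a refresh and the POST is accepted; with the dropping store the token rotates on every request and every POST fails with the exact message from the thread, which is the symptom to look for before touching CSRF settings.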
