Invalid form token on login (Android + iOS)

Google Chrome (on Android, not on macOS) AND Safari (on iOS) yield an error when trying to log in. Tor (on Android) does the job perfectly. The error is “Invalid form token. Please reload this form and submit again” + “Welcome back! You are already logged in.”. All mobile users are confronted with this error. Putting some logging in the validate function in Concrete>src>Validation>CSRF>Token.php shows that the login action is executed twice:

Date,Level,Channel,User,Message
“Feb 10, 2023, 10:00:13 AM”,INFO,Application,Guest,“login_concrete 10:00:13”
“Feb 10, 2023, 10:00:13 AM”,INFO,Application,Guest,“10:00:11 3f0a7806f865e0807f32e580763186d8”
“Feb 10, 2023, 10:00:13 AM”,INFO,Application,admin,name of user logged in
“Feb 10, 2023, 10:00:16 AM”,INFO,Application,admin,“login_concrete 10:00:16”
“Feb 10, 2023, 10:00:16 AM”,INFO,Application,admin,“10:00:11 3f0a7806f865e0807f32e580763186d8”
“Feb 10, 2023, 10:18:49 AM”,INFO,Application,admin,“do_logout 10:18:49”
“Feb 10, 2023, 10:18:49 AM”,INFO,Application,admin,“10:01:45 d31ad6cb04bc957d224b64d8cc7e406b”
“Feb 10, 2023, 10:18:54 AM”,INFO,Application,Guest,“login_concrete 10:18:54”
“Feb 10, 2023, 10:18:54 AM”,INFO,Application,Guest,“10:18:52 ddba656924d804da2a1bbe355c31fda4”
“Feb 10, 2023, 10:18:55 AM”,INFO,Application,admin,name of user logged in
“Feb 10, 2023, 10:18:57 AM”,INFO,Application,admin,“login_concrete 10:18:57”
“Feb 10, 2023, 10:18:57 AM”,INFO,Application,admin,“10:18:52 ddba656924d804da2a1bbe355c31fda4”
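
An added example, not part of the original post or of Concrete's code: a small parser for the log export above that flags every token hash reaching validation more than once and shows which user each validation ran as. It assumes, from how the posted rows read, that each action row is followed by a row holding a time and the token hash; the function and key names are hypothetical.

```python
import csv
import io
import re
from collections import defaultdict

# Log rows copied from the post above (curly quotes as exported).
SAMPLE_LOG = """\
Date,Level,Channel,User,Message
“Feb 10, 2023, 10:00:13 AM”,INFO,Application,Guest,“login_concrete 10:00:13”
“Feb 10, 2023, 10:00:13 AM”,INFO,Application,Guest,“10:00:11 3f0a7806f865e0807f32e580763186d8”
“Feb 10, 2023, 10:00:13 AM”,INFO,Application,admin,name of user logged in
“Feb 10, 2023, 10:00:16 AM”,INFO,Application,admin,“login_concrete 10:00:16”
“Feb 10, 2023, 10:00:16 AM”,INFO,Application,admin,“10:00:11 3f0a7806f865e0807f32e580763186d8”
“Feb 10, 2023, 10:18:49 AM”,INFO,Application,admin,“do_logout 10:18:49”
“Feb 10, 2023, 10:18:49 AM”,INFO,Application,admin,“10:01:45 d31ad6cb04bc957d224b64d8cc7e406b”
“Feb 10, 2023, 10:18:54 AM”,INFO,Application,Guest,“login_concrete 10:18:54”
“Feb 10, 2023, 10:18:54 AM”,INFO,Application,Guest,“10:18:52 ddba656924d804da2a1bbe355c31fda4”
“Feb 10, 2023, 10:18:55 AM”,INFO,Application,admin,name of user logged in
“Feb 10, 2023, 10:18:57 AM”,INFO,Application,admin,“login_concrete 10:18:57”
“Feb 10, 2023, 10:18:57 AM”,INFO,Application,admin,“10:18:52 ddba656924d804da2a1bbe355c31fda4”
"""
ACTION_RE = re.compile(r"^(\w+) (\d\d:\d\d:\d\d)$")         # e.g. login_concrete 10:00:13
TOKEN_RE = re.compile(r"^(\d\d:\d\d:\d\d) ([0-9a-f]{32})$")  # e.g. 10:00:11 <32 hex chars>

def parse_validations(text):
    """Pair each action row with the token row that follows it (assumed layout)."""
    rows = csv.DictReader(io.StringIO(text.replace("“", '"').replace("”", '"')))
    pending, out = None, []
    for row in rows:
        msg = row["Message"]
        if m := ACTION_RE.match(msg):
            pending = {"action": m.group(1), "at": m.group(2), "user": row["User"]}
        elif (m := TOKEN_RE.match(msg)) and pending:
            out.append({**pending, "token_time": m.group(1), "token": m.group(2)})
            pending = None
    return out

def replayed_tokens(validations):
    """Return {token: [uses]} for tokens that were validated more than once."""
    by_token = defaultdict(list)
    for v in validations:
        by_token[v["token"]].append(v)
    return {t: uses for t, uses in by_token.items() if len(uses) > 1}

if __name__ == "__main__":
    for token, uses in replayed_tokens(parse_validations(SAMPLE_LOG)).items():
        trail = " -> ".join(f'{u["action"]}@{u["at"]} as {u["user"]}' for u in uses)
        print(f"{token} (time {uses[0]['token_time']}): {trail}")
```

On the posted rows this reports both login tokens as validated twice, first as Guest and then as admin a few seconds later, while the logout token appears once.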

Hi @PAlgoed - can you let me know the environment info of your site? Concrete version, PHP version, all that? Thanks.

Hi Evan,

  1. I also tested Epic on Android: fine! Why this intermittent guest login with Chrome + Safari?
  2. Env info:

Concrete Version

Core Version - 9.1.3
Version Installed - 9.1.3
Database Version - 20220908074900

Hostname

web0136.zxcs.nl

Environment

production

Database Information

Version: 10.4.27-MariaDB-cll-lve
SQL Mode: NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION

Concrete Packages

Rescan All Files (0.1.5)

Concrete Overrides

(… too many to get posted)

Concrete Cache Settings

Block Cache - On
Overrides Cache - On
Full Page Caching - On - In all cases.
Full Page Cache Lifetime - Every 6 hours (default setting).

Server Software

Apache/2

Server API

litespeed

PHP Version

8.0.27

PHP Extensions

bcmath, bz2, calendar, Core, ctype, curl, date, dom, exif, fileinfo, filter, ftp, gd, gettext, gmp, hash, iconv, imagick, intl, json, libxml, litespeed, mbstring, mysqli, mysqlnd, openssl, pcntl, pcre, PDO, pdo_mysql, pdo_sqlite, Phar, posix, readline, Reflection, session, shmop, SimpleXML, soap, sockets, SPL, sqlite3, standard, tokenizer, xml, xmlreader, xmlwriter, xsl, zip, zlib

PHP Settings

max_execution_time - 600
log_errors_max_len - 1024
max_file_uploads - 20
max_input_nesting_level - 64
max_input_time - 60
max_input_vars - 1000
memory_limit - 2048M
post_max_size - 2048M
upload_max_filesize - 1G
zend.exception_string_param_max_len - 15
mbstring.regex_retry_limit - 1000000
mbstring.regex_stack_limit - 100000
mysqli.max_links - Unlimited
mysqli.max_persistent - Unlimited
pcre.backtrack_limit - 1000000
pcre.recursion_limit - 100000
session.cache_limiter - no value
session.gc_maxlifetime - 7200
soap.wsdl_cache_limit - 5
unserialize_max_depth - 4096