Bug #69763

Re-login after expired backend session throws exception

Added by Loek Hilgersom about 6 years ago. Updated about 3 years ago.

Status: Closed
Priority: Must have
Assignee:
Category: Backend User Interface
Start date: 2015-09-13
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 7
PHP Version: 5.5
Tags:
Complexity:
Is Regression: No
Sprint Focus:

Description

After the BE session expires you get a lightbox popup ('Refresh Login to TYPO3') which allows you to enter your password and log in again.

When doing this, the backend sometimes throws an exception: #1425389455: Invalid request for route "/main"

This appears to happen when you had an editing form open when the session expired. As a workaround you can remove the token from the URL and log in again with the normal login box.

Strangely, testing this with a really low value for [BE][sessionTimeout] did not reproduce this error. Could it be that the token has its own time-out value?

You can reproduce the exception by manually modifying the token in the URL (but that is correct of course).


Related issues

  • Related to TYPO3 Core - Bug #69277: Invalid request for route "/logout" (Closed, 2015-08-24)
  • Related to TYPO3 Core - Bug #66242: CSRF problem after relogin (Closed, 2015-04-02)
  • Related to TYPO3 Core - Bug #78739: Internal user data is not updated when session id is regenerated (Closed, 2016-11-18)
  • Related to TYPO3 Core - Bug #82118: User interface does not react / 500 internal server error dummyToken (New, 2017-08-17)
  • Related to TYPO3 Core - Bug #85844: Invalid request for route "/ajax/system-information/render" after session timed out (Under Review, 2018-08-14)
  • Has duplicate TYPO3 Core - Bug #73168: Exception on re-login (Closed, 2016-02-07)

#1

Updated by Nicole Cordes about 6 years ago

  • Assignee set to Nicole Cordes

#2

Updated by Anja Leichsenring about 6 years ago

  • Sprint Focus changed from On Location Sprint to Stabilization Sprint

#3

Updated by Markus Klein about 6 years ago

I have similar issues with the normal BE login from time to time. I need to clear the GET parameters then and then the BE works like normal.

#4

Updated by Benni Mack about 6 years ago

  • Target version changed from 7.5 to 7 LTS
  • Sprint Focus deleted (Stabilization Sprint)

#5

Updated by Wolfgang Klinger about 6 years ago

I can confirm that bug.

URL: http://dev.demo-7.local/typo3/index.php?route=%2Fmain&token=32517423454ea0a4e9388fa736b4b2f92806a07e

Uncaught TYPO3 Exception
#1425389455: Invalid request for route "/main" (More information)

TYPO3\CMS\Backend\Routing\Exception\RouteNotFoundException thrown in file
/var/www/dev.demo-7/typo3_src/typo3/sysext/backend/Classes/Http/RouteDispatcher.php in line 47.

7 TYPO3\CMS\Backend\Http\RouteDispatcher::dispatch(TYPO3\CMS\Core\Http\ServerRequest, TYPO3\CMS\Core\Http\Response)

/var/www/dev.demo-7/typo3_src/typo3/sysext/backend/Classes/Http/RequestHandler.php:
00153:   /** @var RouteDispatcher $dispatcher */
00154:   $dispatcher = GeneralUtility::makeInstance(RouteDispatcher::class);
00155:   return $dispatcher->dispatch($request, $response);
00156:  }
00157: }

6 TYPO3\CMS\Backend\Http\RequestHandler::dispatch(TYPO3\CMS\Core\Http\ServerRequest)

/var/www/dev.demo-7/typo3_src/typo3/sysext/backend/Classes/Http/RequestHandler.php:
00090:   // Check if the router has the available route and dispatch.
00091:   if ($routingEnabled) {
00092:    return $this->dispatch($request);
00093:   }
00094: 

5 TYPO3\CMS\Backend\Http\RequestHandler::handleRequest(TYPO3\CMS\Core\Http\ServerRequest)

/var/www/dev.demo-7/typo3_src/typo3/sysext/core/Classes/Core/Bootstrap.php:
00286: 
00287:   // Execute the command which returns a Response object or NULL
00288:   $this->response = $requestHandler->handleRequest($request);
00289:   return $this;
00290:  }

4 TYPO3\CMS\Core\Core\Bootstrap::handleRequest(TYPO3\CMS\Core\Http\ServerRequest)

/var/www/dev.demo-7/typo3_src/typo3/sysext/backend/Classes/Http/Application.php:
00090:   */
00091:  public function run(callable $execute = NULL) {
00092:   $this->bootstrap->handleRequest($this->request);
00093: 
00094:   if ($execute !== NULL) {

3 TYPO3\CMS\Backend\Http\Application::run()

/var/www/dev.demo-7/typo3_src/typo3/index.php:
00018: call_user_func(function() {
00019:  $classLoader = require __DIR__ . '/../vendor/autoload.php';
00020:  (new \TYPO3\CMS\Backend\Http\Application($classLoader))->run();
00021: });

2 {closure}()
1 call_user_func(Closure)

/var/www/dev.demo-7/typo3_src/typo3/index.php:
00019:  $classLoader = require __DIR__ . '/../vendor/autoload.php';
00020:  (new \TYPO3\CMS\Backend\Http\Application($classLoader))->run();
00021: });

#6

Updated by Riccardo De Contardi almost 6 years ago

  • Target version changed from 7 LTS to Candidate for patchlevel

#7

Updated by Josef Glatz almost 6 years ago

  • Priority changed from Should have to Must have

I can also confirm this bug. Same as Wolfgang's exception (except line 49 instead of 47 -> I'm using 7.6.2)

#8

Updated by Josef Glatz almost 6 years ago

I reproduce and fix it every day:

  1. Work in the backend
  2. Shut down the VM (in which TYPO3 is running) but leave the browser tab with the backend open
  3. Sleep until next day ;-)
  4. Start up the VM
  5. Reload the browser tab with the backend
  6. BE Login appears
  7. Log in to the backend
  8. Exception is thrown
  9. Remove the route parameter in the URL + Enter
  10. Backend is now reloading and shows 2 "Validating the security token of this form has failed. Please reload the form and submit it again." error messages
  11. After reloading the backend with the browser's reload button, everything is back to normal

I don't know if it is important, but I've set ['BE']['sessionTimout'] to 3600*24*7

#9

Updated by Peter Kraume almost 6 years ago

I can confirm this problem as well.

The problem exists when you leave the backend open and switch the network, e.g. work/home/VPN. When you then click any other link in the BE, you're logged out. Upon next login the above-mentioned error message appears. Removing the GET parameters solves the problem.

#10

Updated by Christian Toffolo over 5 years ago

I confirm the bug too.

#11

Updated by Charles Coleman over 5 years ago

I am also having this same issue but it's not because I'm changing network/IP stuff as one person reported was their cause.

  1. I log into the backend using TYPO3 7.6.4 and PHP 5.6 and I get the Uncaught TYPO3 Exception below...
  2. I remove all GET parameters and hit Enter, which at first appears as if I've completed login, but there's a TYPO3 backend error message, "Validating the security token of this form has failed. Please reload the form and submit it again."
  3. I refresh the backend page and it takes me to the main BE login page again
  4. I enter credentials and login succeeds
  5. BUT within 5 minutes I get the relogin modal that pops up informing me that my login expired even though I have it set to 36000 seconds. (I have not changed the IP of my computer or the website during this time.)

Uncaught TYPO3 Exception
#1425389455: Invalid request for route "/main" (More information)

TYPO3\CMS\Backend\Routing\Exception\RouteNotFoundException thrown in file
/home/example/public_html/vendor/typo3/cms/typo3/sysext/backend/Classes/Http/RouteDispatcher.php in line 49.

7 TYPO3\CMS\Backend\Http\RouteDispatcher::dispatch(TYPO3\CMS\Core\Http\ServerRequest, TYPO3\CMS\Core\Http\Response)

/home/example/public_html/vendor/typo3/cms/typo3/sysext/backend/Classes/Http/RequestHandler.php:
00159:         /** @var RouteDispatcher $dispatcher */
00160:         $dispatcher = GeneralUtility::makeInstance(RouteDispatcher::class);
00161:         return $dispatcher->dispatch($request, $response);
00162:     }
00163: }

6 TYPO3\CMS\Backend\Http\RequestHandler::dispatch(TYPO3\CMS\Core\Http\ServerRequest)

/home/example/public_html/vendor/typo3/cms/typo3/sysext/backend/Classes/Http/RequestHandler.php:
00092:         // Check if the router has the available route and dispatch.
00093:         if ($routingEnabled) {
00094:             return $this->dispatch($request);
00095:         }
00096: 

5 TYPO3\CMS\Backend\Http\RequestHandler::handleRequest(TYPO3\CMS\Core\Http\ServerRequest)

/home/example/public_html/vendor/typo3/cms/typo3/sysext/core/Classes/Core/Bootstrap.php:
00300: 
00301:         // Execute the command which returns a Response object or NULL
00302:         $this->response = $requestHandler->handleRequest($request);
00303:         return $this;
00304:     }

4 TYPO3\CMS\Core\Core\Bootstrap::handleRequest(TYPO3\CMS\Core\Http\ServerRequest)

/home/example/public_html/vendor/typo3/cms/typo3/sysext/backend/Classes/Http/Application.php:
00092:         }
00093: 
00094:         $this->bootstrap->handleRequest($this->request);
00095: 
00096:         if ($execute !== null) {

3 TYPO3\CMS\Backend\Http\Application::run()

/home/example/public_html/vendor/typo3/cms/typo3/index.php:
00018: call_user_func(function () {
00019:     $classLoader = require __DIR__ . '/../vendor/autoload.php';
00020:     (new \TYPO3\CMS\Backend\Http\Application($classLoader))->run();
00021: });

2 {closure}()
1 call_user_func(Closure)

/home/example/public_html/vendor/typo3/cms/typo3/index.php:
00019:     $classLoader = require __DIR__ . '/../vendor/autoload.php';
00020:     (new \TYPO3\CMS\Backend\Http\Application($classLoader))->run();
00021: });

#12

Updated by Jens Jacobsen over 5 years ago

Confirmed and still there in TYPO3 7.6.4

Core: Exception handler (WEB): Uncaught TYPO3 Exception: #1425389455: Invalid request for route "/main" | TYPO3\CMS\Backend\Routing\Exception\RouteNotFoundException thrown in file /var/www/typo3/typo3_src-7.6.4/typo3/sysext/backend/Classes/Http/RouteDispatcher.php in line 49.

#13

Updated by Philipp Winterle over 5 years ago

Same for me. TYPO3 7.6.4
But this behaviour only happens to one of our backend users. This one user is in a special private network with different network policies. If this user is connecting through a WIFI and a direct internet connection to our servers the user is able to connect properly.

#14

Updated by Sascha Ebner over 5 years ago

I have the same problem, TYPO3 CMS 7.6.4, PHP 7.0.5

#15

Updated by ondro no-lastname-given over 5 years ago

Same problem here
TYPO3 v 7.6.6
PHP v 5.6.20

#16

Updated by Michiel Roos over 5 years ago

Maybe the login timeout AJAX call can redirect the main page to a sane url?

/typo3/index.php?ajaxID=%2Fajax%2Flogin%2Ftimedout&skipSessionUpdate=1

#17

Updated by Michiel Roos over 5 years ago

This seems to work too:

$GLOBALS['TYPO3_CONF_VARS']['BE']['lockIP'] = 3;

This will only check the three most significant parts of the IP address of the remote host IP (you).

May break when using IPv6?

And you may need to adjust according to your network setup. If you have different subnets for wired and wifi network you may need to lower the 3 to 2.

More info in typo3/sysext/core/Configuration/DefaultConfiguration.php
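
How an octet-prefix IP lock like the one described above reacts to an address change, as an added example (not TYPO3 core code and not from this thread). The function names and sample addresses are constructed, and treating a non-IPv4 address as a mismatch is an assumption of this sketch.

```php
<?php
declare(strict_types=1);

// Added illustration, not TYPO3 core code. Function names are hypothetical.

/**
 * Part of an IPv4 address a session is pinned to when only the first $parts
 * octets are compared (0 = no pinning, 4 = the full address).
 * Returns null when octet counting cannot be applied (not dotted-quad IPv4).
 */
function ipLockValue(string $ip, int $parts): ?string
{
    $parts = max(0, min(4, $parts));
    if ($parts === 0) {
        return ''; // lock disabled: every address maps to the same value
    }
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null; // e.g. IPv6: there are no four octets to count
    }
    return implode('.', array_slice(explode('.', $ip), 0, $parts));
}

/** True when the address seen now falls under the prefix stored at login. */
function sessionIpStillMatches(string $loginIp, string $currentIp, int $parts): bool
{
    $stored = ipLockValue($loginIp, $parts);
    $now = ipLockValue($currentIp, $parts);
    // Assumption of this sketch: an address that cannot be compared fails closed.
    return $stored !== null && $now !== null && hash_equals($stored, $now);
}

// Constructed sample addresses, not taken from the ticket.
$loginIp = '10.20.30.40';
$cases = [
    'same host'               => '10.20.30.40',
    'new lease, same subnet'  => '10.20.30.77',
    'wired to wifi subnet'    => '10.20.99.5',
    'different network (VPN)' => '192.0.2.5',
    'IPv6 client'             => '2001:db8::1',
];

foreach ([4, 3, 2, 0] as $parts) {
    foreach ($cases as $label => $currentIp) {
        $kept = sessionIpStillMatches($loginIp, $currentIp, $parts);
        printf("lockIP=%d  %-25s %s\n", $parts, $label, $kept ? 'session kept' : 'session dropped');
    }
}
```

Each step down in the value widens the range of addresses that can keep using an existing session cookie, so the setting trades resilience to network changes against how tightly a session is bound to the client.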

#18

Updated by Josef Glatz about 5 years ago

Bug is still present in TYPO3 8.5.0-dev

#19

Updated by Nicole Cordes about 5 years ago

@Josef Do you have any steps to reproduce? Otherwise it is really hard to investigate here.

#20

Updated by Christian Toffolo about 5 years ago

To reproduce this (at least in TYPO3 7.6):
  1. Log in the BE
  2. Change IP address (ex: disconnect and reconnect to internet), no need to wait for session timeout
  3. Click a link in the BE (ex: a page in the page tree)
  4. Re-log in the BE.

Now you got the error:

Core: Exception handler (WEB): Uncaught TYPO3 Exception: #1425389455: Invalid request for route "/main" | TYPO3\CMS\Backend\Routing\Exception\RouteNotFoundException thrown in file /typo3/sysext/backend/Classes/Http/RouteDispatcher.php in line 49

#21

Updated by Frans Saris about 5 years ago

The issue is a token mismatch. Think a check needs to be added that catches the exception and re-routes to login when the token check fails.

You can easily reproduce the behavior with the chrome browser devtools and switch from user-agent/device.
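
The token mismatch and the suggested check, sketched as an added example that is not TYPO3 core code or the submitted patch. It assumes the route token is an HMAC of the route under a per-session secret; all class and function names are hypothetical, and the redirect target mirrors the workaround of dropping the GET parameters.

```php
<?php
declare(strict_types=1);

// Added illustration, not TYPO3 core code: every name here is hypothetical
// and only models the behaviour described in this ticket.

final class InvalidRouteToken extends RuntimeException {}

/** Token for a route, derived from a per-session secret (assumed scheme). */
function routeToken(string $route, string $sessionSecret): string
{
    return hash_hmac('sha256', $route, $sessionSecret);
}

/** Throws when the URL token was not issued for the current session. */
function dispatch(string $route, string $token, string $sessionSecret): string
{
    if (!hash_equals(routeToken($route, $sessionSecret), $token)) {
        throw new InvalidRouteToken('Invalid request for route "' . $route . '"');
    }
    return '200 ' . $route;
}

/**
 * Variant with the suggested check: a stale token is not fatal, the client
 * is sent back to the entry point without the old query parameters.
 */
function dispatchOrRedirect(string $route, string $token, string $sessionSecret): string
{
    try {
        return dispatch($route, $token, $sessionSecret);
    } catch (InvalidRouteToken $e) {
        return '303 Location: /typo3/index.php';
    }
}

// Constructed secrets standing in for the old and the regenerated session.
$oldSession = bin2hex(random_bytes(16));
$newSession = bin2hex(random_bytes(16));

// URL still open in the browser tab, issued before the session was replaced.
$staleToken = routeToken('/main', $oldSession);

// Same session: the token validates and the route is served.
echo dispatchOrRedirect('/main', $staleToken, $oldSession), "\n";
// After re-login with a new session: handled as a redirect.
echo dispatchOrRedirect('/main', $staleToken, $newSession), "\n";
// Without the check, the same request surfaces as the reported exception.
try {
    dispatch('/main', $staleToken, $newSession);
} catch (InvalidRouteToken $e) {
    echo 'unhandled in the reported flow: ', $e->getMessage(), "\n";
}
```

The token check itself stays strict in both variants; only the failure path changes from an error page to a fresh entry into the backend.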

#22

Updated by Gerrit Code Review about 5 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/50660

#23

Updated by Gerrit Code Review about 5 years ago

Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/50687

#24

Updated by Frans Saris about 5 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#25

Updated by Gerrit Code Review about 5 years ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/50688

#26

Updated by Gerrit Code Review about 5 years ago

Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/50689

#27

Updated by Gerrit Code Review about 5 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/50688

#28

Updated by Gerrit Code Review about 5 years ago

Patch set 2 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/50689

#29

Updated by Markus Klein about 5 years ago

  • Status changed from Under Review to Resolved

#30

Updated by Christian Weiske over 4 years ago

  • Related to Bug #82118: User interface does not react / 500 internal server error dummyToken added

#31

Updated by Benni Mack about 3 years ago

  • Status changed from Resolved to Closed

#32

Updated by Christian Eßl over 1 year ago

  • Related to Bug #85844: Invalid request for route "/ajax/system-information/render" after session timed out added
