Bug #71582

TYPO3 7.6 LTS returns security token validation error almost every time

Added by Nico Wellner over 3 years ago. Updated almost 3 years ago.

Status: Closed
Priority: Must have
Assignee: -
Category: Backend User Interface
Target version: -
Start date: 2015-11-15
Due date:
% Done: 0%
TYPO3 Version: 7
PHP Version: 5.6
Tags:
Complexity:
Is Regression: No
Sprint Focus:

Description

Hey there!

I'm not sure, but I think I found a bug in the latest 7.6 LTS with my server configuration, so my fresh installations (without any extensions) are unable to interact in the backend. Almost every time I try to submit a backend form, I get an error because of the security token. I tried to fix it with the following methods, but they had no effect:
- Reinstall that instance
- (Re-)Login and out
- Fix "max_input_vars" in php to "5000"
- Clear all caches

I will be able to give root access to that, so someone could get a direct view if desired. See picture for details of that error.

Interesting notices: No PHP or access errors are logged - same in ../typo3temp/logs. No feedback of any kind, neither in the UI nor in the TYPO3 logs. No errors in the install tool. Is there anybody from CoreDev who can help me?

Server configurations:
Webserver Apache/2.4.10 (Debian)
PHP Version 5.6.14-0+deb8u1
Database 5.5.46-0+deb8u1
Application Context Production
Operating System Linux 3.16.0-4-amd64

Nico

error-validation.PNG (49 KB) Nico Wellner, 2015-11-15 17:01

History

#1 Updated by Tom Warwick over 3 years ago

Getting exactly the same problem 7.5 > 7.6

No third party extensions installed.

Server configurations:
Webserver Apache/2.4.16 (FreeBSD)
PHP Version 5.6.14
Database 5.5.26
Application Context Production
Operating System FreeBSD 10.2-RELEASE

#2 Updated by Nico Wellner over 3 years ago

We found out that we are also having problems with file uploads.
Again, after hours of checking Apache2, PHP, etc., we decided to delete Apache2 and work with nginx.

Now, this error doesn't appear anymore - also file uploads are working!
We don't know why, but our Apache2 had a malfunction.

BUT - Besides the fact that it finally works with nginx, I maintain that it couldn't be the solution NOT to use Apache2.
What do you all mean?

Kind regards,
Nico

#3 Updated by Helmut Hummel over 3 years ago

  • Status changed from New to Needs Feedback

You're saying that you have no issues with TYPO3 7.5 on the same server?

I investigated a server recently and on that box $_POST requests were randomly discarded (plain PHP script without any TYPO3 involved). In such an environment TYPO3 of course cannot function properly.

Question is, if you face similar issues here or not.

#4 Updated by Helmut Hummel over 3 years ago

Here is an example curl request you can test:

curl 'http://your-server.tld/test.php?M=user_setup&moduleToken=1b9047ae59a852bd3158019ed38d612c342bda67' \
  -H 'Cookie: be_lastLoginProvider=1433416747; PHPSESSID=pamp04afm2d46m6k57agm309k1; be_typo_user=559ddca68304a1a26ee948870461bf19; Typo3InstallTool=ni98ca552e62ajkeergvo11q16' \
  -H 'Origin: http://t6-001.ternum-dev.de' \
  -H 'Accept-Encoding: gzip, deflate' \
  -H 'Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36' \
  -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6OOg3F3POrOky32q' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' \
  -H 'Cache-Control: max-age=0' \
  -H 'Referer: http://t6-001.ternum-dev.de/typo3/index.php?M=user_setup&moduleToken=1b9047ae59a852bd3158019ed38d612c342bda67' \
  -H 'Connection: keep-alive' \
  --data-binary $'------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[save]"\r\n\r\n1\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[be_users][realName]"\r\n\r\n\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[be_users][email]"\r\n\r\n\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[be_users][avatar]"\r\n\r\n0\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[lang]"\r\n\r\n\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[be_users][passwordCurrent]"\r\n\r\n\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[be_users][password]"\r\n\r\n\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[be_users][password2]"\r\n\r\n\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[startModule]"\r\n\r\nhelp_AboutmodulesAboutmodules\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[thumbnailsByDefault]"\r\n\r\non\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[titleLen]"\r\n\r\n50\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[edit_RTE]"\r\n\r\non\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[edit_docModuleUpload]"\r\n\r\non\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[resizeTextareas_MaxHeight]"\r\n\r\n500\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[copyLevels]"\r\n\r\n\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[rteWidth]"\r\n\r\n\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[rteHeight]"\r\n\r\n\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[rteMaxHeight]"\r\n\r\n\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[rteCleanPasteBehaviour]"\r\n\r\nplainText\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="simUser"\r\n\r\n0\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="formToken"\r\n\r\n1adcee0bc7fcb29b291a9037887c6fb16e027174\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[save]"\r\n\r\n1\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[setValuesToDefault]"\r\n\r\n0\r\n------WebKitFormBoundary6OOg3F3POrOky32q--\r\n' \
  --compressed

Please remember to adapt the path to

http://your-server.tld/test.php

The content of this file is just:

<?php

var_dump($_POST);

The server I tested for Nico discarded parts of the $_POST vars, which is the severe error condition I mentioned above.
I have no idea what can cause such errors, maybe a devops or ops person can help out here, but in this case we cannot do anything in TYPO3 to fix such a broken setup.
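
A repeatable form of the check described in comment #4, as an added example that is not part of the original ticket or of TYPO3: it posts uniquely marked multipart fields to the same test.php (var_dump($_POST)) on your own server and reports which fields were not echoed back. The probe field names, marker values and boundary string are constructed for illustration.

```python
import urllib.request
import uuid

BOUNDARY = "----ProbeBoundary" + uuid.uuid4().hex  # constructed, not from the ticket


def build_probe(count=25):
    """Return {field name: unique marker}, shaped like the backend form in the ticket."""
    fields = {f"data[probe{i:03d}]": f"m{i:03d}x{uuid.uuid4().hex[:8]}" for i in range(count)}
    fields["formToken"] = "tok" + uuid.uuid4().hex  # placeholder value, not a real token
    return fields


def encode_multipart(fields, boundary=BOUNDARY):
    """Serialise the fields as multipart/form-data with CRLF line endings."""
    parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'
             for name, value in fields.items()]
    parts.append(f"--{boundary}--\r\n")
    return "".join(parts).encode("ascii")


def dropped_fields(fields, response_text):
    """Names of fields whose marker is absent from the var_dump($_POST) output."""
    return [name for name, marker in fields.items() if marker not in response_text]


def probe(url, rounds=20):
    """POST a fresh probe `rounds` times; return {round: [dropped names]} for bad rounds."""
    failures = {}
    for n in range(rounds):
        fields = build_probe()
        req = urllib.request.Request(
            url, data=encode_multipart(fields),
            headers={"Content-Type": f"multipart/form-data; boundary={BOUNDARY}"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            text = resp.read().decode("utf-8", "replace")
        lost = dropped_fields(fields, text)
        if lost:
            failures[n] = lost
    return failures


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:  # URL of test.php on the server under investigation
        print(probe(sys.argv[1]) or "no fields dropped")
```

An empty result over many rounds means PHP received every field; any listed names show the web server or PHP layer losing POST data before TYPO3 is involved.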

#5 Updated by Riccardo De Contardi about 3 years ago

  • Status changed from Needs Feedback to Closed

No feedback within the last 90 days => closing this issue.

If you think that this is the wrong decision or experience this issue again, then please write to the mailing list typo3.teams.bugs with issue number and an explanation or open a new ticket and add a relation to this ticket number.
You could also join the #typo3-cms channel in Slack if you still need support.
Thank you

#6 Updated by Alexander Opitz about 3 years ago

  • Target version deleted (7 LTS)

#7 Updated by Tom Warwick almost 3 years ago

I eventually found a fix for this.

In my case, I completely emptied /typo3temp and the problem was resolved straight away.

Hope this is of use.
