Joomla! Forum - community, help and support

My site also suffers from the Invalid Token - I think it started after Vmart 1.1.4
On admin login and on default poll mod

I had this issue but it was because I was using JomSocial. Sometimes it was caused by the server proxy and other times by JomSocial itself. To fix it I edited the Joomla user file where the Invalid Token error exists to instead redirect to a URL rather than showing the error. I made that URL the account page since even though it gave Invalid Token the user was logged in. You can also get this intermittently with JomSocial if you don't assign the JomSocial frontpage component as "public" somewhere on your menu.

We found a solution: If a user loads the page with the login form or registration form, then let's it sit there for several minutes (or take too long to fill-in the form), the randomly generated token used for authentication expires. Tokens are set to expire after 180 seconds - a more reasonable time limit might be 1800 seconds (half-hour) especially for registration forms - particularly if you have installed a customised user reg process, e.g. Jom_social.

The time limit is established in the file:
/components/com_community/models/register.php
search for "INTERVAL 180 SECOND" and replace with 1800

$query .= " WHERE `created` >= DATE_SUB('".$curDateMysql."', INTERVAL 1800 SECOND)";

@vjrm

any chance you could give us a bit more guidence/modify your post regards this issue.

Just wondering if you could tell me which files you changed here?

You said "To fix it I edited the Joomla user file where the Invalid Token error exists to instead redirect to a URL rather than showing the error. I made that URL the account page since even though it gave Invalid Token"

I have searched my entire site for 'Invalid Token' and cannot find it anywhere!

@bitterblackale I cannot find the file you are talking about either...

In the end what I did to resolve this as a temporary fix was to make a bit of javascript that pulled the token from the yoologin module and passed it to thge registration form that was also being displayed in a module.

Its still not 100% though and I have just got another 'Invalid Token'

I think this one happenned because I had left the page open for a while without loggin in.

However they KEY thing here is to have Joomla do something more user friendly than just show a blank white page with Invalid Token on it as this totally destrys the suer experience.

Why can't Joomla send the person back to the page they were on with an error message just like what happens when you enter the wrong password, with a message saying 'Invalid Token. Please try logging in again'

You don't want to make it not check the tokens since they are there for security reasons. The token checks prevent one kind of attack that can implemented by submitting malicious code via a form.

I didn't realize you were not using the core login. Have you asked the developers for help?

Hi yeah, I have spoken to both developers for help but of course all of the developers blame each other/me for their stuff not working and so don't think its their problem

i.e. we are using Mighty Extensions to manage users, we are using Yootheme to show the login box and we are using an extension that puts a component in a module to show the registration form on the same page.

Unfortunalety this cannot really work any differently. What we need is for Joomla itself to have a registration Module but it doesn't.

So what happens is that the login form gets the right token. Then the registration form creates another one that is wrong. So I use javascript to replace the token the registration form creates with the one the login form creates and this generally works.

So I think it is still checking tokens. What I'd really, really, really like is that if the tokens are wrong that you do not simply get sent to that awful useless customer relations destroying 'Invalid Token' page. I want you sent back to the previous page with 'Invalid Token' as an error. Why can't this happen? Why doesn't this happen anyway?

Cmon people, all over the web there is this invalid token issue. I know its irregular and I know there are alot of factors involved in the causes.

I appreciate that it is a good security feature but why can't Joomla simply redirect to the previous page with 'Invalid Token' as the error, like it does you have a session expired error? This would take this issue from absolutely totally critical to relatively minor.

Currently the 'Invalid Token' screen makes it look like the site is not working AT ALL and the chances of a user trying again by clicking the back button are to my mind very slim. If the Invalid Token error simply returned you to the previous page with a message 'Invalid Token: Please try logging in again' users would probably do it.

Why is it that it doesn't work this way and please can someone who knows abit more about the Joomla core let me know how I can make it work this way if there is no downside to doing so?

Tthe thing is, in this case it's not Joomla! that's doing it, it is the extension you are using. Without seeing the code for that extension it's not possible to know how it is handling the problem.

Hi there,

Yeah I am hoping the maker of the extension will be able to do something to fix it.

However in the mean time it would make the world of difference if Joomla did not send people to the blank 'invalid token' screen ever. If it could instead redirect to the previous page with an error that would be SOOO much better.

D

Joomla! does not do that. I get invalid token messages all the time and don't get blank screens. j
The developer needs to fix the behavior on finding invalid token.

Well I'll have a look at the code then but from what I have seen invalid token always seems to be followed by exit() wherever you look in the joomla code...

If you could point me to an example of where it doesn't I can easily copy and paste what it does do into the relevant place in the login and register modules I am using...

I understand this is a common problem, but there is no fix for this? I'm not using any special mods or plug-ins and i get quite often this error.

Hello

I get "Invalid Token" when trying to login to admin in Firefox 3.6.13, try again later and it works.

Another one frequently occuring is I have to login multiple times, I only get in on second
attempt although username/password was correct.

Using Joomla 1.5.22 with PHP 5.2.14.

Cheers Ken

I tried to clear browser history and login to front end of site:

1. First login fails, no message output
2. Second login gives "Invalid Token"
3. Third login gets me into the web site
4. If I clear browser history it all starts from (1) again

This is using Joomla 1.5.22 and PHP 5.2.14 running on a shared server with LiteSpeed.
Firefox 3.6.13. Site is offline at the moment so only admins can login.

We also get thrown out of back end frequently, and have to login again (even though we clearly
have been active within the last 15 mins...).

Any ideas?

Cheers Ken

what is your server`s OS ? linux or windows?
if it is windows , i think its from your php setting
you can run it in your localhost and test it

Thanks for reply.

Server is running Linux (Ubuntu).

Cheers Ken

I agree with davidosullivan, it could be very useful to have a plugin or fix to avoid that nasty 'INVALID TOKEN' white page. There is not any way to fix this easily?? Going back to previous screen and showing a message with more information for the user could be great; something like: please empty your browser cache and/or delete cookies and try again. Also may be that making a simple javascript that deletes all site session cookies could be amazing...

In my experience, this issue happens 90% of times when using Firefox, cause using Chrome or Safari it doesn't seems to happen anymore...

What you think?

Have had several LOGOUT problems with invalid token error.

Fixed it (for joomla 1.6.1) by adding the following code to the proper place in my templates mod_login directory file default.php

The code block is below to make it easier to find, the only change/addition is the last line (which I bolded and italicized).

<input type="hidden" name="option" value="com_users" />
<input type="hidden" name="task" value="user.logout" />
<input type="hidden" name="return" value="<?php echo $return; ?>" />
<?php echo JHtml::_('form.token'); ?>

It my/our case is was the login procedure that was not getting the (1.6.1 added the token) token info.

spend ages trying to resolve this try this i posted in another forum:

http://forum.joomla.org/viewtopic.php?p ... 1#p2500641

danielbprobert wrote:spend ages trying to resolve this try this i posted in another forum:

http://forum.joomla.org/viewtopic.php?p ... 1#p2500641

You can make your hack even better if you use $mainframe->redirect('index.php','Alert message','alert'); and substitute 'Alert message' with your favourite message requesting the user to empty the browser cache or deleting domain cookies...

regards,

true but i don't want my clients to even know there was an error doing it that way tells people there was problem...

although that does work just as well

I got this from another thread here... it worked for a lot of people:

Open this file: components/com_user/controller.php - take a copy as a backup in case it causes any issues on your site.

Find this code:
Replace it with this:
Obviously, change yourdominaname with your actual domain.

adizlaja wrote:I got this from another thread here... it worked for a lot of people:

Open this file: components/com_user/controller.php - take a copy as a backup in case it causes any issues on your site.

Find this code:

Code: Select all

function login()
   {
      // Check for request forgeries
                JRequest::checkToken() or jexit( 'Invalid Token' );

Replace it with this:

Code: Select all

function login()
   {
      // Check for request forgeries
                JRequest::checkToken() or header('Location: http://www.yourdomainname.com/');

Obviously, change yourdominaname with your actual domain.

Can someone please indicate what the correct file to modify is in Joomla 1.7? I checked the controller.php in the directory listed above, and there is no such code to modify!

Thanks!

For me this only ever happens if I enter the username and password and then hit the 'enter' key, if I click the 'login' button then it's fine.

This topic is more advanced in this thread (with Joomla 1.7 solution)

http://forum.joomla.org/viewtopic.php?f ... &start=150

Had problems with login module and user component:
- invalid token
- sometime no change was reflecting when trying to login
- no redirect etc.
Finally figured out that the user component was acting funny because of the .htaccess configuration.
Solution was to remove the "action" parameter of the forms.

For me disabling the Google Authentication plugin fixed this problem.

it is a known problem with a known solution.


http://forum.joomla.org/index.php/topic,251273.0.html