Hi all,
For one of our clients we recently activated the Joomla! page caching plugin ("System - Cache") for the purpose of speed optimization on their website.
The consequence of this was that users who wanted to log in frequently received the error message "Invalid token". The cause of this problem was logical: because the (HTML) output of every page is saved/cached and is reused at each subsequent visit, a new "token" (the hidden input field in the login form, which is used during login) was never generated. Therefore there were many login sessions with the same token, which causes the error "Invalid token".
We solved this by making a custom page caching plugin (derived from the default Joomla! caching plugin) in whose code we entrapped the storing of the cache for the page "/login". Therefore that page is generated again on each page visit, whereby there is always a unique token for the login session.
Is this problem known to other Joomla! developers? And do you maybe have other (better) solutions for solving this problem? I think it's just strange that two parts of the Joomla! core conflict like this and it is not being entrapped.
"Invalid token" because of Joomla! page caching plugin
-
- Joomla! Fledgling
- Posts: 3
- Joined: Fri Mar 27, 2015 8:34 am
-
- Joomla! Virtuoso
- Posts: 4025
- Joined: Mon Nov 25, 2013 4:35 pm
- Location: Montreal, Canada
- Contact:
Re: "Invalid token" because of Joomla! page caching plugin
Yes - it is a known problem.
One clean solution to this problem is the following:
- Install a 3rd party cache plugin such as JotCache
- Create a login page and only allow your users to log in from that page (and not from a module)
- Instruct JotCache not to index that particular page
It might be that JotCache handles this problem at the module level without you doing anything, so just try to install it first and see what happens.
Another solution would be to modify the core to get rid of the token issue - I know that many would be against this, but here's a link on how to do it: http://www.itoctopus.com/how-to-complet ... -on-joomla
Keep in mind that once you modify the core, your website becomes instantly harder to maintain, and, in this particular situation, it may pose some security threats.
Hope this helps.
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter
-
- Joomla! Fledgling
- Posts: 3
- Joined: Fri Mar 27, 2015 8:34 am
Re: "Invalid token" because of Joomla! page caching plugin
Thank you for your comment.
Your first solution (excluding the page /login from page caching) seems to be the same solution as the one we applied, but for that we're using a custom plugin instead of JotCache. I'll see if JotCache excludes the login module as well. :-)
Getting rid of the token protection is not a solution for us. We don't want to affect the security of the website and don't want to edit the core either.
-
- Joomla! Fledgling
- Posts: 3
- Joined: Fri Mar 27, 2015 8:34 am
Re: "Invalid token" because of Joomla! page caching plugin
A little bit late maybe, but some weeks ago we found out that Joomla! HAS a function which replaces the token automatically. However, on the website I was talking about we also use the plugin System - JCH Optimize Pro (http://extensions.joomla.org/extension/jch-optimize) for pagespeed optimization. This plugin merges CSS and JavaScript, minifies HTML, etc. If we disable the option 'Minify HTML' in the backend settings, the token is replaced automatically and the mentioned problem doesn't happen again. So not Joomla!, but this plugin was causing the problem.
Recently we've implemented Varnish Cache on the mentioned website. With the plugin (http://extensions.joomla.org/extensions ... for-joomla) we're using for that - which is developed by our web host Byte - it's easy to exclude specific pages or components from caching, say 'Login'. Separate parts of other pages that we want to exclude from caching we're currently replacing using Ajax.
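An added illustration (not part of the original posts, and not Joomla! or JCH Optimize code) of the behaviour described in this thread: a cache hit is only safe if the cached token field is swapped for the current visitor's token, and a strict markup match stops working once the cached HTML has been minified. The token format, the pattern, the minified markup and all function names are assumptions made for the example.

```php
<?php
// Added illustration, not Joomla! or JCH Optimize code. The token format
// (32 hex chars as the field name, value "1") and the strict markup pattern
// are assumptions modelled on a typical login form.

const TOKEN_FIELD = '#<input type="hidden" name="[0-9a-f]{32}" value="1" />#';

// On a cache hit: swap whatever token was cached for this visitor's token.
function rewriteToken(string $cachedHtml, string $sessionToken): string
{
    $field = '<input type="hidden" name="' . $sessionToken . '" value="1" />';
    return preg_replace(TOKEN_FIELD, $field, $cachedHtml);
}

// Server-side check on login: the posted field name must be the session token.
function tokenIsValid(array $post, string $sessionToken): bool
{
    return isset($post[$sessionToken]) && $post[$sessionToken] === '1';
}

// The token a browser would submit, read back from the served HTML.
function submittedToken(string $html): ?string
{
    return preg_match('#name="?([0-9a-f]{32})"?#', $html, $m) ? $m[1] : null;
}

// Constructed sample data: visitor A filled the cache, visitor B gets the hit.
$tokenA = str_repeat('a', 32);
$tokenB = str_repeat('b', 32);

$cached = '<form><input type="hidden" name="' . $tokenA . '" value="1" /></form>';
// Assumed minifier output: attribute quotes and the self-closing slash dropped.
$minified = '<form><input type=hidden name=' . $tokenA . ' value=1></form>';

foreach (['plain' => $cached, 'minified' => $minified] as $label => $body) {
    $served = rewriteToken($body, $tokenB);          // no-op if pattern misses
    $posted = [submittedToken($served) => '1'];      // what visitor B submits
    printf("%-8s cache hit -> %s\n", $label,
        tokenIsValid($posted, $tokenB) ? 'login accepted' : 'Invalid token');
}
```

With the minified body the pattern no longer matches, visitor B is served visitor A's token, and the check fails. That is why disabling minification or excluding the login page from the cache both remove the error without weakening the token check.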
- brian
- Joomla! Master
- Posts: 12785
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
- Contact:
Re: "Invalid token" because of Joomla! page caching plugin
Please report this bug in JCH Optimize Pro to the developers and leave a review on the JED listing so that other users know.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/