The Joomla! Forum ™



Forum rules


Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.



Post new topic Reply to topic  [ 203 posts ]  Go to page Previous  1 ... 3, 4, 5, 6, 7  Next
Author Message
PostPosted: Mon Aug 29, 2011 10:07 am 
Joomla! Fledgling
Joomla! Fledgling

Joined: Thu Mar 10, 2011 4:05 am
Posts: 1
danielbprobert wrote:
this may not work for all but just spent days trying to resolve this and the best i can come up with is dirty hack that seems to resolve the problem or well it did for me..

open this file: components/com_user/controller.php - take a copy as a backup in case it causes any issues on your site

find this code:
Code:
function login()
   {
      // Check for request forgeries
                JRequest::checkToken() or jexit( 'Invalid Token' );


replace it with this:
Code:
function login()
   {
      // Check for request forgeries
                JRequest::checkToken() or header('Location: http://www.yourdomainname.com/');


amend the yourdomainname to match your domain then save and upload.

i've been unable to get a invalid token since i made this change hopefully no adverse affects but it works.

Hi there, thanks for this, it has worked for me too, I no longer get the invalid token message


Top
 Profile  
 
PostPosted: Wed Aug 31, 2011 2:11 am 
Joomla! Fledgling
Joomla! Fledgling

Joined: Tue Aug 30, 2011 8:52 am
Posts: 4
Check for request forgeries

me too..


Top
 Profile  
 
PostPosted: Wed Aug 31, 2011 5:22 pm 
User avatar
Joomla! Apprentice
Joomla! Apprentice

Joined: Wed Aug 31, 2011 5:19 pm
Posts: 6
Location: Dallas, TX
Thank you so much for that solution! It did the trick for me. Someone should sticky this topic so others are aware of it. There are tons of topics on this issue, with 90% of them not having a solution.

Again... thanks for the little trick with the code. :)

_________________
Please read forum rules regarding signatures: viewtopic.php?t=65


Top
 Profile  
 
PostPosted: Wed Sep 07, 2011 4:46 am 
Joomla! Fledgling
Joomla! Fledgling

Joined: Wed Sep 07, 2011 4:40 am
Posts: 1
I have had this same problem for a while now and relised that double clicking the login button will produce the "Invalid Token" error.


Top
 Profile  
 
PostPosted: Thu Sep 08, 2011 6:15 am 
Joomla! Apprentice
Joomla! Apprentice

Joined: Mon Aug 22, 2005 8:38 am
Posts: 15
I've been having this issue for some time but only when logging in to the backend.
My work around until a valid solution is found is simply to delete the index.php from the url leaving:
http://www.mysite.com/administrator/

Been working for me for a few months. Sorry if this has already been posted, I haven't had time to go through 6 pages of posts.


Top
 Profile  
 
PostPosted: Fri Sep 09, 2011 4:52 pm 
User avatar
Joomla! Guru
Joomla! Guru

Joined: Wed Feb 20, 2008 6:50 am
Posts: 600
Location: Canada, Montreal
Same problem here

_________________
God help us!
Marketing, SEO, Web development - Powered by Joomla!
http://www.grafcomm.ca/


Top
 Profile  
 
PostPosted: Fri Sep 09, 2011 10:22 pm 
Joomla! Fledgling
Joomla! Fledgling

Joined: Sun Jun 06, 2010 7:37 pm
Posts: 3
My backend issue started today. And the only thing I could think of is that Google Chrome released an update today. I could still log in using Internet Explorer.

This will probably not many others' problems, but if you are using Chrome, try clearing that cache and reloading your admin panel. Just worked for me a few moments ago.


Top
 Profile  
 
PostPosted: Thu Sep 15, 2011 3:35 pm 
Joomla! Intern
Joomla! Intern

Joined: Sat Dec 02, 2006 4:54 pm
Posts: 78
What totally baffles me is why after all this time Joomla has not been modified so that if the token is invalid it just goes back to the home page with an ERROR 'Invalid Security Token' rather than exiting to this awful blank screen with the words 'Invalid Token'?

I think we know roughly why this happens now (session time outs, caching etc), but if Joomla simply went to the home page with an error, users would try again and it would probably work. As it is the 'Invalid Token' exit and blank screen makes it look to the user like the whole site has crashed and does not work, so they leave, maybe never to return.

For some types of sites, this error makes it impossible to even consider using Joomla. Imagine if Facebook had this ridiculous way of dealing with invalid tokens? The web would be a very different place and Facebook would have never gotten off the ground.

I think its bonkers that this has not been fixed.


Top
 Profile  
 
PostPosted: Thu Sep 15, 2011 4:42 pm 
User avatar
Joomla! Guru
Joomla! Guru

Joined: Wed Feb 20, 2008 6:50 am
Posts: 600
Location: Canada, Montreal
I’m completly in agreement with davidosullivan

Everything shoud be stop to work on that MAJOR problem...

A CMS whithout the ability to login is completly useless.

Stop few minute the dev of 1.7 and assure that your solid base of user is satisfied with the product.

I see this as a mounting trend for Joomla and component makers to direct all their efforts on the new platforme.

This is ok, until you keep the vast majority of user (Joomla 1.5) are not forgotten in the process.

The analogy here is:

Wen the new model of a car manufacturer come in the new year your discover that the car that you bought last year cannot be repair or primordial parts are no longer available.

You will probably never buy a car from that manufacturer for the rest of your life.

Please, don’t do this!

I like Joomla but if this platforme become unstable I will search elsewhere and look around you will see numerous old and new systems that I can choose from...

I’m not mad, just worry!

_________________
God help us!
Marketing, SEO, Web development - Powered by Joomla!
http://www.grafcomm.ca/


Top
 Profile  
 
PostPosted: Thu Sep 15, 2011 5:10 pm 
User avatar
Joomla! Champion
Joomla! Champion

Joined: Fri Aug 19, 2005 10:46 am
Posts: 5634
Location: Roma
@Chacapamac
your are not buying a "car" that new car is free

i want just remember that 1.6 and 1.7 are STS ie something like a concept car
despite 1.5 is a LTS something like a production car

the dev guys are working hard to fix as many issues they can and in the same time introduce
new features (the new ACL for example)

so don't worry but help discovering issues ...
8)

_________________
Nicola Galgano
my knowledge is know to not know
www.alikonweb.it


Top
 Profile  
 
PostPosted: Thu Sep 15, 2011 8:10 pm 
User avatar
Joomla! Guru
Joomla! Guru

Joined: Wed Feb 20, 2008 6:50 am
Posts: 600
Location: Canada, Montreal
You can be sure that I will try to help on this one

Just See that the problem creep up in 1.6, 1.7

See —> http://techjoomla.com/joomla-development/invalid-token-errors-in-joomla-15x-a-16x.html

_________________
God help us!
Marketing, SEO, Web development - Powered by Joomla!
http://www.grafcomm.ca/


Top
 Profile  
 
PostPosted: Fri Sep 16, 2011 7:55 am 
Joomla! Apprentice
Joomla! Apprentice

Joined: Mon Aug 29, 2011 12:55 pm
Posts: 20
Chacapamac wrote:
You can be sure that I will try to help on this one

Just See that the problem creep up in 1.6, 1.7

See —> http://techjoomla.com/joomla-development/invalid-token-errors-in-joomla-15x-a-16x.html

thanks man its vey usefull

_________________
http://www.dr-shadabi.ir
http://www.zarvansaffron.ir


Top
 Profile  
 
PostPosted: Mon Sep 19, 2011 1:48 pm 
Joomla! Apprentice
Joomla! Apprentice

Joined: Wed Dec 23, 2009 9:57 pm
Posts: 8
Hi all

1. Brand new sites, using Joomla 1.7, plus JomSocial latest, etc.

2. Invalid Token errors.

3. Looked in vain for the file that has the "Invalid Token" redirect. It is NOT (no longer?) in components/com_user/controller.php, so in spite of success reported above I can't deploy this workaround, yet. Does anyone know where these lines are located now?

Code:
function login()
{
// Check for request forgeries
JRequest::checkToken() or jexit( 'Invalid Token' );

replace it with this:
Code:
function login()
{
// Check for request forgeries
JRequest::checkToken() or header('Location: http://www.yourdomainname.com/');

I have lots of angry users clamoring for a return to J 1.5

I sure hope someone has an answer


Top
 Profile  
 
PostPosted: Wed Sep 21, 2011 2:29 pm 
Joomla! Intern
Joomla! Intern

Joined: Sat Dec 02, 2006 4:54 pm
Posts: 78
I will happily spend a couple of days working on a solution for what I believe is an absolutely crtitical flaw with Joomla. It simply needs to return to the previous page rather than exit and do so with an error message telling the user that their 'security token has expired, please try again'. Users absolutely hate this white screen, they just think they have broken the website. Most often this happens when users open their browser with the J! login page already open, since this is cached they get the error. You can explain they need to refresh etc but they don't understand it or like it because they don't have to do this on Facebook or other sites where logins work differently- and even if they do, they are not presented with a white screen with 'invalid token' on it!

It is a catastrophic usability nightmare, that really cannot be stressed strongly enough. All our other efforts and work are totally demolished by this error. You can have the most fancy sophisticated ACL in the world but what use is it if users are afraid to log in?

As I say I will happily spend some time fixing this IF someone from Joomla Dev will guarantee that the fix will be incorporated into the next release. I have been going on about this now for over a year. If someone would offer to do something Joomlas end, I'll be over the moon to try and do something our end. It just needs to be part of the core that if there is an invalid token it returns to the previous page with an error. Job done. It would be nice if the whole login could work differently so that things like 'keep me logged in' were available like they are just about everywhere else, but that can be done later. Just no white screen, return to previous page with error message, thats all we need. But we need the change to be permanent.


Top
 Profile  
 
PostPosted: Thu Sep 22, 2011 6:46 pm 
Joomla! Apprentice
Joomla! Apprentice

Joined: Wed Dec 23, 2009 9:57 pm
Posts: 8
We have solved our problem -- we used the flawed J2XML importer/exporter tools for migrating an older site, and he data as imported was not normalized for the new DateTimeZone format, and so the Invalid Token white screen problem cascaded from that for some users -- BUT

david I must support and applaud your offer. it should not have been possible for the Invalid Token problem to present on a white screen, Flat-out, full stop no good. We suffered terribly form the bad experiences of a dozen Users who soured our splendid launch for untold dozens who were scared off by the few login probs by a few (loud) others. If your kind of solution were in play or at least available as a patch then this would have been FAR less serious for us.

I love Joomla beyond all time and space and appreciate the limitations and difficulties that Joomla dev face. But david is simply right: someone needs to understand that the entire CMS is useless if we scare off New Users, for something that can be easily remedied.


Top
 Profile  
 
PostPosted: Thu Sep 22, 2011 9:57 pm 
Joomla! Intern
Joomla! Intern

Joined: Sat Dec 02, 2006 4:54 pm
Posts: 78
Hey there all,

I have had a look into this in Joomla 1.7 and it looks like the new thinking is to call a 'jexit' function rather than just exit. This is quite a good idea as it means that we can just change that function and all the jexits are modified where as in J1.5 every component had its own exit command in it and so making changes was a real pain.

So that jexit function is in libraries/loader.php
Code:
function jexit($message = 0)
{
    exit($message);
}

After some playing around I found that we can do this
Code:
function jexit($message = 0)
{
   //We need to get rid of the awful 'invalid token' screen
   if ($message == JText::_('JINVALID_TOKEN'))
      {
      //find out where the user came from and send them back there with an error message
      JFactory::getApplication()->redirect(base64_decode($_POST['return']), JText::_('JINVALID_TOKEN_MSG'));
      }
    exit($message);
}

Its pretty self explanatory, it checks for the Invalid Token message (so that other exits still work) if it is there then it gets the application and redirects it to the submitted return value with a message. My message says 'Security Token Expired. Please try again.' and you add this to your language file in language/en-GB/en-GB-ini (for example). Look for 'JINVALID_TOKEN="Invalid Token"' and make it
Code:
JINVALID_TOKEN="Invalid Token"
JINVALID_TOKEN_MSG="Security Token Expired. Please try again."


Be warned I am not sure of the security ramifications of doing this. The whole point of the token is to check for request forgeries (http://en.wikipedia.org/wiki/Cross-site_request_forgery) and this will redirect a forged request back to a page with a valid token on it. But then if it was the kind of exploit that could do anything with that information it would be able to do it by going to the login page in the first place...

Anyway, I'll be really interested to hear the reasons why J! cannot just handle invalid tokens on logins like this...


Top
 Profile  
 
PostPosted: Sat Sep 24, 2011 5:42 am 
Joomla! Apprentice
Joomla! Apprentice

Joined: Sun May 29, 2011 8:56 am
Posts: 8
danielbprobert wrote:
components/com_user/controller.php


Can someone please indicate what the correct file to modify is in Joomla 1.7? I checked the controller.php in the directory listed above, and there is no such code to modify!


Top
 Profile  
 
PostPosted: Sat Sep 24, 2011 11:10 pm 
Joomla! Intern
Joomla! Intern

Joined: Sat Dec 02, 2006 4:54 pm
Posts: 78
Hey mhbetter my solution above your post is what you are looking for ;)
Don't be put off by what I say about security as the previous solution for J1.5 would have caused the same issue- my version for J1.7 does the same thing basically, its just that J1.7 uses jexit instead of just the simple php exit (which is a bit like 'die'). jexit is a function, so what I modify here is the function, but only when the function exits with an 'Invalid Token' error- all other exits are unaffected.


Top
 Profile  
 
PostPosted: Sun Sep 25, 2011 12:39 pm 
User avatar
Joomla! Guru
Joomla! Guru

Joined: Wed Feb 20, 2008 6:50 am
Posts: 600
Location: Canada, Montreal
thanks davidosullivan

Do you see a way that I can implement your change in 1.5?

_________________
God help us!
Marketing, SEO, Web development - Powered by Joomla!
http://www.grafcomm.ca/


Top
 Profile  
 
PostPosted: Fri Oct 14, 2011 10:05 pm 
Joomla! Apprentice
Joomla! Apprentice

Joined: Wed Aug 04, 2010 6:22 am
Posts: 7
I deleted the cookies for the site and restarted my browsers(Firefox & Chrome) and that resolved the problem for me on both browsers. Before I deleted the cookies, I was receiving "Invalid Token" on both browsers.


Top
 Profile  
 
PostPosted: Tue Nov 08, 2011 5:50 am 
User avatar
Joomla! Fledgling
Joomla! Fledgling

Joined: Tue May 19, 2009 8:10 am
Posts: 2
I experienced this problem last year, and I decided to turn off "System - Cache" plugin. It worked like magic; the error went away. However, I noticed that my website www.mybln.com started to load 1.99 second later than before. It was a astronomical trade off to get rid of that error "Invalid Token".

I decided that I would solve it. I searched and tried most solutions posted on multiple websites, including joomla.org, some solutions work for others, while those solutions did not work for me.

I wanted to get the 1.99 second that I lost. I went back to "System - Cache" and under Plugin Parameters, I select NO for browser caching. Cache Lifetime: 10 minutes.

It worked. I reduced my page load speed, and the error was gone as well. I am not an expert. This error have a lot to do caching.

This may work for some of you, and it may not. It's is another solution.

Marc


Top
 Profile  
 
PostPosted: Sun Nov 13, 2011 2:19 pm 
Joomla! Fledgling
Joomla! Fledgling

Joined: Sun Nov 13, 2011 2:10 pm
Posts: 1
Mi solucion estaba en el plugin cache. desabilitarlo cuando no no se utilice el cache del sistema..
Google Translation:
My solution was in the plugin cache. disable it when not using the system cache ..


Top
 Profile  
 
PostPosted: Tue Nov 15, 2011 1:34 am 
Joomla! Apprentice
Joomla! Apprentice

Joined: Wed May 20, 2009 5:44 am
Posts: 15
I had the problem using J 1.5.23 and registered users logging in to our online store (Virtuemart 1.1.4)
I discovered that users using the url 'mydomain.com' always got the Invalid Token message while users logging in from 'www.mydomain.com' did not.

I made sure the 'Live Site' on my configuration.php file was "http://www.mydomain.com" and that within VM-->Configuration-->Security, that the Site URL and Secure URL were both "http://www.mydomain.com/". I then added a 301 re-write to the .htaccess file - directly following the RewriteEngine On line:

RewriteCond %{HTTP_HOST} ^mydomain.com [NC]
RewriteRule ^(.*)$ http://www.mydomain.com/$1 [L,R=301]

Problem resolved, doesn't matter if user now doesn't type in the www. They are auto redirected to www where the login will work correctly.
I think this would work whether or not you're using VM.


Top
 Profile  
 
PostPosted: Wed Nov 23, 2011 9:19 pm 
Joomla! Enthusiast
Joomla! Enthusiast

Joined: Wed Dec 22, 2010 12:00 pm
Posts: 158
replace Request::checkToken('request') or jexit( 'Invalid Token' );

it works

many thanks


Top
 Profile  
 
PostPosted: Thu Nov 24, 2011 7:15 am 
Joomla! Enthusiast
Joomla! Enthusiast

Joined: Wed Dec 22, 2010 12:00 pm
Posts: 158
instead of JRequest::checkToken() or header('Location: http://www.yourdomainname.com/');

how can you get the $live_site from configuration.php ?

thank you


Top
 Profile  
 
PostPosted: Mon Nov 28, 2011 4:22 am 
Joomla! Apprentice
Joomla! Apprentice

Joined: Wed May 20, 2009 5:44 am
Posts: 15
You need to edit the 'configuration.php' file which is in the root directory of the website. I found it necessary to firstly change the permission of the php file in order to save the changes. I did via ftp using Filezilla - you can change permissions of a file - with file selected - right click of the mouse brings up the required menu option. Then I opened the file, updated the 'live site' setting (on my file it was empty ie ' ' and I typed in the domain url into the space.) Then saved the file, then reverted the file permission to it's original setting. Done.


Top
 Profile  
 
PostPosted: Sat Dec 31, 2011 8:36 pm 
Joomla! Apprentice
Joomla! Apprentice

Joined: Fri Nov 18, 2011 12:54 am
Posts: 22
My problem is very clearly browser cache related.

When someone logs in, closes the browser or leaves the site without logging off, and then returns to it, they get the "invalid token" bit when they try to log in. Every now and again a weirdo textbox pops up instead (?!?!?!?) but whatev.

The point is, hitting refresh on the browser before logging back in works, but that's not a great way to run your site.

My site is for a large school district, with the average uninterrupted session running 60 minutes and 2-4 students accessing the site on each computer over the course of a school day.

Bandwidth is a huge concern for these people. I used to have the browser cache set to 10 minutes, so that as students navigate around the image-heavy pages they don't run into lag or other issues. Now, I've had to cut it down to 2 minutes to avoid most of the "invalid token" events....working with 11 year olds, anything that can go wrong will.

Is there any way to preserve my ability to use browser cache without running into the invalid token issue? I tried the "JRequest::checkToken() or header('Location:..." approach, and it didn't help (I don't know if it's because I'm using a redirection login so that different user groups get sent to different places, or what, but I found three different files with the checkToken "Invalid Token" message!)....I'm sure my problem is the cache settings.


Top
 Profile  
 
PostPosted: Sun Feb 05, 2012 6:56 pm 
Joomla! Fledgling
Joomla! Fledgling

Joined: Sun Feb 05, 2012 5:19 pm
Posts: 1
It's absolutely insane that this issue is so widespread and no real solution.

I'm new to joomla but have been building php based web sites for 10 years.

I start fooling with joomla and start getting the hang of things and am liking. Last night I walk away from my recent site build using joomla. This morning I can't log in as a user. Just admin.

INSANITY!!!! Two hours of my day so far and no fix.


Top
 Profile  
 
PostPosted: Tue Feb 14, 2012 4:37 pm 
Joomla! Fledgling
Joomla! Fledgling

Joined: Tue Feb 14, 2012 4:34 pm
Posts: 2
For me disabling the Google Authentication plugin fixed this problem.


Top
 Profile  
 
PostPosted: Mon Feb 20, 2012 7:14 am 
Joomla! Enthusiast
Joomla! Enthusiast

Joined: Sat Dec 17, 2011 7:45 pm
Posts: 112
Davidosullivan, does that fix still work for you? Does this fix you mention cause a security issue or anything else bad?


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 203 posts ]  Go to page Previous  1 ... 3, 4, 5, 6, 7  Next



Who is online

Users browsing this forum: No registered users and 20 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
Powered by phpBB® Forum Software © phpBB Group