Beta 2, frontend login error: security token did not match

Posted: Wed Jul 01, 2020 9:36 am
by andoo
Started a project on Joomla and went straight to 4.0 beta 1. Trying to log in on the frontend worked sometimes and sometimes didn't, and I got the error: "The security token did not match. The request was aborted to prevent any security breach. Please try again."

Since the update to beta 2 I can't log in at all. Every time I try I get:

Warning
Your session has expired. Please log in again.
The security token did not match. The request was aborted to prevent any security breach. Please try again.


Tried to change session handler from APC User Cache, Database and Filesystem and still nothing.

I'm not that familiar with Joomla but searching the forums I found that kind of issue dating back to the beginnings of it. Thank you for any help. I'm puzzled.

Re: Beta 2, frontend login error: security token did not match

Posted: Wed Jul 01, 2020 9:53 am
by toivo
Welcome to the forum!

The issue you reported is definitely not common, based on experiences in daily testing of different versions of Joomla 4 from Alpha to the current Beta 2 in the last couple of months.

Suggest that you clear the cache and cookies from the back end of your test and development site. Clear the temporary web files from your browser, too. Use the latest version of a different browser.

Re: Beta 2, frontend login error: security token did not match

Posted: Wed Jul 01, 2020 10:02 am
by ceford
Reload the Login page and try again. It is not obvious but the login form contains a token that will expire if your session expires. Leave the session Handler set to Database unless you have some very good reason to change it.

Re: Beta 2, frontend login error: security token did not match

Posted: Wed Jul 01, 2020 10:56 am
by gws
Well quite strangely I get the same message when I log out of J4 beta1. Otherwise all is working fine.
@ceford you state "Leave the session Handler set to Database unless you have some very good reason to change it." I am under the impression that changing this is better? Have you read something that I have missed?

Re: Beta 2, frontend login error: security token did not match

Posted: Wed Jul 01, 2020 11:08 am
by andoo
toivo wrote:
Wed Jul 01, 2020 9:53 am
Welcome to the forum!

The issue you reported is definitely not common, based on experiences in daily testing of different versions of Joomla 4 from Alpha to the current Beta 2 in the last couple of months.

Suggest that you clear the cache and cookies from the back end of your test and development site. Clear the temporary web files from your browser, too. Use the latest version of a different browser.
Just made a reply that lost what I have written. I guess I have another problem with phpBB besides Joomla :-\ Tried with another browser and the problem wasn't present there. I guess the problem had to do with my default browser. Maybe disabling browser cache for dev purposes.

Re: Beta 2, frontend login error: security token did not match

Posted: Wed Jul 01, 2020 11:15 am
by andoo
ceford wrote:
Wed Jul 01, 2020 10:02 am
Reload the Login page and try again. It is not obvious but the login form contains a token that will expire if your session expires. Leave the session Handler set to Database unless you have some very good reason to change it.
Tried a dozen reloads. After toivo's reply, narrowed down the issue to my default browser. Maybe disabling browser caching from Developer Tools had something to do with that.

Just sorted out Cassiopeia menu dropdowns exactly how I wanted and I was in the "nothing can stop me now" mood, and didn't think to check that too. :o

Re: Beta 2, frontend login error: security token did not match

Posted: Wed Jul 01, 2020 11:20 am
by ceford
gws wrote:
Wed Jul 01, 2020 10:56 am
Well quite strangely I get the same message when I log out of J4 beta1. Otherwise all is working fine.
@ceford you state "Leave the session Handler set to Database unless you have some very good reason to change it." I am under the impression that changing this is better? Have you read something that I have missed?
No - just that a newcomer does not really need to change defaults to get started. Having said that, I see the default is File System so I must have changed it myself. And I don't remember why!

Re: Beta 2, frontend login error: security token did not match

Posted: Thu Jul 02, 2020 2:22 pm
by deleted user
ceford wrote:
Wed Jul 01, 2020 10:02 am
Leave the session Handler set to Database unless you have some very good reason to change it.
Just for the record, the database session handler is the default handler mainly because it's the one that's guaranteed to work out of the box 100% of the time every time, as it's the only one Joomla can fully configure and control on its own.

The filesystem handler, which generally I recommend as it will be slightly more performant than using the database, requires PHP to be configured properly otherwise it will crash and Joomla will be totally unusable. To use it, PHP has to have a filesystem path configured for use and it has to have the appropriate permissions as PHP will need to be able to read files from it, write files to it, and if session garbage collection is enabled to delete files from it. Joomla 4 does add a config parameter to let you define your own filesystem path and not rely on the PHP session.save_path INI configuration, as well as having a fallback to the system temporary directory (as defined by the sys_get_temp_dir() PHP function) if neither of those paths are configured, so the CMS does try a bit harder to make the filesystem handler work but if the permissions are wrong then it's game over.

The other session handlers (APCu, Memcached, Redis, and WinCache) all rely on optional PHP extensions so couldn't even be considered as defaults if anyone wanted to. Personally, I wouldn't use APCu or WinCache as a session store but the option is there (IMO those aren't any better than the "plain" filesystem option), and the Memcached and Redis handlers I feel are overkill if you're deploying Joomla in the typical shared hosting environment (where those types of handlers succeed are if you're deploying in a load balanced environment where multiple servers are involved and you need the session data for the application to be available across all servers, I don't have any Joomla sites like this but I do have a Symfony application where we have 5 or 6 active web servers on a slow day that are behind a load balancer so a user's session needs to be available regardless of which server is chosen to handle a particular request).

All that to say, the database handler isn't necessarily the best option, but it is the most platform portable and the most sane default Joomla can provide.

Re: Beta 2, frontend login error: security token did not match

Posted: Thu Jul 02, 2020 3:37 pm
by gws
@mbabker Thanks, that's the best explanation I have seen.

Re: Beta 2, frontend login error: security token did not match

Posted: Thu Jul 02, 2020 5:09 pm
by ceford
Currently, in Beta-3 Dev, the Session Handler only offers Database and Filesystem. I have abridged mbabker's excellent explanation and included it in the Help screen for the Global Configuration page. This is what it says:
Session Handler: (File System/Database). The mechanism by which Joomla! identifies a User once they are connected to the website using non-persistent cookies.

The database session handler is the default handler because it is the only one that Joomla can fully configure and control on its own.
The filesystem handler will be slightly more performant than the database handler, but it requires PHP to be configured properly otherwise it will crash and Joomla will be totally unusable. To use it, select Filesystem and then enter a full filesystem path in the Session Save Path field that appears. Ensure the path has appropriate permissions for PHP to read and write files, and if session garbage collection is enabled to delete files from it. If this path is not set, Joomla will rely on the PHP session.save_path INI configuration or fallback to the system temporary directory (as defined by the sys_get_temp_dir() PHP function). If neither of those paths are configured or the permissions are wrong then it's game over. To recover, edit the configuration.php file and set $session_handler = 'database'.
The layout is better in the Help Screen and it will be a day or so before it becomes current.
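
Added example, not part of the thread and not Joomla's own code: a standalone PHP check to run before switching the Session Handler to Filesystem. It resolves the session directory in the order described above (Session Save Path, then session.save_path, then sys_get_temp_dir()) and probes the read, write and delete operations the handler needs. The function names and the `$joomlaPath` argument are hypothetical, and the "other users" permission test is a hardening check added here.

```php
<?php
// Added example, not Joomla code. Function names and $joomlaPath are hypothetical.

function resolveSessionPath(?string $joomlaPath): array
{
    // 1. Path entered in Joomla's Session Save Path field (passed in by the caller).
    if ($joomlaPath !== null && $joomlaPath !== '') {
        return ['Session Save Path', $joomlaPath];
    }
    // 2. PHP's session.save_path; the value may carry "N;" or "N;MODE;" prefixes.
    $ini = (string) ini_get('session.save_path');
    if ($ini !== '') {
        $parts = explode(';', $ini);
        return ['session.save_path', end($parts)];
    }
    // 3. Fallback named in the thread.
    return ['sys_get_temp_dir()', sys_get_temp_dir()];
}

function checkSessionDir(string $dir): array
{
    $result = ['exists' => is_dir($dir), 'write' => false, 'read' => false,
               'delete' => false, 'other_access' => null];
    if (!$result['exists']) {
        return $result;
    }
    // Probe with a real file: is_writable() alone can mislead under ACLs or open_basedir.
    $probe = rtrim($dir, '/\\') . DIRECTORY_SEPARATOR
           . 'sess_probe_' . bin2hex(random_bytes(8));
    $result['write']  = @file_put_contents($probe, 'x') === 1;
    $result['read']   = $result['write'] && @file_get_contents($probe) === 'x';
    $result['delete'] = $result['write'] && @unlink($probe); // needed for session GC
    // Added hardening check (POSIX mode bits): can "other" users reach the directory?
    // Session files in a directory shared with other accounts may be exposed to them.
    $result['other_access'] = (fileperms($dir) & 0007) !== 0;
    return $result;
}

// Constructed usage: null stands for an empty Session Save Path field.
[$source, $dir] = resolveSessionPath(null);
printf("session directory from %s: %s\n", $source, $dir);
foreach (checkSessionDir($dir) as $name => $value) {
    printf("  %-12s %s\n", $name, var_export($value, true));
}
```

Run it as the same user the web server's PHP runs as; results from a CLI run under a different account do not reflect what Joomla will see.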

Re: Beta 2, frontend login error: security token did not match

Posted: Thu Jul 02, 2020 5:48 pm
by sozzled
@mbabker: as always, thank you. +1

Re: Beta 2, frontend login error: security token did not match

Posted: Fri Jul 03, 2020 12:29 am
by deleted user
ceford wrote:
Thu Jul 02, 2020 5:09 pm
Currently, in Beta-3 Dev, the Session Handler only offers Database and Filesystem.
Because that is all your system supports. The cache handler, session handler, and database driver fields in the global config are environment aware and only show compatible options. Don't have ext/pdo installed and enabled in PHP? You won't see the PDO database drivers. Don't have ext/redis installed and enabled in PHP? You won't see the Redis option for cache or session. Though maybe the UI could present disabled options instead of not showing them at all to improve discoverability, otherwise it's a useful mechanism to keep folks from setting a configuration that will crash a site.

Re: Beta 2, frontend login error: security token did not match

Posted: Fri Jul 03, 2020 9:33 am
by ceford
Thank you again for that clarification. I have added this to the Global Configuration Help page:
Other handlers (APCu, Memcached, Redis, and WinCache) all rely on optional PHP extensions and may be available if your system supports them. APCu or WinCache may be no better than the "plain" filesystem option. The Memcached and Redis handlers are overkill for Joomla in a typical shared hosting environment. Those types of handlers succeed if you are deploying Joomla in a load balanced environment where multiple servers are involved and you need the session data for the application to be available across all servers.
Gems of information to anyone wondering what these terms mean, including me!