Can't Login to Piwik: Form security failed


#1

[You can view the German thread here.]

Hi,

When I try to log in I get the following error message (every time, on every OS, with every browser):

In the German forum some members complained about the same problem while using the provider “Strato” (like me). It appears that Strato has support for HTTP_REFERER disabled by default. So I made this snippet:


<?php
// print the current value of session.referer_check (a substring the Referer
// header must contain; an empty value means PHP performs no referer check)
echo ini_get('session.referer_check');

// if no value is configured, set it to 1
if (!ini_get('session.referer_check')) {
    ini_set('session.referer_check', 1);
}

// print the value again to confirm the change took effect
echo ini_get('session.referer_check');

Now I can read out the Referer-URL but Piwik keeps saying that the Form Security Key is invalid.

But why? Can I turn on some kind of debug to check the Referer-URL internally? Can anybody help me out with that problem?


(Matthieu Aubry) #2

The check happens in this file; you can print out the value of the referrer this way:

maybe it is empty in your case?


Index: core/Nonce.php
===================================================================
--- core/Nonce.php	(revision 4475)
+++ core/Nonce.php	(working copy)
@@ -71,6 +71,7 @@
 
 		// validate referer
 		$referer = Piwik_Url::getReferer();
+		var_dump($referer);exit;
 		if(!empty($referer) && (Piwik_Url::getLocalReferer() === false))
 		{
 			return false;
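Review bot: the added `var_dump($referer);exit;` is a diagnostic only and must be reverted once the value has been read, since left in place it aborts every request that reaches this function in core/Nonce.php. Also worth stating next to the suggestion: as the surrounding condition `if(!empty($referer) && (Piwik_Url::getLocalReferer() === false))` shows, an empty referer passes this branch, so a dump showing an empty string means the failure comes from another check in this function, whereas a non-empty value points at the host comparison in `Piwik_Url::getLocalReferer()`.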


(vipsoft) #3

I’ve already responded in the other forum.


(Matthieu Aubry) #4

which one?


(vipsoft) #5

The topic is linked in the first post above.


#6

I have the same problem after updating to 1.3.

For me


ini_set('session.referer_check', '');

does not work…

some ideas?

thanks


(vipsoft) #7

mastaa: where are you putting that code? Also, if you’re behind a proxy, then you also need to set proxy_client_headers and proxy_host_headers.


#8

I put it in session.php.

Yes, I’m behind a Microsoft ISA Firewall,
and I have tested the following:
[General]
; CloudFlare proxy
; proxy_client_headers[] = HTTP_CF_CONNECTING_IP
; ISP proxy (Client-IP)
;proxy_client_headers[] = HTTP_CLIENT_IP
; standard proxy
;proxy_client_headers[] = HTTP_X_FORWARDED_FOR

but I don’t know which one I should use, so I tested them all. But none of them works for me…

I restored my system from a backup to the old version.


#9

Can you say where the right position for the


ini_set('session.referer_check', '');

is, or can you give me the corrected file?


(vipsoft) #10

In config/config.ini.php, add:


[General]
proxy_client_headers[] = HTTP_CLIENT_IP
proxy_client_headers[] = HTTP_X_FORWARDED_FOR

The (proposed) patch to core/Session.php is:


Index: Session.php
===================================================================
--- Session.php	(revision 4485)
+++ Session.php	(working copy)
@@ -44,6 +44,10 @@
 		$sessionName = defined('PIWIK_SESSION_NAME') ? PIWIK_SESSION_NAME : 'PIWIK_SESSID';
 		@ini_set('session.name', $sessionName);
 
+		// proxies may cause the referer check to fail and
+		// incorrectly invalidate the session
+		@ini_set('session.referer_check', '');
+
 		// we consider these to be misconfigurations, in that
 		//  - user - Piwik doesn't implement user-defined session handler functions
 		// -  mm - is not recommended, not supported, not available for Windows, and has a potential concurrency issue
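Review bot: the new `@ini_set('session.referer_check', '')` only relaxes PHP's session-level referer check and leaves the separate referer validation in core/Nonce.php (shown in #2) untouched, so "Form security failed" can still be raised with this applied; the comment should say which of the two checks it addresses. Since PHP's default for session.referer_check is already the empty string, the call only changes behaviour on hosts whose php.ini sets a value, and clearing it removes a session-hijacking mitigation for every installation, not just proxied ones; consider documenting that trade-off in the comment or making the call conditional on proxy_host_headers / proxy_client_headers being configured.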


#11

Does not work.

Now the config file looks like this:


[superuser]
login = "****"
password = "****"
email = "*****"
salt = "******"

[database]
host = "******"
username = "***"
password = "*****"
dbname = "****"
tables_prefix = "****"
adapter = "PDO_MYSQL"
port = 3306
charset = "utf8"

[General]
secure_protocol = 1
proxy_client_headers[] = HTTP_CLIENT_IP
proxy_client_headers[] = HTTP_X_FORWARDED_FOR



[PluginsInstalled]
PluginsInstalled[] = "Login"
PluginsInstalled[] = "CoreAdminHome"
PluginsInstalled[] = "UsersManager"
PluginsInstalled[] = "SitesManager"
PluginsInstalled[] = "Installation"
PluginsInstalled[] = "CorePluginsAdmin"
PluginsInstalled[] = "CoreHome"
PluginsInstalled[] = "Proxy"
PluginsInstalled[] = "API"
PluginsInstalled[] = "Widgetize"
PluginsInstalled[] = "LanguagesManager"
PluginsInstalled[] = "Actions"
PluginsInstalled[] = "Dashboard"
PluginsInstalled[] = "MultiSites"
PluginsInstalled[] = "Referers"
PluginsInstalled[] = "UserSettings"
PluginsInstalled[] = "Goals"
PluginsInstalled[] = "SEO"
PluginsInstalled[] = "UserCountry"
PluginsInstalled[] = "VisitsSummary"
PluginsInstalled[] = "VisitFrequency"
PluginsInstalled[] = "VisitTime"
PluginsInstalled[] = "VisitorInterest"
PluginsInstalled[] = "ExampleAPI"
PluginsInstalled[] = "ExamplePlugin"
PluginsInstalled[] = "ExampleRssWidget"
PluginsInstalled[] = "ExampleFeedburner"
PluginsInstalled[] = "Provider"
PluginsInstalled[] = "Feedback"
PluginsInstalled[] = "CoreUpdater"
PluginsInstalled[] = "PDFReports"
PluginsInstalled[] = "UserCountryMap"
PluginsInstalled[] = "Live"
PluginsInstalled[] = "CustomVariables"

and the /core/Session.php


<?php
/**
 * Piwik - Open source web analytics
 * 
 * @link http://piwik.org
 * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
 * @version $Id: Session.php 4297 2011-04-03 19:31:58Z vipsoft $
 * 
 * @category Piwik
 * @package Piwik
 */

/**
 * Session initialization.
 * 
 * @package Piwik
 * @subpackage Piwik_Session
 */

class Piwik_Session extends Zend_Session
{
	public static function start($options = false)
	{
		
		if(Piwik_Common::isPhpCliMode())
		{
			return;
		}
	ini_set('session.referer_check', '');
		// use cookies to store session id on the client side
		@ini_set('session.use_cookies', '1');

		// prevent attacks involving session ids passed in URLs
		@ini_set('session.use_only_cookies', '1');

		// advise browser that session cookie should only be sent over secure connection
		if(Piwik_Url::getCurrentScheme() === 'https')
		{
			@ini_set('session.cookie_secure', '1');
		}

		// advise browser that session cookie should only be accessible through the HTTP protocol (i.e., not JavaScript)
		@ini_set('session.cookie_httponly', '1');

		// don't use the default: PHPSESSID
		$sessionName = defined('PIWIK_SESSION_NAME') ? PIWIK_SESSION_NAME : 'PIWIK_SESSID';
 		@ini_set('session.name', $sessionName);
 
+		// proxies may cause the referer check to fail and
+		// incorrectly invalidate the session
+		@ini_set('session.referer_check', '');
+
 		// we consider these to be misconfigurations, in that
 		//  - user - Piwik doesn't implement user-defined session handler functions
 		// -  mm - is not recommended, not supported, not available for Windows, and has a potential concurrency issue
		$currentSaveHandler = ini_get('session.save_handler');
		if($currentSaveHandler == 'user'
			|| $currentSaveHandler == 'mm')
		{
			@ini_set('session.save_handler', 'files');
			@ini_set('session.save_path', '');
		}

		// for "files", we want a writeable folder;
		// for shared hosting, we assume the web server has been securely configured to prevent local session file hijacking
		if(ini_get('session.save_handler') == 'files')
		{
			$sessionPath = ini_get('session.save_path');
			if(preg_match('/^[0-9]+;(.*)/', $sessionPath, $matches))
			{
				$sessionPath = $matches[1];
			}
			if(ini_get('safe_mode') || ini_get('open_basedir') || empty($sessionPath) || !@is_readable($sessionPath) || !@is_writable($sessionPath))
			{
				$sessionPath = PIWIK_USER_PATH . '/tmp/sessions';
				$ok = true;

				if(!is_dir($sessionPath))
				{
					Piwik_Common::mkdir($sessionPath);
					if(!is_dir($sessionPath))
					{
						// Unable to mkdir $sessionPath
						$ok = false;
					}
				}
				else if(!@is_writable($sessionPath))
				{
					// $sessionPath is not writable
					$ok = false;
				}

				if($ok)
				{
					@ini_set('session.save_path', $sessionPath);

					// garbage collection may disabled by default (e.g., Debian)
					if(ini_get('session.gc_probability') == 0) {
						@ini_set('session.gc_probability', 1);
					}
				}
				// else rely on default setting (assuming it is configured to a writeable folder)
			}
		}

		try {
			Zend_Session::start();
		} catch(Exception $e) {
			// This message is not translateable because translations haven't been loaded yet.
			Piwik_ExitWithMessage('Unable to start session.  Check that session.save_path or tmp/sessions is writeable, and session.auto_start = 0.');
		}
	}
		
}


any ideas?


(vipsoft) #12

The ‘+’ symbols in the patch mean a line was added. Don’t copy the ‘+’ symbols into core/Session.php.


#13

Thank you, but even without the “+” in Session.php the error is the same.


(vipsoft) #14

Please put a phpinfo.php file in your piwik folder, and PM me the results. Thanks.


<?php phpinfo();


#15

When I log in to Piwik with Opera it works! No error message. But when I use Firefox on Mac, Windows or Linux it doesn’t work. The same with Safari on Mac, Windows and iPod. Only Opera on every device (even the Opera for iPod/iPhone) lets me log in.


#16

I got the same problem. I was using 1.4, then updated to 1.5.1… Everything was normal. Today I changed the password… Since then I permanently have this problem. Cannot solve it yet, but I am using a workaround…

Since the original Piwik 1.5.1 is actually working but cannot let a user log on, I installed Piwik 1.4 in another directory and copied the config.ini.php into it.

So I could log in to 1.4 without problems. I don’t know if it causes some corruption of the DB, but since I don’t collect statistics with 1.4 I think it’s safe (or not? Tried 1.5 too with no luck…)

Edit: Tested with the Piwik Mobile Android app and it works. Piwik Mobile could show statistics. But it refuses Android’s browser too, as it does my Firefox (on Linux). Tested with Opera too, doesn’t work.


(Matthieu Aubry) #17

EUA, what error do you get exactly when trying to log in to 1.5.1? Please PM me the Piwik URL + login + pwd with a bug report and a link to this post, thanks


#18

I just want to add to this and say that I received the same error. Turns out the password I generated for my database user had punctuation in it (“@” and “!”), and I didn’t think about that when I created it.

That may not be the case for everyone, but it is a possibility.

I opened the config.ini.php file and discovered punctuation in the database password, removed the punctuation, changed the database user password to match and all is well.


#19

I have similar problem with 1.8.4.

Under config.ini.php, if I have proxy_host_headers[] = “HTTP_X_FORWARDED_FOR” then no one is able to log in. The same error message as the OP’s is shown:

Form security failed. Please reload the form and check that your cookies are enabled. If you use a proxy server, you must configure Piwik to accept the proxy header that forwards the Host header. Also, check that your Referer header is sent correctly.

If proxy_host_headers[] = “HTTP_X_FORWARDED_HOST” then all log in is fine.

HTTP_X_FORWARDED_FOR must be used to collect the true client IP addresses, otherwise HTTP_X_FORWARDED_HOST will give the Internet facing server internal IP address.

Anyone has a solution?

** luckily, I can log in via Piwik Mobile and from the Intranet, and have access to all functions. **
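A small PHP model, added here and not Piwik's own code, of the local-referer check that #7 and #10 configure through proxy headers and that #19 shows failing when a client-IP header is listed in proxy_host_headers[]: the function names, the header-resolution order and the request values are all assumptions constructed for this example.

```php
<?php
// Added illustration, not Piwik's own code: a simplified model of a
// "local referer" check, showing how proxy_host_headers[] changes which
// host the Referer is compared against.

// The host the application believes it serves. $hostHeaders mirrors
// [General] proxy_host_headers[]: first header present wins, else HTTP_HOST.
function resolve_current_host(array $server, array $hostHeaders): string
{
    foreach ($hostHeaders as $name) {
        if (!empty($server[$name])) {
            // forwarded headers may carry a comma-separated chain; take the first
            return strtolower(trim(explode(',', $server[$name])[0]));
        }
    }
    return strtolower($server['HTTP_HOST'] ?? '');
}

// A missing Referer passes (nothing to compare); a present one must name
// the same host as the current request.
function referer_is_local(array $server, array $hostHeaders): bool
{
    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer === '') {
        return true;
    }
    $refererHost = strtolower((string) parse_url($referer, PHP_URL_HOST));
    return $refererHost !== ''
        && $refererHost === resolve_current_host($server, $hostHeaders);
}

// Constructed request as it arrives behind a reverse proxy
$server = [
    'HTTP_HOST'             => '10.0.0.5',              // internal address the proxy talks to
    'HTTP_X_FORWARDED_HOST' => 'stats.example.org',     // name the browser actually requested
    'HTTP_X_FORWARDED_FOR'  => '203.0.113.7, 10.0.0.1', // client IP chain, never a host name
    'HTTP_REFERER'          => 'https://stats.example.org/index.php?module=Login',
];

$configs = [
    'none configured'       => [],
    'HTTP_X_FORWARDED_FOR'  => ['HTTP_X_FORWARDED_FOR'],  // the setting that broke login in #19
    'HTTP_X_FORWARDED_HOST' => ['HTTP_X_FORWARDED_HOST'], // the setting that worked in #19
];
foreach ($configs as $label => $hostHeaders) {
    printf("proxy_host_headers=%-22s host=%-18s referer %s\n", $label,
        resolve_current_host($server, $hostHeaders),
        referer_is_local($server, $hostHeaders) ? 'accepted' : 'rejected');
}
```

The point of the three rows is that a client-IP header (or the proxy's internal HTTP_HOST) can never equal the host name in a browser's Referer, so only a header that actually forwards the Host lets the comparison succeed.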


#20

After installing the latest Piwik distribution, I’m getting the same problem on my initial login.

“Sicherheitschecks fehlgeschlagen. Bitte laden Sie das Formular erneut und prüfen Sie, ob Ihr Browser Cookies zulässt.” I simply cannot log in. (Of course I’m using the correct credentials.)

I’ve tried it with Firefox (Mac & Windows), IE (Windows), Safari (Mac) and Opera (Mac). Always the same problem. Piwik Mobile lets me access the statistics.

Although I don’t have a proxy at all, I have already tried to put the following lines into config.ini.php (without any effect at all):

secure_protocol = 1
proxy_client_headers[] = HTTP_CLIENT_IP
proxy_client_headers[] = HTTP_X_FORWARDED_FOR

I’m having the problem both if I enter the piwik-url directly (HTTP_REFERER not set) and if I get to the login page via a link (HTTP_REFERER set correctly).

Can anyone help, please?