When I try to log in I get the following error message (every time, on every OS, with every browser):
In the German forum some members complained about the same problem while using the provider “Strato” (like me). It appears that Strato has the support for HTTP_REFERER disabled by default. So I made this snippet:
echo ini_get('session.referer_check');
if (!ini_get('session.referer_check')) {
    ini_set('session.referer_check', 1);
}
echo ini_get('session.referer_check');
Now I can read out the Referer-URL but Piwik keeps saying that the Form Security Key is invalid.
But why? Can I turn on some kind of debug to check the Referer-URL internally? Can anybody help me out with that problem?
Yes, I am behind a Microsoft ISA Firewall.
And I have tested the following:
[General]
; CloudFlare proxy
; proxy_client_headers[] = HTTP_CF_CONNECTING_IP
; ISP proxy (Client-IP)
;proxy_client_headers[] = HTTP_CLIENT_IP
; standard proxy
;proxy_client_headers[] = HTTP_X_FORWARDED_FOR
But I don't know which one I should use, so I tested all of them. But none of them works for me…
I restored my system from a backup to the old version.
Index: Session.php
===================================================================
--- Session.php (revision 4485)
+++ Session.php (working copy)
@@ -44,6 +44,10 @@
$sessionName = defined('PIWIK_SESSION_NAME') ? PIWIK_SESSION_NAME : 'PIWIK_SESSID';
@ini_set('session.name', $sessionName);
+ // proxies may cause the referer check to fail and
+ // incorrectly invalidate the session
+ @ini_set('session.referer_check', '');
+
// we consider these to be misconfigurations, in that
// - user - Piwik doesn't implement user-defined session handler functions
// - mm - is not recommended, not supported, not available for Windows, and has a potential concurrency issue
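Review bot: the `@` in front of the added `@ini_set('session.referer_check', '')` hides the case where the host does not allow this setting to be changed, so on such a host the session can still be invalidated and nothing records why. ini_set() returns false on failure; check that return value and report it instead of suppressing it. The new comment should also say that an empty value switches the referer check off entirely rather than relaxing it for proxies, so the trade-off is visible at the call site.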
<?php
/**
 * Piwik - Open source web analytics
 *
 * @link http://piwik.org
 * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
 * @version $Id: Session.php 4297 2011-04-03 19:31:58Z vipsoft $
 *
 * @category Piwik
 * @package Piwik
 */

/**
 * Session initialization.
 *
 * @package Piwik
 * @subpackage Piwik_Session
 */
class Piwik_Session extends Zend_Session
{
    public static function start($options = false)
    {
        if(Piwik_Common::isPhpCliMode())
        {
            return;
        }

        ini_set('session.referer_check', '');

        // use cookies to store session id on the client side
        @ini_set('session.use_cookies', '1');

        // prevent attacks involving session ids passed in URLs
        @ini_set('session.use_only_cookies', '1');

        // advise browser that session cookie should only be sent over secure connection
        if(Piwik_Url::getCurrentScheme() === 'https')
        {
            @ini_set('session.cookie_secure', '1');
        }

        // advise browser that session cookie should only be accessible through the HTTP protocol (i.e., not JavaScript)
        @ini_set('session.cookie_httponly', '1');

        // don't use the default: PHPSESSID
        $sessionName = defined('PIWIK_SESSION_NAME') ? PIWIK_SESSION_NAME : 'PIWIK_SESSID';
        @ini_set('session.name', $sessionName);

        // proxies may cause the referer check to fail and
        // incorrectly invalidate the session
        @ini_set('session.referer_check', '');

        // we consider these to be misconfigurations, in that
        // - user - Piwik doesn't implement user-defined session handler functions
        // - mm - is not recommended, not supported, not available for Windows, and has a potential concurrency issue
        $currentSaveHandler = ini_get('session.save_handler');
        if($currentSaveHandler == 'user'
            || $currentSaveHandler == 'mm')
        {
            @ini_set('session.save_handler', 'files');
            @ini_set('session.save_path', '');
        }

        // for "files", we want a writeable folder;
        // for shared hosting, we assume the web server has been securely configured to prevent local session file hijacking
        if(ini_get('session.save_handler') == 'files')
        {
            $sessionPath = ini_get('session.save_path');
            if(preg_match('/^[0-9]+;(.*)/', $sessionPath, $matches))
            {
                $sessionPath = $matches[1];
            }
            if(ini_get('safe_mode') || ini_get('open_basedir') || empty($sessionPath) || !@is_readable($sessionPath) || !@is_writable($sessionPath))
            {
                $sessionPath = PIWIK_USER_PATH . '/tmp/sessions';
                $ok = true;

                if(!is_dir($sessionPath))
                {
                    Piwik_Common::mkdir($sessionPath);
                    if(!is_dir($sessionPath))
                    {
                        // Unable to mkdir $sessionPath
                        $ok = false;
                    }
                }
                else if(!@is_writable($sessionPath))
                {
                    // $sessionPath is not writable
                    $ok = false;
                }

                if($ok)
                {
                    @ini_set('session.save_path', $sessionPath);

                    // garbage collection may be disabled by default (e.g., Debian)
                    if(ini_get('session.gc_probability') == 0) {
                        @ini_set('session.gc_probability', 1);
                    }
                }
                // else rely on default setting (assuming it is configured to a writeable folder)
            }
        }

        try {
            Zend_Session::start();
        } catch(Exception $e) {
            // This message is not translateable because translations haven't been loaded yet.
            Piwik_ExitWithMessage('Unable to start session. Check that session.save_path or tmp/sessions is writeable, and session.auto_start = 0.');
        }
    }
}
When I log in to Piwik with Opera it works! No error message. But when I use Firefox on Mac, Windows or Linux it doesn’t work. The same with Safari on Mac, Windows and iPod. Only Opera on every device (even the Opera for iPod/iPhone) lets me log in.
I got the same problem. I was using 1.4, then updated to 1.5.1… Everything was normal. Today I changed the password… Since then I permanently have this problem. I cannot solve it yet but am using a workaround…
Since the original Piwik 1.5.1 is actually working but cannot make the user log on, I installed Piwik 1.4 to another directory and copied the config.ini.php into it.
So I could log in to 1.4 without a problem. I don’t know if it causes some corruption in the DB, but since I don’t collect statistics with 1.4 I think it’s safe (or not? Tried 1.5 too with no luck…)
Edit: Tested with the Piwik Mobile Android app and it works. Mobile Piwik could show statistics. But it resists Android’s browser too, as it does my Firefox (on Linux). Tested with Opera too; it doesn’t work.
EUA, what error do you get exactly when trying to log in to 1.5.1? Please PM me the Piwik URL + login + pwd with a bug report and a link to this post, thanks.
I just want to add to this and say that I received the same error. Turns out the password I generated for my database user had punctuation in it, “@” and “!”, and I didn’t think about that when I created it.
That may not be the case for everyone, but it is a possibility.
I opened the config.ini.php file and discovered punctuation in the database password, removed the punctuation, changed the database user password to match and all is well.
Under config.ini.php, if I have proxy_host_headers[] = "HTTP_X_FORWARDED_FOR" then no one is able to log in. The same error message as the OP's is shown:
Form security failed. Please reload the form and check that your cookies are enabled. If you use a proxy server, you must configure Piwik to accept the proxy header that forwards the Host header. Also, check that your Referer header is sent correctly.
If proxy_host_headers[] = "HTTP_X_FORWARDED_HOST" then all logins are fine.
HTTP_X_FORWARDED_FOR must be used to collect the true client IP addresses, otherwise HTTP_X_FORWARDED_HOST will give the Internet-facing server's internal IP address.
Does anyone have a solution?
** luckily, I can log in via Piwik Mobile and from the Intranet, and have access to all functions. **
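The error text quoted in the post above asks for the proxy header that forwards the Host header, and a host/Referer comparison fails when that setting names a header carrying a client IP instead. An added example, not Piwik's code: a simplified model of such a check, with hypothetical function names and a constructed request, run against three header configurations.

```php
<?php
// Simplified model of a host/Referer form check behind a reverse proxy.
// NOT Piwik's implementation: function names and sample values are constructed.

// Host the application believes it is served on: the first configured proxy
// header present in the request, otherwise the plain Host header.
function effectiveHost(array $server, array $proxyHostHeaders): string
{
    foreach ($proxyHostHeaders as $name) {
        if (!empty($server[$name])) {
            // Take the first entry if the header carries a comma-separated list.
            $parts = explode(',', $server[$name]);
            return strtolower(trim($parts[0]));
        }
    }
    return strtolower($server['HTTP_HOST'] ?? '');
}

// Accept the form only if the Referer's host equals the effective host.
function refererMatchesHost(array $server, array $proxyHostHeaders): bool
{
    $refererHost = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    if (!is_string($refererHost) || $refererHost === '') {
        return false; // missing or unparsable Referer
    }
    // Drop a trailing :port before comparing.
    $host = preg_replace('/:\d+$/', '', effectiveHost($server, $proxyHostHeaders));
    return strtolower($refererHost) === $host;
}

// Constructed request as the backend sees it behind a reverse proxy.
$server = [
    'HTTP_HOST'             => '10.0.0.5',           // internal backend address
    'HTTP_X_FORWARDED_HOST' => 'stats.example.org',  // public host name
    'HTTP_X_FORWARDED_FOR'  => '203.0.113.7',        // client IP
    'HTTP_REFERER'          => 'https://stats.example.org/index.php',
];

// Compare: a client-IP header used as host header, the host header, no proxy header.
foreach ([['HTTP_X_FORWARDED_FOR'], ['HTTP_X_FORWARDED_HOST'], []] as $cfg) {
    printf("%-24s => %s\n",
        $cfg ? $cfg[0] : '(plain Host header)',
        refererMatchesHost($server, $cfg) ? 'form accepted' : 'form security failed');
}
```

In this model only the HTTP_X_FORWARDED_HOST configuration yields a host equal to the Referer's host; the client-IP header and the internal Host value both fail the comparison.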
After installing the latest Piwik distribution, I’m getting the same problem on my initial login.
“Sicherheitschecks fehlgeschlagen. Bitte laden Sie das Formular erneut und prüfen Sie, ob Ihr Browser Cookies zulässt.” I simply cannot log in. (Of course I’m using the correct credentials.)
I’ve tried it with Firefox (Mac & Windows), IE (Windows), Safari (Mac) and Opera (Mac). Always the same problem. Piwik Mobile lets me access the statistics.
Although I don’t have a proxy at all, I have already tried to put the following lines into config.ini.php (without any effect at all):
I’m having the problem both if I enter the piwik-url directly (HTTP_REFERER not set) and if I get to the login page via a link (HTTP_REFERER set correctly).