Can't Login to Piwik: Form security failed

Or is there anything wrong with the configuration of the web server?
Here is the current state of affairs:


I would really appreciate your help!

Can you try cleaning the cache? tmp/assets and tmp/template_c

Apache looks fine.

The tmp/assets directory was empty and stays empty.
Removing everything from tmp/template_c did not change
anything at all :frowning:

Any other ideas? I still cannot log in :frowning: Please help if you can.

Sorry not sure at this stage. Consider contacting: for professional help

phlipp, did you managed to work this thing out?

no :frowning: still unsolved.

I guess I have to live with the fact that I can only use the mobile app.

After completely setting up the whole system from start (including apache, php, mysql, …) and with the latest distribution, the problem has gone away. Whatever has caused the problem, it is gone :slight_smile:

Thanks for your support.

Sorry to resurrect this thread but I have the same issue. I have tried using different browsers (IE, FF, Chrome), and made the mods suggested by vipsoft, and I have enabled cookies, without any success. I reinstalled piwik and was then able to login however after restarting the browser I get the form security error again. Is there a known fix for this?

Here is the Headers info from Chrome dev tools, do you see anything amiss?

Request URL:
Request Method:POST
Status Code:200 OK
Request Headersview source
User-Agent:Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36
Form Dataview sourceview URL encoded
Response Headersview source
Cache-Control:no-store, must-revalidate, private, no-store, no-cache, must-revalidate, no-transform, max-age=0
Content-Type:text/html; charset=utf-8
Date:Tue, 30 Jul 2013 11:01:42 GMT
Server:- Web acceleration by
Set-Cookie:PIWIK_SESSID=71504ccc576010b36325ed1b9fa2cd; path=/;; HttpOnly
Via:1.1 varnish

I believe I found the problem - in my php.ini I had session.cookie_domain = “”.

I changed that to session.cookie_domain = “” and was able to login.

I had the same problem. In my case it worked again after I commmented
session_save_handler = "dbtable"
so it saves in filesystem (default) again. After that I could login again without problems.

After trying to find the error (I had to set session_save_handler = “dbtable” because otherwise Piwik is really slow), I found a workaround:
Comment the lines 109 - 112 of core/Session.php (Piwik 2.0.3):
/$saveHandler = new DbTable($config);
if ($saveHandler) {

Then the login works again. I think there is a bug in validation. Should be something for the bugtracker.

I had the very same error today.

After reading here and knowing that it may be caused by a problem with the referrer, I suddenly had an idea:

I opened piwik through https instead of http - and it worked.

Clearing the Chrome browser cache fixed it for me.

Yeah fixed it for me too, tq for share

sorry the last post was in 2015 but i have the same problem with piwik 3.0.2

I have test it with all actual different browsers. i have add these lines

proxy_client_headers[] = HTTP_CLIENT_IP
proxy_client_headers[] = HTTP_X_FORWARDED_FOR

to my config.ini.php clear all caches but it does work. I have installed piwik again and all piwik installation checks are green but it does work.

i use a letsencrypt ssl certificate and have try to add these line

force_ssl = 1

but it does work. I don’t have a idea. can anybody help me i try it for a lot of days :frowning:


sorry I forgot

i have delete too.

I try to login with Piwik android app and that is working now only with desktop browser is impossible i don’t know where is the problem

I have just migrated Matomo to Cloudways and am having the same problem.
It is now in a subdirectory of a domain with WordPress, if that matters…
Piwik worked for me flawlessly on 1&1 and Siteground…

I have tried Opera, Chrome, Edge, Firefox - all the same. Paused Cloudflare, but it didn’t help.
But I can log in on the Android app, for what it’s worth.

Any new ideas?

BTW, I just clicked on “Forgot password” and another screen shows up asking for username/email and below the new password and the new password again for confirmation. No email with a password-reset link. It looks like anybody who knows the URL and the username or email can reset the password. But I can’t, because I get the same error message as with a login attempt about cookies and proxies.

I have this problem too. Unfortunately, most of the discussion in this thread is too technical for me. I dont’ know what most of it means. Although I see some reference to the referrer header.

I used to use a Firefox plugin that blocks the referrer header. But I’ve switched to SeaMonkey, which as of yet, does not have such a plugin. But I still get the error anyway.

However, I did find a way around the problem (clearly by luck!).

When I see the login page, the URL in browser address field is twice longer than the field. Huge string of url and I have no idea what most of it means. But if I change the address to just the raw page address (such as h…ps:// then I’m allowed to log in.

Can someone explain in a simple way, how I can fix this? Even with the lucky workaround, it still would be nice to just log in.

Thanks :slight_smile:

Edit - note that I’m still using 2.15 - would upgrade fix it?