"Form security key" error message


I’ve installed the newest version (0.6.1) and since then I cannot log in to Piwik…
When I try to log in, I have this message:

Form security key is invalid or has expired. Please reload the form and check that your cookies are enabled.

I tried to delete all cookies, IE, Firefox, etc… Nothing works
The cookies are on.

Do you have any idea?


Try: http://dev.piwik.org/trac/changeset/2195

Hi, I’m suffering the same problem as originally described. I’ve added the line to Url.php as shown in the link, but it doesn’t appear to have made any difference.

Is any further action required (e.g. a restart of Apache)?

You didn’t include any description or explanation with the suggested change, so I’m not sure exactly why it’s required or what it is fixing.

BTW: Thanks for a fantastic tool :slight_smile:

Just to be clear (since you wrote “add”), that patch replaces two lines with a single line.

The change uses the X-Forwarded-Host in the header (when present) instead of the web host name.

[quote=vipsoft @ May 26 2010, 05:31 PM]Just to be clear (since you wrote “add”), that patch replaces two lines with a single line.

The change uses the X-Forwarded-Host in the header (when present) instead of the web host name.[/quote]

Aha! That’s worked. Sorry, I should have paid closer attention to the highlighting in the patch.

Thank you for a quick response :slight_smile:

I get the same error during login with 0.6.2, and the lines in Url.php are quite different now. Is there another patch I can apply for the current version?

I’m seeing the same problem right now, with the latest Piwik (1.0)…

After some debugging in verifyNonce(), this turned out to be because I was running piwik at https://localhost:4444, and getAcceptableOrigins() needs the “HTTPS” FCGI param to be set to ‘on’.

Thanks yang. I’ve made changes in trunk to better handle this:

I am having this error as well. I don’t run my Piwik under https though, so I don’t think yang’s fix will help me any. I first had it with 0.6.3 but then I upgraded via console to see if that would help any, so now I run 1.0.

I needed to log in, so I worked around this authentication just now that I needed to log in.

Line 69 of core/Nonce.php was “return false;”, to work around this bug I changed it to “return true;”

Maybe this helps the developers debug?

Lines 68-69 are the verification of the hidden field on the login form. Your change means you now have no CSRF protection.

Can you PM your phpinfo? I’ll see if I can determine the cause.

I am aware of the security implications and therefore I restore the php-file to the original state after I have successfully logged in. I advise everyone else to do the same.

If you fix this one I’ll show you some love and buy you a beer. :slight_smile:

Hi all
Maybe you should update your browser and refresh the page.
Best Regards.

It seems like this happened to me because I had my web server set up behind load balancing, high availability proxy and caching (Varnish). And the setup I had did not relay the expected header to Piwik. This was not a bug in Piwik in my case. Just wanted to let people know that. :slight_smile:

Have a happy new year.

So, what is the solution to this problem? I have exactly the same with my new install, running on Apache 2.4 behind a load balancer. Changing the nonce.php to always return true on the token validation allows me to login.

A permanent solution would be nice…

The solution is to fix your server configuration so that the headers/cookies are properly set.
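
The failure modes reported in this thread (missing “HTTPS” param, proxy not relaying the host header), shown as an added PHP example that is not part of any post and is not Piwik’s code. It assumes the form check compares the browser’s Origin header with the origin the application derives from its server variables; `acceptableOrigins`, `verifyFormToken`, the trusted-proxy list and all hosts and addresses are hypothetical or constructed.

```php
<?php
// Added illustration, not Piwik source. Function names and $trustedProxies are hypothetical.

/** Origins the application believes it is served from, derived from server variables. */
function acceptableOrigins(array $server, array $trustedProxies): array
{
    $fromProxy = in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true);
    $https = strtolower($server['HTTPS'] ?? '') === 'on';
    $host = $server['HTTP_HOST'] ?? '';
    // Forwarded headers are client-controlled unless a known proxy set them.
    if ($fromProxy) {
        $host = $server['HTTP_X_FORWARDED_HOST'] ?? $host;
        $https = $https || strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
    }
    return $host === '' ? [] : [($https ? 'https://' : 'http://') . strtolower($host)];
}

/** Fail closed: the token must match and the browser's Origin must be one we serve. */
function verifyFormToken(string $expected, string $submitted, array $server, array $trustedProxies): bool
{
    if ($expected === '' || !hash_equals($expected, $submitted)) {
        return false;
    }
    $origin = strtolower($server['HTTP_ORIGIN'] ?? '');
    return in_array($origin, acceptableOrigins($server, $trustedProxies), true);
}

// Constructed requests; addresses are from documentation ranges.
$token = bin2hex(random_bytes(16));
$proxies = ['192.0.2.10'];
$cases = [
    'direct https, HTTPS param set' => ['REMOTE_ADDR' => '198.51.100.7', 'HTTPS' => 'on',
        'HTTP_HOST' => 'stats.example.org', 'HTTP_ORIGIN' => 'https://stats.example.org'],
    'direct https, HTTPS param missing' => ['REMOTE_ADDR' => '198.51.100.7',
        'HTTP_HOST' => 'stats.example.org', 'HTTP_ORIGIN' => 'https://stats.example.org'],
    'proxy does not relay host' => ['REMOTE_ADDR' => '192.0.2.10',
        'HTTP_HOST' => 'backend.internal:8080', 'HTTP_ORIGIN' => 'http://stats.example.org'],
    'proxy relays X-Forwarded-Host' => ['REMOTE_ADDR' => '192.0.2.10',
        'HTTP_HOST' => 'backend.internal:8080', 'HTTP_X_FORWARDED_HOST' => 'stats.example.org',
        'HTTP_ORIGIN' => 'http://stats.example.org'],
    'untrusted client sends X-Forwarded-Host' => ['REMOTE_ADDR' => '198.51.100.7',
        'HTTP_HOST' => 'stats.example.org', 'HTTP_X_FORWARDED_HOST' => 'other.example.net',
        'HTTP_ORIGIN' => 'http://other.example.net'],
];
foreach ($cases as $label => $server) {
    printf("%-42s %s\n", $label, verifyFormToken($token, $token, $server, $proxies) ? 'accepted' : 'rejected');
}
```

Every rejected case carries a valid token; only the server-side view of the origin is wrong, which is why the remedy is in the proxy or FastCGI configuration and not in the check.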