Locked out of Matomo - Again

# First, deny access to all files in this directory
<Files "*">
<IfModule mod_version.c>
	<IfVersion < 2.4>
		Order Deny,Allow
		Deny from All
	<IfVersion >= 2.4>
		Require all denied
<IfModule !mod_version.c>
	<IfModule !mod_authz_core.c>
		Order Deny,Allow
		Deny from All
	<IfModule mod_authz_core.c>
		Require all denied

Found this in my .htaccess and everything works now that I removed it. Problem is that I don’t know how it ended up there in the first place. It happens every time I clear my browser cookies.

It’s happening to me too. Which .htaccess did you delete? From what folder?

What I mentioned earlier isn’t a solution because you’ll be locked out again if you clear your cookies. To answer your question, there is an .htaccess in the matmo/config directory that has deny all directives. Deleting that may get you into matomo for now, but you’ll be locked out again if you clear cookies from your browser.

We need a real detailed solution. The .htaccess file is generated by Matomo so I don’t know why there isn’t an option to turn off that kind of security. Not sure if this is a Matomo or Openlitespeed issue.

Also experiencing this issue after recent upgrade to 4.0.3 - Ubuntu/Nginx. Yet another crippling/show stopping regression.

@Lukas you mentioned Nginx as if this is a known issue. Could you please link any current workarounds?

I think its an ssl issue - potentially.
If I set up a matomo instance it will work all day until finally it locks me out if I clear my cache/cookies. I can only get in if I connect it to cloudflare and add
proxy_client_headers[] = HTTP_CF_CONNECTING_IP - after some time it will let me log in.

The problem is that my site has ssl and I don’t need cloudflare. I’m also not behind a proxy to my knowledge. I’m using openlitespeed with quic.cloud. Or maybe quic.cloud is a proxy but I have no idea what to put in my config in order to make it work.

The one nginx issue I am aware of is the one I described here:

Same issue using Apache. No luck after deleting the .htaccess file in matomo/config. I did also try the various proxy_client_headers settings. Locked out in all cases.
Any hint? Thanks in advance

I have a matomo.domain.com instance, so using cloudflare for that particular domain seems to work for me. Use proxy_client_headers[] = HTTP_CF_CONNECTING_IP in config.ini
Wont work immediately but if you check back in 30min to an hour it should let you in.

Ah. Didn’t think about waiting long enough. Thanks for the hint. I’ll try that.

Still no luck. Didn’t make a change.
I can see from other posts in the forum that this issue is shared by several other folks.
Could we get some feedback (and hopefully a fix) from the Matomo team? Thanks in advance.


A quick idea: Did you try deleting all cookies from the Matomo domain?

Yes, did that too.
I’ve just tried upgrading to 4.0.4. The whole process went smoothly (I even had the config.ini regenerated), but I still can’t login through the browser.
I’m using the very standard version of the product, no customisation, no addition, no nothing. The app runs on a shared host (ionos 1and1) which I do not control at all, if that is of importance.
My understanding though is that the issue doesn’t seem related to the database, and until now I’ve never bumped into questions related to the use of proxies, so I doubt it is the case here.
Any idea on the possible cause? Thanks

Having the same problem with all client websites at Ionos 1and1.

I have the same problem:

After updating to Matomo 4.0.4, I can no longer log in.

I get the error message:

Error: security checks failed. Please reload the form and check whether your browser allows cookies. If you use a proxy server, you have to set up Matomo so that it accepts proxy headers.

I’ve already tested the tips from https://matomo.org/faq/how-to-install/#faq_98.

I am on an Ionos 1and1 managed server.

Does anyone know a solution?

Hi @GFC, @AndreasBW and @Lamy,

Do you use HTTPS? Is your Matomo installed in the root directory or some subdirectory (e.g. https://yoursite.example/matomo/)?

The solution is: Login from https://domain.com instead https://www.domain.com.

Does not work for none of the accounts. Both domain types (with and without www) are included in config.inc.php as trusted_hosts[]. By standard we have a routing included on www by htaccess. All are on SSL. But that shouldn’t be the problem. Any other ideas?

Matomo is installed in a subdirectory.

Thanks, Daniel. Login from https://domain.com does work.
Even though www.domain.com is declared as a trusted host in the config.ini.php, login through www doesn’t work.
@Lukas, Matomo is in a subdir, and it is accessed over https.

1 Like


Could you maybe also tell us which exact package you are using at 1&1?
I am assuming you are referring to www.ionos.de, right?