Token Is Not Valid - Dashboard Won't Load

I have been using Matomo with Wordpress for nearly a year with no issues. I have the latest version of Wordpress and Matomo plugin installed.

When clicking on “reporting”, the dashboard page attempts to load. The header loads at the top of the page, followed by a red bar across the top that says “Token is not valid”. The rest of the page remains blank. All other links (tag manager, settings etc. all report the same error.

Matomo is tracking visits and the summary page works fine and shows recent data, but the reporting page will not load any data.

Here are things I have already tried:

  • Cleared browser cache. Log out/back in
  • Tried several different browsers - same results.
  • Matopmo System Report - no errors or warnings
  • Matomo Diagnostics - cleared cach, sync users, sync site, run updater

When looking at the browser console inspector I see the following errors:

Refused to execute script from ‘https://xxxx.com/’ because its MIME type (‘text/html’) is not executable, and strict MIME type checking is enabled.

Possibly unhandled rejection: Token is not valid.
(anonymous) @ asset_manager_core_js.js?v=4.0.5?cb=5d790bb576dee577218a2d14bff3098d:200

Thanks in advance for any suggestions. This has been very frustrating and google searches have not yielded anything helpful.

Hi,

This one seems interesting. It seems like Matomo tries to load some Javascript, but instead of getting Javascript back, it gets HTML which might be because some PHP error occurs and displays an error message.

Can you try loading that URL and check if there is an error message displayed?

Also please check your PHP error log for potentiall errors

I didn’t find anything that looked related in my error logs.

In researching the problem, my understanding is that my server does strict mime type checking as a security measure, and Matomo is declaring text/javascript when it is really trying to load a java application. That causes the browser to see the strict mime type header from my server and refuses to load the script.

When I view the source code of the page I see this:

        <script type="text/javascript">
var piwik = {};
piwik.token_auth = "247b1278c74fa08fed

followed by a lot more code. I think that may need to say application/javascript to avoid the error. Unfortunately, I have not been able to follow the loading of that page by looking at the source code. I can’t find the source code that loads at that point. I’m not a programmer, but I know enough to get around a follow the logic. I also have full access to my server.

The server setting that sets the strict mime type checking is:
X-Content-Type-Options: nosniff

When I view the full header on the Wordpress/Matomo admin page I can see that that header is being sent. I have also found it in my server nginx config file. I tried removing the command and restarting nginx but it didn’t make a difference. I am using a custom Apache/Nginx/Varnish web server on Centos along with CWP 7 pro Web Panel, so it can get confusing sometime finding the proper config file.

Hi,

What is the URL that is shown in the error?

I think the issue is far more simple than what you listed: Matomo loads its Javascript files from https://matomo.example/index.php?module=Proxy&action=getCoreJs. Your browser expects to get a javascript file from this URL. But there is probably an error on this call and instead this URL returns an error message (which is not valid Javascript and therefore has the text/html mime type).

application/javascript is just an outdated MIME type for javascript
https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages says

Servers should use text/javascript for JavaScript resources. Servers should not use other JavaScript MIME types for JavaScript resources, and must not use non-JavaScript MIME types.

This is just a completly different security feature and I’d recommend you to keep it in the config. The bug isn’t that the browser doesn’t want to execute the HTML returned as javascript, but that the server is sending HTML instead of Javascript.

Lukas,

Thank you for your input. The URL that throws the error is:

https://xx.com/wp-content/plugins/matomo/app/index.php?module=CoreHome&action=index&idSite=1&period=day&date=yesterday

I don’t think that has ever changed. The top of the page loads, including the search box, site, date and segment info. Then a red horizontal bar appears that says “Token is not valid”. That bar stays for a few seconds and then fades out and disappears.

I was able to temporarily turn of that feature in my server config. It did not solve the problem but it did eliminate the “refused to execute script error”. However, I then found two new errors:

Uncaught SyntaxError: position.min.js:1 Unexpected token ‘<’
Uncaught SyntaxError: widget.min.js:1 Unexpected token ‘<’

I just realized that I should have posted this in the Wordpress Plugin forum. Sorry about that. I’m sure that changes the scope of the problem. I have had a number of problems with jquery and plugins since the Wordpress 5.5 update. They have all been resolved now until this issue popped up. I have also tried disabling other plugins but that had no effect.

Hi,

Sorry, I wasn’t precise enought. I don’t mean the URL of the page with the issue, but the URL in the error in the console.

As I said before that feature isn’t the issue, now that you disabled it your browser is happy to execute the invalid Javascript and fails at it as it isn’t javascript, but instead HTML with an error message (therefore the <). So either look at the response in the network tab of your browser developer tools to see what exactly is this error message or look at the server error log.

There were a couple of errors that pointed to files. I don’t remember the exact errors, but I believe one was a file called position.js. When I looked for the files they didn’t exist in the directory the url was pointing to.

I have since moved in a different direction. As I thought about using Matomo inside of Wordpress, I realized there were other problems along the way. At some point the heatmap quit working and I could not get email reports to work. These things all happened with Wordpress updates, most notably with the Wordpress 5.5 update.

I also was trying to use Matomo as a Wordpress plugin with a very busy site. We get nearly a million pageviews per month and the Matomo integration was just adding to the Wordpress load.

I have a robust dedicated server so I decided to install Matomo as a standalone product instead of a Wordpress plugin. The installation was quick and easy and now I am monitoring the same site with no issues. Every Matomo problem I had encountered went away when I removed it from the Wordpress enviroment.

For a smaller Wordpress site with fewer plugins the Matomo plugin is a great idea. It just didn’t work for me and I was spending way too much time chasing really odd problems.

Thank you for all the help. I love the Matomo product.