Logging in: "The CSRF protection key did not match."

[Bernie Hogya]

I have the exact same problem. Is there an easy fix?

[Marc Stridgen]

I have split this into its own topic for you. Could you please disable all 3rd party items in the first instance, and let us know if you are having the same issue when all 3rd party items are disabled?

[Vegan Gaymer]

Same issue here. I updated my privacy policy and required users to agree with the updated terms and we get this error.

[Marc Stridgen]

On 10/16/2021 at 5:47 PM, Vegan Gaymer said:

Same issue here. I updated my privacy policy and required users to agree with the updated terms and we get this error.

Could you please confirm are your users getting this logging in, or are you getting it when you update the terms?

[Marc Stridgen]

Did you manage to resolve this, @Vegan Gaymer ?

[Circo]

My users have been reporting this same error for sometime now while logging in. Once they get the error they can click on any link in the menu and they are logged in.  This morning while working on my site; I was finally able to capture the error myself.  I went through and disabled applications/addons one at a time and tested.  Nothing fixed the error.  I also re-did Privacy Policy information and nothing changed either.

[Jim M]

20 minutes ago, Circo said:

My users have been reporting this same error for sometime now while logging in. Once they get the error they can click on any link in the menu and they are logged in.  This morning while working on my site; I was finally able to capture the error myself.  I went through and disabled applications/addons one at a time and tested.  Nothing fixed the error.  I also re-did Privacy Policy information and nothing changed either.

Did you switch to an unmodified theme (if applicable) too to test? Are you noticing this on specific users or all users? If specific, could you please let me know their display name(s)?

[Circo]

3 minutes ago, Jim M said:

Did you switch to an unmodified theme (if applicable) too to test? Are you noticing this on specific users or all users? If specific, could you please let me know their display name(s)?

Well, sortta... The theme I'm using is the default IPS theme that I've modified a little for a larger header.  As far as I can tell; this seems to happen for all users as well as myself. It only happens if the user is logging in from the main URL (I guess it's an articles page), but does not happen if using the /forums url.

[Jim M]

41 minutes ago, Circo said:

Well, sortta... The theme I'm using is the default IPS theme that I've modified a little for a larger header.  As far as I can tell; this seems to happen for all users as well as myself. It only happens if the user is logging in from the main URL (I guess it's an articles page), but does not happen if using the /forums url.

I would suggest trying this first with an unmodified theme as even the smallest changes to a template can cause the upgrader to not upgrade that template and it could be missing code changes from version to version. Each upgrade a theme needs to be double checked for compatibility issues, I'm afraid.

I would recommend also checking and removing any custom .htaccess entries you have any leaving just the ones that come with our software in case something is causing an issue there.

[Circo]

On 11/17/2021 at 1:26 PM, Jim M said:

I would suggest trying this first with an unmodified theme as even the smallest changes to a template can cause the upgrader to not upgrade that template and it could be missing code changes from version to version. Each upgrade a theme needs to be double checked for compatibility issues, I'm afraid.

I would recommend also checking and removing any custom .htaccess entries you have any leaving just the ones that come with our software in case something is causing an issue there.

Jim,

I've done everything suggested and still getting this error. I've used unmodified theme, disabled all 3rd party apps, etc. If i go to my site  mysite.com/forums I am able to log in and navigate the site just fine.  If I go to mysite.com it shows me as logged out. If I click to login from mysite.com it gives the CSRF error. I am not using any custom .htaccess files other than the one that come with IPS. 

It appears that I am not able to change the default app either. My default app is currently pages with articles page. I was thinking that going to mysite.com should use the default app. I tried changing the default app to forums, but it still shows the old pages/articles page.  I deleted the page so now anyone going to to my main url are getting "The page you requested does not exist".

I don't know if these are different problems or if they are part of the same. I'm not sure what else to check or do.

[Marc Stridgen]

Please could you let us know which site this is on?

[Circo]

On 12/13/2021 at 4:15 AM, Marc Stridgen said:

Please could you let us know which site this is on?

vpuniverse

This also seems to happen sometimes when accessing admin.  I can't seem to duplicate the admin one as easily as I am the main site one.

[Marc Stridgen]

Could I ask, are you able to repicate this yourself on the front end? I cannot login as unfortunately the access details on file are incorrect

[Circo]

On 12/14/2021 at 10:11 AM, Marc Stridgen said:

Could I ask, are you able to repicate this yourself on the front end? I cannot login as unfortunately the access details on file are incorrect

Login details have been updated. 

Yes, I am able to duplicate the front end issue on a regular basis.  Login to the main domain using /forums.  Then go back to the main URL, you'll see that you are not signed in (you really are though if you go to /forums), click sign-in.  You should get the CSRF response.

[Marc Stridgen]

Could you please check on your server to ensure that no caching is enabled on there. If it is, please disable while testing this.

[Circo]

4 minutes ago, Marc Stridgen said:

Could you please check on your server to ensure that no caching is enabled on there. If it is, please disable while testing this.

I have caching on via Cloudflare.  I've changed it to development mode for now as well as took the forums offline, but your login should still login.

[Jim M]

Is there a specific URL which you have bookmarked or are using when this happens? Unfortunately, when logging in with the credentials provide on both the front-end and ACP, I am not encountering this error.

[Apfelstrudel]

From time to time I have the same issue when pressing „mark site read“.

It appears only since update to 4.6.9.

I can‘t reproduce it exactly but never had it in the past before the update.

[Marc Stridgen]

We need exact URLs when these issues are occurring if possible, then we can advise accordingly.

[Apfelstrudel]

Marc, you have our URL in your backend. It happens in the unread content stream but only from time to time. 

Edited December 17, 2021 by Apfelstrudel

[Circo]

18 hours ago, Jim M said:

Is there a specific URL which you have bookmarked or are using when this happens? Unfortunately, when logging in with the credentials provide on both the front-end and ACP, I am not encountering this error.

No, it's not with a bookmark.

I'm able to duplicate this each and every time.  Even tested from a friends computer that I've never used before.  I go to vpuniverse.com, log-in, it takes to /forums. Go back to vpuniverse.com, not using back button but going to main domain directly. It shows user not logged in. Log-in, get CSRF response. It doesn't matter if it's my account or my test user account that's setup for you.

[Apfelstrudel]

BTW I get the same CSRF error when using the original unmodified theme. 😉

My normal use case is: Opening unread content stream and pressing „mark site read“. 😉 -> CSRF error (sometimes)

Edited December 17, 2021 by Apfelstrudel

[Matt]

The most common reason for a CSRF failure would be a change of session ID. Have you noticed any issues with sessions recently?

[Apfelstrudel]

No, I didn‘t have. Only since 4.6.9 and also with the original theme. 

[Circo]

23 hours ago, Matt said:

The most common reason for a CSRF failure would be a change of session ID. Have you noticed any issues with sessions recently?

 I have not, but not quite sure what to look for exactly.