The CSRF protection key did not match - Cloud

[Como]

Quote

The CSRF protection key did not match. This may indicate a plugin or theme is out of date. Please contact technical support for more information

I had this problem a few months ago. That time, it was due to an addon. It happened again a few days ago, but I had not updated the core of any addons (and still have not). Further, it was occurring only with Edge. The solution was to delete Edge cookies for my site. I logged in again a few minutes ago - no problem. Did a couple of things but received the error message when I visited the home page. I can continue to navigate other pages, post comments, etc. I can also access the ACP.

I can login and access all pages using Firefox.

I've cleared my cookies again - and again, everything now functions normally. Except, I have a consistent problem with logging in - and members have complained about this too - login fails and I must login via the domain.com/login page. I should also add, when I first logged in today, I did not receive the usual login error to the /login page.

[Marc Stridgen]

While I understand what you are saying about not having updated any addons, you have updated our software. So if something is no longer compatible with the latest release, of course it could cause issues. So our advice would still be to disable all 3rd party items, including theme while you are testing

[Como]

Hi @Marc Stridgen

It had been some time since I updated the core - there was no corresponding login problem. Unless I am very much mistaken, I updated to the core 2-3 weeks ago - the CSRF problem first occurred a few days ago.

[Marc Stridgen]

Im a little lost there. According to our records you appear to be on 4.7.15?

[Como]

10 minutes ago, Marc Stridgen said:

Im a little lost there. According to our records you appear to be on 4.7.15?

Hi Marc,

I am not certain when I updated the core, but I note that 4.7.15 was released on January 23rd, which fits with my recolection of last updating the core 2-3 weeks ago. The CSRF error only started a few days ago.

[Como]

@Marc Stridgen I am trying disabling various addons and features to see if I can pin down the problem. Thinking about it, although as I recall the timing does not match, I have recently enabled some blocks - perhaps there is conflict with one of those and an addon.

Since the error is triggered inconsistently, this might take a while.

[Jim M]

You would want to ensure you did not create an custom blocks either which reference something as that can create conflicts as well.

[Como]

1 minute ago, Jim M said:

You would want to ensure you did not create an custom blocks either which reference something as that can create conflicts as well.

Unlikely an issue issue given my very limited use of blocks (they are mostly just tests). But I'll keep this in mind. Thanks.

[Como]

Well. After several days of normal operation, I experienced problems again today with the CSRF error. I disabled addons, but it made no difference. But, again, I could login using Firefox (I had been using Edge). Using FF, I removed any blocks from the front-end - still no joy. Only when (like before) did I delete the cookies for my site from Edge could I login.

I've re-enabled everything except for one small change and will see what happens. Again, I have not updated the core or any add-ons - it is the inconsistency which is frustrating. And why does this apparently only affect Edge or (or its stored cookies my my site)?

[Marc Stridgen]

Unfortunately, as before, we are unable to replicate the issue on a stock install. 

[Como]

Hi @Marc Stridgen. I understand.

I keep being logged out every so often. Though, it would seem, only with Edge (with subsequent CSRF error too). I was logged with Edge and Firefox at the same time - my FF session so far is unaffected.

Edited February 22 by Como

[Marc Stridgen]

Even with edge. I use this on a daily basis. 

[Como]

I've been logged out of FF too. This time, I took a closer look at something which occurred with an earlier login, and now again. When I login, I receive a PM notification, but it is from the 4th Feb. This has happened with both browsers. I presume the cause is connected with me being repeatedly logged out.

[Marc Stridgen]

The only option here at present would be to run default for a while to see if its still happening. I realise that the situation there would mean a stock theme for quite a while for your members, however there really isnt any other way you are going to find the issue, and it does seem to be just for you unfortunately

[Como]

Thanks, @Marc Stridgen

There is an extra complication as one of the bespoke addons improves privacy for members. I cannot simply disable this. So, I'll have change permissions so that guests and search engines cannot access any content. I really wished to avoid this. And, given Google's de-listing policies, I cannot run the site like this for long.

[Randy Calvert]

FYI… if it’s a privacy plugin, there is a reasonable chance it is doing stuff with sessions that could be causing the issue. 

I don’t know the plugin and I don’t know your install, but if it were me… I would personally start my troubleshooting with things that have the potential to play with sessions, session tracking, or activity state change. 

[Como]

Hi @Randy Calvert

The plugin just obfuscates (partially redacts) usernames. It does not - as far as I know - act on sessions.

It looks like I will have go to stock code except for this plugin. If the problem persists, then I'll have no choice but to change access permissions for every part of the community, and for a maximum of 24 hours to avoid content being de-listed.

Edited February 22 by Como

[DawPi]

3 hours ago, Randy Calvert said:

I don’t know the plugin and I don’t know your install, but if it were me…

I know. 😉

That mod do not touching anything related to sessions etc.

[Como]

24 minutes ago, DawPi said:

I know. 😉

That mod do not touching anything related to sessions etc.

As I expected. But good to have it confirmed. 😉

I'll probably properly test out the platform tomorrow.

[Como]

Last Thursday evening, I switch my own account to the IPS theme. Although I have done nothing to theme except add a little CSS, and added the Trim Empty Lines plugin, I thought it worth a try. I was still logged out a little later.

However, I was not logged out when I returned Friday morning. And I have not been logged out since. I am at a loss to explain this. Of course, the intermittent nature of this makes determining the cause almost impossible.

And there was nothing in the logs corresponding with the logouts.

[Marc Stridgen]

Its difficult to know how we can really assist you here unfortuntely. As its very intermittent, and only seems to be happening on your end, there isnt really any way for us to investigate.

[Como]

Hi @Marc Stridgen

I've been logged out 2-3 times today. This is much less than last week (and no problems Friday through Monday). Nothing in the error logs.

I also have a general problem where the initial login attempt fails, and I can only login at the /login page. But, today, I could login at my first attempt. What I did not mention last week is that I would receive occasional notifications which are way out of date. I've now been logged in again for a few hours without being logged out. All these problems seem session-related to me. And happen in two different browsers, and even on a different computer.

I've made no changes. The intermittent nature of these problems makes no sense to me.

Edited February 27 by Como

[Jim M]

Do you have any browser extensions installed which may be deleting cookies? Whether intentionally or not. 

[Como]

11 hours ago, Jim M said:

Do you have any browser extensions installed which may be deleting cookies? Whether intentionally or not. 

I make very little use of extensions. I can (and will) disable what I have (even though none obviously affect cookies). However, since this occurs in two different browsers, and at the same time, this seems highly unlikely.

[FanClub Mike]

I have a member having a similar problem where they're constantly getting logged out. They're using Firefox as well, and they're on Rodgers Internet.

Before are my enabled plugins and applications if you want to see if there's any overlap.

Applications:

- Topic Thumbnails

- Font Awesome 6

- Antispam by Cleantalk

Plugins:

- Delete all system logs button

- Legend News

- Live Topics

Edited March 3 by FanClub Mike