Invalid CSRF token error when logging in to PHPWebAdmin

Use this forum if you have installed hMailServer and want to ask a question related to a production release of hMailServer. Before posting, please read the troubleshooting guide. A large part of all reported issues are already described in detail here.
Post Reply
mibyge
New user
New user
Posts: 16
Joined: 2016-09-07 20:28

Invalid CSRF token error when logging in to PHPWebAdmin

Post by mibyge » 2019-04-07 18:52

Hello.

I've been unable to use PHPWebAdmin/hMailAdmin for a while now because I get an "Invalid CSRF token." error when I try to log in.

I've tried multiple browsers from multiple devices (including the server), but it's the same error every time.

I've verified that the "rooturl" value in the config.php files matches the URL I use for login.

The server is a Windows Server 2016 with PHP Version 7.2.16, hMailServer 5.6.7 - Build 2425 and version 1.5 of hMailAdmin.

Any suggestions?

Thanks in advance.

User avatar
mattg
Moderator
Moderator
Posts: 21109
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Invalid CSRF token error when logging in to PHPWebAdmin

Post by mattg » 2019-04-08 09:03

simply clear browser cache and try again (or with another browser).
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

mibyge
New user
New user
Posts: 16
Joined: 2016-09-07 20:28

Re: Invalid CSRF token error when logging in to PHPWebAdmin

Post by mibyge » 2019-04-08 22:34

mattg wrote:
2019-04-08 09:03
simply clear browser cache and try again (or with another browser).
Thank you for the suggestion, but allow me to quote myself :wink:

I've tried multiple browsers from multiple devices (including the server), but it's the same error every time.

User avatar
mattg
Moderator
Moderator
Posts: 21109
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Invalid CSRF token error when logging in to PHPWebAdmin

Post by mattg » 2019-04-08 23:25

What webserver do you run phpWebAdmin from? Is this the same machine that runs hMailserver?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

mibyge
New user
New user
Posts: 16
Joined: 2016-09-07 20:28

Re: Invalid CSRF token error when logging in to PHPWebAdmin

Post by mibyge » 2019-04-10 22:25

mattg wrote:
2019-04-08 23:25
What webserver do you run phpWebAdmin from? Is this the same machine that runs hMailserver?
I'm using IIS10 that comes with Windows Server 2016 and everything (web and mail) is on the same server.

It used to work fine for a long time, but it stopped working at one point. I unfortunately don't know exactly when, which would had helped the troubleshooting if I could have said it was after OS patching or something.

mibyge
New user
New user
Posts: 16
Joined: 2016-09-07 20:28

Re: Invalid CSRF token error when logging in to PHPWebAdmin

Post by mibyge » 2019-04-13 18:18

The issue has been resolved after doing some investigating via Process Monitor.

I found that an error was logged to the "php-errors.log" file with entries like below.

Code: Select all

[13-Apr-2019 18:00:35] PHP Warning:  session_start(): open(D:\path\to\PHPsessions\sess_aojhpmm6ahe2qe0p3ker1u4j06, O_RDWR) failed: Permission denied (13) in D:\path\to\domain\admin\initialize.php on line 8
[13-Apr-2019 18:00:35] PHP Warning:  session_start(): Failed to read session data: files (path: D:\path\to\PHPsessions) in D:\path\to\domain\admin\initialize.php on line 8
Checking the NTFS permissions on the PHPsessions folder, I found that for some reason I had only granted the local group "IIS_IUSRS" permissions to the folder, but not the local user "IUSR" which is actually the context that both the WWW service (w3wp.exe) and PHP (php-cgi.exe) is running as. The local user "IUSR" is not a member of local group "IIS_IUSRS" on the server.

After giving the local user "IUSR" the proper permissions on the folder, then it started working again.

tringstad
New user
New user
Posts: 12
Joined: 2011-12-12 19:49

Re: Invalid CSRF token error when logging in to PHPWebAdmin

Post by tringstad » 2020-04-11 11:03

I'm having tha same issue. Both phpwebadmin and hmailadmin set up with CSRF is failing. I eventually had to revert back to an older version of phpwebadmin to be able to use it.

My server setup is:
IIS 10
PHP 7.4.1 / 7.3.16 / 5.3.28 (not everything supports the newest php, so i need some versions to play with ;) )
mySQL 8.0.19 (hMailServer uses this)

I have tried with permission settings. I have tried with several PHP versions. PHP don't generate anything in the error-log. IIS don't generate any useful log-info. hMailServer-logs don't generate anything... I'm stuck...

I have googleg and read and tried, but no luck with any suggestions I have tried...

Is there anyone with any ideas as to get this to work?

User avatar
RvdH
Senior user
Senior user
Posts: 1139
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Invalid CSRF token error when logging in to PHPWebAdmin

Post by RvdH » 2020-04-11 11:46

Maybe look at the post above yours? Definitively seems a file permission error
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

tringstad
New user
New user
Posts: 12
Joined: 2011-12-12 19:49

Re: Invalid CSRF token error when logging in to PHPWebAdmin

Post by tringstad » 2020-04-11 12:01

If you read my post... I have tried alle permission settings. Tweaked and adjustet in all suggested places from this post and from other posts. Don't know any more where to try. Everything else is working fine on the server, just not this...

Any idea where to check the permissions? Maybe I have overseen some of them?

tringstad
New user
New user
Posts: 12
Joined: 2011-12-12 19:49

Re: Invalid CSRF token error when logging in to PHPWebAdmin

Post by tringstad » 2020-04-19 20:13

Still no luck... I have reconfigurede IIS. I have checked permissions over and over again. I can se that the token is being set and that it is placed in php session path, but nok luck... Nothing helps...

Think I'll have to give up for now... :?

tringstad
New user
New user
Posts: 12
Joined: 2011-12-12 19:49

Re: Invalid CSRF token error when logging in to PHPWebAdmin

Post by tringstad » 2020-05-10 18:06

I have suddenly found the answer! What are the chanses of anyone else ending up where i did...? Well see...

Here is what i found:
I had migrated to a new server, w19std with iis10. One of my motivations to upgrade was to boost security. Therefore I started up with php 7.4 on my IIS.

Suddenly, I remembered that when i was trying to make use of the remaked PHPWebAdmin (https://github.com/coax/hmailserver-webadmin) I got 1 error i "fixed" and didn't give any more thought.

The error was: "description: function get_magic_quotes_gpc() is deprecated". In PHP 7.4 that is...

So, i did a little google and made the errormessage go away. However. This broke the CSRF token function. Reversing this "fix" and letting an older PHP-version run the webadmin did the trick! I do hope someone smarter than me can make an upgrade to this so it will work with a newer version of PHP. As for now, I am running on PHP 5.3.x (!) to make it run as it should.

Anyway. I hope this might be helpful for anyone else going the same one-way-road to the point of giving up making it work... :oops: :wink:

User avatar
RvdH
Senior user
Senior user
Posts: 1139
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Invalid CSRF token error when logging in to PHPWebAdmin

Post by RvdH » 2020-05-10 19:46

I doubt it to related, although it depends how you fixed the magic_quotes thingy
i am using php 7.4 and removed, as shown here, the magic_quotes thingy
I have no issues with Invalid CSRF tokens
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

tringstad
New user
New user
Posts: 12
Joined: 2011-12-12 19:49

Re: Invalid CSRF token error when logging in to PHPWebAdmin

Post by tringstad » 2020-05-10 20:16

Yepp. You are absolutely right. comment out the RIGHT lines will do the trick! :oops:

Running on PHP 7.4.1 for now... :lol:

Post Reply