Invalid CSRF token error when logging in to PHPWebAdmin


Post by mibyge » 2019-04-07 18:52

Hello.

I've been unable to use PHPWebAdmin/hMailAdmin for a while now because I get an "Invalid CSRF token." error when I try to log in.

I've tried multiple browsers from multiple devices (including the server), but it's the same error every time.

I've verified that the "rooturl" value in the config.php files matches the URL I use for login.

The server is a Windows Server 2016 with PHP Version 7.2.16, hMailServer 5.6.7 - Build 2425 and version 1.5 of hMailAdmin.

Any suggestions?

Thanks in advance.


Post by mattg » 2019-04-08 09:03

Simply clear browser cache and try again (or with another browser).
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation


Post by mibyge » 2019-04-08 22:34

mattg wrote (2019-04-08 09:03):
> simply clear browser cache and try again (or with another browser).

Thank you for the suggestion, but allow me to quote myself :wink:

> I've tried multiple browsers from multiple devices (including the server), but it's the same error every time.


Post by mattg » 2019-04-08 23:25

What webserver do you run PHPWebAdmin from? Is this the same machine that runs hMailServer?

Post by mibyge » 2019-04-10 22:25

mattg wrote (2019-04-08 23:25):
> What webserver do you run phpWebAdmin from? Is this the same machine that runs hMailserver?

I'm using IIS10 that comes with Windows Server 2016 and everything (web and mail) is on the same server.

It used to work fine for a long time, but it stopped working at one point. I unfortunately don't know exactly when, which would have helped the troubleshooting if I could have said it was after OS patching or something.


Post by mibyge » 2019-04-13 18:18

The issue has been resolved after doing some investigating via Process Monitor.

I found that an error was logged to the "php-errors.log" file with entries like the ones below.

[13-Apr-2019 18:00:35] PHP Warning:  session_start(): open(D:\path\to\PHPsessions\sess_aojhpmm6ahe2qe0p3ker1u4j06, O_RDWR) failed: Permission denied (13) in D:\path\to\domain\admin\initialize.php on line 8
[13-Apr-2019 18:00:35] PHP Warning:  session_start(): Failed to read session data: files (path: D:\path\to\PHPsessions) in D:\path\to\domain\admin\initialize.php on line 8

Checking the NTFS permissions on the PHPsessions folder, I found that for some reason I had only granted the local group "IIS_IUSRS" permissions to the folder, but not the local user "IUSR", which is actually the context that both the WWW service (w3wp.exe) and PHP (php-cgi.exe) are running as. The local user "IUSR" is not a member of the local group "IIS_IUSRS" on the server.

After giving the local user "IUSR" the proper permissions on the folder, it started working again.
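
Added example, not part of the original post and not hMailServer project code: a PowerShell check of the NTFS condition described above, reporting whether each account named in the thread has an Allow entry covering Modify on the PHP session folder. The path is the redacted one from the log; the Modify level, the parameter names and the optional -Grant switch are assumptions.

```powershell
# Added example. Placeholders/assumptions: $SessionPath (use session.save_path
# from your php.ini), the Modify level, and the optional -Grant switch.
param(
    [string]$SessionPath = 'D:\path\to\PHPsessions',
    [string[]]$Identities = @('IUSR', 'IIS_IUSRS'),
    [switch]$Grant
)

$needed = [System.Security.AccessControl.FileSystemRights]::Modify
$acl    = Get-Acl -LiteralPath $SessionPath

$report = foreach ($name in $Identities) {
    # Allow ACEs (explicit or inherited) that name this account directly and
    # cover Modify. Rights obtained through other groups are not evaluated here.
    $pattern = '(^|\\)' + [regex]::Escape($name) + '$'
    $allow = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match $pattern -and
        ($_.FileSystemRights -band $needed) -eq $needed
    })
    # Deny ACEs override Allow ACEs, so report them as well.
    $deny = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -match $pattern
    })
    [pscustomobject]@{
        Identity  = $name
        HasModify = ($allow.Count -gt 0)
        DenyAces  = $deny.Count
    }
}
$report | Format-Table -AutoSize

if ($Grant) {
    foreach ($row in $report | Where-Object { -not $_.HasModify }) {
        # (OI)(CI) = inherit to files and subfolders, M = Modify
        icacls $SessionPath /grant "$($row.Identity):(OI)(CI)M"
    }
}
```

Pass only the account PHP actually runs as in -Identities when using -Grant, then reload the login page and confirm that no new session_start() warnings appear in php-errors.log.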
