#1 2021-12-06 15:34:07

dmmedia
Member
2021-11-13
5

[resolved] Invalid security token while trying to upload photos

Hello,

I have freshly installed Piwigo 12.1.0.
I have successfully created the first album and uploaded 12 photos.
After that I visited the album and checked the photos.
When I tried to go back to the album photo upload web form, Piwigo logged me out.
When I tried to log in, Piwigo kept redirecting me to the gallery main page for a while.
Once, I logged in again successfully and got into the upload web form.
Now when I try to upload photos, Piwigo just prints an "Invalid security token" message for each photo and progress stalls at 0%.
On the next tries, I selected all photos again and only a few were uploaded, then the "Invalid security token" error started coming again.
When I try to remove some of the uploaded photos from the album, I get another error: "You are not authorised to access the requested page." Both links, Identification and Home, redirect to the gallery main page.
I have only a single admin user for my gallery.
I have Piwigo running in Apache, which is behind Nginx. Nginx is configured to serve the _data/i and _data/combined folders from disk and everything else from the Apache backend without caching.

Environment

    Piwigo 12.1.0
    Operating system: Linux
    PHP: 7.4.26 [2021-12-06 16:12:30]
    MySQL: 8.0.27 [2021-12-06 16:12:30]
    Graphics Library: External ImageMagick 6.9.10-68
    Cache size N/A   never calculated

Activated plugin list 0

    No plugin activated

Piwigo URL: https://gallery.dmmedia.org/

Last edited by dmmedia (2021-12-07 11:26:03)


#2 2021-12-06 20:17:41

dmmedia
Member
2021-11-13
5

Re: [resolved] Invalid security token while trying to upload photos

I have added the following debug output to pwg.images.php:ws_images_upload() inside the first if() statement:

error_log("Invalid security token: '" . get_pwg_token() . "' vs '" . $params['pwg_token'] . "'");

Then I tried to upload several photos, and the collected log showed that the first token, generated by get_pwg_token(), is always unique and different from pwg_token.

pwg_token is always the same for each photo being uploaded.

If I try uploading photos one by one, then pwg_token mostly lags get_pwg_token() by 1 request. In other words, when get_pwg_token() expects new token, pwg_token represents previous value, but not always.

I am not sure if it is related to some sort of caching or something else.

I'd appreciate it if somebody could navigate me through debugging, since while I can read and write PHP and change server settings, I do not yet understand the Piwigo code structure well.


#3 2021-12-07 10:47:44

dmmedia
Member
2021-11-13
5

Re: [resolved] Invalid security token while trying to upload photos

It seems that after some tinkering I have nailed down the cause of the issue, but I am still not aware of how to fix it.

I have searched for 'pwg_token' within the '_data/combined' directory, and many scripts seem to take 'pwg_token' from a hidden field in the HTML page.

I have checked the XHR communication, and while 'pwg_token' is sent with the photo being uploaded, the server response does not contain an updated token. So the next photo is sent with the same token, and now the server sees that the token is different and responds with 'Invalid security token'.

Now there are questions for the developers:
Should the server generate a new 'pwg_token' for each request?
Should the token be updated after each photo upload?

I still do not understand why I could upload all selected photos the first time.

As an addition, I have updated my other galleries to 12.1.0 and all started to exhibit similar behavior. The previous 2.x version was working mostly properly. It seems that the changes in 12.1.0 have either some incompatibility with my settings or an issue in the code.


#4 2021-12-07 11:25:32

dmmedia
Member
2021-11-13
5

Re: [resolved] Invalid security token while trying to upload photos

OK, it seems that I have fixed the problem.

It is indeed a configuration problem, but the previous code allowed this configuration, while the new code is much stricter about it.

My Apache httpd config contained a Listen directive with only the port set, e.g. Listen 1234.

Now when I checked the logs, I noticed that the Nginx reverse proxy, while being configured to talk to the 127.0.0.1 backend, uses IPv4 and IPv6 addresses intermittently.
Then I noticed that Piwigo sessions are IP address sensitive.

I have reconfigured Apache httpd to listen on an explicit IPv4 socket, 127.0.0.1:1234, and now have no more issues uploading photos, deleting photos, or deleting albums.
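
One way to confirm the condition described in post #4 from the backend's own access log, as an added example that is not part of the original thread or of Piwigo's code. It assumes an access log whose first field is the peer address the backend saw (the reverse proxy); the sample lines, request paths and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of backend access-log lines (not taken from the thread).
# First field = peer address seen by the backend, i.e. the proxy's source address.
SAMPLE_LOG = """\
127.0.0.1 - - [07/Dec/2021:10:01:02 +0000] "POST /example/upload HTTP/1.0" 200 153
127.0.0.1 - - [07/Dec/2021:10:01:03 +0000] "POST /example/upload HTTP/1.0" 200 153
::1 - - [07/Dec/2021:10:01:04 +0000] "POST /example/upload HTTP/1.0" 200 97
127.0.0.1 - - [07/Dec/2021:10:01:05 +0000] "POST /example/upload HTTP/1.0" 200 97
::1 - - [07/Dec/2021:10:01:06 +0000] "GET /example/page HTTP/1.0" 302 0
::1 - - [07/Dec/2021:10:01:07 +0000] "GET /example/page HTTP/1.0" 200 5120
"""


def peer_address(line):
    """Return the peer IP of one log line, or None if the first field is not an IP."""
    fields = line.split()
    if not fields:
        return None
    try:
        return ipaddress.ip_address(fields[0])
    except ValueError:  # hostname, "-" or a damaged line
        return None


def proxy_peer_report(log_text):
    """Summarise the peer addresses seen and how often consecutive requests switch."""
    peers = [p for p in map(peer_address, log_text.splitlines()) if p is not None]
    families = sorted({p.version for p in peers})
    # A flip is a request arriving from a different address than the previous one:
    # the point at which an IP-sensitive session stops matching.
    flips = sum(1 for prev, cur in zip(peers, peers[1:]) if prev != cur)
    return {
        "addresses": sorted({str(p) for p in peers}),
        "families": families,
        "flips": flips,
        "mixed": len(families) > 1,
    }


if __name__ == "__main__":
    print(proxy_peer_report(SAMPLE_LOG))
```

With the backend bound to a single explicit address, as in the fix above, the report should show one address, one family and zero flips.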


#5 2021-12-07 12:01:16

erAck
Only trying to help
2015-09-06
1998

Re: [resolved] Invalid security token while trying to upload photos

Good find, and thanks for getting back and providing the solution as well, so others may benefit.


Running Piwigo at https://erack.net/gallery/


#6 2021-12-07 20:24:01

dmmedia
Member
2021-11-13
5

Re: [resolved] Invalid security token while trying to upload photos

I have performed extensive testing and should conclude that the solution works.

I have no issues anymore with installing/removing/(de)activating plugins, managing albums and photos. No random logouts.

Tried with all my galleries, and both the freshly installed and the upgraded ones now work correctly.


#7 2023-05-21 17:58:30

Steel Rat
Member
2017-10-10
19

Re: [resolved] Invalid security token while trying to upload photos

I would like to fix this on my own leased server, but can't seem to find the setting.

I have WHM access to my Linux CentOS server, but there is no "listen" option in the Apache config.

Can someone point me in the right direction? The security token issues are bugging the %^$##% out of me!
