
Prestashop 1.7.3 (Invalid token: direct access to this link may lead to a potential security breach)



Our Prestashop site is showing this error "(Invalid token: direct access to this link may lead to a potential security breach)" every time we want to access several sections, such as create a product, view products, etc.

 

This is the current version we are using: Prestashop 1.7.3. This is a clean installation we installed a few days ago.

 

 

 

 


  • 2 weeks later...
  • 2 weeks later...
  • 2 weeks later...

After I did the 1.7.3 update, I have the problem too,

but it only holds for one day, or if you use another PC or it is another day you have to enter it again

Shop Parameters - Contact - under Stores

under the shop address details, enter the opening hours; then it only works for one day.

Does anyone have an idea how to get it to save properly once it has been set correctly?


Edited by antikeck (see edit history)


  • 1 month later...

I have the same problem. I am running prestashop 1.7.3.2 and have already moved from php 5.5 to php 7.1.16, then back to php version 7.0. This problem occurs no matter what version of php was running at the time.

 

Can anyone help please?


  • 1 month later...
  • 4 weeks later...
  • 3 weeks later...

We do have the same issues. Messages of this type appear on different occasions, on different routes. It's not the page you wish to open that gives the problem, it's the way you approach it. Linking directly from Safari to Product-Pages for instance, but not when from administrator to products. From Orders to Customer yes, but not when directly from Dashboard. We do not wish to change PHP since earlier problems with an important add-on. Problem should be solved after so many posts recently and in the past, within Prestashop it seems.


  • 1 month later...

Hey everyone..  

 

Any solutions? We are suffering the same issue - PHP7.0 and 1.7.3

 

Surely there is a solution.. 

 

Unsure if this is related but we have a test site (new install) where we copied all the files from the test-> live site including this parameters file then made changes to the database name etc.

 

So don't know if the cookie/secret is conflicting with the old test site.

 

In app/config/parameters.php there is a secret, I am thinking my browser is caching the same secret.

 

Does anyone know how to make the system regenerate cookies and secret?

 

thanks

 


On 2018-03-18 at 9:24 PM, nek666 said:

Our Prestashop site is showing this error "(Invalid token: direct access to this link may lead to a potential security breach)" every time we want to access several sections, such as create a product, view products, etc.

 

I solved this issue by turning off the control of cookie's IP in Advanced settings/Administration. If your IP is changing during a session, I guess this is the message that comes up to warn you of a potential security breach.

 

With kind regards,

 - Johan.


  • 3 weeks later...

Same issue on Presta 1.7.4.2. Can't edit or add new products.

What I tried:

- changing from PHP 7.0 to 7.1

- disabling control of cookie's IP

- turning off "increased security mode" in Preferences / General

- disabling whole modules that are not made by Presta

And the problem still occurs. Any solution?


  • 2 weeks later...
On 24.11.2018 at 12:44 AM, Velno said:

Same issue on Presta 1.7.4.2. Can't edit or add new products.

What I tried:

- changing from PHP 7.0 to 7.1

- disabling control of cookie's IP

- turning off "increased security mode" in Preferences / General

- disabling whole modules that are not made by Presta

And the problem still occurs. Any solution?

Try filling in everything in the contact details, including the opening hours; for some people that is what causes the errors

or always click on the overview twice: after the first click wait a little, about 10 - 12 seconds, then click again


  • 2 weeks later...

Same problem. Updated PHP to 7.1: nothing. To 7.2 and 7.3: same problem. This problem almost always appears when I copy/paste a product or text. It began when I created 1000 products. Any help?


I too am a PrestaShop Newbie, but a stubborn one! Fighting with these issues listed as well as numerous others, I realized that the issue was more my server configuration than Prestashop code. After updating PHP, Apache and mySQL, EVERY issue disappeared. The most difficult (or at least time consuming) was PHP and all the necessary extensions.

Since it appears that many folks discussing these issues are hosting their own server, I suggest that you ensure that all your PHP extensions are up to date. Some of them, such as intl, do not automatically update ICU, which is currently at version 63.1 and had to be updated through some interesting code to rid my site of many of these problems. The bottom line is that there are many extensions that must be installed and current to avoid troubles. I’m running PS 1.7.4.4 on Ubuntu 16.04.1 LTS with PHP 7.2.12.1 and Apache 2.0.

The following is a list of the extensions installed on my server (not all are necessary for PrestaShop)

[email protected]:$ sudo apt-cache search php | grep "^php7"
php7.2 - server-side, HTML-embedded scripting language (metapackage)
php7.2-cgi - server-side, HTML-embedded scripting language (CGI binary)
php7.2-cli - command-line interpreter for the PHP scripting language
php7.2-common - documentation, examples and common module for PHP
php7.2-curl - CURL module for PHP
php7.2-dev - Files for PHP7.2 module development
php7.2-gd - GD module for PHP
php7.2-gmp - GMP module for PHP
php7.2-json - JSON module for PHP
php7.2-ldap - LDAP module for PHP
php7.2-mysql - MySQL module for PHP
php7.2-odbc - ODBC module for PHP
php7.2-opcache - Zend OpCache module for PHP
php7.2-pgsql - PostgreSQL module for PHP
php7.2-pspell - pspell module for PHP
php7.2-readline - readline module for PHP
php7.2-recode - recode module for PHP
php7.2-snmp - SNMP module for PHP
php7.2-sqlite3 - SQLite3 module for PHP
php7.2-tidy - tidy module for PHP
php7.2-xml - DOM, SimpleXML, WDDX, XML, and XSL module for PHP
php7.2-xmlrpc - XMLRPC-EPI module for PHP
php7.1-mapi - transitional package for the rename of php7.1-mapi to php-mapi
php7.2-bcmath - Bcmath module for PHP
php7.2-bz2 - bzip2 module for PHP
php7.2-dba - DBA module for PHP
php7.2-enchant - Enchant module for PHP
php7.2-fpm - server-side, HTML-embedded scripting language (FPM-CGI binary)
php7.2-imap - IMAP module for PHP
php7.2-interbase - Interbase module for PHP
php7.2-intl - Internationalisation module for PHP
php7.2-mbstring - MBSTRING module for PHP
php7.2-phpdbg - server-side, HTML-embedded scripting language (PHPDBG binary)
php7.2-soap - SOAP module for PHP
php7.2-sybase - Sybase module for PHP
php7.2-xsl - XSL module for PHP (dummy)
php7.2-zip - Zip module for PHP

I hope this information will be helpful and solve all your challenges with PrestaShop.


  • 2 weeks later...
  • 4 weeks later...

I had an issue very similar to apvandam's post above, though I didn't get a 500 error but instead it took 5 minutes to load certain pages via certain routes to that page. I noticed in my CPanel error log (not prestashop log) that when this issue occurred, it could not find a folder under the src/someSubDirectories/ (which I no longer remember unfortunately). When I searched EVERY file under my shop for the folder name string, it didn't show up, except in a few compiled cache files. To keep it short, these findings led me down a long road that made me realize the folder name was generated during compile based on the hash of a password (or something similar to that).

I then realized, that during testing phase, I had previously created a CUSTOMER (ps_customer table) account with the same email as the ADMIN user account email (ps_employee table). I simply deleted that CUSTOMER user account via the BO and all my issues magically disappeared! Not sure if deleting any one customer account would yield the same results. Also, I had this duplicated email up and running for 3 months before any BO issues actually started showing up. Clearing all caches (manually and via BO) server side and browser side did not have any effect.

Anyways, thought I would share my solution since the errors being described are manifesting in many ways and my solution may work for you.

Cheers.:-)

p.s. Does any one know where to change my settings, so that my First and Last name do not show up in a Post? I would just like to display my handle (username) and location. I have no idea where the forum software is grabbing my first and last name from, I have searched every setting I could find.

 

Edited by AndisB
Clarify Wording (see edit history)


  • 4 weeks later...

I am interested to see what Crezzur  did with the settings..  Although I would never give a stranger access to my backend.

Come on people, surely there is a fix..  I agree, adding products with constant token issues is becoming a real pain.

 

  • Like 1


  • 2 weeks later...

Polish Zenbox hosting https://www.zenbox.pl/ in which we have the services fixed this problem, today we had it, they wrote to me: we have currently turned off the session IP checking in the advanced settings. Advanced -> administration. Here, please uncheck: Check the cookie's IP address and save the changes. In the update to 1.7.5.1 (test shop) I have the same error and this option has also helped.


Thanks Adam but that doesn't work. Still have the issue.

I love how Prestashop no longer gives a crap about their users. It's been a few years now.

I remember the good old days when one actually got a reply. Alas, those days are gone.


  • 5 weeks later...
  • 2 weeks later...
  • 1 month later...
  • 3 months later...

I ran into this problem with version 1.7.4 and solved it as follows:

On your hosting, go to the PHP version and switch it to 7.2 (mine was already on 7.2)

Then for "max_input_vars" I was at 3000, so I went back to 1000. another site that I have on the same version and which works very well!)
Remember to update your bookmarks for accessing this site.

Hoping this can help 🙂

Edited by Maguie (see edit history)


  • 3 weeks later...
On 5/23/2019 at 9:03 PM, Prestahost.cz said:

Hello,

there is described one of possible causes of invalid token together with the solution

it applies to a specific server configuration, but be sure to check your phpinfo for the $_SERVER['HTTPS'] variable anyway

This is THE solution!

if(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https'){
    $_SERVER['HTTPS']='on';
}

Add this on your adminxxxxxxxxxxxxx/index.php top, just after <?php

There is NGINX on my server and $_SERVER are rewritten. There wasn't $_SERVER['HTTPS'] variable.

Edited by GuimDotcom (see edit history)


  • 2 months later...

My shop was working fine until it suddenly started with the invalid token error.


It turned out that my hosting service hit its maximum file limit, this meant the token could not be stored in the backend and I got the invalid token error presumably because an old token was being read.
I deleted some files and the shop started working.


  • 2 months later...
On 11/20/2019 at 10:21 PM, Prestablob said:

My shop was working fine until it suddenly started with the invalid token error.


It turned out that my hosting service hit its maximum file limit, this meant the token could not be stored in the backend and I got the invalid token error presumably because an old token was being read.
I deleted some files and the shop started working.

@Prestablob very informative... Deleted some files... Maybe more specific which one? 


  • 2 weeks later...
On 9/2/2019 at 4:52 AM, Maguie said:

I ran into this problem with version 1.7.4 and solved it as follows:

On your hosting, go to the PHP version and switch it to 7.2 (mine was already on 7.2)

Then for "max_input_vars" I was at 3000, so I went back to 1000. another site that I have on the same version and which works very well!)
Remember to update your bookmarks for accessing this site.

Hoping this can help 🙂

Thank you, this solution worked perfectly


  • 1 month later...

Hi,
I had the same problem with login. If you have a customer test account with the same email as the admin email, delete or change the customer email. That helped me when no other things like cookie IP, cookie lifetime or other suggestions helped.

 


  • 1 month later...

 

On 9/18/2019 at 7:34 AM, GuimDotcom said:

This is THE solution!

There is NGINX on my server and $_SERVER are rewritten. There wasn't $_SERVER['HTTPS'] variable.

Hi,

That link is dead. Please can you elaborate what we need to do to fix this? That would be mega appreciated.

Thanks


Some variables were not passed to Apache from Nginx. There are several solutions, I have opted for prepending the code below using php.ini:

 

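<?php
// Mark the request as HTTPS when the front-end proxy reports it as such.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    $_SERVER['HTTPS'] = 'on';
    $_SERVER['SERVER_PORT'] = 443;
}
// Use the client address forwarded by Nginx instead of the proxy's own address.
if (isset($_SERVER['HTTP_X_REAL_IP'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_REAL_IP'];
}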
 

  • Like 1
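
A stricter variant of the prepend snippets posted above, as an added example that is not code from any poster or from PrestaShop: it applies the forwarded headers only when the request arrives from the proxy itself, because on a backend that is also reachable directly those headers are client-supplied. `TRUSTED_PROXIES` and `apply_forwarded_headers()` are hypothetical names, and the loopback addresses assume Nginx runs on the same host as Apache.

```php
<?php
// Added example, not code from the thread or from PrestaShop.
// Assumption: the addresses your front-end proxy (e.g. Nginx) connects from.
const TRUSTED_PROXIES = ['127.0.0.1', '::1'];

/**
 * Return a copy of $server with HTTPS, SERVER_PORT and REMOTE_ADDR taken from
 * the forwarded headers, but only if the TCP peer is a trusted proxy.
 * apply_forwarded_headers() is a hypothetical helper name.
 */
function apply_forwarded_headers(array $server, array $trustedProxies): array
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        // Not from the proxy: the headers are client-supplied, so ignore them.
        return $server;
    }

    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    if ($proto === 'https') {
        $server['HTTPS'] = 'on';
        $server['SERVER_PORT'] = '443';
    }

    $realIp = trim($server['HTTP_X_REAL_IP'] ?? '');
    if (filter_var($realIp, FILTER_VALIDATE_IP) !== false) {
        // Only a syntactically valid address may replace REMOTE_ADDR.
        $server['REMOTE_ADDR'] = $realIp;
    }

    return $server;
}

// True only when this file itself is executed from the command line.
$runDirectly = PHP_SAPI === 'cli'
    && realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === __FILE__;

if (PHP_SAPI !== 'cli') {
    // Normal use: loaded via auto_prepend_file before PrestaShop starts.
    $_SERVER = apply_forwarded_headers($_SERVER, TRUSTED_PROXIES);
} elseif ($runDirectly) {
    // Constructed sample requests, run with: php fix.php
    $viaProxy = [
        'REMOTE_ADDR' => '127.0.0.1',
        'HTTP_X_FORWARDED_PROTO' => 'https',
        'HTTP_X_REAL_IP' => '203.0.113.7',
    ];
    $direct = [
        'REMOTE_ADDR' => '198.51.100.23',
        'HTTP_X_FORWARDED_PROTO' => 'https',
        'HTTP_X_REAL_IP' => '127.0.0.1',
    ];
    foreach (['via proxy' => $viaProxy, 'direct' => $direct] as $label => $req) {
        $out = apply_forwarded_headers($req, TRUSTED_PROXIES);
        printf("%-9s HTTPS=%s REMOTE_ADDR=%s\n", $label,
            $out['HTTPS'] ?? '(unset)', $out['REMOTE_ADDR']);
    }
}
```

Load it with `auto_prepend_file` set to the file's absolute path in php.ini or a per-directory `.user.ini`; the `php_value` form in `.htaccess` is only honored when PHP runs as an Apache module.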


21 hours ago, Prestahost.cz said:

Some variables were not passed to Apache from Nginx. There are several solutions, I have opted for prepending the code below using php.ini:

 

if(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https'){
    $_SERVER['HTTPS']='on';
    $_SERVER['SERVER_PORT'] = 443;
}
if(isset($_SERVER['HTTP_X_REAL_IP'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_REAL_IP'];
}
 

Thanks man. Do I create a .php file with that code in, then add "auto_prepend_file=/php/myfile.php" to the php.ini?


3 hours ago, Prestahost.cz said:

Correct, but you will need the full path to the prepended file

I can't seem to get it working with the line:

php_value  auto_prepend_file /home/mysite/public_html/fix.php

Please can I see how you did it? There's a beer in it for anyone who can help me fix this!


On 11/23/2018 at 11:44 PM, Velno said:

Same issue on Presta 1.7.4.2. Can't edit or add new products.

What I tried:

- changing from PHP 7.0 to 7.1

- disabling control of cookie's IP

- turning off "increased security mode" in Preferences / General

- disabling whole modules that are not made by Presta

And the problem still occurs. Any solution?

I did the first 2 and fourth and still had an issue in 1.7.6.5, so now turned off cookies and I think it has worked.


  • 2 months later...
On 4/15/2020 at 7:28 PM, Prestahost.cz said:

Some variables were not passed to Apache from Nginx. There are several solutions, I have opted for prepending the code below using php.ini:

 

if(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https'){
    $_SERVER['HTTPS']='on';
    $_SERVER['SERVER_PORT'] = 443;
}
if(isset($_SERVER['HTTP_X_REAL_IP'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_REAL_IP'];
}
 

Hey man, I still have the problem. If you can walk me through this please, I will send you 40 EUR. This issue is driving me insane.

Edited by RickieSee
Revision (see edit history)


  • 1 month later...
  • 5 months later...
3 minutes ago, hugolin69 said:

Same here, I am under 1.7.5.1, under PHP 7.2, IP check disabled, and I can not find what is wrong.

I give also a reward.

It's driving me crazy. I believe it is some setting on the server. Just, which one? It's not PHP version. I have tried.


  • 3 months later...

Soo.. guys.

Anyone with a solution for the invalid tokens? It's really annoying and sometimes even if you "accept risk and go on" it goes in an infinite loop of that error, not letting you save an edited category for example..


If this does not work, edit the file /src/Core/Feature/TokenInUrls.php

change the isDisabled function with:

public static function isDisabled()
    {
        //return getenv(self::ENV_VAR) === self::DISABLED;
        return false;
    }

greetings


On 6/5/2021 at 9:53 AM, raultamayomate said:

If this does not work, edit the file /src/Core/Feature/TokenInUrls.php

change the isDisabled function with:

public static function isDisabled()
    {
        //return getenv(self::ENV_VAR) === self::DISABLED;
        return false;
    }

greetings

Thanks for your solution. It works, but maybe you mean....

public static function isDisabled()
{
    //return getenv(self::ENV_VAR) === self::DISABLED;
    return true;
}

TRUE (isDisabled) instead of FALSE. This way, you're disabling security tokens for backend, but it works if you're having problems for that.

.... but I'm not sure, when I tried to save after that modification, I have a "The CSRF token is invalid"

Edited by Prestafan33 (see edit history)


  • 1 month later...

I had the same problem. In my case it seems that the problem was due to the cache management.
I fixed it by disabling the Prestashop cache options and using the server cache option.
I hope it can be of use to someone.


People who have this error, try to check your php.ini options inside cpanel. Probably you have too many options activated inside. One or more of them can cause this behaviour.

If this is the case, check what options PS really needs to work and uncheck the others.

Danny


  • 4 weeks later...

This error is making Prestashop impossible to use, literally. I have had it come up on occasion, but reloading the page clears it. This has been across more than one version of Prestashop, currently on 1.7.7.3. Now, I am unable to edit any product without it appearing.

I have checked file totals and these are well within range, cleared cache, tried turning off cookie control, checked php version (correct 7.3), tried changing the code in TokenInUrls.php (first suggestion did not work, second replicated the invalid csrf token message and saving was impossible), cache disabled (not using any), cannot stop this appearing in a forever loop. If I do display a page and make a change, it immediately states settings saved, but doesn't really do so ... refresh the page and nothing has been saved but the dreaded error appears.

Any more ideas? I have a non-functioning website in terms of updating at present. My knowledge of how to code and change things is very limited ...


6 minutes ago, CJH said:

This error is making Prestashop impossible to use, literally. I have had it come up on occasion, but reloading the page clears it. This has been across more than one version of Prestashop, currently on 1.7.7.3. Now, I am unable to edit any product without it appearing.

I have checked file totals and these are well within range, cleared cache, tried turning off cookie control, checked php version (correct 7.3), tried changing the code in TokenInUrls.php (first suggestion did not work, second replicated the invalid csrf token message and saving was impossible), cache disabled (not using any), cannot stop this appearing in a forever loop. If I do display a page and make a change, it immediately states settings saved, but doesn't really do so ... refresh the page and nothing has been saved but the dreaded error appears.

Any more ideas? I have a non-functioning website in terms of updating at present. My knowledge of how to code and change things is very limited ...

I ended up moving host to a Plesk VPS from a Cpanel VPS. Problem solved. I wish I had done this earlier - it's absolutely unbearable. So much time wasted.

I tried everything. All versions of PHP etc. Nothing worked.

Backup your site and database, move host and point your domain at the new host. Easily done in two hours.


  • 5 months later...

Hello,

I just had the same issue in 1.7.8.3. After trying everything, I set SameSite cookies to "none" (in Administration section). Before the setting was "Lax".

So far this has helped.
