stevejburge - 11 May 2017

JINVALID_TOKEN_NOTICE="The security token did not match. The request was aborted to prevent any security breach. Please try again."

This is some intimidating text. Do you think we could make it more human-friendly?

stevejburge - open - 11 May 2017
joomla-cms-bot - labeled - 11 May 2017
franz-wohlkoenig - change - 11 May 2017
Category: Language & Strings
zero-24 - comment - 11 May 2017

Can you suggest something better?

franz-wohlkoenig - change - 11 May 2017
Status: New → Discussion
stevejburge - comment - 11 May 2017

I guess the message should be simpler.

Right now, I'm not even sure what "The security token did not match" means after 10+ years using Joomla. Plus, it's not actionable ... what's the solution for the user?

How about ...

"Sorry, but we weren't able to log you in. Please try again".

mbabker - comment - 11 May 2017

It's not just a login failure. I'll let others turn this into user friendly speak, but basically...

There is a CSRF token that gets submitted as a part of most actions (form submissions mainly, but you can do it in other places too) that validates that the request is actually coming from a valid user, then that token is validated against a source (usually the session). If that token doesn't validate, you get the token error message and the action you were aiming to do doesn't process (submit a contact form, log in, etc.).

stevejburge - comment - 11 May 2017

I guess I'm wondering if any of that extra information is useful? These are the kind of details that could be in an error log, not presented to a user.

PhilETaylor - comment - 11 May 2017

You should only ever see this message if you are trying to manipulate/abuse the system. I say it should be harsh... if "users" are acting like real users then it would be very, very, very rare that a user sees such a message.

stevejburge - comment - 11 May 2017

@PhilETaylor I see your point, although:

  1. I wasn't trying to abuse anything
  2. Is this message helpful, either for a non-savvy user or an abuser?

wilsonge - comment - 12 May 2017

I mean the form didn't submit. And it's going to be for an abnormal reason (i.e. it's not typical invalid user input) - because a session token didn't match the token in their form.

There needs to be some sort of message on how to proceed to the user and an explanation of why the form failed to submit successfully.

brianteeman - comment - 12 May 2017

That's why it says "please try again"

PhilETaylor - comment - 12 May 2017

@stevejburge Can you replicate this issue over and over using "normal" user activity?

stevejburge - comment - 12 May 2017

I can try, but have no idea what I did to cause the message to show.

Agree with @wilsonge on this: the message can give clearer feedback.

mbabker - comment - 12 May 2017

It's not that you necessarily did anything wrong, it could be something happened server side (the right data didn't write to the session) or your session timed out as examples. That's why it's hard to give a "good" message (in any platform), or even a context specific message, when there's a CSRF token validation error because generally you validate that token and immediately abort if that fails and the reason for that isn't something that you'll be able to explain in every scenario.

weredigi - comment - 19 May 2017

This message is popping up repeatedly for us if you want an example. We need to do 2 logins to get in almost every time. This message is an issue many are experiencing; it is all over the threads for Joomla but no one seems to be coming up with a fix. You in no way need to be abusing the system to receive the message. This started occurring after the last 2 updates and has occurred in the past as well. I can't say I totally understand all the technical reasons but every thread I have read says it's due to plugins and other added features that are not compliant with Joomla.
My question has always been the same on this issue: why does Joomla allow things that are not compliant with the core to be listed on their site? It keeps happening though.

luispoll88 - comment - 21 Jul 2017

This message appears when "System - Page Cache" is enabled and when we try to login inside the front end of Joomla 3.7.3.

Message: "The security token did not match. The request was aborted to prevent any security breach. Please try again."

On the second login attempt the problem goes always, however the problem comes back when we log out and we try to login again.

It happens every time.

Does anyone know why?

If I disable "System - Page Cache" the problem goes away.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/15967.
kentanilsson - comment - 24 Oct 2017

Agree with @luispoll88. Running 3.8.1, using SClogin, and the error message appears when cache is on. First login is successful. Every time after the first login failure.

Debugging
The Session::checktoken method : token:string(32) "6137a7cca78d58303846d7726a416b20" csrf:string(0) "" fallback:string(0) ""

The test token === csrf fails

Then you get the fallback token and then test for a new session, then OK. If no new session then return false. And of course the baseController::checkToken returns JINVALID_TOKEN_NOTICE. Always!! When cache is on. I don't get it.

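
An added example, not Joomla's Session::checkToken and not code from anyone in this thread, that models the token check mbabker describes above and the failure in kentanilsson's debug output (a session token present, an empty token in the request). The session key `csrf_token`, the request field `csrf` and the `is_new` flag are assumptions of this model, and it classifies a mismatch in a brand-new session as an expired session rather than a token error, which is the distinction a friendlier message would need.

```php
<?php
// Added example, not Joomla's own code: a minimal model of the CSRF check
// discussed in this thread. $session stands in for the server-side session
// store and $request for the submitted form fields; both are constructed here.
// The session key 'csrf_token', the request field 'csrf' and the 'is_new'
// flag are assumptions of this model, not Joomla identifiers.

function generateToken(array &$session): string
{
    // 32 hex characters, the same shape as the token in the debug output above.
    $session['csrf_token'] = bin2hex(random_bytes(16));
    $session['is_new'] = false;
    return $session['csrf_token'];
}

// Returns 'ok', 'expired_session' or 'invalid_token'.
function checkToken(array $session, array $request): string
{
    $stored = $session['csrf_token'] ?? '';
    $csrf   = $request['csrf'] ?? '';

    // hash_equals() compares in constant time; the explicit empty checks
    // cover the csrf:string(0) "" case seen in the debug output.
    if ($stored !== '' && $csrf !== '' && hash_equals($stored, $csrf)) {
        return 'ok';
    }

    // Mismatch: if the session was only just created, the user's previous
    // session expired (or was regenerated) between rendering the form and
    // submitting it. That deserves a different message than a token error.
    if (!empty($session['is_new'])) {
        return 'expired_session';
    }
    return 'invalid_token';
}

// Scenario 1: normal flow, the form carries the live session token.
$session = [];
$token = generateToken($session);
echo checkToken($session, ['csrf' => $token]), PHP_EOL;

// Scenario 2: the session timed out; the request lands in a brand-new session.
echo checkToken(['is_new' => true], ['csrf' => $token]), PHP_EOL;

// Scenario 3: a stale form (served from a cached page, or left open in a
// second tab) submits an old token after the session token was regenerated.
generateToken($session);
echo checkToken($session, ['csrf' => $token]), PHP_EOL;
```

Run with `php example.php`; each scenario prints the status string that a controller would map to a user-facing message.
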
PhilETaylor - comment - 24 Oct 2017

SClogin? a third party extension?

kentanilsson - comment - 24 Oct 2017

Yes. Latest version.
I have a test site and using core login function it is working fine.

PhilETaylor - comment - 24 Oct 2017

I suggest you go moan at SClogin developers then :) this page is for core Joomla only, we cannot be expected to support everyone else's problems :)

kentanilsson - comment - 24 Oct 2017

Well, I get that, but when I first commented I hadn't tested core functions.

dgt41 - comment - 24 Oct 2017

If I disable "System - Page Cache" the problem goes away.

What you need to realise is that Page Cache flattens your page and stores it as a file. If you need to use login on such a page you need to do it through AJAX/JavaScript; there is nothing wrong with Joomla or any 3rd party component/plugin/module here if those were designed to work with dynamic caching and you're forcing them to work (and rightfully they do fail) on static pages.

kentanilsson - comment - 24 Oct 2017

Page cache is disabled.

brianteeman - change - 5 Jan 2018
Status: Discussion → Closed
Closed_Date: 0000-00-00 00:00:00 → 2018-01-05 23:41:28
Closed_By: brianteeman
brianteeman - close - 5 Jan 2018
brianteeman - comment - 5 Jan 2018

Closed for the reasons stated above #15967 (comment)

rwbarg - comment - 27 Mar 2018

The System – Page Cache plugin is disabled on our site but we're able to reproduce the error message with the following process:

  1. Log out
  2. Have two tabs that are at the login screen
  3. Log in to an account on one tab
  4. Log in to the same account on another tab

It then takes me to the home page of my site with that same error message.
