joshuag

this request was aborted because it appears to be forged

Hi,

I just moved PW to a new server and now I can't log in because I am getting the error:

"this request was aborted because it appears to be forged" when submitting the login form.

I tried changing the password and username with the API... thinking this is session related?

Any suggestions?

Thanks in advance,

OK, fixed this. It was a permission problem... (smacks head.)

Had to make sure /site/config.php was readable.

Clear case of the Mondays.

  • Like 1

I like these posts, clear titles, quick answers.

Especially when someone answers their own question ;)

  • Like 2

I've just transferred a site from localhost to a live domain and I'm having this exact same problem. Think my permissions on config.php are fine. Can someone confirm what they should be? Thanks

Just managed to get in by changing permissions on the assets folder to 777. Not sure how much I fancy leaving it like that but for now will have to do as putting it back down to 755 for example, I get the error message again.

  • Like 1

Don't know what they should be, but just looking at a couple of live sites they are 644 on config.php and 755 on /site/assets/.

  • Like 1

> Just managed to get in by changing permissions on the assets folder to 777. Not sure how much I fancy leaving it like that but for now will have to do as putting it back down to 755 for example, I get the error message again.

Most likely Apache is running as the same user for everybody on the server, probably with a name like "nobody". So it's not going to be able to write to a directory that is only writable to you (755)... it'll only be able to read from it. If the accounts are truly jailed from one another, and one account can't manipulate the files of another (by way of Apache) then 777 should be no problem. Likewise if it's a dedicated or VPS without untrusted accounts on it, then it should be fine. It sounds like that's the only way it'll run right now, so I would set it to that and then check with the web host what they recommend for Apache-writable directory permissions, and do what they suggest. You might also inquire if you can get an suPHP environment, where Apache/PHP would run as your account--in that case, you would only need rwx to yourself (700) or writable to you and rx to others (755).

  • Like 3

Same here: I moved a site to a safe live hosting env' and had this error.

The fix proved to be making /site/assets/ 777 and recursively applying that to all inside /site/assets/, that fixed it :) thanks posters.

  • Like 1

I've had two lots of hosting where I asked the host to switch it to suPHP - there are only a few minutes of downtime during the process, if that, and the permissions side of things suddenly makes infinitely more sense, so +1 to ryan.

I just got this error too, but found that it persisted even after I double-checked my assets and config.php permissions.

I had installed the site using the ProcessWire Blank Profile, so figured I'd try it without that. Not sure why, but it did the trick. Removing the current install and reinstalling while sticking with the default site cleared up the issue.

  • Like 1

The "this request was aborted because it appears to be forged" message is also shown when you try to log in and cookies are disabled.

(Somewhat confusing, better to get a message to enable cookies before trying to login)

  • Like 1

> I just got this error too, but found that it persisted even after I double-checked my assets and config.php permissions.
>
> I had installed the site using the ProcessWire Blank Profile, so figured I'd try it without that. Not sure why, but it did the trick. Removing the current install and reinstalling while sticking with the default site cleared up the issue.

I just ran into the exact same problem trying to use the Blank Profile.

The Blank profile is done using PW 2.2.0 I think, so that could be the problem. However, it would take you only a little time to create a new one. Or just start with the default install, which is actually a very nice start.

Is it OK to just use the default install and just delete the fields, pages and templates? Anything else that should be done?

Nope. But I prefer to use the fields and templates as a start so never ever do it. :-P

  • Like 1

> Is it OK to just use the default install and just delete the fields, pages and templates? Anything else that should be done?

This is perfectly fine. I think that's what most people do. Though those fields, pages and templates are the bare minimum foundation for nearly any site I build, so it's rare that they get deleted here. I guess you could say that the default profile is the blank profile for some of us. :)

  • Like 1

> Just managed to get in by changing permissions on the assets folder to 777. Not sure how much I fancy leaving it like that but for now will have to do as putting it back down to 755 for example, I get the error message again.

Same for me here... I don't know why that happened. Seems to me like it has got something to do with the rights of my FTP account - because this error popped up after I created a single FTP account for the new PW directory - rather than using one global FTP account for all directories.

Anyone got a solution here? Cause I feel quite uncomfortable having site/assets/ on 777... 

> Anyone got a solution here? Cause I feel quite uncomfortable having site/assets/ on 777...

Is it a shared hosting account, or a dedicated/VPS? If it's some kind of dedicated platform where you don't have other accounts under someone else's control, then it's not as much of a concern. But I think this is a question for your hosting provider. What's probably happening is that PHP can't write to /site/assets/. Who is listed as the directory owner? It's most likely you, which would mean that Apache is running under an account other than yours that does not have write access. I would check with your hosting provider to see what permissions they recommend for CMSs that need to have a writable directory. This can vary from host to host, so it's tough for us to narrow in on it here short of trying different options (that are more secure than 777) till it works.

  • Like 1

Thanks, Ryan. I will try to get more information from my provider. (Yes, it's a standard account, shared hosting, I guess).

I've built a ProcessWire website for a friend and had lots of problems with "this request was aborted because it appears to be forged" after putting it on the production server.

Now, after some weeks of searching for the problem (also at the provider...) the solution was very simple and I'd like to share it:

The webspace on the server was full. And because every visit creates a session (inside the assets/sessions/ folder), no new session could be created (new session files were created, but their size was zero). The result was the "forged" message.

So perhaps this could be one more solution, if anyone else has this problem...

  • Like 5

At the risk of 'pimping about' another thread where I've touched on /sessions/, I wonder if /sessions/ can safely be excluded in migrations and if so, then seeing no sessions created in /sessions/ would have made it easier, perhaps, in this case to spot the problem. Just a thought (here's the thread where I'm seeking to find the definitive list of stuff not to copy when migrating sites, in case it's of help anytime).

I'm experiencing this problem on a Vagrant box with an NFS-mapped www folder.

Changing permissions of site/assets recursively and config.php to 777 doesn't help.

I checked the sessions folder. A 0-byte session file gets created. But the Vagrant box has plenty of space available.

I checked out a brand new dev branch, installed it and get the error on login to admin.

All other PW sites on that Vagrant box have the same problem. They used to work until recently. I'm not aware of any changes to the box that could have led to this behaviour.

Any pointers to a solution would be much appreciated.

My issue was related to the wrong Apache user/group in my Vagrant box. After changing those I can now log in.

  • Like 1
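
A diagnostic for the causes reported in this thread (unreadable /site/config.php, a sessions directory the web server account cannot write to, zero-byte session files, leftover 777 permissions), added here as an example and not taken from any post or from ProcessWire itself. It assumes a POSIX shell and that it is run as the account PHP executes under; the function names and the script name pw_check.sh are made up for illustration.

```shell
#!/bin/sh
# Added example: checks for the causes of the "forged" login error named in this thread.
# Run as the account PHP executes under (host-specific), e.g. via sudo -u.
# Usage: sh pw_check.sh /path/to/site    (the directory holding config.php and assets/)

config_readable() { [ -r "$1/config.php" ]; }

# Write a probe and confirm it is non-empty: a full disk or quota can create
# the file yet leave it at zero bytes.
sessions_writable() {
    probe="$1/assets/sessions/.probe.$$"
    { printf 'probe' > "$probe"; } 2>/dev/null || { rm -f "$probe"; return 1; }
    rc=0; [ -s "$probe" ] || rc=1
    rm -f "$probe"
    return $rc
}

# Number of zero-byte session files already on disk.
empty_sessions() {
    find "$1/assets/sessions" -type f -size 0 2>/dev/null | wc -l | tr -d ' '
}

# Number of entries under assets/ writable by every account (e.g. left at 777).
world_writable() {
    find "$1/assets" ! -type l -perm -0002 2>/dev/null | wc -l | tr -d ' '
}

# Print a report; the return status is the number of FAIL/WARN findings.
diagnose() {
    site=$1; problems=0
    echo "running as: $(id -un) (group $(id -gn))"
    config_readable "$site" || { echo "FAIL: config.php is not readable"; problems=$((problems + 1)); }
    sessions_writable "$site" || { echo "FAIL: cannot store data in assets/sessions"; problems=$((problems + 1)); }
    n=$(empty_sessions "$site")
    [ "$n" -eq 0 ] || { echo "WARN: $n zero-byte session file(s)"; problems=$((problems + 1)); }
    n=$(world_writable "$site")
    [ "$n" -eq 0 ] || echo "NOTE: $n world-writable path(s) under assets/"
    df -P "$site/assets" 2>/dev/null | awk 'NR == 2 { print "disk use: " $5 " on " $6 }'
    return $problems
}

if [ $# -gt 0 ]; then diagnose "$1"; fi
```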
