this request was aborted because it appears to be forged


joshuag

13 minutes ago, vmo said:

Hi,
while migrating a website to a staging server and to put the site online today I got this error:


ProcessWire: ProcessLogin: This request was aborted because it appears to be forged.

DEBUG MODE ($config->debug == true):
#0 /wire/modules/Inputfield/InputfieldForm.module(155): ProcessWire\SessionCSRF->validate()
#1 /wire/core/Wire.php(397): ProcessWire\InputfieldForm->___processInput(Object(ProcessWire\WireInputData))
#2 /wire/core/WireHooks.php(823): ProcessWire\Wire->_callMethod('___processInput', Array)
#3 /wire/core/Wire.php(465): ProcessWire\WireHooks->runHooks(Object(ProcessWire\InputfieldForm), 'processInput', Array)
#4 /wire/modules/Process/ProcessLogin/ProcessLogin.module(362): ProcessWire\Wire->__call('processInput', Array)
#5 /wire/core/Wire.php(394): ProcessWire\ProcessLogin->___execute()
#6 /wire/core/WireHooks.php(823): ProcessWire\Wire->_callMethod('___execute', Array)
#7 /wire/core/Wire.php(465): ProcessWire\WireHooks->runHooks(Object(ProcessWire\ProcessLogin), 'execute', Array)
#8 /wire/core/ProcessController.php(337): ProcessWire\Wire->__call('execute', Array)
#9 /wire/core/Wire.php(394): ProcessWire\ProcessController->___execute()
#10 /wire/core/WireHooks.php(823): ProcessWire\Wire->_callMethod('___execute', Array)
#11 /wire/core/Wire.php(465): ProcessWire\WireHooks->runHooks(Object(ProcessWire\ProcessController), 'execute', Array)
#12 /wire/core/admin.php(153): ProcessWire\Wire->__call('execute', Array)
#13 /wire/modules/AdminTheme/AdminThemeUikit/controller.php(15): require('/var/www/vhosts...')
#14 /site/templates/admin.php(19): require('/var/www/vhosts...')
#15 /wire/core/TemplateFile.php(318): require('/var/www/vhosts...')
#16 /wire/core/Wire.php(394): ProcessWire\TemplateFile->___render()
#17 /wire/core/WireHooks.php(823): ProcessWire\Wire->_callMethod('___render', Array)
#18 /wire/core/Wire.php(465): ProcessWire\WireHooks->runHooks(Object(ProcessWire\TemplateFile), 'render', Array)
#19 /wire/modules/PageRender.module(536): ProcessWire\Wire->__call('render', Array)
#20 /wire/core/Wire.php(397): ProcessWire\PageRender->___renderPage(Object(ProcessWire\HookEvent))
#21 /wire/core/WireHooks.php(823): ProcessWire\Wire->_callMethod('___renderPage', Array)
#22 /wire/core/Wire.php(465): ProcessWire\WireHooks->runHooks(Object(ProcessWire\PageRender), 'renderPage', Array)
#23 /wire/core/WireHooks.php(924): ProcessWire\Wire->__call('renderPage', Array)
#24 /wire/core/Wire.php(465): ProcessWire\WireHooks->runHooks(Object(ProcessWire\Page), 'render', Array)
#25 /wire/modules/Process/ProcessPageView.module(213): ProcessWire\Wire->__call('render', Array)
#26 /wire/core/Wire.php(397): ProcessWire\ProcessPageView->___execute(true)
#27 /wire/core/WireHooks.php(823): ProcessWire\Wire->_callMethod('___execute', Array)
#28 /wire/core/Wire.php(465): ProcessWire\WireHooks->runHooks(Object(ProcessWire\ProcessPageView), 'execute', Array)
#29 /index.php(55): ProcessWire\Wire->__call('execute', Array)
#30 {main}

How can I identify the files and folders that I need to change the permissions from this?
And what might be the permissions to change to?

Thank you

 

After changing most of all files permissions to 777,
on the admin while trying to save a page I got the same error:

File: .../wire/core/SessionCSRF.php:191

181:         *
182:         * @param int|string|null $id Optional unique ID for this token
183:         * @throws WireCSRFException if token not valid
184:         * @return bool Always returns true or throws exception
185:         * 
186:         */
187:        public function validate($id = '') {
188:            if(!$this->config->protectCSRF) return true; 
189:            if($this->hasValidToken($id)) return true;
190:            $this->resetToken();
191:            throw new WireCSRFException($this->_('This request was aborted because it appears to be forged.')); 
192:        }
193:    
194:        /**
195:         * Clear out token value

Any idea?

Thank you


4 minutes ago, vmo said:

 

After changing most of all files permissions to 777,
on the admin while trying to save a page I got the same error:


File: .../wire/core/SessionCSRF.php:191

181:         *
182:         * @param int|string|null $id Optional unique ID for this token
183:         * @throws WireCSRFException if token not valid
184:         * @return bool Always returns true or throws exception
185:         * 
186:         */
187:        public function validate($id = '') {
188:            if(!$this->config->protectCSRF) return true; 
189:            if($this->hasValidToken($id)) return true;
190:            $this->resetToken();
191:            throw new WireCSRFException($this->_('This request was aborted because it appears to be forged.')); 
192:        }
193:    
194:        /**
195:         * Clear out token value

Any idea?

Thank you


I am using the module "Session Handler Database"

Thank you


  • 1 year later...

I currently have the issue above, after moving a site from localhost. Trying everything I can think of, I still haven't fixed it and can't log in to the admin panel because of this error. Never had this issue in the past.

ProcessWire: ProcessLogin: This request was aborted because it appears to be forged.
DEBUG MODE BACKTRACE ($config->debug == true):
#0 /var/www/vhosts/xxxxxxx/httpdocs/wire/modules/Inputfield/InputfieldForm.module(186): ProcessWire\SessionCSRF->validate()

The only thing that changes it is turning off CSRF, which is not what I want.

EDIT: Typically found the issue right after... I had a Cloudflare worker which modified the 'Set-Cookie' header.

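The post above traces the error to an intermediary rewriting the `Set-Cookie` header: the CSRF token lives in the session, so a session cookie that never comes back makes every login POST look forged. As an added example (not from the thread and not ProcessWire code), this Node.js code compares the header as sent by the origin with the header the browser received and lists why the browser would not return the cookie. The cookie name `wire`, the hosts and the URL are constructed sample values.

```javascript
// Split one Set-Cookie value into name, value and lower-cased attribute names.
function parseSetCookie(header) {
  const [pair = '', ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null;
  const attrs = {};
  for (const part of rest.filter(Boolean)) {
    const i = part.indexOf('=');
    attrs[(i < 0 ? part : part.slice(0, i)).toLowerCase()] = i < 0 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// What changed between the header the origin sent and the one the browser received.
function diffSetCookie(originHeader, clientHeader) {
  const a = parseSetCookie(originHeader);
  const b = parseSetCookie(clientHeader);
  if (!a || !b) return ['unparseable'];
  const changed = ['name', 'value'].filter((k) => a[k] !== b[k]);
  for (const k of new Set([...Object.keys(a.attrs), ...Object.keys(b.attrs)])) {
    if (String(a.attrs[k]) !== String(b.attrs[k])) changed.push(k);
  }
  return changed;
}

// Reasons a browser would reject this cookie or not send it back to pageUrl.
function whyNotReturned(header, pageUrl) {
  const c = parseSetCookie(header);
  if (!c) return ['no name=value pair'];
  const { protocol, hostname, pathname } = new URL(pageUrl);
  const { secure, domain, path, samesite } = c.attrs;
  const why = [];
  // Some browsers exempt http://localhost from this rule; a staging host never is.
  if (secure && protocol !== 'https:') why.push('Secure cookie on a non-HTTPS URL');
  const d = String(domain || '').replace(/^\./, '').toLowerCase();
  if (d && hostname !== d && !hostname.endsWith('.' + d)) why.push('Domain does not cover host');
  const covers = (p) => p === pathname
    || (pathname.startsWith(p) && (p.endsWith('/') || pathname[p.length] === '/'));
  if (typeof path === 'string' && !covers(path)) why.push('Path does not cover URL');
  if (String(samesite).toLowerCase() === 'none' && !secure) why.push('SameSite=None without Secure');
  return why;
}

// Constructed sample values, not taken from the thread.
const ORIGIN = 'wire=abc123; path=/; HttpOnly; SameSite=Lax';
const AT_CLIENT = 'wire=abc123; path=/; HttpOnly; SameSite=None; Domain=example.com';
const LOGIN_URL = 'http://staging.example.org/processwire/';
console.log(diffSetCookie(ORIGIN, AT_CLIENT), whyNotReturned(AT_CLIENT, LOGIN_URL));
```

Feed it the `Set-Cookie` line from the origin's own response and the one shown in the browser's network panel; an empty diff and an empty reason list point the search back at the server-side session store.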

  • 10 months later...

Hello all,
today I have the same problem as described above - I have a new computer with copies of all my local sites. No problem so far, until today, where I can no longer log into a particular backend, with the message as above. 
My attempts, I have …
- @config.php $config->protectCSRF = false;
- deleted the sessions table in the database
- deleted files in /cache
- tried without success to login with $session->forceLogin($user) = Warning: session_regenerate_id(): Session ID cannot be regenerated when there is no active session in /Users/.../wire/core/Session.php on line 1017

Does anyone have an idea where I could find the cause?
I would be very grateful for helpful tips.

PHP 8.0
ProcessWire 3.0.210 using module SessionHandlerDB


Hi @dotnetic, I tried to log in without any tracy debugger files (removed td-module directory and all cache files), unfortunately the error message persists.
Either way, thanks for the tip, I am very grateful.

My first suspicion was that something could be wrong with my PHP (session) configuration on my new machine... but I can't find any problems on similar ProcessWire installations. I will have to look further.

ProcessWire: ProcessLogin: Diese Anfrage war anscheinend gefälscht und wurde daher abgebrochen.
DEBUG MODUS ABLAUFVERFOLGUNG ($config->debug == true):
#0 /Users/…www/wire/modules/Inputfield/InputfieldForm.module(238): ProcessWire\SessionCSRF->validate()
#1 /Users/…www/wire/core/Wire.php(416): ProcessWire\InputfieldForm->___processInput(Object(ProcessWire\WireInputData))
#2 /Users/…www/wire/core/WireHooks.php(952): ProcessWire\Wire->_callMethod('___processInput', Array)
#3 /Users/…www/wire/core/Wire.php(484): ProcessWire\WireHooks->runHooks(Object(ProcessWire\InputfieldForm), 'processInput', Array)
#4 /Users/…www/wire/modules/Process/ProcessLogin/ProcessLogin.module(364): ProcessWire\Wire->__call('processInput', Array)
#5 /Users/…www/wire/core/Wire.php(413): ProcessWire\ProcessLogin->___execute()
#6 /Users/…www/wire/core/WireHooks.php(952): ProcessWire\Wire->_callMethod('___execute', Array)
#7 /Users/…www/wire/core/Wire.php(484): ProcessWire\WireHooks->runHooks(Object(ProcessWire\ProcessLogin), 'execute', Array)
#8 /Users/…www/wire/core/ProcessController.php(350): ProcessWire\Wire->__call('execute', Array)
#9 /Users/…www/wire/core/Wire.php(413): ProcessWire\ProcessController->___execute()
#10 /Users/…www/wire/core/WireHooks.php(952): ProcessWire\Wire->_callMethod('___execute', Array)
#11 /Users/…www/wire/core/Wire.php(484): ProcessWire\WireHooks->runHooks(Object(ProcessWire\ProcessController), 'execute', Array)
#12 /Users/…www/wire/core/admin.php(160): ProcessWire\Wire->__call('execute', Array)
#13 /Users/…www/wire/modules/AdminTheme/AdminThemeUikit/controller.php(15): require('/Users/sz/Sites...')
#14 /Users/…www/site/templates/admin.php(31): require('/Users/sz/Sites...')
#15 /Users/…www/wire/core/TemplateFile.php(328): require('/Users/sz/Sites...')
#16 /Users/…www/wire/core/Wire.php(413): ProcessWire\TemplateFile->___render()
#17 /Users/…www/wire/core/WireHooks.php(952): ProcessWire\Wire->_callMethod('___render', Array)
#18 /Users/…www/wire/core/Wire.php(484): ProcessWire\WireHooks->runHooks(Object(ProcessWire\TemplateFile), 'render', Array)
#19 /Users/…www/wire/modules/PageRender.module(575): ProcessWire\Wire->__call('render', Array)
#20 /Users/…www/wire/core/Wire.php(416): ProcessWire\PageRender->___renderPage(Object(ProcessWire\HookEvent))
#21 /Users/…www/wire/core/WireHooks.php(952): ProcessWire\Wire->_callMethod('___renderPage', Array)
#22 /Users/…www/wire/core/Wire.php(484): ProcessWire\WireHooks->runHooks(Object(ProcessWire\PageRender), 'renderPage', Array)
#23 /Users/…www/wire/core/WireHooks.php(1060): ProcessWire\Wire->__call('renderPage', Array)
#24 /Users/…www/wire/core/Wire.php(484): ProcessWire\WireHooks->runHooks(Object(ProcessWire\DefaultPage), 'render', Array)
#25 /Users/…www/wire/modules/Process/ProcessPageView.module(184): ProcessWire\Wire->__call('render', Array)
#26 /Users/…www/wire/modules/Process/ProcessPageView.module(114): ProcessWire\ProcessPageView->renderPage(Object(ProcessWire\DefaultPage), Object(ProcessWire\PagesRequest))
#27 /Users/…www/wire/core/Wire.php(416): ProcessWire\ProcessPageView->___execute(true)
#28 /Users/…www/wire/core/WireHooks.php(952): ProcessWire\Wire->_callMethod('___execute', Array)
#29 /Users/…www/wire/core/Wire.php(484): ProcessWire\WireHooks->runHooks(Object(ProcessWire\ProcessPageView), 'execute', Array)
#30 /Users/…www/index.php(55): ProcessWire\Wire->__call('execute', Array)
#31 {main}

 


@netcarver & @dotnetic  Thank you both for replying that fast. Finally I found the reason: at DSGVO times I tried to avoid cookies as much as possible, so I have the following lines in config.php to let guests without session cookie:

$config->sessionAllow = function ($session) {
  // if there is a session cookie, chances are user is logged in
  if ($session->hasCookie()) return true;

  if (!isset($_SERVER['REQUEST_URI'])) return false;

  // if requested URL is an admin URL, allow session
  if (!empty($session->config->urls->admin) && strpos($_SERVER['REQUEST_URI'], $session->config->urls->admin) === 0) return true;

  // otherwise disallow session
  return false;
};

This somehow got stuck - I disabled that part and was able to log in again. After re-enabling the cookie conditions login/out is working as usual again.

Thanks for your time - I appreciate it .


@sz-ligatur Most ProcessWire global config stuff is not available within the early stage of the bootup process inside $config->sessionAllow.

My sessionAllow function looks like follows and works as supposed.
 

$config->sessionAllow = function($session) {
    // Allow sessions in backend. strpos() returns 0 when the URI starts with the
    // path, so compare against false instead of testing "> 0".
    if (isset($_SERVER['REQUEST_URI']) && strpos($_SERVER['REQUEST_URI'], '/your_path_to_pw_backend/') !== false) return true;

    // Enable PW session in frontend if user accepted cookie consent notice.
    if (array_key_exists('pwconsent', $_COOKIE) && $_COOKIE['pwconsent'] == 'allow_necessary') return true;

    // If a PW cookie is present, session is likely already in use so we keep it.
    if ($session->hasCookie()) return true;

    // Otherwise we disable cookies in the frontend.
    return false;
};

I enable Cookies if request Url contains backend path (2nd line) or if a pwconsent cookie was found. This Cookie is set via my template file in case user gave his consent for using technical required cookies via module PrivacyWire. Cookies are required in frontend to protect my form (e.g. CSRF protection, etc.).

As PrivacyWire uses localStorage to store users consent action, I put the following JS code at the end of my template _main.php just before closing body tag to create a Cookie in case user gave consent to technical required cookies on my site. Why? Cookies access is easier in PHP than trying to read from localStorage (e.g. via AJAX).

<script>
	// Check if user already accepted technical required cookies.
	const json = localStorage.getItem('privacywire') || '';
	if (json) {
		let data = null;
		try {
			data = JSON.parse(json);
		} catch (e) {
			// Malformed JSON is handled like a missing consent record below.
		}
		if (data?.cookieGroups?.necessary) {
			// (Re-)create session cookie if user agreed usage via local storage.
			if (document.cookie?.indexOf('pwconsent=') == -1) {
				document.cookie = 'pwconsent=allow_necessary;path=/;SameSite=Lax;';
				setTimeout(function() { window.location = "<?=$page->httpUrl?>"; }, 0);
			}
		} else {
			// Avoid that user gets locked out by e.g. changing local storage values manually.
			localStorage.removeItem('privacywire');
		}
	}
</script>

 


  • 5 months later...

We often get this error ("This request was aborted because it appears to be forged."), but for us it's due to people pressing the "Login" button more than once (or pressing the enter key followed by the Login button). Someone in our group of web authors does this about once per day on average.

For us it'd be a useful system change if the Login button was immediately disabled via JavaScript after clicking (or pressing enter) so that it couldn't be activated twice. (I wonder if there would be any downside to this change?)


6 hours ago, AAD Web Team said:

We often get this error ("This request was aborted because it appears to be forged."), but for us it's due to people pressing the "Login" button more than once (or pressing the enter key followed by the Login button). Someone in our group of web authors does this about once per day on average.

For us it'd be a useful system change if the Login button was immediately disabled via JavaScript after clicking (or pressing enter) so that it couldn't be activated twice. (I wonder if there would be any downside to this change?)

Two ideas. Give training to the authors not to submit login twice, or explain the error and how to avoid it. Second option is to apply the code changes you proposed and see how it goes. You should consider not to disable login button on wrong user inputs too, otherwise users may not be able to login at all. 

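The two posts above discuss disabling the Login button after the first submit and ask about downsides. As an added example (not from the thread and not ProcessWire code), this browser JavaScript drops repeat submits while leaving the button usable after invalid input, and it avoids one real downside: a submit button disabled inside the submit handler has its name/value left out of the POST. The function name `guardAgainstDoubleSubmit` and its `defer` parameter are hypothetical.

```javascript
// Ignore repeat submits of a form while the first request is in flight.
// `defer` is injectable so the behaviour can be exercised without a browser.
function guardAgainstDoubleSubmit(form, defer = (fn) => setTimeout(fn, 0)) {
  const buttons = () => Array.from(form.querySelectorAll('[type=submit]'));
  let inFlight = false;

  // "submit" fires only after the browser's own field validation has passed,
  // so a form rejected for empty or invalid input never reaches this handler
  // and its button stays usable.
  form.addEventListener('submit', (event) => {
    if (inFlight) {
      event.preventDefault(); // second Enter key or click: drop it
      return;
    }
    inFlight = true;
    // Disable on the next tick, not here: a submit button that is already
    // disabled when the browser collects the form data is left out of the
    // POST, which breaks server code that checks for the button's name.
    defer(() => buttons().forEach((b) => { b.disabled = true; }));
  });

  // Re-arm the form, e.g. after a failed request handled on the same page.
  const reset = () => {
    inFlight = false;
    buttons().forEach((b) => { b.disabled = false; });
  };

  // A page restored from the back/forward cache keeps its disabled button.
  if (typeof window !== 'undefined') {
    window.addEventListener('pageshow', (e) => { if (e.persisted) reset(); });
  }
  return reset;
}
```

A failed login re-renders the page with a fresh form, so the guard only needs an explicit `reset()` when the response is handled without a page load.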
