joshuag

this request was aborted because it appears to be forged

Recommended Posts

Has anyone a solution for this problem using Amazon web services?  I have an EC2 that is giving me trouble with this error.  I have given permissions to assets and config.php file but the problem persists.  Thanks for any help here.  

Share this post


Link to post
Share on other sites

Thanks Alanfluff for Solved with 777 on the sessions folder and all contents.  This solved our login issue.  

Share this post


Link to post
Share on other sites

I just came across with this topic and wanted to share my experience.

The problem with permissions is simple:

The Apache user (see: PHP) has no permission on files we upload with our FTP user and the same goes the other way around too. 

On shared hosting the solution for us was to change PHP to run as fastCGI instead of as Apache module.

This way you can upload files via FTP, leave permissions as the recommended 755 and 644 and php will be able to happily write those files/folders.

Also, you can edit/delete files and folders via FTP even though they were created by PHP.

On my VPS running Webmin I just make sure that I upload files with the virtual host user and not with the root user.

I hope it helps to sort the cause of the problem and not just treating the symptom. 

  • Like 1

Share this post


Link to post
Share on other sites

I just ran into this issue, and it was not a permissions problem.

This was a site I have checked into source-control (Git) and the problem was, some folders are exempt from source control, namely "cache", "logs" and "sessions" in the "assets" folder.

Apparently, PW will silently fail when these folders don't exist and can't be written to.

Shouldn't it should throw an exemption on failure to write to any of these folders?

The error message given currently is misleading more than helpful.

  • Like 1

Share this post


Link to post
Share on other sites

u message cumes frm.sessions dir.

but i delete /site/assets/sessions/ and ,it remake.it

     no error

mabe u /site/assets no writtable ?

i testted w/vershion 2.5.21 for.my

grndmoms nudist marchingband.site

  mabe u need.upgrade ?

  • Like 2

Share this post


Link to post
Share on other sites

I have the same problem with the current dev version 2.5.26 and was not able to login. I've noticed that it was the version of PHP 5.6. With PHP version 5.5 it works.

  • Like 1

Share this post


Link to post
Share on other sites

I'm running a vagrant box with nginx and varnish and got this same problem. All folder on 777.

The problem was that in the Varnish `default.vlc` I was disabling cookies from the admin url (/processwire). I commented the line and restarted the service and it worked. :)

Share this post


Link to post
Share on other sites

This issue was happening to me all of a sudden. Happened just after uploading a 3MB photo via the admin.  Tried messing with permissions and no help. Tried deleting the photo via FTP and suddenly was able to login again. Uploaded another photo and got the "appears to be forged" warning. Then it occurred to me that possibly I had maxed out my allocated storage. This was the case.  I increased my space on my hosting account and everything is good again.

  • Like 2

Share this post


Link to post
Share on other sites
On 4/24/2017 at 8:40 AM, erikvanberkum said:

I just had this issue, the problem was caused by a full hard drive. 

I had my hard drive full and clearing the servers /temp folder solved the issue.

Share this post


Link to post
Share on other sites

I'm having this issue after moving to production.

I'm hosting on a Linux web app on Azure.

All permissions are set as rwxrwxrwx for all folder and files in the webroot.

I have plenty of free space.

I tried deleting the site/assets/sessions directory...a new one gets created properly automatically upon next sign in attempt.

Session files are being created in the site/assets/sessions directory, so I know that processwire is able to access that.

 

What else could be the issue if it's not permissions or storage space?

Share this post


Link to post
Share on other sites
16 minutes ago, rastographics said:

I'm having this issue after moving to production.

I'm hosting on a Linux web app on Azure.

All permissions are set as rwxrwxrwx for all folder and files in the webroot.

I have plenty of free space.

I tried deleting the site/assets/sessions directory...a new one gets created properly automatically upon next sign in attempt.

Session files are being created in the site/assets/sessions directory, so I know that processwire is able to access that.

 

What else could be the issue if it's not permissions or storage space?

check this, I experience that before:

 

Share this post


Link to post
Share on other sites

@Pixrael I'm not very experienced with linux but I thought that if PW is creating new files in site/assets/sessions directory, it has permissions to write there? Or is the php session path a different thing than the PW session path?

Share this post


Link to post
Share on other sites

I changed my .htaccess file to successfully get the session.save_path to change to a local directory that I am sure I have full ownership permissions on:

 

image.thumb.png.13d371063231b067fec5da9d24f8c583.png

 

I restarted the site, cleared all cookies, and still get the error. Any ideas?

Share this post


Link to post
Share on other sites

I tried the methods in that stackoverflow question and they did not work. As you can see in my posted screenshot, I was able to get phpinfo() to recognize a different save_path by using .htaccess. However that did not keep the "appears to be forged" error from showing up when logging in.

 

The app is using the docker configuration based on standard php apache image as seen in this repo:

https://github.com/Azure-App-Service/php/tree/master/7.2.5-apache

 

Please if anyone has any other ideas of what can be keeping me from logging in, this is preventing us from bringing our ready website to production. Thanks!

Share this post


Link to post
Share on other sites

In site/config.php if I set:

$config->protectCSRF = false;

Then 3 different things happen:

A wires_challenge cookie is now showing up in my browser (wasn't there before.)

The error "appears to be forged" no longer shows up.

?login=1 is added to the url string

Still does not login 😞

Share this post


Link to post
Share on other sites

Installed fresh processwire from scratch on identical hosting setup.

When going through installer, everything checks out as normal, except on the final review page after install, these errors appear:

 

image.thumb.png.f77987a9a642d82ee7fdb38658e78e44.png

 

I can still continue on to login page, but original error is still present and prevents login.

Share this post


Link to post
Share on other sites

Take a look at the raw http response body in your browser's developer console. My guess is that some kind of error/warning output from PHP (perhaps a configuration conflict in php.ini or a PHP version issue) performs some early output and thus prevents sessions and login from working. But the raw response should contain some kind of hint about it.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By ridgedale
      Reference: PW 3.0.111 and uikit3 based site using the Regular-Master profile.
      I'm trying to automatically redirect a logged-in user to a custom profile page using $session->redirect() and need to add $user->name to the redirect path.
      All my attempts appear to have failed:
      $session->redirect('/user-profile/')->name; $session->redirect('/user-profile/')->$user->name; $session->redirect('/user-profile/' . get($user->name . '/')); $session->redirect('/user-profile/' & get($user->name)); Can anyone point out where I am going wrong?
    • By matsn0w
      Hey all,
      I am working on a website and I want to style the login page, but I'm a bit confused. 
      I want either the existing login page styled in my own way using some CSS (I guess I prefer that) or I want to create a custom page with a form to login. (Which I could style too).
      I used the code from Ryan and Renobird posted here - which works great - but that doesn't replace the original login page. 
      Is there a way to some sort of 'disable' the original login?
      I hope my question is clear and thanks in advance,
      matsn0w
    • By Lex Sanchez
      Hi everyone:
      I do not know if someone before using ProcessWire with AWS CloudFront, currently I have problems with the login, it does not work for any reason, when I check in the logs generated by ProcessWire, it only indicates This request was aborted because it appears to be forged. (in /wire/core/SessionCSRF.php line 190).
      I have allowed CloudFront to forward all headers, cookies and allow all methods (GET, POST, PUT).
      When I perform the same process from the ip server if it works or from the balancer.
    • By flydev
      OAuth2Login for ProcessWire
      A Module which give you ability to login an existing user using your favorite thrid-party OAuth2 provider (i.e. Facebook, GitHub, Google, LinkedIn, etc.)..
      You can login from the backend to the backend directly or render a form on the frontend and redirect the user to a choosen page.
      Built on top of ThePhpLeague OAuth2-Client lib.
      Registration is not handled by this module but planned.
       
      Howto Install
      Install the module following this procedure:
       - http://modules.processwire.com/modules/oauth2-login/
       - https://github.com/flydev-fr/OAuth2Login
      Next step, in order to use a provider, you need to use Composer to install each provider
      ie: to install Google, open a terminal, go to your root directory of pw and type the following command-line: composer require league/oauth2-google
      Tested providers/packages :
          Google :  league/oauth2-google     Facebook: league/oauth2-facebook     Github: league/oauth2-github     LinkedIn: league/oauth2-linkedin
      More third-party providers are available there. You should be able to add a provider by simply adding it to the JSON config file.

      Howto Use It
      First (and for testing purpose), you should create a new user in ProcessWire that reflect your real OAuth2 account information. The important informations are, Last Name, First Name and Email. The module will compare existing users by firstname, lastname and email; If the user match the informations, then he is logged in.
      ie, if my Google fullname is John Wick, then in ProcessWire, I create a new user  Wick-John  with email  johnwick@mydomain.com
      Next step, go to your favorite provider and create an app in order to get the ClientId and ClientSecret keys. Ask on the forum if you have difficulties getting there.
      Once you got the keys for a provider, just paste it into the module settings and save it. One or more button should appear bellow the standard login form.
      The final step is to make your JSON configuration file.
      In this sample, the JSON config include all tested providers, you can of course edit it to suit your needs :
      { "providers": { "google": { "className": "Google", "packageName": "league/oauth2-google", "helpUrl": "https://console.developers.google.com/apis/credentials" }, "facebook": { "className": "Facebook", "packageName": "league/oauth2-facebook", "helpUrl": "https://developers.facebook.com/apps/", "options": { "graphApiVersion": "v2.10", "scope": "email" } }, "github": { "className": "Github", "packageName": "league/oauth2-github", "helpUrl": "https://github.com/settings/developers", "options": { "scope": "user:email" } }, "linkedin": { "className": "LinkedIn", "packageName": "league/oauth2-linkedin", "helpUrl": "https://www.linkedin.com/secure/developer" } } }  
      Backend Usage
      In ready.php, call the module :
      if($page->template == 'admin') { $oauth2mod = $modules->get('Oauth2Login'); if($oauth2mod) $oauth2mod->hookBackend(); }  
      Frontend Usage
      Small note: At this moment the render method is pretty simple. It output a InputfieldForm with InputfieldSubmit(s) into wrapped in a ul:li tag. Feedbacks and ideas welcome!
      For the following example, I created a page login and a template login which contain the following code :
      <?php namespace ProcessWire; if(!$user->isLoggedin()) { $options = array( 'buttonClass' => 'my_button_class', 'buttonValue' => 'Login with {provider}', // {{provider}} keyword 'prependMarkup' => '<div class="wrapper">', 'appendMarkup' => '</div>' ); $redirectUri = str_lreplace('//', '/', $config->urls->httpRoot . $page->url); $content = $modules->get('Oauth2Login')->config( array( 'redirect_uri' => $redirectUri, 'success_uri' => $page->url ) )->render($options); }
      The custom function lstr_replace() :
      /* * replace the last occurence of $search by $replace in $subject */ function str_lreplace($search, $replace, $subject) { return preg_replace('~(.*)' . preg_quote($search, '~') . '~', '$1' . $replace, $subject, 1); }  
      Screenshot
       



    • By dragan
      If I have two PW sites that sit in separate folders, I can't be logged-in in both sites.
      e.g.
      site.com/project-a/pw-admin-slug/
      site.com/project-b/pw-admin-slug/
      If I login to project-a, then also login to project-b, get back to the first site, I have to login again.
      Is the cookie / session mechanism storing my domain? If it does, and it's meant to be some sort of security enhancement, it should not check my domain, but root-URL of the PW-installation. (strangely, this doesn't happen on localhost)
      Is it possible to prevent that behavior? Often I have two sites open (e.g. check to see if I have the same CKEditor setup and quickly copy and paste it, or copy a user-role)