weixin_39913105
2021-01-01 00:02

Invalid token session. Please login again.

Hi,

Basically it's a small issue, but it is there. After you login to admin panel, you can't go back (hit browser's "go back" button) to "forgotten password" or "login" screen without seeing "Invalid token session. Please login again.". It is quite obvious - you're logged in, so Opencart redirects you to your admin home screen, but then it can't find token within your url, so you see login screen with error, not home page. You can't even click on "forgotten password" link on login screen because it will redirect you to homepage which doesn't work.

Steps to recreate:

1. Go to admin login screen, login as normal.
2. Go through couple of pages in admin panel.
3. Click on your browser's "go back" button and select directly login screen.
4. Opencart will see that you're logged in, so will redirect to home page.
5. Homepage won't find token within your url, so it will show you login screen.
6. Url actually says admin/index.php?route=common/home (home page)
7. You see error and login screen instead of home page.

My fix currently is to logout user when token is not found, so in admin/controller/common/header after line 135 I put:

```php
// end the login and drop the session token when no valid token was found
$this->user->logout();
unset($this->session->data['token']);
```

I'm not sure if it will affect anything else, but that's my quick idea.

Thanks!

This question originates from the open-source project: opencart-ce/opencart-ce


16 replies

  • weixin_39789979 (4 months ago)

    In hindsight it's probably a good idea to remove the forgotten password redirect completely since it would suffer from the same issue.

  • weixin_39913105 (4 months ago)

    Yeah, you are right. Sorry, at first I thought about it as a bug, now it's a feature. I think it's better to go back to old behaviour.

  • weixin_39913105 (4 months ago)

    I'm going back to the idea from my first post above - edit common/header to logout. To me it looks like the best solution - safe and still allowing user to login back again or go to forgotten password form.

  • weixin_39789979 (4 months ago)

    The redirect loop was a bug, it just happened to be useful for security.

    The token error itself is an important diagnostic tool telling the user there's a mismatch between the session and request token. Having it fail silently would have all kinds of negative implications from development to security.

  • weixin_39976733 (4 months ago)

    unsubscribe

    On 13 June 2014 00:06, rph notifications.com wrote:

    The redirect loop was a bug, it just happened to be useful for security.

    The token error itself is an important diagnostic tool telling the user there's a mismatch between the session and URL token. Having it fail silently would have all kinds of implications from development to security.

    Reply to this email directly or view it on GitHub https://github.com/opencart-ce/opencart-ce/issues/67#issuecomment-45948054 .

  • weixin_39957271 (4 months ago)

    Folks, sorry if this isn't the best place to ask the question. I'm ready to migrate my online store to Opencart. I'm only missing one thing: I need a fix here. I can't access my admin area on a demo site "http://www.tecnowcell.com/admin/index.php?route=common/dashboard&token=JaYpM5KN9BbJy9Ue7oj7I93xh3QR0EhA" Also see what happens when clicking on any product http://www.tecnowcell.com/

  • weixin_39729837 (4 months ago)

    Wrong place for this try the OpenCart forums. http://forum.opencart.com/

  • weixin_39637049 (4 months ago)

    Some light needed here too, as you can spend nights reading the help forum and if you are lucky ... you will maybe see something interesting in the answer ... Since I have installed (not sure but it seems) a new module allowing me to load several photos for an item (up to 10), I published 4 items then got back to regular item posting. I posted 2 items then started to have a message - while going to add the default photo (data) - I got the message Invalid Token blah blah login again and lost the item post ...

    Got to the Opencart forum and saw - after a lot of reading - someone saying to find a code and put a # before WHERE in the username .... I did, then got back to posting when I found out that Category autocomplete was dead as well as the Downloads ... so ... stuck again OC V 2.1.0.1 ... www.kolectorama.com ... really need help on this one. Thank you

  • weixin_39729837 (4 months ago)

    This is a bug tracker for OpenCart Community Edition which doesn't even cover OpenCart version 2. If you are getting no help on the forums, try contacting the developer of the new module you have added. Or one of the companies offering support. http://www.opencart.com/index.php?route=support/support Or OpenCart directly. http://www.opencart.com/index.php?route=support/contact

  • weixin_39729837 (4 months ago)

    I'm having trouble recreating this. Is this on the latest master branch of CE, the RC1 release or another version of OpenCart?

    Line 135 of admin/controller/common/header.php is https://github.com/opencart-ce/opencart-ce/blob/master/upload/admin/controller/common/header.php#L135, which doesn't seem to tie up with your change.

  • weixin_39913105 (4 months ago)

    Sorry, my fault, I forgot that I formatted my code, so the line number is different. Actually I put my code in line 107 https://github.com/opencart-ce/opencart-ce/blob/master/upload/admin/controller/common/header.php#L107

    It is on the latest master branch. A few minutes ago I downloaded the zip file from github, unpacked it, installed, entered admin panel, clicked on a few links and went back to the login screen without logging out. The issue is still the same. BTW if it helps, I'm on Mac OSX Mavericks and tested it on Firefox 30 and Chrome 35.0.1916.153

  • weixin_39729837 (4 months ago)

    I've given it another try and now see what you mean. Could not get the forgotten password screen to show, which would be a problem.

  • weixin_39789979 (4 months ago)

    It affects OpenCart too. I believe the cause is at https://github.com/opencart-ce/opencart-ce/blob/master/upload/admin/controller/common/forgotten.php#L6-L8 . I think it can be addressed by changing the code to:

    ```php
    if ($this->user->isLogged() && isset($this->session->data['token'])) {
        $this->redirect($this->url->link('common/home', 'token=' . $this->session->data['token'], 'SSL'));
    }
    ```
  • weixin_39729837 (4 months ago)

    It's clear the following lines are wrong. If logged in, why redirect to a page that will cause an error (due to the missing token on the URL)?

    https://github.com/opencart-ce/opencart-ce/blob/master/upload/admin/controller/common/forgotten.php#L7

    https://github.com/opencart-ce/opencart-ce/blob/master/upload/admin/controller/common/reset.php#L7

  • weixin_39913105 (4 months ago)

    We're nearly there I think, forgotten password screen is now fine, but what about login screen? I'm logged in, I go back to login screen in my browser and I see nasty message and the login form. I would also change line https://github.com/opencart-ce/opencart-ce/blob/master/upload/admin/controller/common/login.php#L35 or just add before it:

    ```php
    if ($this->user->isLogged()) {
        $this->redirect($this->url->link('common/home', 'token=' . $this->session->data['token'], 'SSL'));
    }
    ```

    then I hit "go back" and instead of login screen I'm back to dashboard.

  • weixin_39789979 (4 months ago)

    If a user didn't explicitly log out, anyone using the computer during the session life would automatically gain admin access.

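The redirects argued over in this thread, as an added example that is not OpenCart's own code: a small stand-alone PHP model of the admin token check, the original forgotten.php redirect (no token on the URL) beside the fixed one, and the logout fallback from the first post. The names Session, Response, requireToken, forgottenOriginal, forgottenFixed, follow and logoutOnBadToken are assumed for illustration; the sample session token is constructed at runtime.

```php
<?php
// Added example, not OpenCart code: a self-contained model of the admin
// token check and of the two forgotten.php redirects discussed in the issue.
// Class and function names here are assumptions for illustration only.
declare(strict_types=1);

final class Session
{
    /** @var array<string,mixed> */
    public $data = [];
}

final class Response
{
    public $kind;   // 'page' | 'redirect' | 'login'
    public $detail; // page name, query string, or error message

    public function __construct(string $kind, string $detail)
    {
        $this->kind = $kind;
        $this->detail = $detail;
    }
}

// What an admin controller does before rendering: the token in the URL must
// exist and match the one in the session, otherwise the login screen is
// shown with the error the reporter sees.
function requireToken(Session $s, array $get): ?Response
{
    if (!isset($s->data['token'], $get['token'])
        || !hash_equals((string) $s->data['token'], (string) $get['token'])) {
        return new Response('login', 'Invalid token session. Please login again.');
    }
    return null;
}

// Behaviour the thread describes for forgotten.php: a logged-in user is sent
// to common/home without the token on the URL, so the home controller fails.
function forgottenOriginal(bool $logged, Session $s): Response
{
    if ($logged) {
        return new Response('redirect', 'route=common/home');
    }
    return new Response('page', 'forgotten');
}

// The fix proposed in the thread: redirect only when a session token exists,
// and carry that token in the URL so the home controller's check passes.
function forgottenFixed(bool $logged, Session $s): Response
{
    if ($logged && isset($s->data['token'])) {
        return new Response('redirect', 'route=common/home&token=' . $s->data['token']);
    }
    return new Response('page', 'forgotten');
}

// Follow a redirect the way the browser would: parse the query string and
// run the home controller's token check on it.
function follow(Response $r, Session $s): Response
{
    if ($r->kind !== 'redirect') {
        return $r;
    }
    parse_str($r->detail, $get);
    $err = requireToken($s, $get);
    return $err ?? new Response('page', 'home');
}

// The fallback from the first post: when no valid token arrives, end the
// login and drop the session token so the login form works again.
function logoutOnBadToken(Session $s, bool &$logged): void
{
    $logged = false;
    unset($s->data['token']);
}

$s = new Session();
$s->data['token'] = bin2hex(random_bytes(16)); // constructed sample token
$logged = true;

$before = follow(forgottenOriginal($logged, $s), $s);
$after  = follow(forgottenFixed($logged, $s), $s);
printf("original forgotten.php: %s (%s)\n", $before->kind, $before->detail);
printf("fixed forgotten.php:    %s (%s)\n", $after->kind, $after->detail);

// Same mismatch with the reporter's fallback applied: the user is logged
// out, so the next visit to the login screen shows the plain form.
if ($before->kind === 'login') {
    logoutOnBadToken($s, $logged);
}
printf("after fallback: logged=%s, session token set=%s\n",
    $logged ? 'yes' : 'no', isset($s->data['token']) ? 'yes' : 'no');
```

Run it with `php` from the command line. The model only shows why the token-less redirect lands on the error screen and why carrying the session token fixes that; it takes no side on the login.php suggestion, where a redirect guarded by `isLogged()` alone sends whoever holds the browser session straight to the dashboard, which is the objection raised in the last reply.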
