
Token Verification Failed

Started by FrizzleFried, March 05, 2022, 09:46:56 AM


davo88

5-6 hours later... still getting 'Token Verification Failed' errors when I try to log in.

Quote from: davo88
When it does manage to log in successfully, I notice there is a significant lag after clicking the LOG IN button. I notice the same lag happens on my own 2.1 test sites.

That lag mentioned above can be significant - from a couple of seconds to a sort of hang situation which clears if I click outside the log in window somewhere on the main page. All other movement around the SMF site is crisp and fast.

On my own 2.1 test sites, I get the lag on log in, but not on the second log in to the Admin area. That is also crisp and fast.



Steve

Did you do a hard refresh in between each test in your post #18 above?
DO NOT pm me for support!

davo88

Throughout this whole exercise, I have been trying both hard refreshes (Ctrl+F5), soft refreshes (F5 or browser refresh button) and no refresh. Although the sample size of tests is small, I haven't yet noticed a clear difference in what happens in the subsequent login attempt.  

Which type of refresh I did yesterday, I don't recall exactly. (Yesterday was a long time ago :)). But I do remember I have tried hard refreshes on some occasions and being surprised that it didn't fix the problem.

Note also what I wrote yesterday (below). But this may not have been equivalent to a hard refresh.

Quote from: davo88
So I closed the Firefox browser window, opened a new one, tried again -> same result.

Steve

Quote from: davo88 on May 09, 2022, 02:47:30 PM
So I closed the Firefox browser window, opened a new one, tried again -> same result.
Depends on your Firefox settings (Settings -> Privacy & Security). And even then, I've found that Firefox doesn't do the greatest job of deleting the cache.

At any rate, I'm marking this as not solved.

davo88

Just did a test of hard refreshing before each log in attempt. It gave the 'Token Verification Failed' on the first five attempts. Each attempt was preceded by a control + F5 and fully reloaded the page.

On the sixth attempt, it hung on this display.


I then did a soft refresh using the browser refresh button and the log in had been successful. This hanging situation, followed by a successful log in, happens quite frequently.

shawnb61

If you haven't yet tried it - the next thing I'd try is deleting cookies for that site.  FF lets you target cookie deletions like that.
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

davo88

There were 11 cookies for simplemachines.org.

Deleted those then attempted to log in and log out a few times.
First two log ins were successful and at normal speed - no hanging problem.

Next two generated the Token Verification Failed error.


Then final two logged in successfully, but with hanging issue (login window stays visible and main page stays greyed out as shown below) and having to refresh to bring up the main page.


Although the first two logins were smooth and normal, this pattern of successful logins, failed logins and hanging after successful login, is pretty consistent with what was happening before the 11 cookies were deleted.

After doing the above, cookies for simplemachines.org now shows 4 cookies.


shawnb61

I cannot reproduce this at all.  I've tried this site & other SMF sites.  I've tried alternating user IDs (on sites where I have multiple).  I've tried alternating logon durations.  I've tried the exact same thing 10x rapidly in a row...  I've tried multiple rapid OK clicks...  Not one token error.  (I'm on FF 100 64-bit.)


davo88

Quote from: shawnb61
(I'm on FF 100 64-bit.)
Same here.
Also using 1 hour logins every time now.

Would there be anything in either the SMF or server logs that might indicate the type of token failure?
Is it possible to do some of the things that have caused the error for you in the past eg leaving multiple tabs open on various site pages?

shawnb61

Yes, it's trivial to reproduce via a "2nd tab". 

  • Logout
  • Duplicate the tab, so both have the login button
  • On the first tab, click login so the popup window appears (but don't touch anything)
  • On the second tab, click login so the popup window appears (but don't touch anything)
  • Go back to the first tab & logon

davo88

OK, so in that scenario I assume we are generating two tokens and then attempting to login using the earlier one which has now been replaced by the second. So that is understandable.

How about the situation where a forum user has opened a few pages which he/she intends to read again or use in some way.
They leave them open for some period (hours to maybe days), then try to log in again.
This will be a far more usual scenario, particularly for a forum that discusses technical information of some sort. The user may want to copy and paste out the info into their own docs, or save the attachments, or whatever.

What does the authentication system think is going on here?
Does the authentication system feed back any more information other than "... it failed"?
Is it possible to allow for this scenario in the code/error message somehow?

So if the problem is being caused by an identifiable situation at the user's end, the error message can respond with appropriate wording eg "Please close any other tabs you may have open"?


Sesquipedalian

Your example scenario would not normally generate token validation problems, because just looking at content doesn't involve any tokens at all. Tokens are only used when trying to perform specific actions.

Token validation errors are expected if you try to perform one of those actions in multiple tabs at the same time, or if there has been a long period of time between when the token was created and when it was submitted (for example, if the login form sat open for a long time before the submit button was clicked).

In contrast, if the user simply leaves open a tab where they were reading a topic, no tokens are involved with that. Even if the user logs out in some other tab and then logs back in (and even if the user repeats this process any number of times), refreshing the tab that was viewing the topic will not involve any tokens at all. The refreshed page will simply reflect the user's current login state (i.e. logged in or logged out), and that's it.
I promise you nothing.

Sesqu... Sesqui... what?
Sesquipedalian, the best word in the English language.
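
Added example, not part of the thread and not SMF's own code: a simplified Python model of a one-time, time-limited form token, showing why the two-tab reproduction and a login form left open too long both fail validation, and how a server can record which kind of failure occurred. The class and function names, the single token slot per action, consuming the slot on every attempt, and the lifetime value are all assumptions made for illustration.

```python
import hmac
import secrets

TOKEN_TTL = 3 * 60 * 60  # assumed token lifetime in seconds (constructed value)


class Session:
    """Hypothetical server-side session holding one token slot per action."""

    def __init__(self):
        self.tokens = {}  # action -> (token value, issued-at time)

    def create_token(self, action, now):
        """Issue a token when a form is rendered; replaces any earlier one for that action."""
        value = secrets.token_hex(16)
        self.tokens[action] = (value, now)
        return value

    def validate_token(self, action, submitted, now):
        """Return 'ok', 'missing', 'expired' or 'mismatch'; the slot is consumed either way."""
        stored = self.tokens.pop(action, None)
        if stored is None:
            return "missing"
        value, issued = stored
        if now - issued > TOKEN_TTL:
            return "expired"
        if not hmac.compare_digest(value, submitted):
            return "mismatch"
        return "ok"


def two_tab_scenario():
    """Tab 1 opens the login form, tab 2 opens it too, then tab 1 submits."""
    s = Session()
    tab1 = s.create_token("login", now=0)
    s.create_token("login", now=5)  # tab 2's form overwrites tab 1's token
    first = s.validate_token("login", tab1, now=10)
    # Reloading the form issues a fresh token, which then validates.
    retry = s.validate_token("login", s.create_token("login", now=11), now=12)
    return first, retry


def stale_form_scenario():
    """The login form sits open past the token lifetime before submit."""
    s = Session()
    tok = s.create_token("login", now=0)
    return s.validate_token("login", tok, now=TOKEN_TTL + 1)
```

Viewing a topic never calls `create_token` or `validate_token` in this model, which matches the point above that reading pages in other tabs involves no tokens.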

shawnb61

Yep - there should be no issues having multiple tabs open & copying & pasting from them.  I do that all the time.

Web browsers themselves don't lend themselves to multiple-day transactions...   If you want to compose something over multiple days, I'd suggest using 2.1's drafts feature.  Or composing in an external editor & pasting at post time.

If you continue to experience token errors every 3rd transaction, I suspect there is something wrong with your browser environment somehow.  My first suggestion would be to try a new browser.  If that works, and you continue to have issues in FF, you need to figure out what's wrong with your FF environment (disable plugins? reinstall?). 

davo88

OK, thanks. I will look closely at the current FF setup and do some tests with Chrome.

davo88

Have been testing the authentication process using Chrome and FF.
All testing done using 1 hour log in period.

Chrome on same PC
It works every time. Can't recreate the error! It also seems to log in faster than FF. Multiple windows with multiple tabs -> no problems.
Pity I'm not a Google fan  :(

Firefox on same PC
From a fresh start (all FF windows closed), FF will log in successfully somewhere in the region of maybe 5 - 10 times before problems begin.
So I disabled, then removed three extensions - Colorzilla, DuckDuckGo Privacy Essentials, EFF's Privacy Badger. Same results as before.
Uninstalled above extensions - same results
Checked other settings to make sure they were standard - same results.

Firefox on Intel NUC
Same version of FF 100.0 (x64) unmodified.
Again, it works OK for a while, but with a slight delay before logging in. Not as snappy as Chrome.
Then the error situations started again. This time there was another message flashed up very briefly saying something "... in 2 seconds". Hadn't seen that before.

FF definitely has more difficulty making smooth, fast, successful logins. But the error may never occur for someone who starts FF freshly each time and doesn't hammer it. As Sesquipedalian explained above, having additional tabs open shouldn't affect logging in. But it seems far more likely to happen when this is the case.

Now testing FF with logged in "Forever". Going OK so far.
