
Token Verification Failed

Started by FrizzleFried, March 05, 2022, 09:46:56 AM


FrizzleFried

I installed the UIS theme here.

After installation I attempted to add my site logo to it.

When I went to save I got an error:

TOKEN VERIFICATION FAILED.

I logged out,  then attempted to log in.

I am now getting TOKEN VERIFICATION FAILED errors whenever I attempt to log in.

What happened and how do I fix that?

FrizzleFried

Welp, never mind. I was able to log in with Firefox without issue. I then removed the UIS theme... then I logged in with Chrome and all was well again. I am not 100% sure it was the UIS theme, it just happened right after I installed it.


davo88

Anyone know what causes this "Token verification failed" error?
It happens quite a bit on my 2.1.1 test forums, even ones without any theme changes or mods.

Just tried it here on the SMF site. I have been logged in "Forever" for weeks. So I logged out and attempted to log in again for "1 Hour" and bingo, it happened.

[attachment not available]

But I haven't found a sequence of steps that will consistently reproduce it. However, logging out with one user name and logging in again using a different user name does seem to trigger it more often than using a single user name.

Sometimes, it will just keep happening over and over again. The only way to get around it, is to navigate to another page and log in from there. That fix seems to work consistently.

Browser is Firefox 99.0.1

Arantor

So for many actions in 2.1, a one-time code is generated before you press the button and checked after. If you then end up doing something to cause that code to be regenerated, there is a mismatch between the one-time code your page has and the code the server expects to receive.

Additionally if you leave a tab open for more than 20 minutes without a refresh, good chance you'll get it.

These tokens aren't used everywhere, but throughout admin for sure, and on sensitive things like login.
Holder of controversial views, all of which my own.


davo88

Thanks for the info Arantor. Some questions...
1. What is the purpose of generating this one time code when logging in?

Quote from: Arantor
... a one-time code is generated before you press the button and checked after
2. So in the case of logging in, is the one time code generated when the Log-in button at the top of the screen is pressed, then checked when the Log-in button in the popup window is pressed?

Quote from: Arantor
Additionally if you leave a tab open for more than 20 minutes without a refresh, good chance you'll get it.
With the error message generated here and shown above, I simply logged out and attempted to log back in again. No delay, no changes.
3. Why does it happen in this situation?

Arantor

"Security." The token can't be forged or reused - either you have it or you don't. Means that someone can't apply certain kinds of attacks against you while logging in. Personally I wouldn't be regenerating the tokens every fresh page load but that's just me.

In the case of login, it's literally the same thing - both the main login page and the login pop up are actually the same piece of code and the token is generated just before the form is spat out.

In the case of logging out and immediately trying to log back in, I'd speculate without looking that there's a one page delay involved. Logging out forces a brand new session on the user but without a refresh your browser can still have cookies for the previous session. So when you generate the token, I think it's getting logged against the wrong session.

Disclaimer: I haven't investigated. This would also be seriously annoying to actually debug.

Also note that any old themes that haven't been properly updated will definitely give you troubles.
Holder of controversial views, all of which my own.


davo88

When attempting to post my message above, this error message occurred.

[attachment not available]

So I try "to re-submit...". Message repeats. So I copy the text of the message, open a new browser tab with the topic, click Reply (to Arantor) and paste the message into the window. This time it posts.


Quote from: Arantor
This would also be seriously annoying to actually debug.

Imagine what it will do to all the users of SMF forums.

davo88

Finally, I get yet another error message after inserting the attachment in the above post.
[attachment not available]
The trouble with all these error messages (apart from the fact that they occur in the first place) is that they don't tell the average user what to do to fix it. They are written for the coders, not the users.

Arantor

Now you're conflating two different things, thinking they're the same thing.

SMF has always had some anti-spoofing measures where a value held in session is compared to what is sent when making a post. If you keep a tab open for 20+ minutes without refreshing, this value may change, but as you see you can just resubmit (without even opening a new tab) because by that time it will have caught up. The session protection is also not per-page but a single value across everything.

If the SMF team weren't so stubborn about using the features their platform had, and turned auto saving drafts on, this would solve 95% of the problem by refreshing for you in the background every 30 seconds after typing something. (If you leave it for 20+ minutes and don't interact on any tab, though, that's a different story.)

I don't disagree about the error messages, except that they don't even tell the coders what's wrong, other than "I didn't get the thing I expected".
Holder of controversial views, all of which my own.


davo88

Quote from: Arantor
Now you're conflating two different things, thinking they're the same thing.
No, I didn't mean to imply that the two issues were related. I just posted that because the combined experience of all these error messages is pretty deflating (to put it politely) for my enthusiasm about upgrading to 2.1.
I couldn't unleash all this on my forum members. I would have to call in the riot squad to quell their reaction.

But thanks very much for explaining these things Arantor, it does help us admins begin to understand a tiny bit of what is going on.

davo88

Quote from: Arantor
...but as you see you can just resubmit (without even opening a new tab...
No, it wouldn't work with a re-submission (tried several times). Only when pasted in a new Reply window in a new tab.

Steve

@FrizzleFried, are you satisfied with the explanations Arantor gave and can we close this out?

I was wondering about the occasional Token Verification Failed errors I was getting but now I understand why.
My pet rock is not feeling well. I think it's stoned.

Arantor

Quote from: davo88 on May 05, 2022, 05:05:11 AM
Quote from: Arantor
...but as you see you can just resubmit (without even opening a new tab...
No, it wouldn't work with a re-submission (tried several times). Only when pasted in a new Reply window in a new tab.

Weird, that always worked for me, going back 1.1 RC2 as my first use of SMF.


I do think the token setup should be less aggressive though. One time tokens rather than, say, 10 minute tokens, would achieve most of the effective protection without being as user hostile.
Holder of controversial views, all of which my own.


davo88

Quote from: Steve
@FrizzleFried, are you satisfied with the explanations Arantor gave and can we close this out?
This subject of error messages isn't something that should be "closed out" in a hurry.
If SMF is serious about wanting to improve the end-user experience, we should be asking how can we make things better?

Technical explanations are fine for admins and technical people, but for the average forum user, encountering three hard-to-understand errors, in the one day, would cause them to just give up and go elsewhere.

End users can handle an occasional error message and frustrating experience. But a barrage of meaningless messages, offering no solid advice on what to do, just makes people plain angry. Remember, these "errors" aren't just happening on my own 2.1 forums, they are happening right here in SMF's own backyard... frequently.

That means they are also likely to be happening in many other 2.1 forums. I don't know how widely SMF is used, but maybe a few hundred thousand end users are going to have a frustrating time using 2.1. Admins will tire of continually having to support and placate their members. They will then start looking to transition to other forum software. This doesn't bode well for the long term success of SMF.

Don't we want to fix this situation?

Arantor

I don't want to be funny, but this is an argument that has been had countless times, and one I have *lost* more than once.

Until fairly recently (last couple of years?) it used to be adequate to document it in the wiki and that was enough. If it was documented, it was solved, never mind the end-user reaction. I won't fault Sesq and co, though, because they're really trying to fix some of these things, but I don't know how strong the battle of 'usability vs security' needs to be fought.

The session timeout issue you mention is longstanding, there is a mitigation in the code that has never worked properly for it, and the actual solution is to have the software call home more often to renew the current session. There are any number of valid reasons you'd want to do this, and the general solution of getting a message bus going is one that has half-heartedly been attempted but really should be reviewed again.

The token verification issue is a much more complex challenge, and I remember arguing at the time that it was too aggressive but the resounding view was 'but security' so I didn't argue it any further. That was in 2013 or so... Then again, were it up to me, I'd divorce admin away from the rest of the site, theme and all, and this would immediately improve the security situation, plus I'd cycle tokens on a 5-10 minute cycle rather than forcibly regenerating on request; for me the security tradeoff would be worth the usability.
Holder of controversial views, all of which my own.


Steve

Quote from: davo88 on May 05, 2022, 03:21:07 PM
Quote from: Steve
@FrizzleFried, are you satisfied with the explanations Arantor gave and can we close this out?
This subject of error messages isn't something that should be "closed out" in a hurry.
That was not the intention of my question. I was going to split out your posts and Arantor's answers into a separate topic but the conversation has evolved to include everything so far so splitting doesn't make sense now.

I do have a reason for asking these things.  :P
My pet rock is not feeling well. I think it's stoned.

shawnb61

When I get the token errors, it's usually because I am using multiple tabs, & doing similar/identical things across those multiple tabs, esp. acp functions.  Sticking to one tab gets rid of those - or at least doing completely different things on each.

The other source I've seen is that - under some circumstances - your browser can generate 2 clicks.  Like if you whack that mouse button or enter key quite hard... 

The generated token isn't valid for the 2nd click... If you try a bunch of times, you'll see this happen. (I discovered this testing this fix: https://github.com/SimpleMachines/SMF2.1/pull/6571)

Not sure there is a real global fix for this, but if it's a common problem for you, I'd consider trying different browsers/keyboards/mice.
A question worth asking is born in experience & driven by necessity. - Fripp
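The mechanics discussed in this thread, as an added example that is not part of any post above and not SMF's own code: a small Python model of a per-action form token that is either regenerated on every render (the one-time behaviour Arantor describes) or reused for a fixed window (the 5-10 minute cycle he says he would prefer), next to the single session-wide anti-spoof value he contrasts it with. The scenario functions reproduce the failures reported in the thread: the same form open in two tabs, shawnb61's double click, a tab left for more than 20 minutes, a page rendered before logout, and a forged value. The 20-minute expiry, the action names and all function names are assumptions made for the example, not SMF internals.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumed from the thread: a token left unused for more than 20 minutes is no longer accepted.
TOKEN_MAX_AGE = 20 * 60


class Session:
    """Server-side state for one browser session (constructed model, not SMF's code)."""

    def __init__(self) -> None:
        self.tokens: Dict[str, Tuple[str, float]] = {}   # action -> (token, time issued)
        self.session_check = secrets.token_hex(16)        # one anti-spoof value for every page


def issue_token(session: Session, action: str, now: float,
                reuse_window: Optional[float] = None) -> str:
    """Token to embed in a form for `action` while rendering it.

    reuse_window=None: one-time mode, every render mints a fresh token and discards the old one.
    reuse_window=600:  windowed mode, the same token is handed out for ten minutes.
    """
    current = session.tokens.get(action)
    if reuse_window is not None and current is not None:
        token, issued = current
        if now - issued < reuse_window:
            return token
    token = secrets.token_hex(16)
    session.tokens[action] = (token, now)
    return token


def check_token(session: Session, action: str, presented: str, now: float,
                reuse_window: Optional[float] = None) -> bool:
    """Verify the token a submitted form carries; use the same mode as issue_token."""
    current = session.tokens.get(action)
    if current is None:
        return False                    # never issued, or already consumed
    token, issued = current
    if now - issued > TOKEN_MAX_AGE:
        del session.tokens[action]      # stale tab: token expired
        return False
    if not hmac.compare_digest(token, presented):
        return False                    # forged, or from an older render of the form
    if reuse_window is None:
        del session.tokens[action]      # one-time: consumed, so a second click fails
    return True


def check_session(session: Session, presented: str) -> bool:
    """The coarser session-wide check: one value for every page, not per action."""
    return hmac.compare_digest(session.session_check, presented)


def logout(session: Session) -> Session:
    """Logging out starts a brand-new session; pages rendered earlier still carry the old value."""
    return Session()


def two_tabs(reuse_window: Optional[float]) -> Tuple[bool, bool]:
    """Same admin form rendered in tab A, then tab B; each tab submits."""
    s = Session()
    tab_a = issue_token(s, "admin_theme", 0.0, reuse_window)
    tab_b = issue_token(s, "admin_theme", 5.0, reuse_window)
    return (check_token(s, "admin_theme", tab_a, 10.0, reuse_window),
            check_token(s, "admin_theme", tab_b, 11.0, reuse_window))


def double_click(reuse_window: Optional[float]) -> Tuple[bool, bool]:
    """One rendered login form submitted twice in quick succession."""
    s = Session()
    t = issue_token(s, "login", 0.0, reuse_window)
    return (check_token(s, "login", t, 1.0, reuse_window),
            check_token(s, "login", t, 1.2, reuse_window))


def stale_tab(reuse_window: Optional[float]) -> bool:
    """Form left open for 25 minutes, then submitted."""
    s = Session()
    t = issue_token(s, "post", 0.0, reuse_window)
    return check_token(s, "post", t, 25 * 60.0, reuse_window)


def forged_token() -> bool:
    """A submit carrying a value that was never issued, which is all a cross-site page can send."""
    s = Session()
    issue_token(s, "admin_theme", 0.0)
    return check_token(s, "admin_theme", "00" * 16, 1.0)


def page_from_before_logout() -> Tuple[bool, bool]:
    """Session-wide value: a freshly rendered page passes, one rendered before logout fails."""
    s = Session()
    stale_value = s.session_check
    s = logout(s)
    return check_session(s, s.session_check), check_session(s, stale_value)
```

In one-time mode `two_tabs` returns `(False, True)` and `double_click` returns `(True, False)`: the older render and the second click each lose. With a ten-minute window both return `(True, True)`, while `forged_token` still returns `False` in either mode, because a cross-site page never learns the value, and `stale_tab` still fails on expiry. What the window gives up is replay protection inside the window: a token that leaks once stays usable until it rotates, which is the trade-off Arantor refers to. Both comparisons go through `hmac.compare_digest` so that a wrong value is rejected in constant time.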

davo88

shawnb61... thank you for passing on your experience. I am testing your ideas and will report back. This may take a while.

davo88

Quote from: shawnb61
When I get the token errors, it's usually because I am using multiple tabs, & doing similar/identical things across those multiple tabs, esp. acp functions. Sticking to one tab gets rid of those - or at least doing completely different things on each.

I have been testing shawnb61's observations, especially the one about having multiple tabs open, while logging in to this SMF site. Yesterday I couldn't trigger a 'Token Verification Failed' error, no matter how many tabs were open. I also tried double clicking and really hammered it, but still no errors.

Today, (PC was rebooted earlier today), no other SMF tabs open, tried to login for 1 Day, the error message appears on the first attempt.

[attachment not available]

[attachment not available]

So I closed the Firefox browser window, opened a new one, tried again -> same result.
On the third try, it logged in successfully. So I logged out and attempted to log back in again. The error appeared again. Note I am being very careful not to double click today.

[attachment not available]

When it does manage to log in successfully, I notice there is a significant lag after clicking the LOG IN button. I notice the same lag happens on my own 2.1 test sites.

I imagine most users of this site choose the 'Forever' option when logging in. I usually do and am only choosing a shorter period for the purpose of this testing. So the error may not be happening for many people.

davo88

So this is interesting. I have just posted the above message and have three SMF tabs open. I go back to the first tab which was displaying Unread Posts, and get the 'Session verification failed' error message. This was a similar pattern to what happened during my first few posts above.

[attachment not available]
