@Fonata opened this Issue on September 25th 2016

The full message is Error in Piwik: Action 'lostPassword' not found in the module 'Login'.

I am using Apache 2.4 on Windows 2008 R2, but could not find any entry in the access log that matches the time of the PHP error_log entry. Maybe it was a CLI process? While we do have scheduled cron.php runs, but the time doesn't match the log entries either.

I'm puzzled on how to debug this one.

@mattab commented on September 26th 2016 Member

Which Piwik version are you using? can you grep your access log | grep Login | grep lostPassword?

@Fonata commented on September 27th 2016

I am using Piwik 2.16.2.

Here come the results of cat access.log | grep Login | grep lostPassword:

66.249.76.44 - - [16/Jul/2016:13:57:29 +0200] "GET /piwik/index.php?module=Login&action=lostPassword HTTP/1.1" 200 1748
66.249.78.28 - - [19/Jul/2016:05:01:54 +0200] "GET /piwik/index.php?module=Login&action=lostPassword HTTP/1.1" 200 1748
66.249.78.14 - - [21/Jul/2016:18:07:53 +0200] "GET /piwik/index.php?module=Login&action=lostPassword HTTP/1.1" 200 1748
66.249.79.173 - - [03/Aug/2016:23:51:51 +0200] "GET /piwik/index.php?module=Login&action=lostPassword HTTP/1.1" 200 1748
66.249.78.28 - - [07/Aug/2016:17:17:26 +0200] "GET /piwik/index.php?module=Login&action=lostPassword HTTP/1.1" 200 1733
66.249.76.50 - - [16/Aug/2016:10:54:28 +0200] "GET /piwik/index.php?module=Login&action=lostPassword HTTP/1.1" 200 1733
66.249.79.96 - - [08/Sep/2016:13:49:32 +0200] "GET /piwik/index.php?module=Login&action=lostPassword HTTP/1.1" 200 1733
66.249.79.88 - - [08/Sep/2016:13:49:33 +0200] "GET /piwik/index.php?module=Login&action=lostPassword HTTP/1.1" 200 1733
66.249.76.88 - - [11/Sep/2016:08:15:14 +0200] "GET /piwik/index.php?module=Login&action=lostPassword HTTP/1.1" 200 1733
66.249.76.88 - - [11/Sep/2016:08:15:15 +0200] "GET /piwik/index.php?module=Login&action=lostPassword HTTP/1.1" 200 1733
66.249.76.84 - - [25/Sep/2016:05:00:16 +0200] "GET /piwik/index.php?module=Login&action=lostPassword HTTP/1.1" 200 1733

I have looked up these IPs: they are the beloved Googlebot. It turns out that the PHP error_log is 2 hours behind the Apache access.log - so mystery solved, where the entry comes from: a regular HTTP request.

Which way do you suggest to get rid of the occasional entry in the error log? Block them in the Apache conf?

@mattab commented on September 27th 2016 Member

Still it is to me a mistery that Piwik would write to your error log Error in Piwik: Action 'lostPassword' not found in the module 'Login' - do you understand why this occurs?

@Fonata commented on October 1st 2016

I believe Google added this URL to its index back when it was returned by a previous version of Piwik. Piwik did use this URL, at least in 2012.

This previously-valid URL now shows this output on our server:
image

Currently, the page returns HTTP status 200 (OK). I suggest that error pages like this should return a different HTTP header by adding a call to http_response_code(404) somewhere in Piwik_GetErrorMessagePage, as this would hopefully tell Google to drop this URL from its index. In the Pull Request, I took a more dramatic approach and added it to the HTTP\ControllerResolver.php file - which might produce unexpected side effects.

@Fonata commented on January 27th 2018

Requests such as the following are still coming in (from Apache's access.log):

66.249.69.46 - - [27/Jan/2018:03:52:03 +0100] "GET /piwik/index.php?module=Login&action=lostPassword HTTP/1.1" 200 1660

I can confirm that with Matomo 3.3.0, this request still created an entry in the PHP error_log. While this is fine, I see the issue with Google not understanding that the page doesn't need to be crawled, because of the status code of 200.
A potentially less risky solution is to add this tag to the output of the error page:

<meta name="robots" content="noindex, nofollow, noarchive">

@Findus23 commented on January 27th 2018 Member

@Fonata
I guess the easiest way to stop Google and others to try and access this website is adding it to the robots.txt

@Fonata commented on January 27th 2018

@Findus23 Thanks, I just did that. I should have done that years ago.

Powered by GitHub Issue Mirror