@Findus23 opened this Issue on March 12th 2019 Member

#12208 improved the security of Matomo sessions, but it also seems to have caused some (broken) environments that formerly worked to fail with the Form security failed error.

At the moment the error mentions four suggestions:

  • Please reload the form
  • and check that your cookies are enabled.
  • If you use a proxy server, you must configure Matomo to accept the proxy header that forwards the Host header.
  • Also, check that your Referrer header is sent correctly.

But there seem to be more reasons that can cause this bug:

https://forum.matomo.org/t/cant-login-after-fresh-and-successfull-install-behind-proxy-3-8-1/32006
(reverse proxy blocked the cookie header)
https://forum.matomo.org/t/cannot-login-after-3-7-to-3-8-1-update/31969?u=lukas

I do have a reverse proxy (haproxy) as well as a cache layer (varnish) before apache 2.4, with remoteip module enabled.

https://forum.matomo.org/t/update-to-3-8-0-problems/31336/10?u=lukas

https://forum.matomo.org/t/2-problems-with-matomo/31434/9?u=lukas

Unfortunately it is hard to know what exactly is causing the issue in the latter cases, so maybe just a FAQ that lists common reason could already help.

@mattab commented on July 9th 2019 Member

@Findus23 a new FAQ sounds good :+1: Could you maybe suggest a question and answer text for this?

(then we could maybe add a brief link to this new faq in the error message).

@mattab commented on November 24th 2020 Member

This improvement will be great. we get this report a few times per month.

@Starker3 commented on November 25th 2020

This error can occur when you were previously logged into Matomo over HTTPS and are now logging in over HTTP.

This is due to the fact the Matomo sets the "secure" cookie flag when you login over HTTPS which causes form security to fail when you go back to HTTP.
When this happens you will see the following in the browser console: warning: Cookie "MATOMO_SESSID" has been rejected because there is an existing "secure" cookie.
This can be avoided in the future by ensuring the force_ssl is set to 1 in your /config/config.ini.php file or by installing the Force SSL plugin

We can create a new FAQ with the above reasons, as well as any other reasons so that users can click on the link to find solutions rather than needing to search for the error message.
It also will make it easier to keep updated so when we discover new reasons for this error it can be updated without requiring an update.

@darnellkeithj commented on December 1st 2020

It's really annoying that there are no answers to this. My site has always had ssl from the beginning and this is my fourth time installing matomo because of this issue. I've even connected it to cloudflare to make sure https is working and included the ; Uncomment line below if you use CloudFlare
proxy_client_headers[] = HTTP_CF_CONNECTING_IP
in the config and it still doesn't fix it. Console shows 403 error with no additional information.

@tenacioustechie commented on August 3rd 2021

I'm hitting this issue right now with Matomo behind AWS CloudFront.
I've been through all the documentation I can find to resolve the issue.
I am using the docker container version of Matomo on kubernetes (which is working quite well until now).
The installation is working fine bypassing CloudFront.

When I print out headers in a temporary PHP file, I can see various headers

Host: an.my-direct-domain.com
X-Request-ID: b50506826105a509dabd3156d3d91396
X-Real-IP: 64.252.000.000
X-Forwarded-For: 64.252.000.000
X-Forwarded-Host: an.my-direct-domain.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Scheme: https
X-Original-Forwarded-For: 203.54.000.000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36
X-Amz-Cf-Id: 7nymC3OP5LP1J2groOdVwFOSggT5QD9IcLG1Kgy2yOH9AHpRuqqY5A==
Cookie: MATOMO_SESSID=54a2cc444f402cfca4e5077a70e32343
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
CloudFront-Forwarded-Proto: https
Via: 2.0 f74d75c3aecb5117c66f70690295.cloudfront.net (CloudFront)
Accept-Encoding: gzip, deflate, br
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
sec-ch-ua-mobile: ?0
upgrade-insecure-requests: 1
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
Cache-Control: max-age=0

I dont see the console log error about cookies, and I can see a cookie being set (and seen in the above headers)
I've set various config items

[General]
force_ssl = 1
login_allowlist_apply_to_reporting_api_requests = 0
assume_secure_protocol = 1
proxy_uri_header = 1
proxy_client_headers[] = HTTP_X_ORIGINAL_FORWARDED_FOR
proxy_client_headers[] = X-Original-Forwarded-For
proxy_host_headers[] = X-Forwarded-Host
proxy_host_headers[] = HTTP_X_FORWARDED_HOST
salt = "my-salt"
trusted_hosts[] = "ana.my-cloudfront-domain.com"
trusted_hosts[] = "an.my-direct-domain.com"

The temporary php file I use to collect this is the content below in a headers.php in the root of my site. This allows me to see exactly the headers PHP is seeing.

<?php
$headers =  getallheaders();
foreach($headers as $key=>$val){
  echo $key . ': ' . $val . '<br>';
}
?>

I still can't work out why I still see the Error
"Error: Form security failed. Please reload the form and check that your cookies are enabled. If you use a proxy server, you must configure Matomo to accept the proxy header that forwards the Host header. Also, check that your Referrer header is sent correctly."

Any suggestions? or troubleshooting advice?
I'd be happy to help write some troubleshooting advice if that would help, but I'm out of thoughts on how at the moment.

Some other references

@peterhashair commented on October 8th 2021 Contributor

I think this is related to this PR: #18051. Once that PR is ready to go, I can document this in the FAQ.

@peterhashair commented on October 14th 2021 Contributor

Draft FAQ document, here 😃

@tsteur commented on October 14th 2021 Member

👍 made a few tweaks. Few parts may be bit technical or it won't be clear how to do them but it's better than nothing and otherwise we have to go into heaps of details. From my perspective sounds good to publish for now.

@Findus23 did you want to have a read too?

Powered by GitHub Issue Mirror