#12208 improved the security of Matomo sessions, but it also seems to have caused some (broken) environments that formerly worked to fail with the Form security failed
error.
At the moment the error mentions four suggestions:
But there seem to be more reasons that can cause this bug:
https://forum.matomo.org/t/cant-login-after-fresh-and-successfull-install-behind-proxy-3-8-1/32006
(reverse proxy blocked the cookie header)
https://forum.matomo.org/t/cannot-login-after-3-7-to-3-8-1-update/31969?u=lukas
I do have a reverse proxy (haproxy) as well as a cache layer (varnish) before apache 2.4, with remoteip module enabled.
https://forum.matomo.org/t/update-to-3-8-0-problems/31336/10?u=lukas
https://forum.matomo.org/t/2-problems-with-matomo/31434/9?u=lukas
Unfortunately it is hard to know what exactly is causing the issue in the latter cases, so maybe just a FAQ that lists common reason could already help.
@Findus23 a new FAQ sounds good :+1: Could you maybe suggest a question and answer text for this?
(then we could maybe add a brief link to this new faq in the error message).
This improvement will be great. we get this report a few times per month.
This error can occur when you were previously logged into Matomo over HTTPS and are now logging in over HTTP.
This is due to the fact the Matomo sets the "secure" cookie flag when you login over HTTPS which causes form security to fail when you go back to HTTP.
When this happens you will see the following in the browser console: warning: Cookie "MATOMO_SESSID" has been rejected because there is an existing "secure" cookie.
This can be avoided in the future by ensuring the force_ssl is set to 1 in your /config/config.ini.php file or by installing the Force SSL plugin
We can create a new FAQ with the above reasons, as well as any other reasons so that users can click on the link to find solutions rather than needing to search for the error message.
It also will make it easier to keep updated so when we discover new reasons for this error it can be updated without requiring an update.
It's really annoying that there are no answers to this. My site has always had ssl from the beginning and this is my fourth time installing matomo because of this issue. I've even connected it to cloudflare to make sure https is working and included the ; Uncomment line below if you use CloudFlare
proxy_client_headers[] = HTTP_CF_CONNECTING_IP
in the config and it still doesn't fix it. Console shows 403 error with no additional information.
I'm hitting this issue right now with Matomo behind AWS CloudFront.
I've been through all the documentation I can find to resolve the issue.
I am using the docker container version of Matomo on kubernetes (which is working quite well until now).
The installation is working fine bypassing CloudFront.
When I print out headers in a temporary PHP file, I can see various headers
Host: an.my-direct-domain.com
X-Request-ID: b50506826105a509dabd3156d3d91396
X-Real-IP: 64.252.000.000
X-Forwarded-For: 64.252.000.000
X-Forwarded-Host: an.my-direct-domain.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Scheme: https
X-Original-Forwarded-For: 203.54.000.000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36
X-Amz-Cf-Id: 7nymC3OP5LP1J2groOdVwFOSggT5QD9IcLG1Kgy2yOH9AHpRuqqY5A==
Cookie: MATOMO_SESSID=54a2cc444f402cfca4e5077a70e32343
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
CloudFront-Forwarded-Proto: https
Via: 2.0 f74d75c3aecb5117c66f70690295.cloudfront.net (CloudFront)
Accept-Encoding: gzip, deflate, br
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
sec-ch-ua-mobile: ?0
upgrade-insecure-requests: 1
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
Cache-Control: max-age=0
I dont see the console log error about cookies, and I can see a cookie being set (and seen in the above headers)
I've set various config items
[General]
force_ssl = 1
login_allowlist_apply_to_reporting_api_requests = 0
assume_secure_protocol = 1
proxy_uri_header = 1
proxy_client_headers[] = HTTP_X_ORIGINAL_FORWARDED_FOR
proxy_client_headers[] = X-Original-Forwarded-For
proxy_host_headers[] = X-Forwarded-Host
proxy_host_headers[] = HTTP_X_FORWARDED_HOST
salt = "my-salt"
trusted_hosts[] = "ana.my-cloudfront-domain.com"
trusted_hosts[] = "an.my-direct-domain.com"
The temporary php file I use to collect this is the content below in a headers.php in the root of my site. This allows me to see exactly the headers PHP is seeing.
<?php
$headers = getallheaders();
foreach($headers as $key=>$val){
echo $key . ': ' . $val . '<br>';
}
?>
I still can't work out why I still see the Error
"Error: Form security failed. Please reload the form and check that your cookies are enabled. If you use a proxy server, you must configure Matomo to accept the proxy header that forwards the Host header. Also, check that your Referrer header is sent correctly."
Any suggestions? or troubleshooting advice?
I'd be happy to help write some troubleshooting advice if that would help, but I'm out of thoughts on how at the moment.
Some other references
I think this is related to this PR: #18051. Once that PR is ready to go, I can document this in the FAQ.
Draft FAQ document, here 😃
👍 made a few tweaks. Few parts may be bit technical or it won't be clear how to do them but it's better than nothing and otherwise we have to go into heaps of details. From my perspective sounds good to publish for now.
@Findus23 did you want to have a read too?
sounds good @peterhashair feel free to publish and we can tweak afterwards if needed
The FAQ is pretty easily readable. Of course the issue on how to "check your Matomo setup" still remains as there are no real logs about this. But nevertheless this is a good improvement.