@Findus23 opened this Issue on March 12th 2019 Member

#12208 improved the security of Matomo sessions, but it also seems to have caused some (broken) environments that formerly worked to fail with the Form security failed error.

At the moment the error mentions four suggestions:

  • Please reload the form
  • and check that your cookies are enabled.
  • If you use a proxy server, you must configure Matomo to accept the proxy header that forwards the Host header.
  • Also, check that your Referrer header is sent correctly.

But there seem to be more reasons that can cause this bug:

https://forum.matomo.org/t/cant-login-after-fresh-and-successfull-install-behind-proxy-3-8-1/32006
(reverse proxy blocked the cookie header)
https://forum.matomo.org/t/cannot-login-after-3-7-to-3-8-1-update/31969?u=lukas

I do have a reverse proxy (haproxy) as well as a cache layer (varnish) before apache 2.4, with remoteip module enabled.

https://forum.matomo.org/t/update-to-3-8-0-problems/31336/10?u=lukas

https://forum.matomo.org/t/2-problems-with-matomo/31434/9?u=lukas

Unfortunately it is hard to know what exactly is causing the issue in the latter cases, so maybe just a FAQ that lists common reason could already help.

@mattab commented on July 9th 2019 Member

@Findus23 a new FAQ sounds good :+1: Could you maybe suggest a question and answer text for this?

(then we could maybe add a brief link to this new faq in the error message).

@mattab commented on November 24th 2020 Member

This improvement will be great. we get this report a few times per month.

@Starker3 commented on November 25th 2020

This error can occur when you were previously logged into Matomo over HTTPS and are now logging in over HTTP.

This is due to the fact the Matomo sets the "secure" cookie flag when you login over HTTPS which causes form security to fail when you go back to HTTP.
When this happens you will see the following in the browser console: warning: Cookie "MATOMO_SESSID" has been rejected because there is an existing "secure" cookie.
This can be avoided in the future by ensuring the force_ssl is set to 1 in your /config/config.ini.php file or by installing the Force SSL plugin

We can create a new FAQ with the above reasons, as well as any other reasons so that users can click on the link to find solutions rather than needing to search for the error message.
It also will make it easier to keep updated so when we discover new reasons for this error it can be updated without requiring an update.

@darnellkeithj commented on December 1st 2020

It's really annoying that there are no answers to this. My site has always had ssl from the beginning and this is my fourth time installing matomo because of this issue. I've even connected it to cloudflare to make sure https is working and included the ; Uncomment line below if you use CloudFlare
proxy_client_headers[] = HTTP_CF_CONNECTING_IP
in the config and it still doesn't fix it. Console shows 403 error with no additional information.

Powered by GitHub Issue Mirror