#12208 improved the security of Matomo sessions, but it also seems to have caused some (broken) environments that formerly worked to fail with the
Form security failed error.
At the moment the error mentions four suggestions:
But there seem to be more reasons that can cause this bug:
(reverse proxy blocked the cookie header)
I do have a reverse proxy (haproxy) as well as a cache layer (varnish) before apache 2.4, with remoteip module enabled.
Unfortunately it is hard to know what exactly is causing the issue in the latter cases, so maybe just a FAQ that lists common reason could already help.
@Findus23 a new FAQ sounds good :+1: Could you maybe suggest a question and answer text for this?
(then we could maybe add a brief link to this new faq in the error message).
This improvement will be great. we get this report a few times per month.
This error can occur when you were previously logged into Matomo over HTTPS and are now logging in over HTTP.
This is due to the fact the Matomo sets the "secure" cookie flag when you login over HTTPS which causes form security to fail when you go back to HTTP.
When this happens you will see the following in the browser console:
warning: Cookie "MATOMO_SESSID" has been rejected because there is an existing "secure" cookie.
This can be avoided in the future by ensuring the force_ssl is set to 1 in your /config/config.ini.php file or by installing the Force SSL plugin
We can create a new FAQ with the above reasons, as well as any other reasons so that users can click on the link to find solutions rather than needing to search for the error message.
It also will make it easier to keep updated so when we discover new reasons for this error it can be updated without requiring an update.
It's really annoying that there are no answers to this. My site has always had ssl from the beginning and this is my fourth time installing matomo because of this issue. I've even connected it to cloudflare to make sure https is working and included the ; Uncomment line below if you use CloudFlare
proxy_client_headers = HTTP_CF_CONNECTING_IP
in the config and it still doesn't fix it. Console shows 403 error with no additional information.