New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Plugin update failure - Could not verify the security token on this form #14556
Comments
Any chance you spent some time on the plugins page before updating? In theory the range date should be fine there but haven't tried to reproduce yet. |
No, it was immediate action. |
I've just tried to reproduce this in various ways and couldn't. Can you reproduce it @dev-101 ? |
Plugin SecurityInfo is now already updated to latest 3.0.7, I have changed the value in json manifest and database fields to lower version to trigger update availability again, but it still shows 3.0.7 in dashboard plugins list and nothing happens. I am not sure if there is some cache or cron cycle required. I'll wait and see if I can repeat the test. |
I have also seen the error a few times when quickly updating some plugins. But I have no way to repoduce it and most of the time it works, so I never reported it. |
You could update in |
It will then be possible to update again |
@tsteur Thanks, I missed that field. |
How exactly do you update the plugin? Through the marketplace? The plugins page? If on the plugins page, through which button? Have you changed any configs? |
I update it through Admin dashboard as explained in opening post: This is the only customization in my config, which is unrelated (and it doesn't work for what I want in changing available chart ranges, but that's not relevant now):
|
Here's the Update button link:
And error page: This is not an urgent bug or error, I have found workaround and plugin updates are not that frequent. |
I don't know how security tokens work, do you keep the value in sessions (which are now stored in database)? I mean, there was that famous issue with login and cookies, wonder if that fix could be related to this. Or maybe it is not. |
When I reload the update plugins page (so, I click first on the Plugins menu item in Administration (gear) section and then reload it again (on purpose)) and then click on Update button, it works. It seems that token generated on first page load isn't synchronized properly, but works on second reload well. |
I can confirm this problem.
|
Can't reproduce it unfortunately. Looking at the code it seems also straight forward. The token should be stored in the session which is stored in the DB and it is valid for a few minutes. If someone who can reproduce this, can find out more, that would be great. Are you using otherwise any Login plugins or third party plugins (plugins that are neither from Matomo nor from InnoCraft)? |
@mattab feel free to move the issue out of the milestone if we can't reproduce it by the time we're wanting to create a release |
I only use AutoSetIgnore plugin that I made, it sets the ignore cookie for admin. I don't think it is related to tokens in any way. Other plugins are all official. |
Updating plugins to latest version works for me in 3.10-rc release. Are you able to reproduce this consistently? |
Yes, apparently. I just noticed that updating is not the only affected operation. |
Ok, when I deactivated my plugin, problem is gone on first click (activate, deactivate, uninstall). (1) Now, when I refresh (F5) the page again, it will be shown as inactive, as it should first time. (2) Also, interesting part is this: if I do not refresh the page, and then click on e.g. Deactivate action button again, token message appears again and fails. It seems to me that some kind of caching occurs internally in Matomo here, I just cannot explain why it manifests in different ways when my plugin is installed. Since I use platform initialized registered event, to trigger cookie set/refresh, it could be related somehow. |
Could this be a problem that was fixed with 3.10? I do have this problem in 3.9.1. |
Have the same problem on 3.13. Updating plugin page several times helps. However, this is not the preferred solution |
AFAIK this happens when:
This is actually working on purpose in some way, as our nonce is re-generated whenever the plugin page is reloaded. Closing this as won't fix. If you can reproduce this issue consistently, please open a new issue with steps to reproduce. |
I think this is a real bug/race condition that still happens with Matomo. |
Log out and Login again worked for me. |
Matomo 3.9.1
Today I decided to update one plugin that received an update recently, and when I navigated from a "Home" dashboard to Admin dashboard > Plugins and tried to click on Update button, error occurred and this error was generated in my log:
Error in Matomo: Could not verify the security token on this form., referer: /.../index.php?module=CorePluginsAdmin&action=plugins&idSite=1&period=range&date=last30&activated=
This URL seems very wrong to me, why would it contain date range (seems like a leftover from some of the pages I visited before)?
When I removed date range in the URL of the plugin update page so that it looked like this:
/.../index.php?module=CorePluginsAdmin&action=plugins&idSite=1
update went fine without issues, and I noticed token parameter was properly passed via get.
The text was updated successfully, but these errors were encountered: