Plugin update failure - Could not verify the security token on this form #14556

Closed
dev-101 opened this issue Jun 21, 2019 · 26 comments
Labels
Regression Indicates a feature used to work in a certain way but it no longer does even though it should. Waiting for user feedback Indicates the Matomo team is waiting for feedback from the author or other users. wontfix If you can reproduce this issue, please reopen the issue or create a new one describing it.

Comments

@dev-101

dev-101 commented Jun 21, 2019

Matomo 3.9.1

Today I decided to update one plugin that received an update recently, and when I navigated from a "Home" dashboard to Admin dashboard > Plugins and tried to click on Update button, error occurred and this error was generated in my log:

Error in Matomo: Could not verify the security token on this form., referer: /.../index.php?module=CorePluginsAdmin&action=plugins&idSite=1&period=range&date=last30&activated=

This URL seems very wrong to me, why would it contain date range (seems like a leftover from some of the pages I visited before)?

When I removed date range in the URL of the plugin update page so that it looked like this:

/.../index.php?module=CorePluginsAdmin&action=plugins&idSite=1

update went fine without issues, and I noticed token parameter was properly passed via get.

@tsteur
Member

tsteur commented Jun 24, 2019

Any chance you spent some time on the plugins page before updating? In theory the range date should be fine there but haven't tried to reproduce yet.

@dev-101
Author

dev-101 commented Jun 24, 2019

No, it was immediate action.

@tsteur
Member

tsteur commented Jun 24, 2019

I've just tried to reproduce this in various ways and couldn't. Can you reproduce it @dev-101 ?

@dev-101
Author

dev-101 commented Jun 24, 2019

Plugin SecurityInfo is now already updated to latest 3.0.7, I have changed the value in json manifest and database fields to lower version to trigger update availability again, but it still shows 3.0.7 in dashboard plugins list and nothing happens. I am not sure if there is some cache or cron cycle required. I'll wait and see if I can repeat the test.

@Findus23
Member

I have also seen the error a few times when quickly updating some plugins. But I have no way to reproduce it and most of the time it works, so I never reported it.

@tsteur
Member

tsteur commented Jun 24, 2019

You could update in `plugins/SecurityInfo/plugin.json` the version number to 3.0.6 and also in the DB execute e.g. `update matomo_options set option_value ='3.0.6' where option_name= 'version_SecurityInfo'`

@tsteur
Member

tsteur commented Jun 24, 2019

It will then be possible to update again

@dev-101
Author

dev-101 commented Jun 24, 2019

@tsteur Thanks, I missed that field.
Yes, the issue is triggered again :(

@tsteur
Member

tsteur commented Jun 24, 2019

How exactly do you update the plugin? Through the marketplace? The plugins page? If on the plugins page, through which button? Have you changed any configs?

@dev-101
Author

dev-101 commented Jun 24, 2019

I update it through Admin dashboard as explained in opening post:

[Screenshot: 2019-06-24_140833]

This is the only customization in my config, which is unrelated (and it doesn't work for what I want in changing available chart ranges, but that's not relevant now):

; maximum number of rows for any of the Referers tables (keywords, search engines, campaigns, etc.), and Custom variables names
; datatable_archiving_maximum_rows_referrers = 1000
; maximum number of rows for any of the Referers subtable (search engines by keyword, keyword by campaign, etc.), and Custom variables values
; datatable_archiving_maximum_rows_subtable_referrers = 500
; maximum number of rows for any of the Actions tables (pages, downloads, outlinks)
datatable_archiving_maximum_rows_actions = 3650
; maximum number of rows for pages in categories (sub pages, when clicking on the + for a page category)
; datatable_archiving_maximum_rows_subtable_actions = 500
; maximum number of rows for any of the Events tables (Categories, Actions, Names)
; datatable_archiving_maximum_rows_events = 500
; maximum number of rows for sub-tables of the Events tables (eg. for the subtables Categories>Actions or Categories>Names).
; datatable_archiving_maximum_rows_subtable_events = 100
; maximum number of rows for all individual Custom Dimensions reports, and for Custom Variables names report
; datatable_archiving_maximum_rows_custom_variables = 5000
; maximum number of rows for the Custom Dimensions subtables (list of all Page URLs per dimension value), and for Custom Variables values reports
; datatable_archiving_maximum_rows_subtable_custom_variables = 5000

@dev-101
Author

dev-101 commented Jun 24, 2019

Here's the Update button link:

https:// ... /index.php?module=Marketplace&action=updatePlugin&idSite=1&period=range&date=last30&activated=&pluginName=SecurityInfo&nonce=ce1234b61cfb307227845r25f08329c0

And error page:

[Screenshot: 2019-06-24_141317]

This is not an urgent bug or error, I have found workaround and plugin updates are not that frequent.

@dev-101
Author

dev-101 commented Jun 24, 2019

I don't know how security tokens work, do you keep the value in sessions (which are now stored in database)? I mean, there was that famous issue with login and cookies, wonder if that fix could be related to this. Or maybe it is not.

@dev-101
Author

dev-101 commented Jun 24, 2019

When I reload the update plugins page (so, I click first on the Plugins menu item in Administration (gear) section and then reload it again (on purpose)) and then click on Update button, it works.

It seems that token generated on first page load isn't synchronized properly, but works on second reload well.

@fdellwing
Contributor

fdellwing commented Jun 24, 2019

I can confirm this problem.

2019/06/24 15:54:35 [error] 32371#32371: *2957284 FastCGI sent in stderr: "PHP message: Error in Matomo: Das Sicherheitstoken des Formulars konnte nicht verifiziert werden" while reading response header from upstream, client: 62.54.176.1, server: stats.promato.de, request: "GET /index.php?module=Marketplace&action=updatePlugin&idSite=2&period=day&date=today&activated=&pluginName=SecurityInfo&nonce=a3169d1ddf89d48dd896e7dbe1da1312 HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.2-fpm.sock:", host: "stats.promato.de", referrer: "https://stats.promato.de/index.php?module=CorePluginsAdmin&action=plugins&idSite=2&period=day&date=today&activated="

tsteur added this to the 3.10.0 milestone Jun 24, 2019
tsteur added the Regression label Jun 24, 2019
@tsteur
Member

tsteur commented Jun 25, 2019

Can't reproduce it unfortunately. Looking at the code it seems also straightforward. The token should be stored in the session which is stored in the DB and it is valid for a few minutes.

If someone who can reproduce this, can find out more, that would be great.

Are you using otherwise any Login plugins or third party plugins (plugins that are neither from Matomo nor from InnoCraft)?

@tsteur
Member

tsteur commented Jun 25, 2019

@mattab feel free to move the issue out of the milestone if we can't reproduce it by the time we're wanting to create a release

@dev-101
Author

dev-101 commented Jun 25, 2019

> Are you using otherwise any Login plugins or third party plugins (plugins that are neither from Matomo nor from InnoCraft)?

I only use AutoSetIgnore plugin that I made, it sets the ignore cookie for admin. I don't think it is related to tokens in any way. Other plugins are all official.

@mattab
Member

mattab commented Jun 26, 2019

Updating plugins to latest version works for me in 3.10-rc release. Are you able to reproduce this consistently?

mattab removed this from the 3.10.0 milestone Jun 26, 2019
mattab added the Waiting for user feedback label Jun 26, 2019
mattab added this to the 3.12.0 milestone Jun 26, 2019
@dev-101
Author

dev-101 commented Jun 26, 2019

Yes, apparently. I just noticed that updating is not the only affected operation.
Plugin Deactivate (uninstall) button is affected, too. I'll remove my plugin, just in case and repeat the tests, that's how I discovered this.

@dev-101
Author

dev-101 commented Jun 26, 2019

Ok, when I deactivated my plugin, problem is gone on first click (activate, deactivate, uninstall).
However, when the page refreshes after the action, the value in the table still remains the same.
For example, if my button's action was the Deactivate function, plugin will be deactivated (*2), but the table will still show it as active (*1).

(1) Now, when I refresh (F5) the page again, it will be shown as inactive, as it should first time.

(2) Also, interesting part is this: if I do not refresh the page, and then click on e.g. Deactivate action button again, token message appears again and fails.

It seems to me that some kind of caching occurs internally in Matomo here, I just cannot explain why it manifests in different ways when my plugin is installed. Since I use platform initialized registered event, to trigger cookie set/refresh, it could be related somehow.

@fdellwing
Contributor

> Updating plugins to latest version works for me in 3.10-rc release. Are you able to reproduce this consistently?

Could this be a problem that was fixed with 3.10? I do have this problem in 3.9.1.

mattab removed this from the 3.13.0 milestone Jul 31, 2019
@schnillerman

schnillerman commented Dec 10, 2019

Have the same problem on 3.13. Updating plugin page several times helps. However, this is not the preferred solution

@mattab
Member

mattab commented Jan 21, 2020

AFAIK this happens when:

  • You open the Plugins page
  • Then you may open some other pages in a new tab (for example activating, deactivating some plugins, or clicking "Upgrade")
  • Then in the first tab, you click another link -> Got the error

This is actually working on purpose in some way, as our nonce is re-generated whenever the plugin page is reloaded. Closing this as won't fix. If you can reproduce this issue consistently, please open a new issue with steps to reproduce.

mattab closed this as completed Jan 21, 2020
mattab added the wontfix label Jan 21, 2020
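
The multi-tab sequence described in the closing comment above, as an added model in PHP (not Matomo's code and not part of the original thread). It assumes a session that holds one nonce slot which every page render overwrites, with an assumed 300-second lifetime, and contrasts it with a hypothetical variant that reuses an unexpired nonce; all function names are hypothetical.

```php
<?php
// Added model, not Matomo's code. $session stands in for the server-side
// session that every tab of one logged-in browser shares.

const NONCE_TTL = 300; // assumed lifetime in seconds ("a few minutes")

// Page render, single slot: a fresh nonce overwrites the stored one.
function renderSingleSlot(array &$session, int $now): string
{
    $nonce = bin2hex(random_bytes(16));
    $session['nonce'] = ['value' => $nonce, 'expires' => $now + NONCE_TTL];
    return $nonce;
}

// Hypothetical variant: hand out the stored nonce again while it is unexpired,
// so concurrent tabs embed the same value in their links.
function renderReuse(array &$session, int $now): string
{
    $slot = $session['nonce'] ?? null;
    if ($slot !== null && $now <= $slot['expires']) {
        return $slot['value'];
    }
    return renderSingleSlot($session, $now);
}

// Request handler: constant-time compare against the one stored value.
function verifyNonce(array $session, string $submitted, int $now): bool
{
    $slot = $session['nonce'] ?? null;
    return $slot !== null
        && $now <= $slot['expires']
        && hash_equals($slot['value'], $submitted);
}

$t = 1000; // constructed clock value, in seconds

$session = [];
$tabA = renderSingleSlot($session, $t);     // tab A opens the Plugins page
$tabB = renderSingleSlot($session, $t + 5); // tab B opens it, replacing the slot
var_dump(verifyNonce($session, $tabA, $t + 10)); // tab A clicks "Update"
var_dump(verifyNonce($session, $tabB, $t + 10)); // tab B clicks "Update"

$session = [];
$tabA = renderReuse($session, $t);
$tabB = renderReuse($session, $t + 5);      // receives tab A's nonce again
var_dump(verifyNonce($session, $tabA, $t + 10));            // tab A clicks "Update"
var_dump(verifyNonce($session, $tabA, $t + NONCE_TTL + 1)); // same nonce after expiry
```

In the first scenario tab A's request fails verification even though its nonce is only seconds old, which matches the error in the reports above. The reuse variant avoids that at the cost of one nonce value staying valid across renders until it expires.
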
@Findus23
Member

I think this is a real bug/race condition that still happens with Matomo.
I created #15608 with more details.

@jkjha

jkjha commented Jul 20, 2020

Log out and Login again worked for me.

@altrasoluzione

Hi, just to add a "me too", I have had the same problem upgrading to Matomo 4.12.2 and to 4.12.3.
The update on my local copy (xampp) worked while the error raised on the production site installed on Aruba hosting (not famous for its speed, IMHO).