After upgrading from a really old Piwik installation (0.5.x), I cannot login anymore.

The problem boils down to the referrer check during nonce validation.

URL::getLocalReferer() calls URL::isLocalUrl() with the current referer.

Eventually, the referer is compared against $_SERVER['HTTP_HOST'] from URL::getCurrentHost().

In my case, $_SERVER['HTTP_HOST'] is the name of the internal server name which is not known outside, while the referer contains the public, "official" domain name.

There should be an option to specify the default public url used for referer checking, or just use the first url of the urls areeady provided for a website.