Hi, I recently launched a site with user registration using extended users. There is a problem when someone tries to register on the site - when the registration form is submitted the message "Security tokens do not tally for executing this action. Please try again." is displayed. I have tried registering myself and the same thing happens - and that is using a 'fresh' URL ... any suggestions please?!

EDIT: I was able to submit the registration form when I was logged in as super admin. I then tried adding <cms:no_cache/> to the template and logged off to try to register - but got the same problem.

EDIT 2: I changed
<cms:db_persist_form   _invalidate_cache='0' ...
to
<cms:db_persist_form   _invalidate_cache='1' ...
and was able to simulate registering as a 'user' ... i.e. not logged in. Is that setting OK to use?

The other issue with this site is that I am intermittently seeing the message "Cookies must be enabled to use CouchCMS" when I log in ... I have taken action as suggested https://www.couchcms.com/forum/viewtopic.php?f=4&t=32&hilit=cookies+cms and defined the site URL - but even having done that I have seen that message again.
@potato, I assume you have a working copy of the site on your local machine also.
If the problem functions are working fine there then the problem is not with the code. Rather, we have to look at server specific causes.

I have a feeling the two problems you mentioned are stemming from a single source - aggressive caching being done by the host.

The thread you mentioned actually explores several different causes (and possible solutions) for this issue. One was the kind of caching I mentioned above - viewtopic.php?f=4&t=32&hilit=cookies+cms&start=20#p22021

Please check with the host if they are deploying such caching/proxies etc.
If so, please ask them to skip the URLs you are using for registration, login etc.

Hope it helps.
Thanks for your reply @KK

Yes the site works fine on localhost. It is the site which had the problem with the SSL certificate https://www.couchcms.com/forum/viewtopic.php?f=4&t=11315

I contacted the host about caching as you suggested and they replied:

Please note that we do not implement any form of caching on our cloud platform by default.
Kindly advise what's the exact issue you're experiencing - please?

Before getting back in touch with the host I suppose I need to understand in a bit more detail exactly what is triggering the error messages from Couch i.e. "Security tokens do not tally for executing this action. Please try again." when submitting the registration form and "Cookies must be enabled to use this CMS" when attempting to login. Incidentally I have been able to get past the latter message by clicking submit on login a 2nd or 3rd time, but a user may not try twice and the error doesn't look great!

Is the setting
<cms:db_persist_form _invalidate_cache='1' ...
having any effect at all - should I change it back? But since changing it to '1' I have been able to go through the registration process 2 or 3 times without the security tokens error.
If you could provide me with a bit of explanation about the errors I will be able to reply to the host and take it from there - many thanks!
The "Security tokens do not tally for executing this action" problem -

When a databound-form is generated by Couch, it attaches a security token to it. When the form is submitted back the token is returned back along with form data. Couch checks if the returned token is identical to what was sent in the first place. If the check fails, the submission is rejected.

This check is a security measure to prevent CSRF vulnerabilities where a user can be tricked into inadvertently submitting a form.

The token has a validity period of 24 hours - which is a more than sufficient period for a form to be generated and submitted back. However, in case the page containing the form gets cached (either by Couch when caching is on from config or by a proxy used by the host), it is quite possible that the form being served to the user was actually generated more than 24 hours back and so has a stale token. When this form is submitted, Couch will reject the token throwing the "Security tokens do not tally for executing this action" error in question. (This issue also came up here - viewtopic.php?f=4&t=11239).

So, we have to look at the cache to prevent this from happening.
I think you have caching on in Couch. If so, that will explain the problem.

Your using <cms:db_persist_form _invalidate_cache='1' ... would explain alleviating the issue because that setting busts the cache every time the form submission results in a page being created (which is what we do while registering a user) and all stale pages are removed. However, this can only be considered as a 'side effect' and not a cure because if no new user is registered for more than 24 hours, visitors after that period will again get the stale form and the problem will return.

The solution is simply not to cache the form containing page.
To do that, you can ask Couch to exempt the page containing this form from being cached by placing a <cms:no_cache /> tag in the template.

That should take care of the first issue.

As for the second problem "Cookies must be enabled to use this CMS" - that happens only at login time. When Couch displays the login box, it sends a cookie and expects it to be returned back when the login form is submitted. Absence of the cookie upon submission will trigger the error.

Since you are using a custom template for the login page, once again, one of the reasons for this could be caching.
Try placing the <cms:no_cache /> tag in your login template too.

Edit and save any random page from your admin-panel to bust the existing cache. The revised templates with the no_cache tag should now not get cached. Please test and let me know if this helps.
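
The stale-token failure described above, modelled as an added example that is not part of the original posts and is not Couch's own code. The HMAC token format, the secret and the toy page cache are assumptions made for illustration; only the 24-hour validity period comes from the thread.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # assumption: a per-site secret key
TOKEN_TTL = 24 * 60 * 60              # validity period stated in the thread


def make_token(action: str, issued_at: int) -> str:
    """Return 'issued_at:mac', binding the token to an action and issue time."""
    mac = hmac.new(SECRET, f"{action}|{issued_at}".encode(), hashlib.sha256)
    return f"{issued_at}:{mac.hexdigest()}"


def check_token(token: str, action: str, now: int) -> bool:
    """Accept only an authentic token that is no older than TOKEN_TTL."""
    issued = token.partition(":")[0]
    if not issued.isdecimal():
        return False
    expected = make_token(action, int(issued))
    fresh = 0 <= now - int(issued) <= TOKEN_TTL
    return hmac.compare_digest(token.encode(), expected.encode()) and fresh


class PageCache:
    """Toy full-page cache: keeps rendered HTML until it is invalidated."""

    def __init__(self):
        self.store = {}

    def serve(self, url: str, now: int, cacheable: bool = True) -> str:
        if cacheable and url in self.store:
            return self.store[url]            # old HTML, therefore old token
        html = make_token("register", now)    # stands in for the rendered form
        if cacheable:
            self.store[url] = html
        return html

    def invalidate(self):
        self.store.clear()


def submit_after(hours_cached: int, cacheable: bool) -> bool:
    """Render the form at t=0; a later visitor loads it and submits a minute on."""
    cache = PageCache()
    cache.serve("/register", now=0, cacheable=cacheable)
    later = hours_cached * 3600
    token = cache.serve("/register", now=later, cacheable=cacheable)
    return check_token(token, "register", now=later + 60)
```

Calling `invalidate()` between the two `serve()` calls corresponds to the cache bust that `_invalidate_cache='1'` triggers, and `cacheable=False` corresponds to exempting the form page with `<cms:no_cache />`.
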
I added the <cms:no_cache/> tag to the login, registration, forgotten password and user profile templates. Cleared browser cache and I still got the cookies error message when attempting login. I checked the page source and could see
<!-- Page generated by CouchCMS - Simple Open-Source Content Management -->
rather than
<!-- Cached page -->


I then had an Internal Server Error. I removed the <cms:no_cache/> tags and the site was grinding along incredibly slowly. It seemed to be looping through the different errors - cookies error / Internal Server Error.

I put back the <cms:no_cache/> tags and tried login and registration and all was OK ... what is occurring?!?!?

I'll have to try registration again after a 24 hour gap and see what happens and keep an eye on what's going on.
If anyone is interested, I may have found a lazy workaround:

I have a small site with one password-protected page for authenticated users (only access to that page, nothing fancier)

    I added a logout button with logout link from the dump and encountered the "Security tokens do not tally for executing this action. Please try again."
    From that blank error page I went to the https://site.com/couch, where I got an "access denied" warning (see screenshot) ... along with a link to logout.
    I took that link and used it for the logout button and voila!
BTW, the link also contains a redirect parameter, which I joyfully used to my liking.

On a related topic, can I alter the login page visual, or would that be considered whitelabelling? Certainly, I am okay with crediting Couch, only would maybe make it more in style...
