Post by JamesSmith110 » Mon Nov 08, 2010 2:11 am

Hi,
There appears to be a token issue with my OpenCart; it keeps saying "Invalid token session. Please login again." after making changes. I believe the issue may be caused by one of the below.
a) expire too quickly
b) don't have the domain set up correctly.

Could you advise me of where to change this setup in the ACP?


Post by Xsecrets » Mon Nov 08, 2010 7:02 am

No, the issue is most likely because you installed a mod that was for an older version of OpenCart on 1.4.8 or newer and it overwrote the admin header file with one that does not have the token in the links.

OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter



Post by FxMan » Mon Nov 08, 2010 9:31 am

I'm having the Token issue on a fresh install with no mods or extensions.
Every time I click a tab in the admin area, I have to log in again.


Post by Qphoria » Mon Nov 08, 2010 10:29 am

If your time was expiring, you would just go back to the admin login page without the warning. The warning shows that there is an existing session, but it wasn't included in the url. Perhaps you are manually linking to the admin section and not including the url token?


Post by FxMan » Mon Nov 08, 2010 10:36 am

I made a screencast of the Invalid Token Issue/problem I'm having.

http://screencast.com/t/9YqxBaOCPH

I have a fresh installation of 1.4.9.1.
No modifications etc.

Help would be appreciated.

Mark


Post by Daniel » Mon Nov 08, 2010 10:43 am

Does this happen without the automatic logger in script?

It could be that you have the wrong permissions on the session tmp directory.

I don't think this is an OpenCart problem, it's more how you set up your server or possibly the browser.

What happens when you login to the frontend as a customer?

OpenCart®
Project Owner & Developer.



Post by FxMan » Mon Nov 08, 2010 10:47 am

I tried to set up a new account as a customer and got this:

Warning: session_start() [function.session-start]: open(/tmp/php_sessions/sess_dae6ada2d7aaa5aaa16efaaca34fc174, O_RDWR) failed: No such file or directory (2) in /homepages/25/d322582833/htdocs/system/library/session.php on line 11
Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /homepages/25/d322582833/htdocs/index.php:92) in /homepages/25/d322582833/htdocs/system/library/session.php on line 11
Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /homepages/25/d322582833/htdocs/index.php:92) in /homepages/25/d322582833/htdocs/system/library/session.php on line 11
Warning: Cannot modify header information - headers already sent by (output started at /homepages/25/d322582833/htdocs/index.php:92) in /homepages/25/d322582833/htdocs/system/engine/controller.php on line 27
Fatal error: Call to a member function get() on a non-object in /homepages/25/d322582833/htdocs/index.php on line 91


Post by FxMan » Mon Nov 08, 2010 10:51 am

I also did the CSRF exploit fix, but reverted to the original to make sure that
wasn't causing the problem, since that had to do with sessions and tokens.


Post by FxMan » Mon Nov 08, 2010 10:55 am

The auto login tool just fills in the fields.
But, yes, it still happens without the tool.

I made sure all the files had the correct permissions when I did the install, as per the instructions.


Post by FxMan » Mon Nov 08, 2010 11:02 am

I changed the user agent in Firefox to IE8. Same problem.
I used Chrome. Same problem.
I tried Opera. Same problem.

I think I can conclude it's not a browser issue or setting.


Post by Xsecrets » Mon Nov 08, 2010 1:34 pm

open(/tmp/php_sessions/sess_dae6ada2d7aaa5aaa16efaaca34fc174, O_RDWR) failed: No such file or directory (2)
sounds like a permissions issue on the server.


Post by FxMan » Mon Nov 08, 2010 2:09 pm

Thanks Xsecrets.

I changed these files to 0777, as per the installation instructions:

For Linux/Unix make sure the following folders and files are writable.

chmod 0755 or 0777 image/
chmod 0755 or 0777 image/cache/
chmod 0755 or 0777 cache/
chmod 0755 or 0777 download/
chmod 0755 or 0777 config.php
chmod 0755 or 0777 admin/config.php

If 0755 does not work try 0777.

I'm getting this message on the store front:

Warning: session_start() [function.session-start]: open(/tmp/php_sessions/sess_f2800afee4c32521cb193036e94180ef, O_RDWR) failed: No such file or directory (2) in /homepages/25/d322582833/htdocs/system/library/session.php on line 11
Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /homepages/25/d322582833/htdocs/index.php:92) in /homepages/25/d322582833/htdocs/system/library/session.php on line 11

Any help is greatly appreciated.


Post by Qphoria » Mon Nov 08, 2010 2:18 pm

Yeah, looks like it's not able to write the session to the tmp file. This would be a webhost issue.


Post by FxMan » Mon Nov 08, 2010 3:22 pm

My host company tech guys fixed it by adding:
"session.save_path = tmp"
to the php.ini file
That fixed my "/tmp/php_sessions/" problem.

They also added the tmp folder to the root.
I can now see the session IDs.
I hope that's not a security issue.

It took them about 5 minutes to solve it for me.


Still working on the Invalid Token session issue.

Thanks for the help so far.

Mark


Post by Nakano » Thu Dec 02, 2010 3:02 pm

I'm facing this very annoying situation as well. It started ever since I upgraded to 1.4.9.2. So, please don't say it's a server issue. If it is, state a solution. If not, it's a code fail. I run a WordPress blog on the same server and it doesn't require me to re-login every minute. And yes, everything mentioned above in this and any other thread was performed.

This affects backoffice and frontoffice.

This is very VERY annoying!


Post by Qphoria » Fri Dec 03, 2010 10:34 am

Logins use php sessions. php sessions are set on the server. The php.ini tries to override the default timeout to something higher. Realistically, a default session should expire in 1 hr on most hosts. Typically the session is stored in a linux server in something like var/tmp or something.

The server creates a unique session id for each user that visits the site. It uses this to track the user and any variables that are set for that user. The session code is stored as a cookie on the user's browser. When the browser loads a page on the server, it says "Hi, this is my cookie, do you know me?" and the server looks through all its session ids and says "Yes, I have your cookie session id here. I know you and you are already logged in I see". Unless it doesn't find a matching value.

Some reasons it might expire:
- The server default timeout is wrong
- The server var/tmp path is being cleaned up by another process due to misconfiguration
- The browser cleared all cookies or has cookie protection that blocks cookies
- The session timed out as it was older than 1 hour without being refreshed

The admin "token" is simply a variable in the session called "token". Aside from the session id, the url maintains a token=xxxxxxxxxx value. It compares that token value with the one stored in the session.

If you change the url and delete the token=xxxxxxxxxxxx stuff, you will get "Invalid token" and have to login again.
If you log in on 2 different tabs, only the newest tab will have the new token and refreshing the older tab will get "Invalid Token" and have to relogin. But that will then become the newest token, and the previous new tab will now be old.
If you get sent to the admin login screen without the "Invalid Token" error, then that means the session has expired.

I know my old host did not allow overriding the php.ini file and the default session was 5 minutes. I contacted them and they switched me to a different php installation that allowed php.ini to be overridden and it worked fine.

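The two checks this thread keeps returning to, as an added example that is not part of the original posts and is not OpenCart's own code: whether PHP can write session files at all, and how a request is classified once the session token and the URL `token=` value are compared. The function names are hypothetical, the two-tab scenario is constructed, and PHP 7 or later is assumed.

```php
<?php
// Added illustration, not OpenCart source; function names are hypothetical.
// Requires PHP 7+ (random_bytes, hash_equals).

// Report where PHP writes session files and how long idle sessions live.
function session_storage_report($docroot) {
    $path = (string) ini_get('session.save_path');
    // The value may be "N;/path" or "N;MODE;/path"; the directory is last.
    $parts = explode(';', $path);
    $dir = end($parts);
    if ($dir === '') {
        $dir = sys_get_temp_dir();   // files handler falls back to the system temp dir
    }
    $real = realpath($dir);          // false when the directory does not exist
    $root = realpath($docroot);
    $sep  = DIRECTORY_SEPARATOR;
    return [
        'save_path'      => $dir,
        'exists'         => $real !== false && is_dir($real),
        'writable'       => $real !== false && is_writable($real),
        // Session files inside the web root may be reachable over HTTP.
        'inside_docroot' => $real !== false && $root !== false
                            && strpos($real . $sep, $root . $sep) === 0,
        'gc_maxlifetime' => (int) ini_get('session.gc_maxlifetime'), // seconds
    ];
}

// Classify an admin request as the last post describes it.
function classify_admin_request(array $session, array $query) {
    if (!isset($session['token'])) {
        return 'login';              // no session data: expired or never saved
    }
    if (!isset($query['token']) || !is_string($query['token'])
        || !hash_equals($session['token'], $query['token'])) {
        return 'invalid_token';      // session exists, URL token missing or stale
    }
    return 'ok';
}

// Constructed scenario: one browser session, admin login from two tabs.
$session = ['token' => bin2hex(random_bytes(16))];   // login in tab A
$tabA = ['token' => $session['token']];
$session['token'] = bin2hex(random_bytes(16));       // login in tab B replaces it
$tabB = ['token' => $session['token']];

printf("tab A: %s\n", classify_admin_request($session, $tabA));
printf("tab B: %s\n", classify_admin_request($session, $tabB));
printf("no token in URL: %s\n", classify_admin_request($session, []));
printf("expired session: %s\n", classify_admin_request([], $tabB));
print_r(session_storage_report(__DIR__));
```

Run it with the PHP binary and php.ini the site actually uses, passing the real document root instead of `__DIR__`, since the CLI and the web server can load different configuration.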