Prestashop 1.7.3 (Invalid token: direct access to this link may lead to a potential security breach)

[nek666]

Our Prestashop site is showing this error  (Invalid token: direct access to this link may lead to a potential security breach)" everytime we want to access several sections, such as create a product, view products, etc.

 

This is the current version we are using Prestashop 1.7.3. This is a clean installation we installed a few days ago.

 

 

 

 

[Zitty]

I have the same issue with version 1.7.3.0 when I create or edit a product.

Some ideas?

[prestag00d]

i have the same problem , is there is any fix for this ....

[prestag00d]

the solution is changing the php version to 7.0.1 on Multiphp Manger @ cpanel

 

 

 

 

Edited August 12, 2023 by prestag00d (see edit history)

[antikeck]

Nach dem ich 1.7.3 Update gemacht habe, ich hab das Problem auch,

aber es ist nur ein Tag oder wenn man einen anderen PC oder einen anderen Tag  muss mann nochmal ein geben

Shop-Einstellungen-Kontakt-unter-Shops 

unter shop adress daten Öffnungzeitein angeben dann leuft nur ein tag.

Hat jemand eine Idee, dass die ein Mal richtig eingestellt, richtig speichert

Edited April 19, 2018 by antikeck (see edit history)

[mowax]

I have the same problem. I am running prestashop 1.7.3.2 and have already moved from php 5.5 to php 7.1.16, then back to php version 7.0. This problem occurs no matter what version of php was running at the time.

 

Can anyone help please?

[eagleman]

same issue 1.7.4.1

[SliderFlash]

same issue 1.7.4.2

[Hendan]

same issue 1.7.4.2

 

hat denn niemand eine Lösung parat ????

nobody, who can help here ????????

[apvandam]

We do have the same issues. Messages of this type appear on different occasions, on different routes. It's not the page you wish to open that gives the problem, its the way you approach it. Linking directly from Safari to Product-Pages for instance, but not when from administrator to products. From Orders to Customer yes, but not when directly from Dashboard. We do not wish tot change PHP since earlier problems with an important add-on. Problem should be solved after so many posts recently and in the past, within Prestashop it seems.

[soundmatrix2003]

any news on this? seems there are allot of people having this problem...

[burty1109]

Hey everyone..  

 

Any solutions?  we are suffering same issue - PHP7.0 and 1.7.3

 

Surely there is a solution.. 

 

Unsure if this is related but we have a test site (new install) where we copied all the files from the test-> live site including this parameters file then made changes to the database name etc.

 

So don't know if the cookie/secret is conflicting with the old test site.

 

in app/config/parameters.php there is a secret, I am thinking my browser is caching the same secret.

 

Does anyone know how to make the system regenerate cookies and secret?

 

thanks

 

[ozdemir]

Hi, on my case i just stopped Varnish service on my server setting (Im using Cloudways).

Now is working well.

This error some way related with server/hosting settings.

 

[hstrom]

On 2018-03-18 at 9:24 PM, nek666 said:

Our Prestashop site is showing this error  (Invalid token: direct access to this link may lead to a potential security breach)" everytime we want to access several sections, such as create a product, view products, etc.

 

I solved this issue by turning off the control of cookie's IP in Advanced settings/Administration. If your IP is changing during a session, I guess this is the message that comes up to warn you of a potential security breach.

 

With kind regards,

 - Johan.

[Velno]

Same issiue on Presta 1.7.4.2. Can't edit or add new products.

What I tried:

- changing from PHP 7.0 to 7.1

- disabling control of cookie's IP

- turning off "increased security mode" in Preferences / General

- disabling whole modules that are not made by Presta

And the problem still occurs. Any solution?

[antikeck]

Am 24.11.2018 um 12:44 AM schrieb Velno:

Gleiche Ausgabe auf Presta 1.7.4.2. Kann keine neuen Produkte bearbeiten oder hinzufügen.

Was ich probiert habe:

- Umstellung von PHP 7.0 auf 7.1

- Deaktivierung der Kontrolle der IP des Cookies

- Deaktivieren des "erhöhten Sicherheitsmodus" in Einstellungen / Allgemein

- Deaktivieren ganzer Module, die nicht von Presta hergestellt wurden

. Das Problem tritt jedoch weiterhin auf. Irgendeine Lösungsmöglichkeit?

Probiere Bei kontakt daten alles angeben auch öffnungszeiten bei manchen macht das die fehler

oder immer übersicht 2 mal anklicken nachder ersten anklicken etwas warten ca 10 - 12 sekunde dann nochmal anklicken

[inf]

Same problem. Update PHP to 7.1 nothink. to 7.2 and 7.3 same problem. Almost always this problem appear then I copy/paste product or text. It begins from then I created 1000 product. any help? 

[delete-account-pleas]

If anyone give us credentials of FTP and BO we will take a look at this issue in order to resolve it for you guys.

Edited December 16, 2018 by Crezzur (see edit history)

[inf]

I can give. can you write your email?

[delete-account-pleas]

You can use the messageboard on prestashop.

 

[alpha]

I too am a PrestaShop Newbie, but a stubborn one! Fighting with these issues listed as well as numerous others, I realized that the issue was more my server configuration than Prestashop code. After updating PHP, Apache and mySQL, EVERY issue disappeared. The most difficult (or at least time consuming) was PHP and all the necessary extensions.

Since it appears that many folks discussing these issues are hosting their own server, I suggest that you assure that all your PHP extensions are up to date. Some of them, such as intl do not automatically update ICU which is currently at version 63.1 and had to be updated through some interesting code to rid my site of many of these problems. The bottom line is that there are many extensions that must be installed and current to avoid troubles. I’m running PS 1.7.4.4 on Ubuntu 16.04.1 LTS with PHP 7.2.12.1 and Apache 2.0

The following is a list of the extensions installed on my server (not all are necessary for PrestaShop)

alpha@webserver:$ sudo apt-cache search php | grep "^php7"

php7.2 - server-side, HTML-embedded scripting language (metapackage)

php7.2-cgi - server-side, HTML-embedded scripting language (CGI binary)

php7.2-cli - command-line interpreter for the PHP scripting language

php7.2-common - documentation, examples and common module for PHP

php7.2-curl - CURL module for PHP

php7.2-dev - Files for PHP7.2 module development

php7.2-gd - GD module for PHP

php7.2-gmp - GMP module for PHP

php7.2-json - JSON module for PHP

php7.2-ldap - LDAP module for PHP

php7.2-mysql - MySQL module for PHP

php7.2-odbc - ODBC module for PHP

php7.2-opcache - Zend OpCache module for PHP

php7.2-pgsql - PostgreSQL module for PHP

php7.2-pspell - pspell module for PHP

php7.2-readline - readline module for PHP

php7.2-recode - recode module for PHP

php7.2-snmp - SNMP module for PHP

php7.2-sqlite3 - SQLite3 module for PHP

php7.2-tidy - tidy module for PHP

php7.2-xml - DOM, SimpleXML, WDDX, XML, and XSL module for PHP

php7.2-xmlrpc - XMLRPC-EPI module for PHP

php7.1-mapi - transitional package for the rename of php7.1-mapi to php-mapi

php7.2-bcmath - Bcmath module for PHP

php7.2-bz2 - bzip2 module for PHP

php7.2-dba - DBA module for PHP

php7.2-enchant - Enchant module for PHP

php7.2-fpm - server-side, HTML-embedded scripting language (FPM-CGI binary)

php7.2-imap - IMAP module for PHP

php7.2-interbase - Interbase module for PHP

php7.2-intl - Internationalisation module for PHP

php7.2-mbstring - MBSTRING module for PHP

php7.2-phpdbg - server-side, HTML-embedded scripting language (PHPDBG binary)

php7.2-soap - SOAP module for PHP

php7.2-sybase - Sybase module for PHP

php7.2-xsl - XSL module for PHP (dummy)

php7.2-zip - Zip module for PHP

I hope this information will be helpful and solve all your challenges with PrestaShop.

[inf]

.I gave Crezzur access to  web anf files and after 30min my eshop works perfect. no more invalid token or error 500.th anks a lot  Crezzur .

[Martin C]

On 12/27/2018 at 10:39 AM, inf said:

.I gave Crezzur access to  web anf files and after 30min my eshop works perfect. no more invalid token or error 500.th anks a lot  Crezzur .

But what did Crezzur to get rid of the error message?

 

Edited December 28, 2018 by Martin C (see edit history)

[inf]

I dont know. Just give him acc codes and will be fine 

[AndisB]

I had an issue very similar to apvandam post above, though I didn't get a 500 error but instead it took 5 minutes to load certain pages via certain routes to that page. I noticed in my CPanel error log (not prestashop log) that when this issue occurred, it could not find a folder under the src/someSubDirectories/ (which I no longer remember unfortunately). When i searched EVERY file under my shop for the folder name string, it didn't show up, except in a few compiled cache files. To keep it short, these findings led me down a long road that made me realize the folder name was generated during compile based on the hash of a password (or something similar to that).

I then realized, that during testing phase, I had previously created a CUSTOMER (ps_customer table) account with the same email as the ADMIN user account email (ps_employee table). I simply deleted that CUSTOMER user account via the BO and all my issues magically disappeared! Not sure if deleting any one customer account would yield the same results. Also, I had this duplicated email up and running for 3 months before any BO issues actually started showing up. Clearing all caches (manually and via BO) server side and browser side did not have any affect.

Anyways, thought I would share my solution since the errors being described are manifesting in many ways and my solution may work for you.

Cheers.:-)

p.s. Does any one know where to change my settings, so that my First and Last name do not show up in a Post? I would just like to display my handle (username) and location. I have no idea where the forum software is grabbing my first and last name from, I have searched every setting I could find.

 

Edited January 20, 2019 by AndisB
Clarify Wording (see edit history)

[Ehsan Tafreshi]

just change your PHP version to 7.0 and say your problem to your host ,they know what they should do to solve INVALID TOKEN problem. 

[Rizzzle]

Did anyone fix this?

This is making adding products laborious.

[burty1109]

I am interested to see what Crezzur  did with the settings..  Although I would never give a stranger access to my backend.

Come on people, surely there is a fix..  I agree, adding products with constant token issues is becoming a real pain.

 

[Rizzzle]

Anyone?

I have this problem with 1.7.4.4

[adam1762]

Polish Zenbox hosting https://www.zenbox.pl/ in which we have the services fixed this problem, today we had it, they wrote to me: we have currently turned off the session IP checking in the advanced settings. Advanced -> administration. Here, please uncheck: Check the cookie's IP address and save the changes. In the update to 1.7.5.1 (test shop) I have the same error and this option has also helped.

[Rizzzle]

Thanks Adam but that doesn't work. Still have the issue.

I love how Prestashop no longer give a crap about their users. It's been a few years now.

I remember the good old days when one actually get a reply. Alas, those days are gone.

[abexxs]

No solution in this topic is working for me.

I'm getting desperate.

[Rizzzle]

Anyone?

[Maurice]

Yes at present date 22/04/2019 i did not find the right solution ,

kindly ask if anyone can help

[Prestahost]

Hello,

there is described one of possible causes of invalid token together with the solution

it apply for specific server configuration but be sure to check your phpinfo for $_SERVER[‘HTTPS’]  variable anyway

[Maguie]

J'ai rencontré ce souci avec la version 1.7.4 et je l'ai résolu de la façon suivante :

Sur votre hébergement, allez dans la version de PHP et passez-là en 7.2 (moi c'était déjà en 7.2)

Ensuite pour " max_input_vars" moi j'étais à 3000, alors je suis repassée à 1000. autre site que j'ai de même version et qui fonctionne très bien!)
Pensez à modifier vos favoris d'accès à ce site.

En espérant Que cela puisse aider 🙂

Edited September 2, 2019 by Maguie (see edit history)

[GuimDotcom]

On 5/23/2019 at 9:03 PM, Prestahost.cz said:

Hello,

there is described one of possible causes of invalid token together with the solution

it apply for specific server configuration but be sure to check your phpinfo for $_SERVER[‘HTTPS’]  variable anyway

This is THE solution!

if(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https'){
    $_SERVER['HTTPS']='on';
}

Add this on your adminxxxxxxxxxxxxx/index.php top, just after <?php

There is NGINX on my server and $_SERVER are rewritten. There wasn't $_SERVER['HTTPS'] variable.

Edited April 16, 2020 by GuimDotcom (see edit history)

[Prestablob]

My shop was working fine until it suddenly started with the invalid token error.

It turned out that my hosting service hit its maximum file limit, this meant the token could not be stored in the backend and I got the invalid token error presumably because an old token was being read.
I deleted some files and the shop started working.

[Darius1990]

On 11/20/2019 at 10:21 PM, Prestablob said:

My shop was working fine until it suddenly started with the invalid token error.

It turned out that my hosting service hit its maximum file limit, this meant the token could not be stored in the backend and I got the invalid token error presumably because an old token was being read.
I deleted some files and the shop started working.

@Prestablob very informative... Deleted some files... Maybe more specific which one? 

[Lucio Eric]

On 9/2/2019 at 4:52 AM, Maguie said:

J'ai rencontré ce souci avec la version 1.7.4 et je l'ai résolu de la façon suivante :

Sur votre hébergement, allez dans la version de PHP et passez-là en 7.2 (moi c'était déjà en 7.2)

Ensuite pour " max_input_vars" moi j'étais à 3000, alors je suis repassée à 1000. autre site que j'ai de même version et qui fonctionne très bien!)
Pensez à modifier vos favoris d'accès à ce site.

En espérant Que cela puisse aider 🙂

Obrigado, funcionou perfeitamente essa solução apresentada

[Amir58]

Hi,
I Had the same problem with login. If you have a customer test account with the same email as admin email. Delete or change the customer email. That helped me when no other things like cookie IP, cookie liftime or other suggestion helped.

 

[rrv]

This error is due to the modification of this max_execution_time server variable, you just have to set it to 90 and it's ready to work again. :)

[Rizzzle]

 

On 9/18/2019 at 7:34 AM, GuimDotcom said:

This is THE solution!

There is NGINX on my server and $_SERVER are rewritten. There wasn't $_SERVER['HTTPS'] variable.

Hi,

That link is dead. Please can you elaborate what we need to do to fix this? That would be mega appreciated.

Thanks

[Prestahost]

Some variables were not passed to Apache from Nginx. There are several solutions, I have opted for prepending the code below using php.ini:

 

if(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https'){
    $_SERVER['HTTPS']='on';
    $_SERVER['SERVER_PORT'] = 443;
}
if(isset($_SERVER['HTTP_X_REAL_IP'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_REAL_IP'];
}
 

[Rizzzle]

21 hours ago, Prestahost.cz said:

Some variables were not passed to Apache from Nginx. There are several solutions, I have opted for prepending the code below using php.ini:

 

if(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https'){
    $_SERVER['HTTPS']='on';
    $_SERVER['SERVER_PORT'] = 443;
}
if(isset($_SERVER['HTTP_X_REAL_IP'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_REAL_IP'];
}
 

Thanks man. Do I create a .php file with that code in, then add "auto_prepend_file=/php/myfile.php" to the php.ini?

[Prestahost]

Correct, but you will need the full path to the prepended file

[RickieSee]

2 hours ago, Prestahost.cz said:

Correct, but you will need the full path to the prepended file

Thanks man. I will try it now.

Edited April 16, 2020 by RickieSee (see edit history)

[RickieSee]

3 hours ago, Prestahost.cz said:

Correct, but you will need the full path to the prepended file

I can't seem to get it working with the line:

php_value  auto_prepend_file /home/mysite/public_html/fix.php

Please can I see how you did it? There's a beer in it for anyone who can help me fix this!

[BONNYD]

On 11/23/2018 at 11:44 PM, Velno said:

Same issiue on Presta 1.7.4.2. Can't edit or add new products.

What I tried:

- changing from PHP 7.0 to 7.1

- disabling control of cookie's IP

- turning off "increased security mode" in Preferences / General

- disabling whole modules that are not made by Presta

And the problem still occurs. Any solution?

I did the first 2and forth and still had an issue in 1.7.6.5. so now turned off cookies and i think it has worked.

[RickieSee]

On 4/15/2020 at 7:28 PM, Prestahost.cz said:

Some variables were not passed to Apache from Nginx. There are several solutions, I have opted for prepending the code below using php.ini:

 

if(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https'){
    $_SERVER['HTTPS']='on';
    $_SERVER['SERVERjDDR'] = $_SERVER['HTTP_X_REAL_IP'];
}
 

Hey man, I still have the problem If you can walk me through this please I will send you 40 EUR, This issue is driving me insane.

Edited July 12, 2020 by RickieSee
Revision (see edit history)

[TehranShop]

Hi guys

you must be set php from php selector in C-Panel

on 7.2 and everything working fine and great

 

goodluck

[hugolin69]

Same here, I am under 1.7.5.1, under PHP 7.2, IP check disabled, and I can not find what is wrong.

I give also a reward.

Edited February 4, 2021 by hugolin69 (see edit history)

[Rizzzle]

3 minutes ago, hugolin69 said:

Same here, I am under 1.7.5.1, under PHP 7.2, IP check disabled, and I can not find what is wrong.

I give also a reward.

It's driving me crazy. I believe it is some setting on the server. Just, which one? It's not PHP version. I have tried.

[hugolin69]

I have PHP 7.2 also.

But for the solution about the IP, I am not sure, because, I disabled the IP check, then even if there is some kind of proxy, it should not impact it.

[orotoi]

Soo.. guys.

anyone with a solution for the invalid tokens? Its really annoying and some times even if u "accept risk and go on" it goes in an infinite loop of that error, not letting save edited category for example..

[Rizzzle]

It is the most annoying problem. I cannot solve this. 

[orotoi]

are you using cloudflare or some other proxy?

I m trying to figure out if this is the problem or related..

[Rizzzle]

No. No Proxy.

It is most likely a configuration on your server coupled with crappy code.

[raultamayomate]

Hi, try this.

Create a file in document root where is index.php, called ".env" or if you almost have a file called .env, add a new line whith this content:

_TOKEN_=disabled

 

Greetings

[raultamayomate]

If this  not work, edit the file /src/Core/Feature/TokenInUrls.php

change the isDisabled function whith:

public static function isDisabled()
    {
        //return getenv(self::ENV_VAR) === self::DISABLED;
        return false;
    }

greetings

[Prestafan33]

On 6/5/2021 at 9:53 AM, raultamayomate said:

If this  not work, edit the file /src/Core/Feature/TokenInUrls.php

change the isDisabled function whith:

public static function isDisabled()
    {
        //return getenv(self::ENV_VAR) === self::DISABLED;
        return false;
    }

greetings

Thanks for your solution. It works, but maybe you mean....

public static function isDisabled()
{
    //return getenv(self::ENV_VAR) === self::DISABLED;
    return true;
}

TRUE (isDisabled) instead of FALSE. This way, you're disabling security tokens for backend, but it works if you're having problems for that.

.... but I'm not sure, when I tried to save after that modification, I have a "The CSRF token is invalid"

Edited June 9, 2021 by Prestafan33 (see edit history)

[JuanAFT]

I had the same problem. In my case it seems that the problem was due to the cache management.
I fixed it by disabling the Prestashop cache options and using the server cache option.
I hope it can be of use to someone.

[Danny]

people who has this error, try to check your php.ini options inside cpanel. Probably you have too many options activated inside. One, or more of them, can cause this behaviour.

If this is the case, check what options PS really needs to work and uncheck the others.

Danny

[CJH]

This error is making Prestashop impossible to use, literally. I have had it come up on occasion, but reloading the page clears it. This has been across more than one version of Prestashop, currently on 1.7.7.3. Now, I am unable to edit any product without it appearing.

I have checked file totals and these are well within range, cleared cache, tried turning off cooking control, checked php version (correct 7.3), tried changing the code in TokenInUrls.php (first suggestion did not work, second replicated the invalid csrf token message and saving was impossible), cache disabled (not using any), cannot stop this appearing in a forever loop. If I do display a page and make a change, it immediately states settings saved, but doesn't really do so ... refresh the page and nothing has been saved but the dreaded error appears.

Any more ideas? I have a non-functioning website in terms of updating at present. My knowledge of how to code and change things is very limited ...

[Rizzzle]

6 minutes ago, CJH said:

This error is making Prestashop impossible to use, literally. I have had it come up on occasion, but reloading the page clears it. This has been across more than one version of Prestashop, currently on 1.7.7.3. Now, I am unable to edit any product without it appearing.

I have checked file totals and these are well within range, cleared cache, tried turning off cooking control, checked php version (correct 7.3), tried changing the code in TokenInUrls.php (first suggestion did not work, second replicated the invalid csrf token message and saving was impossible), cache disabled (not using any), cannot stop this appearing in a forever loop. If I do display a page and make a change, it immediately states settings saved, but doesn't really do so ... refresh the page and nothing has been saved but the dreaded error appears.

Any more ideas? I have a non-functioning website in terms of updating at present. My knowledge of how to code and change things is very limited ...

I ended up moving host to a Plesk VPS from a Cpanel VPS. Problem solved. I wish I had done this earlier - it's absolutely unbearable. So much time wasted.

I tried everything. All versions of PHP etc. Nothing worked.

Backup your site and database, move host and point your domain at the new host. Easily done in two hours.

[hannes01]

Hello,

I just had the same issue in 1.7.8.3. After trying everything, I set SameSite cookies to "none" (in Administration section). Before the setting was "Lax".

So far this has helped.

[HardlyFungible]

PS on 1.7.8.3, Cookie IP to Yes and Cookie SameSite to Strict worked for me on php 7.4.27

[John Zaw]

I have the same issue. This issue is over 4 years long and we still can't find the right solution. Is Prestashop a bad platform?

[CJH]

I've suffered this for iterations through 1.6, 1.7 and now in 8.03. Generally now only when I log in, but very occasionally when changing tabs in back office. But I still get it, despite a different install, version and php change.