Hello!
I'm having a curious problem that's probably caused by my server, but I would still very much appreciate your thoughts and advice.
Since yesterday my elgg site no longer accepts form input (preventing users from logging in and posting stuff), because of a token mismatch. I've been digging all day to find out what's going on. I've traced the problem to the session variable __elgg_session (i.e. $_SESSION['__elgg_session']) changing with every page view. Elgg uses this session variable when generating the token, which is sent to the browser in the hidden input field of forms and subsequently sent back to elgg when the user submits the form again. Since this session variable is for some reason changing with every page view, this causes elgg to return the token mismatch error... I am absolutely certain that this is the problem, because I've made a test script and tested on two different servers running the same elgg versions. On the production server, the variable changes with every page view, while on the test server, it remains constant, and the entire problem doesn't occur as a result.
I'm wondering why this session variable keeps changing with every page view... Here's what I can tell you from my subsequent investigations:
Just for completeness' sake:
The production server is running PHP 5.3.19, while the test server is running PHP 5.3.3. Both are running Linux. Oh, and both are not using elgg's simplecache/systemcache at the moment (probably has no influence in this case anyway).
All ideas and comments greatly appreciated!
- llanddewi@llandewi
llanddewi - 0 likes
I found out what happened! :) The users_sessions table had crashed. Perhaps related to the server problems I mentioned. This is the table in which elgg stores session variables, so if it isn't accessible, the whole session won't work. After repairing the table in phpMyAdmin, all was well again.
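
A minimal model of the failure described in this thread, added here as an illustration and not Elgg's code: a form token derived from a per-session secret stops validating once the session storage can no longer persist that secret. The `SessionStore` class, the HMAC construction and all names and values are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """Stand-in for a database-backed session table (hypothetical, not Elgg's schema)."""

    def __init__(self, healthy=True):
        self.healthy = healthy
        self.rows = {}

    def load(self, sid):
        # A crashed table returns nothing, so every request looks like a new session.
        return self.rows.get(sid) if self.healthy else None

    def save(self, sid, data):
        # Writes to a crashed table are lost.
        if self.healthy:
            self.rows[sid] = data


def start_session(store, sid):
    """Load the session, creating a fresh per-session secret when none is stored."""
    data = store.load(sid)
    if data is None:
        data = {"secret": secrets.token_hex(16)}
        store.save(sid, data)
    return data


def form_token(session, timestamp):
    """Token placed in the hidden form field, bound to the session secret."""
    key = session["secret"].encode()
    return hmac.new(key, str(timestamp).encode(), hashlib.sha256).hexdigest()


def round_trip(store, sid="constructed-session-id", timestamp=1700000000):
    """Render a form on one request, then validate the submitted token on the next."""
    issued = form_token(start_session(store, sid), timestamp)
    expected = form_token(start_session(store, sid), timestamp)
    return hmac.compare_digest(issued, expected)


def secret_is_stable(store, sid="constructed-session-id", views=3):
    """Diagnostic from the post: does the session secret survive repeated page views?"""
    return len({start_session(store, sid)["secret"] for _ in range(views)}) == 1
```

Running `secret_is_stable` against the real session backend is the same check as the test script mentioned in the post: a secret that changes on every view points at session persistence, not at the token code.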