XF 2.2 Security error occurred. Please press back, refresh the page, and try again.

[Mr Lucky]

I've seen other threads with this issue, but this doesn't seem to fit in with those.

This notice:

The Security error occurred. Please press back, refresh the page, and try again.

Seems to appear randomly and backspace/refresh doesn't fix it. Sometimes clearing cookies and cache fixes it. (But other times it initiates it!)

The most recent case was happening when I'm logged out and (using Firefox/Mac) click on any of the three big buttons on my home page, and sometimes on the cookie notice (accept all or reject optional)

Another time

• clicking on accept all cookies just reloads the page but not dismiss the notice but
• clicking on reject optional gets the security error

The randomness is obviously very annoying but right now on Firefox (not logged in) I've been stuck with the cookie notice. Over and over not working. Then leave it and come back 15 minutes later and it all works fine. (until it doesn't)

If it wasn't so random I'd try disabling addons (so far I have disabled the lite speed cache addon)

So can anyone shed any light on what might be causing this?

Thanks

 

[Rhody]

Perhaps a Cache or VPN issue?

 

[Mr Lucky]

Perhaps a Cache or VPN issue?

I'm not using a VPN, but it it does seem maybe cache as I noticed the page itself doesn't show edited changes immediately - could be related??? From what I recall pages should show a change as soon as you have edited , saved and reloaded.

That's why I disabled the Litespeed addon but it made no difference.

Oh yes, it isn't just me (or I wouldn't be too bothered) . Other people are getting this - I was alerted not be a user but by someone (guest) just browsing the site.

 

[Rhody]

I'm not using a VPN, but it it does seem maybe cache as I noticed the page itself doesn't show edited changes immediately - could be related??? From what I recall pages should show a change as soon as you have edited , saved and reloaded.

That's why I disabled the Litespeed addon but it made no difference.

Oh yes, it isn't just me (or I wouldn't be too bothered) . Other people are getting this - I was alerted not be a user but by someone (guest) just browsing the site.

I get the error on your site as soon as I click the COOKIE consent option.

 

[JustinHawk]

I've seen other threads with this issue, but this doesn't seem to fit in with those.

This notice:

The Security error occurred. Please press back, refresh the page, and try again.

Seems to appear randomly and backspace/refresh doesn't fix it. Sometimes clearing cookies and cache fixes it. The most recent case was happening when I'm logged out and (using Rirefox/Mac) click on any of the three big buttons on my home page, and sometimes on the cookie notice (accept all or reject optional)

Another time

• clicking on accept all cookies just reloads the page but not dismiss the notice but
• clicking on reject optional gets the security error

The randomness is obviously very annoying but right now on Firefox (not logged in) I've been stuck with the cookie notice. Over and over not working. Then leave it and come back 15 minutes later and it all works fine. (until it doesn't)

If it wasn't so random I'd try disabling addons (so far I have disabled the lite speed cache addon)

So can anyone shed any light on what might be causing this?

Thanks

This could happen if you are using extensive caching. Making browser cache pages for like few minutes. Make sure whatever caching you have setup, it's correct. You should check for your cache setup. If you are using litespeed please update your .htacess file and restart litespeed web server for changes to take effect.

 

[digitalpoint]

It looks like it's a backend caching problem. Specifically whatever you are using to cache the HTML of pages is caching the CSRF token as part of that. So any POST/AJAX request (for example accepting the cookie consent screen) is going to fail because the stale CSRF token isn't valid. XenForo should probably replace CSRF tokens with the Sec-Fetch-Site header that all modern browsers support now. Related suggestion here:

Compatibility for CSRF protection & Cloudflare full HTML page caching

I'm curious if there's any better way for CSRF protection that would work with Cloudflare or other CDN's guest full HTML page caching which uses cookies to differentiate between logged in/logged out guest users? The issue that arises with Xenforo 2.x in CSRF and full page HTML caching is...

xenforo.com

If you want to keep doing HTML caching however you are doing it on the backend and don't want to wait for XenForo to start using Sec-Fetch-Site instead of CSRF tokens, my PWA add-on adds Sec-Fetch-Site support (for a PWA app it happens a lot because the "app" stays on the same page... like you reopen the app later and it's still on the page it was before... at which point the CSRF token might have gone stale just because the page sat idle for a long period of time even if you aren't caching the HTML). So even if you aren't using PWA, the addon replaces CSRF tokens for all requests (not just PWA).

Beta - [DigitalPoint] PWA

This addon adds a few things that I felt were missing from XenForo's PWA app: If the user that is installing the PWA app is logged in, auto-log them into the PWA app (don't need to force users to log-in from scratch when they first load the...

xenforo.com

 

[MattW]

# LiteSpeed XenForo cache
<IfModule litespeed>
    CacheLookup public on
    RewriteEngine On
    # cache
    RewriteCond %{HTTP_COOKIE} !(xf_lscxf_logged_in|xf_user|xf_session_admin) [NC]
    RewriteCond %{REQUEST_URI} !/install/ [NC]
    RewriteRule .* - [E=Cache-Control:max-age=360]
    # no cache
    RewriteCond %{HTTP_COOKIE} (xf_lscxf_logged_in|xf_user|xf_session_admin) [NC]
    RewriteRule .* - [E=Cache-Control:vary=loggedin,E=Cache-Control:no-cache]
</IfModule>

The site has the standard Litespeed plugin .htaccess config set.

 

[MattW]

# LiteSpeed XenForo cache
<IfModule litespeed>
    CacheLookup public on
    RewriteEngine On
    # cache
    RewriteCond %{HTTP_COOKIE} !(xf_lscxf_logged_in|xf_user|xf_session_admin) [NC]
    RewriteCond %{REQUEST_URI} !/install/ [NC]
    RewriteRule .* - [E=Cache-Control:max-age=360]
    # no cache
    RewriteCond %{HTTP_COOKIE} (xf_lscxf_logged_in|xf_user|xf_session_admin) [NC]
    RewriteRule .* - [E=Cache-Control:vary=loggedin,E=Cache-Control:no-cache]
</IfModule>

The site has the standard Litespeed plugin .htaccess config set.

I've removed this from his .htaccess, and the error no longer occurs.

 

[Mr Lucky]

So it seems it was caused by the Litespeed addon and so disabling didn’t solve it until Matt pointed out about the htaccess.

I would have thought disabling the addon should remove the code how else to troubleshoot???

Anyway Matt has pointed out the addon is unmaintained so with any luck this has sorted it.

Thanks to everyone and thanks to @MattW for incredibly speedy hosting support!

But with Litespeed addon gone the site gets a slightly lower Lighthouse score (93 down from 99 )

 

[SelamT]

What exactly was the problem you were having?
I also installed this add-on today.
My desktop scores are all 100 but the performance score on mobile is quite low.
It gives a warning like cache images, css, js files.
Is there a solution for this?

 

[Rhody]

I'm running Litespeed cache on both of my Xenforos, without the issue.

 

[SelamT]

What are your mobile scores? (google speed)

 

[Rhody]

Link me to your preferred tool, and I'll check it

 

[digitalpoint]

So it seems it was caused by the Litespeed addon and so disabling didn’t solve it until Matt pointed out about the htaccess.

I would have thought disabling the addon should remove the code how else to troubleshoot???

Anyway Matt has pointed out the addon is unmaintained so with any luck this has sorted it.

Thanks to everyone and thanks to @MattW for incredibly speedy hosting support!

But with Litespeed addon gone the site gets a slightly lower Lighthouse score (93 down from 99 )

If it's purely just caching pages for non-logged in users (I assume that's what it's doing because it would be pretty weird to be caching pages for logged in users showing their avatar and username as logged in), there's better ways to do it than a cache sitting on your origin server. For example Cloudflare (or other CDNs) can have the cache stored in the hundreds of data centers around the world, so the cache can be served much faster (from the closest data center to the user). For $0 (at least in the case of Cloudflare).

No matter how well you cache something at the origin (your server), a user could still be 20,000km away from your server and you can't fetch the cached item faster than the speed of light. So putting the cache closer to the users is always going to be a win.

You can see an example of XenForo's HTML being served from Cloudflare's data centers here: https://appforcf.com/

GTmetrix Performance Report

GTmetrix Grade: A (Performance: 100% / Structure: 100%)

gtmetrix.com

 

[SelamT]

PageSpeed Insights

pagespeed.web.dev

 

[Rhody]

GTMetrics 95%
Pagespeed NOT great! hah But I'm also on shared reseller hosting plan, on cloudlinux.

 

[SelamT]

Thank you for sharing.
my results other than my performance scores are 100. but the performance score never goes up, especially on mobile.
no matter what I do.

 

[SelamT]

@digitalpoint



I have litespeed installed on my server.
When I checked it from cloudflare according to your information, the score seems to be low due to the above problem.
Do you know any way to solve this?

Thanks

 

[Mr Lucky]

I'm running Litespeed cache on both of my Xenforos, without the issue.

It may have been going on a long time without me knowing as it was quite intermittant

 

[digitalpoint]

@digitalpoint

View attachment 293649

I have litespeed installed on my server.
When I checked it from cloudflare according to your information, the score seems to be low due to the above problem.
Do you know any way to solve this?

Thanks

If they are items served from your server, ya... you can control the network edge cache of static assets via Cache-Control headers from the web server. For example if I hit my origin server directly, you can see that Nginx is giving a Cache-Control header that says the JavaScript file can be cached for 31536000 seconds (1 year):

twin1:~ # curl https://localhost/js/xf/preamble.js -k -H 'Host: appforcf.com' -I

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Nov 2023 18:33:02 GMT
Content-Type: application/javascript
Content-Length: 7307
Last-Modified: Sun, 11 Jun 2023 16:51:10 GMT
Connection: keep-alive
ETag: "6485fb7e-1c8b"
Cache-Control: public, max-age=31536000
Accept-Ranges: bytes

That Cache-Control header is what instructs Cloudflare to go ahead and cache it at the network edge (in their data centers). A normal request for the same file (passing through Cloudflare):

HTTP/3 200 OK
Age: 17
Alt-Svc: h3=":443"; ma=86400
Cache-Control: public, max-age=31536000
Cf-Cache-Status: HIT
Cf-Ray: 822fee1f6c897cf2-LAX
Content-Encoding: br
Content-Type: application/javascript
Date: Wed, 08 Nov 2023 18:37:57 GMT
Etag: W/"6485fb7e-1c8b"
Last-Modified: Sun, 11 Jun 2023 16:51:10 GMT
Server: cloudflare
Vary: Accept-Encoding

So ya.... the key thing is simply being able to set the Cache-Control header at your web server. I don't personally know how to do it with LiteSpeed (I don't use it), but I'm 100% sure it can be done if it doesn't simply do it automatically be default.