XF 2.2 Security error occurred. Please press back, refresh the page, and try again.

Mr Lucky

Well-known member
I've seen other threads with this issue, but this doesn't seem to fit in with those.

This notice:

The Security error occurred. Please press back, refresh the page, and try again.

Seems to appear randomly and backspace/refresh doesn't fix it. Sometimes clearing cookies and cache fixes it. (But other times it initiates it!)

The most recent case was happening when I'm logged out and (using Firefox/Mac) click on any of the three big buttons on my home page, and sometimes on the cookie notice (accept all or reject optional)

Another time
  • clicking on accept all cookies just reloads the page but does not dismiss the notice, but
  • clicking on reject optional gets the security error
The randomness is obviously very annoying but right now on Firefox (not logged in) I've been stuck with the cookie notice. Over and over not working. Then leave it and come back 15 minutes later and it all works fine. (until it doesn't)

If it wasn't so random I'd try disabling addons (so far I have disabled the LiteSpeed cache addon).

So can anyone shed any light on what might be causing this?

Thanks
 
I guess adding LiteSpeed to the server doesn't work by itself. You need to sit down and tune it.
And I don't know anything about that.
I hope I can find someone who understands.

Thank you very much for your detailed explanations.
 
Ya a generic HTML cache at the origin like LiteSpeed cache or Varnish is going to usually just be problematic unless the site is pretty vanilla/basic. You need to make sure the user isn't logged in (easy enough) and you also need to make sure the HTML source of the page doesn't have anything intended for the guest user who the page was generated for or time-sensitive... and for XenForo that means the CSRF tokens are problematic because they are in the page source on every page view (even for guests) and expire. CSRF tokens are intended just for the user who received it. And that's the fundamental issue which started this thread. :)
 
The Security error occurred. Please press back, refresh the page, and try again.
The likely cause for this is xf_csrf (see Cookie usage > Standard cookies we set > Essential cookies). And the likely cure for this is inserting |xf_csrf in “.htaccess” as follows:

Rich (BB code):
# LiteSpeed XenForo cache
<IfModule litespeed>
    CacheLookup public on
    RewriteEngine On
    # cache
    RewriteCond %{HTTP_COOKIE} !(xf_lscxf_logged_in|xf_user|xf_session_admin|xf_csrf) [NC]
    RewriteCond %{REQUEST_URI} !/install/ [NC]
    RewriteRule .* - [E=Cache-Control:max-age=360,E="cache-vary:xf_style_id,xf_language_id"]
    # no cache
    RewriteCond %{HTTP_COOKIE} (xf_lscxf_logged_in|xf_user|xf_session_admin|xf_csrf) [NC]
    RewriteRule .* - [E=Cache-Control:vary=loggedin,E=Cache-Control:no-cache]
</IfModule>
Give it a try and let us know if it works for you.
 
Hello @Aivaras ,

I would recommend against this solution as it would likely be the same as disabling guest caching with how prevalent CSRF tokens are in XenForo.

On the same note, I'm looking into the plugin code now to see if it is possible to resolve this by having the plugin replace a page's CSRF token with a fresh one through an AJAX request.

Regards,
-Michael
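
A minimal Python model of the problem discussed in this thread, added here as an illustration and not code from XenForo, the LiteSpeed plugin or any poster. It shows a URL-keyed public cache handing one guest's CSRF token to another guest, and how adding xf_csrf to the bypass list makes every form validate again while cache hits drop to zero. The token scheme, secret and cookie values are assumptions constructed for the example; the bypass list is the posted one without xf_csrf.

```python
import hashlib
import hmac

SECRET = b"constructed-server-secret"  # constructed; stands in for the forum's secret
CACHE_MAX_AGE = 360                    # same value as max-age=360 in the posted rules
ORIGINAL_BYPASS = {"xf_lscxf_logged_in", "xf_user", "xf_session_admin"}

def issue_token(csrf_cookie, now):
    """Assumed scheme: timestamp plus an HMAC bound to the visitor's xf_csrf cookie."""
    mac = hmac.new(SECRET, f"{now}:{csrf_cookie}".encode(), hashlib.sha256).hexdigest()
    return f"{now},{mac}"

def token_valid(token, csrf_cookie):
    """Accept a token only if it was issued for this visitor's cookie."""
    ts, _, _ = token.partition(",")
    return ts.isdigit() and hmac.compare_digest(token, issue_token(csrf_cookie, int(ts)))

class PageCache:
    """Public cache keyed by URL only; bypass mirrors the cookie list in the RewriteCond lines."""
    def __init__(self, bypass):
        self.bypass, self.store, self.hits = set(bypass), {}, 0

    def fetch(self, url, cookies, now):
        """Return the CSRF token embedded in the HTML this visitor receives."""
        if cookies.keys() & self.bypass:            # "no cache" rule matched
            return issue_token(cookies.get("xf_csrf", ""), now)
        cached = self.store.get(url)
        if cached and now - cached[0] <= CACHE_MAX_AGE:
            self.hits += 1                          # page rendered for someone else is served
            return cached[1]
        token = issue_token(cookies.get("xf_csrf", ""), now)
        self.store[url] = (now, token)
        return token

def simulate(bypass):
    """Two guests, each holding their own xf_csrf cookie, load "/" and submit its form."""
    cache = PageCache(bypass)
    guests = [({"xf_csrf": "guest-a-cookie"}, 0), ({"xf_csrf": "guest-b-cookie"}, 60)]
    accepted = [token_valid(cache.fetch("/", c, t), c["xf_csrf"]) for c, t in guests]
    return accepted, cache.hits

if __name__ == "__main__":
    print(simulate(ORIGINAL_BYPASS))                # second guest's form is rejected
    print(simulate(ORIGINAL_BYPASS | {"xf_csrf"}))  # both accepted, but no cache hits
```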
 
I'm not using a VPN, but it does seem maybe cache as I noticed the page itself doesn't show edited changes immediately - could be related??? From what I recall pages should show a change as soon as you have edited, saved and reloaded.

That's why I disabled the Litespeed addon but it made no difference.

Oh yes, it isn't just me (or I wouldn't be too bothered). Other people are getting this - I was alerted not by a user but by someone (guest) just browsing the site.
Can you try your own ISP’s IP address?
 