XF 2.2 Security error occurred. Please press back, refresh the page, and try again.

Mr Lucky

Well-known member
I've seen other threads with this issue, but this doesn't seem to fit in with those.

This notice:

The Security error occurred. Please press back, refresh the page, and try again.

Seems to appear randomly and backspace/refresh doesn't fix it. Sometimes clearing cookies and cache fixes it. (But other times it initiates it!)

The most recent case was happening when I'm logged out and (using Firefox/Mac) click on any of the three big buttons on my home page, and sometimes on the cookie notice (accept all or reject optional)

Another time
  • clicking on accept all cookies just reloads the page but not dismiss the notice but
  • clicking on reject optional gets the security error
The randomness is obviously very annoying but right now on Firefox (not logged in) I've been stuck with the cookie notice. Over and over not working. Then leave it and come back 15 minutes later and it all works fine. (until it doesn't)

If it wasn't so random I'd try disabling addons (so far I have disabled the lite speed cache addon)

So can anyone shed any light on what might be causing this?

Thanks
 
Last edited:
I guess adding litespeed to the server doesn't work by itself. you need to sit down and tune it.
And I don't know anything about that.
I hope I can find someone who understands.

Thank you very much for your detailed explanations.
 
I guess adding litespeed to the server doesn't work by itself. you need to sit down and tune it.
And I don't know anything about that.
I hope I can find someone who understands.

Thank you very much for your detailed explanations.
Ya a generic HTML cache at the origin like LiteSpeed cache or Varnish is going to usually just be problematic unless the site is pretty vanilla/basic. You need to make sure the user isn't logged in (easy enough) and you also need to make sure the HTML source of the page doesn't have anything intended for the guest user who the page was generated for or time-sensitive... and for XenForo that means the CSRF tokens are problematic because they are in the page source on every page view (even for guests) and expire. CSRF tokens are intended just for the user who received it. And that's the fundamental issue which started this thread. :)
 
The Security error occurred. Please press back, refresh the page, and try again.
The likely cause for this is xf_csrf (see Cookie usage > Standard cookies we set > Essential cookies). And the likely cure for this is inserting |xf_csrf in “.haccess” as follows:

Rich (BB code):
# LiteSpeed XenForo cache
<IfModule litespeed>
    CacheLookup public on
    RewriteEngine On
    # cache
    RewriteCond %{HTTP_COOKIE} !(xf_lscxf_logged_in|xf_user|xf_session_admin|xf_csrf) [NC]
    RewriteCond %{REQUEST_URI} !/install/ [NC]
    RewriteRule .* - [E=Cache-Control:max-age=360,E="cache-vary:xf_style_id,xf_language_id"]
    # no cache
    RewriteCond %{HTTP_COOKIE} (xf_lscxf_logged_in|xf_user|xf_session_admin|xf_csrf) [NC]
    RewriteRule .* - [E=Cache-Control:vary=loggedin,E=Cache-Control:no-cache]
</IfModule>
Give it a try and let us know if it works for you.
 
The likely cause for this is xf_csrf (see Cookie usage > Standard cookies we set > Essential cookies). And the likely cure for this is inserting |xf_csrf in “.haccess” as follows:

Rich (BB code):
# LiteSpeed XenForo cache
<IfModule litespeed>
    CacheLookup public on
    RewriteEngine On
    # cache
    RewriteCond %{HTTP_COOKIE} !(xf_lscxf_logged_in|xf_user|xf_session_admin|xf_csrf) [NC]
    RewriteCond %{REQUEST_URI} !/install/ [NC]
    RewriteRule .* - [E=Cache-Control:max-age=360,E="cache-vary:xf_style_id,xf_language_id"]
    # no cache
    RewriteCond %{HTTP_COOKIE} (xf_lscxf_logged_in|xf_user|xf_session_admin|xf_csrf) [NC]
    RewriteRule .* - [E=Cache-Control:vary=loggedin,E=Cache-Control:no-cache]
</IfModule>
Give it a try and let us know if it works for you.

Hello @Aivaras ,

I would recommend against this solution as it would likely be the same as disabling guest caching with how prevalent CSRF tokens are in XenForo.

On the same note, I'm looking into the plugin code now to see if it is possible to resolve this by having the plugin replace a page's CSRF token with a fresh one through an AJAX request.

Regards,
-Michael
 
I'm not using a VPN, but it it does seem maybe cache as I noticed the page itself doesn't show edited changes immediately - could be related??? From what I recall pages should show a change as soon as you have edited , saved and reloaded.

That's why I disabled the Litespeed addon but it made no difference.

Oh yes, it isn't just me (or I wouldn't be too bothered) . Other people are getting this - I was alerted not be a user but by someone (guest) just browsing the site.
Can you try your own isp’s ip address?
 
Back
Top Bottom