XF 2.1 Getting "Cannot perform action because you are no longer logged in" when trying to import a theme

[Ian Hitt]

I receive this error when trying to import a theme. I have tried the steps to debug the issue:

1. Tried creating a new theme instead of importing. This does still work.
2. Tried logging in and out to resolve the issue. This does not work.
3. Tried logging in via different accounts to perform the style import. This does not work.
4. Tried logging in via incogntio window. This also does not work.

There is no site caching that would be effecting this, and it is a new installation. Additionally, I see a 403 error on admin.php?styles/import:1 in the console. There are no server error logs.

 

[Chris D]

An unexpected 403 error is usually going to be related to something on the server, such as mod_security or similar.

 

[Mike]

The 403 is the "no longer logged in" message I believe, so that wouldn't be unexpected given that message.

However, this issue may well be related to things like the file being too large for the server to handle and inputs being dropped when sent to PHP (thus we don't get the session cookie as expected). You can try uploading an empty style as I suspect it will work. Unfortunately, this is likely to require adjustments on the server side to allow the request through.

 

[Ian Hitt]

@Mike Thank you, your suggestion looks to be correct. Importing a small and/or empty style does work as expected.

 

[Brent W]

Hi Mike,

This is happening because CloudFlare is attempting to request a Captcha be displayed and completed before the action can complete. For some reason, CloudFlare can not show the Captcha within XF though it is being sent as you can see below.

 

[Chris D]

It can’t display it because we’re currently performing an Ajax request and do not expect our output to be hijacked by someone else.

You would need to configure CloudFlare not to attempt to throttle you in these cases. It’s detecting what you’re doing presumably as exceeding some rate limits or as a DDoS attack.

 

[Brent W]

Disabling the WAF for the Admin area no longer presents a Captcha but now simply sends:

{
    "status": "error",
    "errors": [
        "This action could not be completed because you are no longer logged in. Please reload the page."
    ],
    "errorHtml": {
        "content": "\n\n<div class=\"blockMessage\">\n\t\n\t\tThis action could not be completed because you are no longer logged in. Please reload the page.\n\t\n</div>",
        "title": "Oops! We ran into some problems."
    }
}

The theme attempting to be uploaded is 1,018 KB. I have attempted to upload this on a site that is on a completely different server with the same error.

 

[eva2000]

The theme attempting to be uploaded is 1,018 KB. I have attempted to upload this on a site that is on a completely different server with the same error.

try uninstallng Install & Upgrade addon first

 

[Brent W]

try uninstallng Install & Upgrade addon first

We didn't have that one. I was able to get this working on my personal server as it was entirely Cloudflare blocking it. However, still unable to upload on client server due to not logged in error.

 

[Chris D]

Might be worth checking stuff like post_max_size (which is mostly what Mike was alluding to).

Obviously PHP's default for that is usually 8MB so there shouldn't be a problem, but with this file being greater than 1MB it just makes me wonder if you're hitting some incredibly small file upload limit, either in PHP, the web server or some other software.

 

[Brent W]

I don't think it is a PHP issue since it is returning a 403 forbidden response and the error relates to cookies. This is on a development server.

$config['cookie']['prefix'] = 'staging_'; is set

I am seeing staging_csrf in the request cookies.

 

[Brent W]

Should I be sending more cookies than this. On the site where it works there are many more sent.

 

[Chris D]

They are generally the ones I'd expect to see in order to remain logged in.

 

[eva2000]

Should I be sending more cookies than this. On the site where it works there are many more sent.

View attachment 196114

you're missing staging_user if logged in

 

[Brent W]

you're missing staging_user if logged in

Even if only in the admin area? I've tested over multiple browsers and I can't figure out what is going on here. I have tried it with an 85 KB style as well. Same issue.

 

[eva2000]

for admin only then yes only staging_session_admin needed

 

[Chris D]

Even if only in the admin area? I've tested over multiple browsers and I can't figure out what is going on here. I have tried it with an 85 KB style as well. Same issue.

Are the values of the cookies changing between requests? If the session_admin cookie is changing between requests then that's significant. A cause for that would be if your IP address is changing between requests. For security, if your IP address changes, that invalidates your session.

I feel like this is unlikely in your case, but connecting through some proxy servers can cause this. There should be some level of protection against CloudFlare itself causing this (because we generally see your real IP address rather than the CF IP address) but if you are going through a proxy/VPN, or you are on an unreliable connection, then it is feasible.

 

[Ian Hitt]

@Brent W I believe we are speaking in regards to the same demo. I have just test imported a 10kb theme (color palette changes only) and it works just fine. I'm not sure what that threshold is, but seems like the file size plays at least some factor here.