SID-01031: invalid crypt token
| Status: | Asked | TWiki version: | 5.0.0 | Perl version: | perl 5.8.8 x86_64 |
| Category: | CategorySecurity | Server OS: | CentOS 5.3 Linux 2.6.18 64bit | Last update: | 9 years ago |
I get an invalid crypt token when trying to create and save a page from a form. I used the format in ContactDB. If I disable {CryptToken}{Enable} then the page is created with no problems. However, when enabled I get the "invalid crypt token". Is there something special I need to do to make this work?
Below is a stripped down test I was using just to see if anything would work.
<Form name="new" action="%SCRIPTURLPATH{"save"}%/%WEB%/" method="post">
| Candidate Page Name | <input name="topic" value=' ' class=twikiInputField /> |
|| <input type="submit" class="twikiSubmit" value="Create New Candidate" /> |
<input type="hidden" name="action_save" value="1" />
<input type="hidden" name="text" value="---+testtesttest" />
<input type="hidden" name="topicparent" value="CandidatesPage" />
</form>
--
ScottGutman - 2010-11-22
Discussion and Answer
Strange, the crypt token is added automatically, so it should work. Keep in mind that the form can only be used once. That is, if you go back in your browser after submitting the form, you have to reload the page that contains the form.
--
PeterThoeny - 2011-01-04
Where and how can I disable the CryptToken, in order to be able to edit forms from a mobile app?
--
Pablo Jovanni Lopez Garcia - 2016-02-26
Run configure. Read the implications on disabling the crypt token.
--
Peter Thoeny - 2016-02-26
Thanks Peter
--
Pablo Jovanni Lopez Garcia - 2016-02-29
I'm having the same problem. TWiki::UI::verifyCryptToken cannot find the CryptToken in the CGI session.
--
Ian Holmes - 2016-12-30
Incidentally everything was working just fine until the last plugin I installed (which was DirectedGraphPlugin).
--
Ian Holmes - 2016-12-30
And to be clear it's not exactly the same problem. It happens whenever I try to edit any page at all (or specifically when I try to save the edit).
--
Ian Holmes - 2016-12-30
Insertion of debugging "warn" messages into LoginManager::createCryptToken suggests that the crypt token is being created, but manual inspection of the CGI session file in working/tmp indicates that the token does not appear to be saved in the CGI session. Permissions on files and directories do seem to be OK and CGI session file is being updated. Continuing to investigate.
--
Ian Holmes - 2016-12-30
OK, I might be misunderstanding how the CryptToken is being passed in. It looks like it is being inserted into the HTML for the edit page (set as a hidden input field on the form)...
--
Ian Holmes - 2016-12-30
I think I understand now - it's passed in the form but it's also stored in the CGI session and they're supposed to match. Except, it's NOT getting stored in the CGI session. It's there in the CGI::Session object in LoginManager::createCryptToken, but by the time execution flow reaches LoginManager::complete, it's been forgotten about.
If I add a CGI::Session flush to LoginManager::createCryptToken, it seems to fix the problem, though I still don't understand why it was working before and then stopped.
Old code:
<pre>
$session->param( 'CryptToken', $currentCrypt );
return $cryptid;
</pre>
Amended code:
<pre>
$session->param( 'CryptToken', $currentCrypt );
$this->{_cgisession}->flush(); # IH fix for CryptToken not being saved to CGI::Session database - see http://twiki.org/cgi-bin/view/Support/SID-01031
return $cryptid;
</pre>
--
Ian Holmes - 2016-12-30
Dammit, the pre tag doesn't work in comments. Well, you get the idea.
--
Ian Holmes - 2016-12-30
Re-opening to increase chance that this gets attention...
--
Ian Holmes - 2016-12-30
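The check discussed in this thread is a token placed both in the form's hidden field and in the server-side session, accepted on save only if the two match, and usable once. The sketch below is an added example, not TWiki's code, showing why a token that never reaches the session store is rejected. It assumes a simplified file-backed session store; every function name and session id in it is hypothetical.

```perl
#!/usr/bin/perl
# Added illustration, not TWiki code: every name below is hypothetical.
use strict;
use warnings;
use File::Temp qw(tempdir);
use Storable qw(store retrieve);

my $dir = tempdir( CLEANUP => 1 );    # stands in for the session directory

# Each request starts from what is on disk, never from another request's memory.
sub load_session {
    my ($sid) = @_;
    my $file = "$dir/$sid";
    my $data = -e $file ? retrieve($file) : {};
    return $data;
}

sub flush_session {
    my ( $sid, $data ) = @_;
    store( $data, "$dir/$sid" );
}

sub new_token {
    my $bytes;
    open( my $fh, '<:raw', '/dev/urandom' ) or die "urandom: $!";
    read( $fh, $bytes, 16 ) == 16 or die "short read from urandom";
    close($fh);
    return unpack( 'H*', $bytes );
}

# "Edit" request: the token goes into the session and into the hidden field.
sub render_form {
    my ( $sid, $flush ) = @_;
    my $data  = load_session($sid);
    my $token = new_token();
    $data->{tokens}{$token} = 1;
    flush_session( $sid, $data ) if $flush;    # without this the token is lost
    return $token;
}

# "Save" request: accept only a token the stored session knows, and only once.
sub verify_token {
    my ( $sid, $submitted ) = @_;
    my $data = load_session($sid);
    return 0 unless defined($submitted) && delete $data->{tokens}{$submitted};
    flush_session( $sid, $data );              # persist the removal: no replay
    return 1;
}

sub outcome { return $_[0] ? 'accepted' : 'invalid crypt token' }
my $t1 = render_form( 'sess-a', 1 );           # constructed session ids
my $t2 = render_form( 'sess-b', 0 );
print "flushed, first submit: ", outcome( verify_token( 'sess-a', $t1 ) ), "\n";
print "flushed, resubmit:     ", outcome( verify_token( 'sess-a', $t1 ) ), "\n";
print "not flushed, submit:   ", outcome( verify_token( 'sess-b', $t2 ) ), "\n";
```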