@avif2016

Either the session expired, is invalid, or doesn’t match. You can see it starts here with checkCsrfToken():

This calls validateCSRFToken():

This function gets the token and calls validateToken():

In validateToken() it checks to see if the token you provided matches and if it has expired or not. I would do some var_dump()ing there to see if it’s not matching or if it expired.

Cheers.

So you want me to compare our code against the page from gitub.com? Can you please give me very specific direction on the tasks you suggested?

@avif2016

Go to your osTicket files, open include/class.csrf.php in any text editor, find the function function validateToken($token) (should be line 73), and change it to the following:

    function validateToken($token) {
        var_dump('Token: ', trim($token), 'This Token: ', $this->getToken(), 'Not Expired: ', !$this->isExpired());die;
        return ($token && trim($token)==$this->getToken() && !$this->isExpired());
    }

Once you make and save those changes go to the /scp login page and pull up the browser's DevTools (Right Click the login page and select the option Inspect). Once you have the developer tools pulled up go to the Network Tab. Now you can attempt to login which should trigger the code. At this point you should see the modal spinning and spinning (this is good in this case). In the Network tab you should see a new entry called login.php that has a Method of POST. Click this entry, click Preview, copy the content, and post it here.

Cheers.

    KevinTheJedi
    Instead of seeing the modal spinning, I get this message
    string(7) "Token: " string(40) "2ff536a069b9ce0d7277235378192455c9afcb37" string(12) "This Token: " string(40) "d68f9675b20bef6db6421fe5042cbd5371c4b31d" string(13) "Not Expired: " bool(true)

    I see 200K Status in the Network Tab and a new entry login.php

      @avif2016

      Okay so as you can see the two tokens don't match which is why you get Valid CSRF Token Required. I would suggest opening the DevTools in the browser, go to the Application tab, click Cookies in the sidebar, find OSTSESSID/PHPSESSID and delete them, login to the database, truncate the ost_session table (this will log everyone out of course), Force Refresh the login page (Mac: Shift + Command + R / Windows: Shift + Ctrl + R), and retest. Sometimes even a full browser close and reopen works or Incognito windows.

      If it's still not working after that then something is obviously messing with the sessions causing them to be different. This could be browser extensions, the way PHP sessions are configured on your server, etc.

      Cheers.

        KevinTheJedi truncate the ost_session

        I am not an expert in PHP. I saw the table in the admin, but how do you truncate?

        You didn't answer my early question about the IP Address. Our guys disable osTicket, and a new business hosting at Go Daddy. Does it have anything with a new IP address? Before the upgrade, osTicket was working fine, and now it is not.

          KevinTheJedi

          I raised the IP address issue, and this Go Daddy agent thinks this could be possible, and you said the same thing. The whole site seems to work fine, except the osTicket. Can you tell me where I should update the Go Daddy hosting and Security panel?

          In the meantime, I read the article further.

            @avif2016

            Can you tell me where I should update the Go Daddy hosting and Security panel?

            I don’t have the slightest idea. That would be a question for the Go Daddy agent.

            Cheers.

              KevinTheJedi
              I asked the agent back with my first call, but he does not know where to update the new IP address.
              Can you come up with some questions so I could ask Go Daddy agent specifically?

                @avif2016

                I’m not fully convinced the IP change is causing the issue just yet. I would first try truncating the session table as described above. Then I would clear all cache and cookies in the browser and force refresh the page. This is usually what works in these cases.

                In some cases the session table needed repairing. You can run ‘REPAIR TABLE ost_session; in MySQL to repair the table.

                Also quick question, what version of PHP is the site running?

                Cheers.

                  KevinTheJedi

                  I am very concerned about the truncate directive. If I perform this directive, it will log everyone out. What about those data? Is it okay to lose? Some video suggested this cannot be rollback?

                    @avif2016

                    Thats just the easy way to clear the sessions from the database. You can try to delete just your sessions by going to the ost_staff table, finding your account and grab the id, go to the ost_session table, and delete all records that match user_id = id_you_copied.

                    Cheers.

                    a month later

                    Hi Kevin, we fixed the session thing last time. Now, we received another problem:

                    OSticket still isn’t working properly. And I’m not sure why.
                    Today, I received a ticket. I tried to log in and it didn’t recognize my password. So I clicked ‘Forgot Password’. I rec’d a link to enter my new password. When I did, I get the following message.
                    ``
                    Warning: "Continue" targeting switch is equivalent to "break" Did you mean to use 'continue2? in/home/water2099/public_html/flowpointsytem.com/support/include/class.osticket.php on line 442'"

                    Any idea what it means?

                    I don’t know anything about the DB Error you rec’d below.
                    Any ideas how we can get this working properly?

                    [INSERT INTOost_sessionSETsession_id= 'shbav3av3mcr3a16alnjqimd22',session_data= 'csrf|N;',session_expire= NOW() + INTERVAL 86400 SECOND,user_ip= '185.93.231.39',user_agent` = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36']

                    Duplicate entry 'shbav3av3mcr3a16alnjqimd22' for key 'PRIMARY'<br /> <br />
                    ---- Backtrace ----<br />
                    #0 (root)/include/mysqli.php(204): osTicket->logDBError('DB Error #1062', '[INSERT INTO o...')<br />
                    #1 (root)/include/class.orm.php(3133): db_query('INSERT INTO                    os...', true, true)<br />
                    #2 (root)/include/class.orm.php(597): MySqlExecutor->execute()<br />
                    #3 (root)/include/class.ostsession.php(217): VerySimpleModel->save()<br />
                    #4 (root)/include/class.ostsession.php(158): DbSessionBackend->update('shbav3av3mcr3a1...', 'csrf|N;')<br />
                    #5 [internal function]: SessionBackend->write('shbav3av3mcr3a1...', 'csrf|N;')<br />
                    #6 [internal function]: session_write_close()<br />
                    #7 {main}
                    `

                    ntozier
                    I solved the problem by manually installing the latest version, and the osticket is running, but there was a glitch when my coworker first signed in; he saw my profile. Is this common?
                    In this installation, I started fresh, and I used a new database with php 7.4 this time.

                    (Updated)
                    My coworker assigned roles and the people never got any emails from osticket.
                    My other coworker cannot create a ticket.

                        avif2016 coworker first signed in; he saw my profile. Is this common?

                        No sure what you mean. Screen shots or anything? Did you / He clear your web cache before going to the new old site?

                          Write a Reply...