Help! Request denied You either don't have permission to access this page...

Status
Not open for further replies.

dotch

Chevereto Member
Website URL
<private>

Chevereto version
3.10.10

Description of the issue
Config

chevereto_3.10.10
OS CentOS 6.9 (Final)
Plesk version 12.5.30
php 5.4.45-14.el6.remi
mysql 5.5.59-1.el6.remi
The system is up-to-date; last checked at Mar 4, 2018 03:58 AM


This morning I suddenly could not log in to both my Chevereto sites, not as a user, not as admin. I get this error:
Code:
Request denied

You either don't have permission to access this page or the link has expired.

Also when I try to upload images as a guest, I get:

Code:
No image have been uploaded
Some errors have occured and the system couldn't process your request.

I did not change anything, but my CentOS might have been updated by yum-cron.

I tried a server reboot and start/stop
I also tried re-uploading the Chevereto files, followed by a reboot, but no success.

I've had this problem at least three times now. I've never really found the solution. The last time was over a year ago. https://chevereto.com/community/thr...ccess-this-page-or-the-link-has-expired.8288/

The problem has been described by others too: https://chevereto.com/community/thr...e-permission-to-access-this-page-v3-3-0.4754/
Enabling session.cookie_secure=1 in php.ini did not work for me
 
1. Open your website
2. Open the browser console (F12)
3. Paste this in the console and hit enter
Code:
PF.obj.config.auth_token
(You will get a random alphanumeric string)
4. Reload the page (F5) and do it all over again.

If you notice two different strings then the problem is that your server is not dealing properly with sessions. Chevereto uses sessions to label each visitor under an auth token. If on webpage refresh that value changes, then the system will believe that it is a CSRF attack and it will deny the request.

It is not a script issue, it is a server issue that is exposing wrong session data to PHP. The script can't detect these bad configurations.

You have two ways to deal with this:
A. Make sessions work the way they are supposed to (fix your server)
B. Force another session save path as is described here, at the bottom: https://chevereto.com/docs/server-issues

Hope it helps.
 
The PF.obj.config.auth_token method doesn't work for me: ReferenceError: PF is not defined

However, if I apply the Session Hack in index.php, which you described in another topic, my 2 sites work again. So it's repaired for now.

Now I have to find a good solution for the server fault.

Thanks for now.

Code:
// Session Hack here
ini_set('session.save_path', realpath('app/content/SESSIONS'));
 
I think I found a solution by changing the permissions of the session.save_path directory. There's however a discussion on the Internet, whether this is safe... Anyhow, my sites are accessible again and this topic can be closed.
Thanks!
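
The thread attributes the error to sessions not persisting (the auth token changes on reload), and the fix that worked was a permission change on the session.save_path directory. The PHP script below is an added example, not part of the thread and not Chevereto code: it shows whether a session survives a reload and whether the directory's mode is broader than it needs to be. The file name `session-check.php` and the function `check_save_path` are hypothetical.

```php
<?php
// session-check.php (hypothetical name): added diagnostic, not Chevereto code.
// Load it twice in one browser; "hits" must increase on the second load.

// Optional: same override as the "Session Hack" quoted in the thread.
// Leave commented out to test the server's own session.save_path.
// ini_set('session.save_path', realpath(__DIR__ . '/app/content/SESSIONS'));

function check_save_path($raw)
{
    // save_path may be "N;MODE;/path"; the directory is the last field.
    $path = (string) substr(strrchr(';' . $raw, ';'), 1);
    if ($path === '') {
        $path = sys_get_temp_dir(); // PHP falls back to the temp dir
    }
    if (!is_dir($path)) {
        return array($path, null, array('not an existing directory'));
    }
    $problems = array();
    if (!is_writable($path)) {
        $problems[] = 'PHP process cannot create session files here';
    }
    $mode = fileperms($path) & 07777;
    // Without the sticky bit, any local user may delete or replace the files.
    if (($mode & 0002) && !($mode & 01000)) {
        $problems[] = 'world-writable without sticky bit';
    }
    // Session file names contain the session ID.
    if ($mode & 0004) {
        $problems[] = 'world-readable: other local users can list session IDs';
    }
    return array($path, sprintf('%04o', $mode), $problems);
}

list($path, $mode, $problems) = check_save_path(session_save_path());
header('Content-Type: text/plain');
session_start();
// If this stays at 1 across reloads, session data is not being persisted.
$_SESSION['hits'] = isset($_SESSION['hits']) ? $_SESSION['hits'] + 1 : 1;

echo "save_path: $path\n";
echo 'mode     : ' . ($mode === null ? 'n/a' : $mode) . "\n";
echo "hits     : {$_SESSION['hits']}\n";
echo $problems ? "problems :\n  - " . implode("\n  - ", $problems) . "\n"
               : "problems : none found\n";
```

Remove the file once the check is done, since it reveals the session directory and its mode to anyone who requests it.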
 