Invalid token: direct access to this link may lead …. (PS 1.7)

When navigating in the backoffice, the error Invalid token: direct access to this link may lead to a potential security breach pops up.

This problem has been widely discussed and there are several possible solutions:

  • change the php version (possibly to php 7.1 or higher)
  • upgrade all php packages
  • remove unused php packages
  • disable the session IP checking in prestashop backoffice

Recently a client encountered the invalid token problem on PrestaShop 1.7.5, and only on the products page. Unfortunately, none of the approaches mentioned above worked; even a complete upgrade of the php libraries had no effect. The error looked like a nightmare to debug, but luckily I noticed that the problem disappears after turning https off. So the cause is clear, at least in this case:

Cause: This server used nginx as a reverse proxy in front of apache. With the standard setting, the $_SERVER['HTTPS'] variable never reaches php. PrestaShop 1.7 (compared to previous versions) improved its https detection by also checking $_SERVER['HTTP_X_FORWARDED_PROTO'] in Tools::usingSecureMode(), but this is apparently not sufficient.

Solution: Pass $_SERVER['HTTPS'] into php. It can be done by modifying the nginx configuration, but I opted for a less direct approach: prepending a file to every request via php.ini (the auto_prepend_file directive). The content of the file is

    <?php
    // Prepended to every request (php.ini: auto_prepend_file): rebuild the
    // variables that the nginx -> apache hop does not pass through to php.
    if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
        // nginx terminated TLS, so tell php (and PrestaShop) the request is secure
        $_SERVER['HTTPS'] = 'on';
        $_SERVER['SERVER_PORT'] = 443;
    }
    if (isset($_SERVER['HTTP_X_REAL_IP'])) {
        // restore the real client address instead of the proxy's address
        $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_REAL_IP'];
    }

The added bonus of this approach is that it also fixes the remote address issue (the "Add my IP" button in the Maintenance section), because PrestaShop now sees the client's address instead of the proxy's.
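The prepend file above trusts the X-Forwarded-Proto and X-Real-IP headers unconditionally, which is only safe when nothing but the proxy can reach apache. The variant below is an added example (not the post's own file) that applies the same fix but honours the forwarded headers only when the request arrived from a known proxy address; the loopback addresses in $trustedProxies, the function name prestashop_proxy_fixup and the IP validation step are assumptions of this example, not something the post or PrestaShop provides.

```php
<?php
// Added example, not the original post's prepend file: same fix, but the
// forwarded headers are honoured only when the request really came from the
// reverse proxy. A request that reaches apache directly could otherwise carry
// its own X-Forwarded-Proto / X-Real-IP and spoof the scheme or the source
// address that the Maintenance IP allow-list relies on.

// Assumption: nginx runs on the same host and connects to apache over
// loopback. Adjust to the proxy's actual address(es).
$trustedProxies = ['127.0.0.1', '::1'];

function prestashop_proxy_fixup(array $server, array $trustedProxies): array
{
    $fromProxy = isset($server['REMOTE_ADDR'])
        && in_array($server['REMOTE_ADDR'], $trustedProxies, true);

    if (!$fromProxy) {
        // Direct request (or an unknown peer): ignore any forwarded headers.
        return $server;
    }

    // Scheme: nginx sends "X-Forwarded-Proto: https" for TLS connections
    // (proxy_set_header X-Forwarded-Proto $scheme;). If several proxies
    // appended values, the first one describes the client-facing hop.
    if (isset($server['HTTP_X_FORWARDED_PROTO'])) {
        $proto = strtolower(trim(explode(',', $server['HTTP_X_FORWARDED_PROTO'])[0]));
        if ($proto === 'https') {
            $server['HTTPS'] = 'on';
            $server['SERVER_PORT'] = 443;
        }
    }

    // Client address: nginx sends X-Real-IP (proxy_set_header X-Real-IP $remote_addr;).
    // Accept it only if it is a syntactically valid IP; otherwise keep the
    // proxy's address rather than storing an arbitrary string.
    if (isset($server['HTTP_X_REAL_IP'])) {
        $ip = trim($server['HTTP_X_REAL_IP']);
        if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
            $server['REMOTE_ADDR'] = $ip;
        }
    }

    return $server;
}

// Rewrite the request environment in place, exactly as the simpler file does.
$_SERVER = prestashop_proxy_fixup($_SERVER, $trustedProxies);
```

Install it the same way as the original file (auto_prepend_file in php.ini, then reload apache). When apache is also reachable from other hosts, or nginx runs on a separate machine, put that machine's address in $trustedProxies and make sure nginx itself sets the two headers rather than forwarding whatever the client sent.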

Summary

  • switch off the https protocol: set Use SSL to No in the backoffice (Configuration / Main); if that is not possible, set PS_SSL_ENABLED to 0 in the ps_configuration database table
  • check whether the invalid token problem disappears
  • switch https back on
  • alternatively to the steps above, inspect the output of the phpinfo() function: open a page that calls phpinfo() over https and look for $_SERVER['HTTPS']. If it is not present, this is your problem.
  • if https really is the culprit, edit the php.ini file, use the auto_prepend_file directive to prepend the file containing the code above and reload apache; on a shared hosting, ask your provider
