Akeeba Solo

#28106 500 - Application Error - Invalid security token

Posted in ‘Akeeba Solo (standalone)’

Latest post by on Friday, 11 August 2017 17:17 CDT

When I try and create a new user or change a password, I get

500 - Application Error - Invalid security token

As a workaround I created a 2nd user in the database directly but I cannot work out how to set the password. MD5 does not seem to work.

I am not too concerned about resolving the error if I can be shown how to manually create a user.

Akeeba Staff
I cannot reproduce this issue but I know what can cause this. Akeeba Solo requires that session support is correctly set up in your PHP. The security token is saved in the session when you access the edit page. When you submit the new user form it includes a token. That token is compared to the one in the session. If the tokens do not match an error is issued. If the PHP session doesn't work correctly then the tokens will, indeed, not match as a new session will be opened on every page load. This means that a new token will be generated in each page load, hence the issue.

Check your php.ini to determine where the PHP session save path points to. This path must exist and must be writable by the user under which PHP runs. Moreover, the contents of that folder should not be periodically deleted (as is typically the case with /tmp and its subfolders).

Another issue which might also cause this problem is having a caching proxy or CDN in front of your Akeeba Solo installation. In this case you are served an old copy of the edit form. The old copy of the form also includes an old token which is no longer valid. Therefore the token check will fail. Since this depends on your server setup I can't tell you how to check for it.

If all else fails and you want to go the manual route, please note that the password in the table is stored hashed using bcrypt. If you search for "bcrypt online" you will find several pages. I haven't found one which doesn't need to send the password to the server to hash it, therefore I cannot trust them with real world passwords. If you're comfortable with CLI I'd recommend using this instead:

It's worth noting that every time you create a hash of the same password you get a different result. This is by design of bCrypt. It creates a new, truly random salt on every invocation.

Also, if you are wondering about the number of rounds: use 10. The more rounds you use the harder it is for someone to "break" the hash and find a password which collides with it. With modern hardware a value of 5 is enough, whereas a value of 10 should be just about right for the next decade (barring any unforeseen breakthrough in computing).

I hope this information helps!

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
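
The local hashing described in the reply above, as an added example: this is not part of the original ticket and not the command the reply pointed to. It assumes the application accepts the standard `$2y$` bcrypt format produced by PHP's `password_hash()`; the file name `make_hash.php` is a placeholder.

```php
<?php
// Added example (not Akeeba code): create a bcrypt hash locally, never online.
// Usage: php make_hash.php   (the file name is a placeholder)

function read_password(string $prompt): string
{
    fwrite(STDERR, $prompt);
    // Hide typing on a POSIX terminal; elsewhere the input is simply echoed.
    $tty = function_exists('posix_isatty') && posix_isatty(STDIN);
    if ($tty) { shell_exec('stty -echo'); }
    $line = fgets(STDIN);
    if ($tty) { shell_exec('stty echo'); fwrite(STDERR, PHP_EOL); }
    if ($line === false || rtrim($line, "\r\n") === '') {
        throw new RuntimeException('No password entered');
    }
    return rtrim($line, "\r\n");
}

function bcrypt_hash(string $password, int $cost = 10): string
{
    // bcrypt ignores everything past 72 bytes; refuse instead of truncating.
    if (strlen($password) > 72) {
        throw new InvalidArgumentException('Password longer than 72 bytes');
    }
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    if (!is_string($hash)) {
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

$password = read_password('New password: ');
$first  = bcrypt_hash($password);
$second = bcrypt_hash($password);

// Same password, two different hashes (fresh random salt), both verify.
$ok = $first !== $second
    && password_verify($password, $first)
    && password_verify($password, $second)
    && password_get_info($first)['options']['cost'] === 10;

// An MD5 hex digest is not in bcrypt format; PHP reports it as "unknown".
$md5Info = password_get_info(md5($password));

fwrite(STDERR, 'self-check: ' . ($ok ? 'passed' : 'FAILED') . PHP_EOL);
fwrite(STDERR, 'md5 digest recognised as: ' . $md5Info['algoName'] . PHP_EOL);
if (!$ok) { exit(1); }
echo $first, PHP_EOL; // 60-character string to store as the user's password hash
```

Only the hash goes to standard output, so it can be redirected or copied without the diagnostic lines; the password is read from the terminal and never appears in shell history or the process list.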

System Task
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
