Getting invalidsesskey and home page redirects to login page

Getting invalidsesskey and home page redirects to login page

by Bill Plumstead -
Number of replies: 13

Details of my Moodle installation:

Moodle URL: http://www.pqt.net/learning
Moodle version: 3.6.10
OS: linux
Apache version: 2.4.43
MySQL: 10.2.33-MariaDB
Server PHP: 7.4
Domain PHP: 7.2 (using MultiPHP Manager with PHP-FPM turned on)
Moodle was installed via download from Moodle.org (moodle-3.6.10.zip)

Background: Upgraded Moodle 3.6.3 to 3.6.10 on Aug 3, 2020 after NGINX and PHP-FPM changes on the server. Everything running ok after upgrade. On Aug 10, 2020, a user reported problems with the site. When I entered the URL to my Moodle site, the home page redirected me to the login page. I clicked the "Home" link and the home page displayed briefly, then redirected to the login page again. When I tried logging in, I couldn't login. Upon 1st login attempt, no message, 2nd attempt received error "invalid login", 3rd attempt got logged in but the home page showed a different user logged in which was the user reporting a problem with the site.

Searching forums and trying to fix the problem, I found https://moodle.org/mod/forum/discuss.php?d=385516. I have purged browser cache and purged all caches using the command line:
php admin/cli/purge_caches.php.

The home page will not display and redirects to the login page. I have the following config settings:

alternateloginurl=''
forcelogin=0

I turned debug on and I'm getting the following upon logging in (which takes 3 attempts as described above):

Error code: invalidsesskey
* line 494 of /lib/setuplib.php: moodle_exception thrown
* line 85 of /lib/sessionlib.php: call to print_error()
* line 216 of /lib/externallib.php: call to require_sesskey()
* line 59 of /lib/ajax/service.php: call to external_api::call_external_function()

I captured a recording using Screencast-O-Matic but the file is too large to upload. Is 
there another way to share the recording (11.8 MB)?
Any assistance is greatly appreciated.
Average of ratings: -
In reply to Bill Plumstead

Re: Getting invalidsesskey and home page redirects to login page

by Conn Warwicker -
Picture of Core developers Picture of Plugin developers
Hi,

The part about seeing someone else's profile is concerning. I can replicate that by visiting your site with Javascript disabled and I am able to see your profile, though clicking anything redirects me to the login page, so clearly it's not actually logged in as you.

I've never heard of this issue before. How exactly did you upgrade your Moodle? Did you do anything fancy with versioning, or literally just delete the whole web directory and upload the new one with the 3.6.10 code?

My first suggestion would be to see if there is anything wonky going on with the moodle sessions. These might be stored in a folder or it might be in the database, depending on how you configured it. If it's the folder, then you can go to your sitedata directory (by default on linux /var/www/moodledata, unless you changed it) and delete the 'sessions' folder. While you're at it, might as well delete the 'cache' and 'localcache' folders, just to see if it helps at all.

If that doesn't help, my next suggestion would be to rollback the upgrade, if you can, and see if the problem is still happening on the older 3.6 version. If not, then try the upgrade again and see if maybe something went wrong last time.

Beyond that, a setting you could check to stop it trying to load the page before login, is the 'forceuserstologin' (I think it's called that, or something similar anyway) setting, which will mean users are taken straight to the login page without trying to load the main page first. Though that doesn't actually help with the underlying issue, which sounds like a session problem to me.
Average of ratings: -
In reply to Conn Warwicker

Re: Getting invalidsesskey and home page redirects to login page

by Conn Warwicker -
Picture of Core developers Picture of Plugin developers
If you don't want users to be redirected to login but instead should be able to see the homepage, perhaps something is going wrong with the guest access.
Average of ratings: -
In reply to Conn Warwicker

Re: Getting invalidsesskey and home page redirects to login page

by Bill Plumstead -
Thanks for your reply. I've been a Moodle user for about 15 years and have done many upgrades over the years. I always upgrade by backing up the DB and upload the new Moodle version by unzipping the Moodle zip file. I rename the original folder (for rollback purposes) and unzip the zip file to my "moodle" (i.e. /learning/) location and copy over the config file, themes and plugins (only use 1 additional plugin). So nothing fancy during the install.

I definitely think there's something going on with my sessions and cache. Session data is configured to store in my moodledata folder.

I have the site configure to land on the home page by configuring 'alternateloginurl' to an empty string and 'forcelogin' set to 0.

I did as suggested: deleted cache, localecache and sessions folders from the moodledata folder.

I went to the home page and got redirected again to the login page. I had to login 3 times (carefully typing my correct password). Upon 1st login attempt, no message, 2nd attempt received error "invalid login", 3rd attempt got logged in and landed on the home page with my login profile showing. However, I also got the following:

Error code: invalidsesskey
* line 494 of /lib/setuplib.php: moodle_exception thrown
* line 85 of /lib/sessionlib.php: call to print_error()
* line 216 of /lib/externallib.php: call to require_sesskey()
* line 59 of /lib/ajax/service.php: call to external_api::call_external_function()

I haven't tried rolling back to the previous version as I'd like to do that ONLY as a last resort.
Average of ratings: -
In reply to Bill Plumstead

Re: Getting invalidsesskey and home page redirects to login page

by Ken Task -
Picture of Particularly helpful Moodlers

Just took a quick look at your front page and login ... uhhhh, Conn is right ... I've never been to your site and on the login page I see what looks to be your login credentials already filled in the username box.

Also ... site doesn't appear to have https ... highly recommend getting a cert and running moodle under https ... not just for login.   Not running https could allow session hijacking and other undesirable behaviors.   Uhhhh ... you are running an older version of Moodle no longer supported for fixes nor security fixes.

In  Dashboard
    Site administration
    Server
    System paths

Do you have Path to PHP CLI set correctly for your system?

In  Dashboard
    Site administration
    Security
    Site security settings

Do you have Allow 'Run now' for scheduled tasks checked.

In  Dashboard
    Site administration
    Server
    Scheduled tasks

When was the last time Cleanup old sessions \core\task\session_cleanup_task ran?
With 'run now' above one should see a 'run now' link.   Run it.

'SoS', Ken

Average of ratings: -
In reply to Ken Task

Re: Getting invalidsesskey and home page redirects to login page

by Bill Plumstead -
Interesting. Now that you mention seeing "what looks to be your login credentials already filled in the username box", I remember seeing login credentials of one of my users when I went to login yesterday. That's never happened before. Something strange is happening with sessions.

I do not have an https certificate for the site but will look into it. Any recommendations? Can or does Moodle provide it? I'll do some research. I know I'm on an older version of Moodle and working to upgrade to 3.8 or 3.9. However, I'm using the "More" theme which does not work on 3.7 or later of Moodle. I've been playing around with the "Adaptable" theme but haven't got all the settings nailed down yet. Hope to migrate to the newer version and theme in the next few weeks.

So, for the settings you ask about, they are:
pathtophp is empty
tool_task | enablerunnow is checked
\core\task\session_cleanup_task last ran less than an hour ago (next run set to ASAP)

I tried to specify the path for pathtophp but the setting doesn't save because of invalidsesskey (I'm guessing).
Average of ratings: -
In reply to Bill Plumstead

Re: Getting invalidsesskey and home page redirects to login page

by Ken Task -
Picture of Particularly helpful Moodlers

There will be theme changes upgrading from 3.6 -> latest and greatest ... and 3.6 themes no longer compat with higher versions.   This to say, until you reach destination version I wouldn't begin to rely on plugin themes running now.   Wait until you get to destination version and then look for compat theme.

Certs ... sometimes providers have them for customers ... check with provider.   Do you use a panel? (like cPanel) ... some of those now have icons/links to LetsEncrypt ... free certs.

Otherwise, do your own shopping for a cert.  smile

'SoS', Ken

Average of ratings: -
In reply to Ken Task

Re: Getting invalidsesskey and home page redirects to login page

by Bill Plumstead -
Thanks Ken! I'm playing with Moodle 3.8.3 in development and have the Adaptable theme set. I think I upgraded my 3.6.3 version to 3.8.3 and then installed Adaptable. I'm glad to know I should upgrade to my destination version before installing / changing themes.

I'll check with my provider, LetsEncrypt and others.
Average of ratings: -
In reply to Bill Plumstead

Re: Getting invalidsesskey and home page redirects to login page

by Leon Stringer -
Picture of Core developers Picture of Particularly helpful Moodlers

Is server-side caching treating the home page as static content, caching it and serving the cached page? But the cached copy is one when you've logged in? I'm seeing X-Proxy-Cache: HIT in the HTTP response for the home page which suggests this could be the case.

The server looks like it's hosted with a third party, hopefully you can configure caching for the site. I think I'm right in saying Moodle shouldn't have any additional caching. It's designed to rely on PHP OPcache for performance, any caching on top of that could cause problems such as the one in this case.

+1 to Ken's suggestion of using HTTPS and moving to a Moodle version that's in support.

Average of ratings: Useful (1)
In reply to Leon Stringer

Re: Getting invalidsesskey and home page redirects to login page

by Bill Plumstead -
That was it! I'm using a Virtual Private Server (VPS) from a 3rd party provider and have control over site caching. I found and turned the setting off and BINGO! Problem resolved.

Thanks Leon!
Average of ratings: -
In reply to Bill Plumstead

Re: Getting invalidsesskey and different logged in user in the dashboard

by James Quinones -
Hello, anybody from this forum can help me find solution to our problem? We are also experiencing the same issues above. And Aside from invalidsesskey we are also experiencing different user logged in on the user's dashboard. We noticed that this problem will mostly trigger when users logged in goes higher than 65. To give us a temporary use of the moodle without experiencing the error we are doing a manual run CRON from time to time in the server and purge caches in the Server Admininistration. We tried the suggestions given on this forum but our server is not a VPS.

We are trying to find the one causing the problem and hopfully solutions. I hope someone can give us their suggestions.

Here are my moodle details:
Moodle URL: https://mmfc.qbeeph.com
version: Moodle 3.9.1 (Build: 20200713)
OS: Red Hat Enterprise Linux (Hosted in a Hosting Company)
using MySQL Database - MariaDB
Server PHP: 7.4
Theme: Boost
Installation: Moodle installed using the downloaded zip from moodle site and ugraded and updated using the moodle platform via install plugin.
We have BigBlueButton and Jitsi Plugin installed as additional.

Error Notification:
Error code: invalidsesskey
* line 498 of /lib/setuplib.php: moodle_exception thrown
* line 85 of /lib/sessionlib.php: call to print_error()
* line 233 of /lib/externallib.php: call to require_sesskey()
* line 81 of /lib/ajax/service.php: call to external_api::call_external_function()

Your session has most likely timed out. Please log in again.
File: /lib/setuplib.php
Line: 498
Average of ratings: -
In reply to James Quinones

Re: Getting invalidsesskey and different logged in user in the dashboard

by Leon Stringer -
Picture of Core developers Picture of Particularly helpful Moodlers

"We tried the suggestions given on this forum but our server is not a VPS" – the type of server doesn't matter, it's the site being behind a cache that's important and it looks like yours is too: I see an x-cdn-cache-status field in the HTTP response. If you can configure caching for your site try turning it off, alternatively your hosting provider should be able to provide support for this.

Average of ratings: -
In reply to Leon Stringer

Re: Getting invalidsesskey and different logged in user in the dashboard

by James Quinones -
Thanks for your reply Leon, I will try to work on that.
Average of ratings: -
In reply to Leon Stringer

Re: Getting invalidsesskey and different logged in user in the dashboard

by James Quinones -
Hello Leon,

I had my hosting provider turned off the server caching, it help with the problem but today it occured again. I noticed that the site goes very slow when logged in users reaches around 95. I don't know what could be causing this problem. Are there any more ways that you can suggest for me to check? On our setting for the sessioncookiepath is '/'. Is that ok? our moodledata and moodle folder are in the same root folder but not in the public_html.

Also I have this on the logs alot of times on different users error ID 3 mostly:
User login failed Login failed for user 'gggg.'. User does not exist (error ID '1').
Login failed for user 'xxxxx'. Most likely the password did not match (error ID '3').

I was thinking maybe moodle session cache and localcache are not cleared properly? Though I already set CRON to run in the host server every minute.

I hope there are somebody also that can contribute their solutions. Thanks in advance.
Average of ratings: -