Message at error log - Invalid Login Token

by Ariden Lei -
Number of replies: 4

Our Moodle is version 3.8, Apache 2.4.8, PHP 7.2 and MySQL 5.7. We use rotating disc HDD only.

I encountered the same problem, with a large number of "Invalid Login Token" error messages in the error log file, as below:

[Mon Jul 12 23:36:16 2021] [notice] [client M] moodle.yyyy.xxx [client M]  https://moodle.yyyy.xxx  Invalid Login Token:  180020  Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36

I have already raised MaxRequestWorkers in the MPM directive to 800, but unfortunately the "Invalid Login Token" error message persists with fewer than 100 online users.

<IfModule mpm_worker_module>
ServerLimit                     25
StartServers                    3
MinSpareThreads           25
MaxSpareThreads          75
ThreadLimit                     64
ThreadsPerChild             32
MaxRequestWorkers      800
MaxConnectionsPerChild  10000
</IfModule>

The apache2buddy result is listed as below:
[ OK ] Current Apache Process Count is 3, including the parent PID.
Your server's physical RAM:                                             105588 MB
Remaining Memory after other services considered:  92033 MB
MySQL Detected => Using 13490.16 MB of memory
Largest Apache process (by memory):                            525 MB

[root@moodle ~]# ps -ylC httpd --sort:rss

S   UID   PID  PPID  C PRI  NI   RSS    SZ WCHAN  TTY          TIME CMD
S     0 14455     1  0  80   0 20432 137436 poll_s ?       00:00:24 httpd
S     2  1239 14455  0  80   0 277820 826450 pipe_w ?      00:00:53 httpd
S     2   339 14455  0  80   0 305512 832082 pipe_w ?      00:00:53 httpd

It is strange that the Apache process is as large as 525 MB and the Apache process count is so small. This makes the calculated MaxRequestWorkers value very small.

Please advise what causes the error message "Invalid Login Token". How can I minimize the apache process size and increase the Apache Process Count? Thank you very much.

In reply to Ariden Lei

Re: Message at error log - Invalid Login Token

by Alex Rowe -
The "invalid login token" comes from the login page when it doesn't detect the correct token being used as part of the login POST request.

It could be either of two options:
1) users are somehow submitting to your login page without the correct token, or
2) there are issues with your site that means when a user is trying to log in and it times out, the existing session or data to track that token no longer exists.

Given you believe it's due to being over 100 users, I'll expect it to be 2.

Apache2buddy really only works for the prefork MPM of Apache, and if you're using your site with HTTPS you should really be using the Event MPM instead of the worker.

When you're not using the prefork MPM with the Apache PHP module, you will instead need to use PHP FPM and proxy connections to PHP.

The default PHP config is only good for about 100 users so this might be your issue.

I would suggest looking into properly configuring your PHP FPM pool settings with the remaining RAM you have available once taking OS and MySQL into account, but it looks like you have a lot of RAM available still.

I would suggest reading the MPM Worker documentation before making any of these changes to make sure you know what you're doing: https://httpd.apache.org/docs/2.4/mod/worker.html

For example, you are already at the limit of 800 request workers before having to make changes to your ServerLimit values and others. You could also adjust your StartServers value, but there is very little reason to do this as Apache adjusts the servers automatically (see https://httpd.apache.org/docs/2.4/mod/mpm_common.html#startservers).
In reply to Alex Rowe

Re: Message at error log - Invalid Login Token

by Ariden Lei -
We should be using MPM worker mode.
[root@moodle ~]# /usr/local/apache2/bin/httpd -l
Compiled in modules:
core.c
mod_so.c
http_core.c
worker.c

We should have not used the FastCGI.
[root@moodle ~]# ps aux |grep php-fpm
root 30981 0.0 0.0 112660 976 pts/1 S+ 16:07 0:00 grep --color=auto php-fpm

[root@moodle ~]# systemctl status php-fpm
Unit php-fpm.service could not be found.

Although it is known that event MPM is better, we don't know how to change from Worker to Event. We can just keep using Worker mode.

If the issue is that the session times out after the user logs in, how can I set a longer timeout value?

We are using popular theme - Moove for Moodle 3.8. I think it should support login tokens.
In reply to Ariden Lei

Re: Message at error log - Invalid Login Token

by Alex Rowe -
To move to the event mpm, you need to install the right modules, for Ubuntu you can use "apt-get install apache2-mpm-event".

Once installed, you need to make sure the configs for MPM Event are enabled with "a2enmod mpm_event", I'm not 100% sure if you need to manually a2dismod the worker mpm though.

Worker and Event MPMs work the same except Event has a separate queue/process for handling SSL rather than taking up a connection like it does in Worker (may not be remembering that 100% though).

You would then need to install FPM by using "apt-get install php7.[version]-fpm" and configure Apache proxy_fcgi and enable the Apache config php7.[version]-fpm.conf

There are a lot of guides online on how to set up Apache and PHP-FPM as you'll also need to configure your PHP FPM values to make use of your infrastructure. The defaults are only good for about 100 or so users.

What are you using as your session store? Is it DB, files, Redis, etc.?

Also, is the login token error happening for everyone, or is it only happening for users at a specific time?
Average of ratings: Useful (1)
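
The two causes described in this thread leave different traces in the error log, and the question of whether the message appears for everyone or only at specific times can be answered from the log itself. The following is an added example, not code from any poster or from Moodle: it parses lines in the format quoted in the first post, counts distinct clients per five-minute window, and lists clients that fail repeatedly. The sample lines, the names `parse` and `summarize`, and the thresholds are constructed for illustration, and the field after the message is treated as an opaque identifier.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the format quoted in the first post. Addresses are
# RFC 5737 documentation ranges; identifiers and user agents are made up.
_FMT = ("[{t} 2021] [notice] [client {c}] moodle.example [client {c}]  "
        "https://moodle.example  Invalid Login Token:  {i}  {a}")
_ROWS = [
    ("Mon Jul 12 23:36:16", "192.0.2.10", "180020", "Mozilla/5.0 (Windows NT 10.0)"),
    ("Mon Jul 12 23:36:41", "192.0.2.11", "180031", "Mozilla/5.0 (Macintosh)"),
    ("Mon Jul 12 23:37:02", "192.0.2.12", "180044", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("Mon Jul 12 23:38:55", "192.0.2.13", "180051", "Mozilla/5.0 (Windows NT 10.0)"),
    ("Tue Jul 13 09:02:10", "198.51.100.7", "100001", "curl/7.68.0"),
    ("Tue Jul 13 09:02:11", "198.51.100.7", "100002", "curl/7.68.0"),
    ("Tue Jul 13 09:02:12", "198.51.100.7", "100003", "curl/7.68.0"),
]
SAMPLE_LOG = "\n".join(_FMT.format(t=t, c=c, i=i, a=a) for t, c, i, a in _ROWS)
SAMPLE_LOG += "\n[Tue Jul 13 09:05:00 2021] [notice] caught SIGTERM, shutting down"

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[notice\] \[client (?P<client>[^\]]+)\].*?"
    r"Invalid Login Token:\s+(?P<ident>\S+)\s+(?P<agent>.*)$")

def parse(log_text):
    """Yield (time, client, ident, agent) per 'Invalid Login Token' line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # other notices (e.g. the SIGTERM line) are skipped
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["client"], m["ident"], m["agent"]

def summarize(log_text, window_minutes=5, repeat_threshold=3):
    """Count distinct clients per time window and flag repeating clients."""
    windows, idents, hits = defaultdict(set), defaultdict(set), Counter()
    for ts, client, ident, _agent in parse(log_text):
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0)
        windows[start].add(client)
        idents[client].add(ident)  # ident: opaque field after the message (assumption)
        hits[client] += 1
    busiest = max(windows, key=lambda w: len(windows[w]), default=None)
    return {
        "total": sum(hits.values()),
        "busiest_window": busiest,
        "clients_in_busiest": len(windows[busiest]) if busiest is not None else 0,
        # client -> number of distinct identifiers it failed with
        "repeat_clients": {c: len(idents[c]) for c, n in hits.items()
                           if n >= repeat_threshold},
    }
```

Many distinct clients failing once each inside the same window is the pattern to expect from option 2 (the session or token data was lost), while one client failing repeatedly with different identifiers matches option 1 (submissions without the correct token).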
In reply to Ariden Lei

Re: Message at error log - Invalid Login Token

by Howard Miller -
Most likely that you're using an old theme that doesn't support login tokens.

Try adding

$CFG->theme = 'boost';

...into your config.php and see if the problem goes away.