Error trying to change password #3224

Closed
kmmartinez opened this issue Aug 21, 2018 · 18 comments
@kmmartinez

kmmartinez commented Aug 21, 2018

Description

I receive this error when trying to change my password.

yii\web\BadRequestHttpException: Request missing required param in /app/vendor/craftcms/cms/src/web/Request.php:758
Stack trace:
#0 /app/vendor/craftcms/cms/src/controllers/UsersController.php(1736): craft\web\Request->getRequiredParam('password')
#1 /app/vendor/craftcms/cms/src/controllers/UsersController.php(1719): craft\controllers\UsersController->_verifyExistingPassword()
#2 /app/vendor/craftcms/cms/src/controllers/UsersController.php(980): craft\controllers\UsersController->_verifyElevatedSession()
#3 [internal function]: craft\controllers\UsersController->actionSaveUser()
#4 /app/vendor/yiisoft/yii2/base/InlineAction.php(57): call_user_func_array(Array, Array)
#5 /app/vendor/yiisoft/yii2/base/Controller.php(157): yii\base\InlineAction->runWithParams(Array)
#6 /app/vendor/craftcms/cms/src/web/Controller.php(103): yii\base\Controller->runAction('save-user', Array)
#7 /app/vendor/yiisoft/yii2/base/Module.php(528): craft\web\Controller->runAction('save-user', Array)
#8 /app/vendor/craftcms/cms/src/web/Application.php(282): yii\base\Module->runAction('users/save-user', Array)
#9 /app/vendor/craftcms/cms/src/web/Application.php(538): craft\web\Application->runAction('users/save-user', Array)
#10 /app/vendor/craftcms/cms/src/web/Application.php(266): craft\web\Application->_processActionRequest(Object(craft\web\Request))
#11 /app/vendor/yiisoft/yii2/base/Application.php(386): craft\web\Application->handleRequest(Object(craft\web\Request))
#12 /app/web/index.php(21): yii\base\Application->run()
#13 {main}

Steps to reproduce

  1. Go to users
  2. Click on Site Admin
  3. Change password, save
  4. Enter in current password, save

Additional info

  • Craft version: Pro 3.0.21
  • PHP version: 7.1.2
  • Database driver & version: MySQL 5.6.10
  • Plugins & versions:
@brandonkelly
Member

I’m not able to reproduce this. Are you getting it consistently? Maybe try clearing your browser’s cache?

@echantigny
Contributor

@brandonkelly I'm getting this exact same error consistently trying to "Copy password reset URL" for a user I just created. Getting the "An error occured" message and "/index.php?p=admin/actions/users/get-password-reset-url 400 (Bad Request)".

I'm sending you an email through support with some logs and composer files.

@kmmartinez
Author

kmmartinez commented Aug 27, 2018 via email

@echantigny
Contributor

After a lot of back and forth with my service provider, we finally found out that the issue came down to the session.auto_start setting in PHP. If it is set to 1, Craft 3 seems to be creating a second session cookie and those 2 get confused.

So that setting needs to be set to 0.

@brandonkelly I think that's something you might want to look into to make sure you are not creating a second session if it already exists? Checking the "Keep me logged in" box mitigated the issue, letting me log in, but I still had issues trying anything that required an elevated session or even adding stuff to the Commerce Cart was not possible.

@angrybrad
Member

we finally found out that the issue came down to the session.auto_start setting in PHP. If it is set to 1, Craft 3 seems to be creating a second session cookie and those 2 get confused.

Does that happen to be the case for you too, @kmmartinez?

@brandonkelly
Member

@echantigny Huh, interesting. I’m wondering where/how exactly the second session could be created, though, as Yii’s session handler does ensure that there is no active session before calling session_start().

https://github.com/yiisoft/yii2/blob/ecb8f33d1e339831e0505772f06d67f726b903f5/framework/web/Session.php#L127-L131

https://github.com/yiisoft/yii2/blob/ecb8f33d1e339831e0505772f06d67f726b903f5/framework/web/Session.php#L220-L223

So in theory, if session.auto_start is enabled, session_status() will return PHP_SESSION_ACTIVE, which will prevent Yii from double-starting it.

And even if session_start() did manage to get called somehow, per its docs,

As of PHP 4.3.3, calling session_start() after the session was previously started will result in an error of level E_NOTICE. Also, the second session start will simply be ignored.

In other words, there’s no real harm in calling it when there’s already an active session; it won’t create a second session.

So I’m a little skeptical that this is the culprit.

Is this on a load-balanced environment? If it is, then it seems more likely that each server is only getting a single session, but perhaps they are not sharing session data (e.g. using a shared Redis server), in which case you’d only be able to maintain a session on one server at a time (as each server will be setting its own session ID cookie values). If this is the case you should be having other session-related issues as well, like getting logged out unexpectedly.

@echantigny
Contributor

echantigny commented Aug 28, 2018

@brandonkelly Well, I'm just speaking with the experience I went through yesterday. The server is not behind any load balancing.

session.auto_start = 1:

  • Unable to login to CP unless Keep me signed in is checked
  • When in the CP, unable to do an elevated action (getting the original post's Request missing required param on the password)
  • In the front-end, adding items to the cart would work, but right after, the cart would be empty
  • Each call had TWO set-cookie: CraftSessionId in the request headers

session.auto_start = 0:

  • After this was changed, everything above went back to normal, and I played around A LOT in it to ensure that it was not just a fluke.

If you can't reproduce any of this, well, I really don't know what to tell you. I'd love to help more on this, but it would need to involve the IT team where the site is hosted as I don't have access to the configs.

EDIT: I sent an email to IT to see if they did anything else on the server. The answer is no. The only thing they changed to get rid of the issue is session.auto_start. Also, they confirmed it is not behind any load balancer.
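
One way to check a capture for the duplicate `set-cookie: CraftSessionId` symptom listed above. This is an added example, not part of the thread or of Craft's code; it assumes header blocks separated by blank lines, and the sample capture and cookie values are constructed.

```python
from collections import defaultdict

# Constructed capture of two header blocks; cookie values are made up.
SAMPLE_CAPTURE = """\
HTTP/1.1 302 Found
Location: /admin/dashboard
Set-Cookie: CraftSessionId=aaaa1111; path=/; HttpOnly
set-cookie: CraftSessionId=bbbb2222; path=/; HttpOnly

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: CraftSessionId=bbbb2222; path=/; HttpOnly
"""


def duplicate_cookies(capture):
    """Return [(status line, {cookie name: [values]})] for every header block
    that sets the same cookie more than once with different values."""
    findings = []
    for block in capture.replace("\r\n", "\n").strip().split("\n\n"):
        lines = block.splitlines()
        values = defaultdict(list)
        for line in lines[1:]:
            field, sep, rest = line.partition(":")
            # Header field names are case-insensitive.
            if not sep or field.strip().lower() != "set-cookie":
                continue
            # The cookie pair is everything before the first attribute.
            name, eq, value = rest.split(";", 1)[0].strip().partition("=")
            if eq and value not in values[name]:
                values[name].append(value)
        dupes = {n: v for n, v in values.items() if len(v) > 1}
        if dupes:
            findings.append((lines[0], dupes))
    return findings


if __name__ == "__main__":
    for status, dupes in duplicate_cookies(SAMPLE_CAPTURE):
        print(status, dupes)
```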

@kmmartinez
Author

kmmartinez commented Aug 28, 2018 via email

@rachelrine

rachelrine commented Sep 25, 2018

I'm having this issue as well; it looks like perhaps it has something to do with the URL from the email?

The ampersand before the id param is not getting encoded/decoded correctly:

/admin/actions/users/set-password?code=UScZdBbUjarXXqifLUsxflro9reKbPH4&id=2e340bb6-7d3c-486f-adcf-26c952463a5e

I'm seeing the error related to a missing required param, "id" which would make sense.

@rachelrine

I'm having the same issue with the activation emails. Please let me know if I can provide any additional details.

@brandonkelly
Member

This might be related to #3288, which was fixed in Craft 3.0.24. @rachelrine are you running at least that version?

If so and this is still an issue, can you check your systemmessages database table and see if there’s any rows in there? If so, go into Settings > Email > Messages, and for any messages that you’ve customized, edit them and change {{link}} to <{{link}}>.

@rachelrine

rachelrine commented Sep 26, 2018

Running 3.0.25.

I checked out #3288, to be clear, what I'm experiencing isn't a line break, the &amp; isn't decoding, and appears to be preventing the id param from being parsed.

No rows in my systemmessages table either.

@angrybrad
Member

@rachelrine if you create a phpinfo.php and put it in your public web folder with these contents:

<?php phpinfo();

Save it, then load yoursite.com/phpinfo.php and search for arg_separator.input and arg_separator.output. What values do they have?

@rachelrine

Both directives are & for both local and master.

@rachelrine

It may have something to do with Sendgrid, which I'm using to send emails via SMTP. If I change my email settings to Gmail, everything works as expected.

@brandonkelly
Member

@rachelrine Ah interesting. Can you please compare the raw emails sent by both Sendgrid and Gmail? For example, you can view that in Gmail by clicking the “Show Original” menu item when viewing an email.

You should see a section like this at the bottom of the message:

--_=_swift_1535388970_f21fac2d7ca08136d5d4f09132ae3554_=_
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html>
<body>
    <div style=3D"max-width: 500px; font-size: 13px; line-height: 18px; fon=
t-family: HelveticaNeue, sans-serif; color: #29323d; background: #fff;">
        <p>Hey Brandon,</p>
<p>Thanks for creating an account with Craft CMS! To activate your account,=
 click the following link:</p>
<p><a href="https://craft3.test/admin/actions/users/set-password?code=eYx-kFlYtf8kpAwiSZTCk4vQGFMqDUGW&amp;id=b66b2bfe-badb-478a-81ff-1fceb638a019">https://craft3.test/admin/actions/users/set-password?code=eYx-kFlYtf8kpAwiSZTCk4vQGFMqDUGW&amp;id=b66b2bfe-badb-478a-81ff-1fceb638a019</a></p>
<p>If you were not expecting this email, just ignore it.</p>

    </div>
</body>
</html>

It sounds like maybe somehow if the email was sent using Sendgrid, the URL of that <a> tag is going to have a double-encoded & (e.g. &amp;amp;id=... instead of &amp;id=...). Is that the case?

@rachelrine

Looks like SendGrid is intercepting the link, presumably to track link clicks. Here's what it looks like in the original:

<a href=3D"https://u2501353.ct.sendgrid.net/wf/click?upn=3DwDYhnwJngdvsS= rwk2x3OtKvOgNTQtn21G4z-2Bh609rfylj-2Fs-2Br3aruC-2F0i4nnAKv3m7eW3RYCaGAe3iVT= IkK-2F7fR3gWFsPJYSl5vHxo47LZxgOfVnVczOiZk1tLjMjM4YEdgbD6qKIihltpZEzEO0QtkMS= H6yXEJGkzzCRB2ouOV7zrMdEaeulZPPDmZI-2FY0xIPIkG9jFedmu6Kxu229gSw2l7Bs-2FwUto= iNT9VFyCB38-3D_z2wbd-2F4FYRQK0ogB7tG2MvXJTWT6YfSqiO-2FmY8QZN6F0G5-2FelNqVU0= CrMHqTqU27IkFckvrvsqML4OswMlZzDF9geOmApHKJvoa9U24-2FIhnrQC-2B-2B53PGmaLrRTA= 1cruIsxuOhCRY9ViPc4ljiJE4g5Je1NBAXxxlkjy1KDDpFTiOTs1NK4xJnmxlzr0cZmigsQOGva= M9NP8-2FvMyKVUuusd2q8rs9KJK0MIF1OS65Vfs-3D">https://staging.grossepointelib= rary.org/admin/actions/users/set-password?code=3Dg1cGCAGrx3Ih0TNIUwqZ9qtDBy= P9BSzm&amp;id=3Db24209be-0bce-4242-b5dd-552138485d74</a>

Gmail sent links look fine, obviously.
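
The comparison of raw messages discussed above can be automated. The following is an added example, not part of the thread or of Craft's code: it decodes a quoted-printable HTML part, lets the HTML parser decode entities once, and reports for each set-password link whether the href was replaced by another host, whether an `&amp;` survived decoding (double encoding), and which required params are missing when the query is split on `&` only. The sample part, hosts and token values are constructed.

```python
import quopri
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed quoted-printable HTML part; hosts, codes and ids are made up.
SAMPLE_QP = b"""\
<p><a href=3D"https://cms.example/admin/actions/users/set-password?code=3DAAA=
111&amp;id=3Du-1">direct</a></p>
<p><a href=3D"https://click.tracker.example/wf/click?upn=3DZZZ">https://cms.e=
xample/admin/actions/users/set-password?code=3DBBB222&amp;id=3Du-2</a></p>
<p><a href=3D"https://cms.example/admin/actions/users/set-password?code=3DCCC=
333&amp;amp;id=3Du-3">double</a></p>
"""

class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs; HTMLParser decodes entities once."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(qp_part, action="users/set-password", required=("code", "id")):
    parser = _Anchors()
    parser.feed(quopri.decodestring(qp_part).decode("utf-8"))
    parser.close()
    report = []
    for href, text in parser.links:
        shown = text if text.startswith(("http://", "https://")) else None
        # URL carrying the token: the href, or the visible URL if the href was replaced.
        target = next((u for u in (href, shown) if u and action in u), None)
        if target is None:
            continue
        query = parse_qs(urlsplit(target).query, separator="&")
        report.append({
            "target": target,
            "rewritten": bool(shown) and urlsplit(shown).netloc != urlsplit(href).netloc,
            "double_encoded": "&amp;" in target,  # entity survived one decode
            "missing": [p for p in required if p not in query],
        })
    return report
```

On the constructed sample, the third link is reported with `missing == ["id"]`, because a double-encoded separator leaves the key as `amp;id`. A rewritten link is only flagged: what the tracking host redirects to is not visible in the message source.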

@brandonkelly
Member

Hm ok, so sounds like a SendGrid bug then.
