idno / known

A social publishing platform.
https://withknown.com/opensource

Can not log in via http (https works) #2467

Open nekr0z opened 5 years ago

nekr0z commented 5 years ago

While trying to do this:

Log in into my known instance via http.

I encountered this error:

Something went wrong.
Invalid token.

Click here to try again or click here to go back to the homepage.

Some other notes:

If I try the same with https (same password, same everything), it works.

Give us some context:

mapkyca commented 5 years ago

What's your default URL? The token is generated across site secret, time and session id, and I believe switching between http and https will cause the session id to be regenerated owing to the secure flag on the session token.

So, if your domain is configured as https but you're trying to log in from http (but the form target is the https endpoint) you're likely not going to get anywhere.

nekr0z commented 5 years ago

What's your default url?

I'm really not sure these days. Looks like https is my default (well, at least it works, doesn't it?), but I see the browser always complaining that pictures get served via http despite the page being https, so maybe it's http by default after all. How do I really check?

I don't really mind logging in using https only (it's supposed to be more secure that way after all), but today I bumped into a site that was trying to get me to IndieAuth via http, and I couldn't log in, hence the issue here.

I really hope that one of these days Known allows me to make it https for everything, including redirecting http request to https like the big boys do all over the web, but I got to understand @benwerd had some valid points against it, and fixing all legacy posts would require a major database overhaul, so I'm not counting on it that much either. But seeing as how for now Known allows both http and https and doesn't seem to mind either way, I thought it would be reasonable to expect login being possible both ways.