Security Token conflict

I have several instances of PHPList running on various servers.
They are all installed in the same path (/public_html/phplist/).
When I use one dashboard and leave it open (let’s call it Dash A), then log in to another instance (Dash B) and do some work, all is fine… until I return to Dash A and I get an “Incorrect Security Token” error and have to log in again.

Some days, I need to work within 3 or 4 instances and bounce back and forth… Logging in and out over and over again becomes very annoying pretty quick.

Is there any way to make the security tokens uniquely belong only to the domain it’s issued to?
And logging out shouldn’t clear every PHPList security token. Only the instance you’re logging out of.
As it stands, I could easily see this becoming exploitable.

I’ve also noticed this when working with SugarCRM CE and PHPList, they keep logging each other out, so I need to use 2 different browsers (or normal & incognito mode).
Add to that, I only have one instance of PHPList but need to log on as SuperAdmin every now and then, which completely messes up any other logins to PHPList using the same browser session, as it keeps logging my normal admin out thereafter. Again, I’ve learnt to deal with this by using different browsers / incognito mode, but this doesn’t scale well, as in your case, and probably is exploitable if one is so inclined.


@NYChris Chris, are you getting the error message ‘Invalid security token, please reload the page and try again’?
That particular message relates to an admin token that is used only on a few pages and has a time-out of one hour. Does that sound like a likely explanation?

But all the token processing should be specific to each server. If you had more than one phplist installation on the same server then there can be problems unless you create a unique session name.

It’s not a timing-out thing. It could be less than a minute. I’ll go back to Dash A, click any link, and get the login page.

Most servers host several websites.
Some companies will go so far as to put over 1,000 on one server.
I have clients with servers that host several of their own websites. A good example is one parent company that has several restaurants. Each restaurant website has its own installation of PHPList.
Another is a parent company that has several music venues.
On Thursdays they all want to send their happy hour and concert events… so in this case I’ll be bouncing between many instances on 2 servers in order to orchestrate the whole shebang.

If you are having interactions between several phplist’s on the same domain then you could try setting a unique session name for each phplist installation. Adding this to your config file will do that

// Give this installation its own session cookie name, derived from the absolute path of config.php
// (must run before session_start(), which phplist calls after loading the config)
session_name('SESSION' . substr(md5(__FILE__), 0, 8));

@digit this may well solve your problem with Sugar CRM.
Browsers, Firefox at least, share cookies across all tabs and windows, so logging in as a second phplist admin in a new tab is going to affect the existing tabs. If you need to do that then you can open a private window.
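The same idea carried one step further, as an added example that is not phplist’s or SugarCRM’s own code: besides a per-installation session name, the cookie is scoped to the installation’s URL path and marked HttpOnly/Secure, so a phplist cookie is never sent to another application on the same host (the SugarCRM case above). It assumes PHP 7.3 or later for the array form of session_set_cookie_params(), and that it runs from config.php before session_start(); the path '/phplist/' is a placeholder.

```php
<?php
// Added example (not phplist code). Derive a session name unique to this installation and
// restrict the cookie to the installation's own URL path.

function installation_session_name(string $configFile): string
{
    // Two installations at the same relative path still have different absolute config
    // paths under different document roots, so the derived names differ per install.
    return 'SESSION' . substr(hash('sha256', $configFile), 0, 8);
}

function configure_session_cookie(string $installPath, bool $https): void
{
    // Path-scoped: the browser only sends this cookie to URLs under $installPath,
    // so another app on the same host (e.g. a CRM under /crm/) never sees it.
    session_set_cookie_params([
        'path'     => $installPath,
        'secure'   => $https,   // only over TLS when the site is served over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Quick check that two installs at the same relative path get different names
// (constructed sample paths, not real servers):
$a = installation_session_name('/home/dom1/public_html/phplist/config.php');
$b = installation_session_name('/home/dom2/public_html/phplist/config.php');
if ($a === $b) {
    throw new RuntimeException('session names collide');
}

// Placement in config.php, before the application calls session_start():
session_name(installation_session_name(__FILE__));
configure_session_cookie('/phplist/', !empty($_SERVER['HTTPS']));
```

A cookie scoped to /phplist/ is still not isolated from a second phplist install on the same host at the same path; for that the differing session name above is what keeps the two apart.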

Just one instance per domain. Multiple domains per server.

host.server1.com

  1. dom1.com - public_html/phplist/
  2. dom2.com - public_html/phplist/
  3. dom3.com
  4. dom4.com - public_html/phplist/

host.server2.com

  1. dom5.com
  2. dom6.com - public_html/phplist/
  3. dom7.com - public_html/phplist/
  4. dom8.com - public_html/phplist/

My problem might be because I’ve used the same login/pass as well as all being in the same directories across the board.
I’m thinking that I’ll just have to deal with the problem by using multiple browsers.