MAlly Newbie
Joined: 16 March 2017 Location: United States
Online Status: Offline Posts: 11
Posted: 17 May 2017 at 5:46am
I have a dedicated landing page to log in to the webmail (e.g. https://webmail.somedomain.com) which points to the /login folder, but I'm not able to log in from that location - getting an InvalidToken[101] error (https://webmail.somedomain.com or https://www.somedomain.com/login).
AL itself is installed on somedomain.com in the /webmail folder, and it works fine when I move my login code from /login to the root of the web (/var/www).
Any clue what is wrong with that setup and why I can log in from www.somedomain.com but from neither webmail.somedomain.com nor www.somedomain.com/login?
Thanks
Igor AfterLogic Support
Joined: 24 June 2008 Location: United States
Online Status: Offline Posts: 6104
Posted: 17 May 2017 at 6:21am
It happens when CSRF protection is turned on and there is no CSRF token in the AJAX request for some reason. Please turn the protection off and see if it helps. Open the data/settings/config.php file and change the value of the labs.webmail.csrftoken-protection setting to false, or add the line
Code:
'labs.webmail.csrftoken-protection' => false,
if it is absent.
--
Regards,
Igor, AfterLogic Support
MAlly Newbie
Joined: 16 March 2017 Location: United States
Online Status: Offline Posts: 11
Posted: 17 May 2017 at 7:37am
Igor wrote:
Code:
'labs.webmail.csrftoken-protection' => false,
That does the trick.
Anyhow, a few questions:
- Are Token and AuthToken the same? The SystemLogin section in https://afterlogic.com/docs/webmail-pro/integration-and-development/web-api is not clear (example vs. table above).
- Not sure (yet) how a token is generated, but I think it contains a URL referrer from where the login was made vs. where AL is installed. If so, shouldn't this be a case to trigger CSRF when the domain where AL is installed is the same as where the login page is, just a different subdomain? I see the code is passing a token, but in my case they are different when I go straight from /var/www/html as www.somedomain.com compared to the login landing page from /var/www/html/login served as webmail.somedomain.com. When the front-end sends a token, to what other token is it compared by the back-end to get logged in, then?
Thanks for your help!
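
What a server-side CSRF token check generally compares, as an added example that is not part of the original posts and is not AfterLogic's code. It assumes the common synchronizer-token pattern, in which the token is stored with the server-side session and handed out only by the application's own page; whether WebMail works this way is an assumption, and the CsrfGuard class, its methods and its messages are hypothetical.

```php
<?php
// Added example: generic synchronizer-token CSRF check. Not AfterLogic code;
// class name, method names and messages are hypothetical.
final class CsrfGuard
{
    /** @var array<string,string> session id => token (stand-in for session storage) */
    private $sessions = [];

    /** The application's own page was served: create a session and its token. */
    public function issue(): array
    {
        $sid = bin2hex(random_bytes(16));
        $this->sessions[$sid] = bin2hex(random_bytes(32));
        return ['sid' => $sid, 'token' => $this->sessions[$sid]];
    }

    /** Every state-changing AJAX request passes through here. */
    public function check(?string $sid, ?string $token): string
    {
        if ($sid === null || !isset($this->sessions[$sid])) {
            return 'rejected: no session for this cookie';
        }
        // Constant-time comparison of the submitted token with the stored one.
        if ($token === null || !hash_equals($this->sessions[$sid], $token)) {
            return 'rejected: token missing or mismatched';
        }
        return 'accepted';
    }
}

$guard = new CsrfGuard();
$page  = $guard->issue(); // browser loaded the application's own login page

$cases = [
    // Constructed requests: [description, session cookie sent, token sent]
    ['login from the application page',            $page['sid'], $page['token']],
    ['separate landing page, cookie but no token', $page['sid'], null],
    ['separate landing page, no cookie at all',    null,         null],
    ['token copied from another session',          $page['sid'], $guard->issue()['token']],
];

foreach ($cases as [$what, $sid, $token]) {
    printf("%-45s %s\n", $what, $guard->check($sid, $token));
}
```

It runs with the PHP command-line interpreter (7.1 or later); only the first case is accepted.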