Backend thumbnail generation causing invalid security token - a bit urgent :(

I am using October 3.5.5 and have a problem related to thumbnail generation in the backend.

When using a backend form with mediafinder:

label: ‘Main Image’
mode: image
span: auto
type: mediafinder

The thumb does not load (just shows blank white space). Whatever is causing this is also triggering an Invalid security token which prevents the item from being edited or saved.

My only solution at the moment is to switch the mediafinder to ‘File’ mode so that the thumb is not generated, and then I can save items in the backend.

I hope someone can help soon as this is a critical issue for me.

Some other information that may be relevant:

  • the thumbnail does display on the initial addition of an image. But not after a save and refresh or reload.
  • I have had webp turned on on this server recently, not sure if that’s relevant or not

Normally I wouldnt reply, but since you told it’s urgent I guess you like every hint which might be related to the problem.

BTW: What do you mean with “turned on webp on the server”?

I had my website configured so the uploads go to a different disc. However, this disc was missconfigured, the files were written with the wrong permission and could not be seen anymore. This thread shows the solution. Maybe check it out, just in case…

Thanks so much for replying!

I have tried resetting permissions but that hasn’t helped unfortunately.

When I say “turned on webp” I mean installed the cwebp library for webp image generation. I don’t think its related,

I have another installation of October with much the same configuration and also 3.5.5 and I cannot recreate the issue.

It just seems that October generates a thumb at [URL]/storage/app/resources/resize/190_190_0_0_crop/img_cecb3290eb607d746ab726db6860ac86.jpeg

but for this site, no image is created

The missing image seems to cause an error that resets the security token

I managed to fix this by adding this line into my .htaccess (white listed folders)

RewriteCond %{REQUEST_FILENAME} !/storage/app/resources/.*

No idea why I suddenly needed to add this, but its resolved now

1 Like

I tripped over this once too. I think this is a change in some OCMS version, but I’m not sure which one.
The only mention of the resources storage I found after a quick google search was here: Release Note 32: October CMS 3.1 - Stable Release - October CMS

So this issue probably occurs if you upgrade an OCMS installation withouth creating a new composer project, which means basic files like .htaccess won’t get the updates.
You can compare the files in your installation root with the github repo to see if something is missing: