Unauthorized action or expired link ERROR

[Frale288]

Hello! I ran into a problem when I wanted to use the "Random Redirect Manager" plugin.

I can't create a link: after clicking the "Save all settings" button, the error "Unauthorized action or expired link" pops up.

Please help me! I have not found a similar problem in any forum.

YOURLS - 1.10.1
MySQL - 8.0.25
PHP - PHP FastCGI (Apache) 8.4.6 (alt)

I tried to install the plugin on an absolutely clean YOURLS without any changes except for the basic settings (database, Website address) - the error did not disappear

Also, when the "save all settings" button is pressed, the error "403 (Forbidden)" appears in the browser console. I tried changing the browser, but it didn't help

[Frale288]

[dgw]

There is at least one other report of the same error with this plugin in its own issue tracker.

That said, I couldn't reproduce it on my 1.10.1 install using PHP 8.2 with Apache. Shared hosting, so I'm unsure of the exact setup, but the process runs as php82.cgi. And since it's shared hosting, switching to PHP 8.4 took just a few minutes… but I still couldn't reproduce.

Also because this is shared hosting, I can't get more specific with the MySQL version than "8" (it's all they tell us in the knowledge base). Since nonces shouldn't involve the database anyway, I don't think the specific DB server version matters.

---

The best next step I can suggest is therefore checking what your browser actually receives and sends using network monitoring. These screenshots are from Chrome's DevTools, but Edge and Firefox (etc.) should be similar enough.

When loading plugins.php?page=random_redirect_settings, you want to check the Response for something like this (I used Ctrl+F to search the HTML response for nonce"):

Assuming that nonce value is present, when you try to save, verify it's also sent correctly by inspecting the POST request Payload after clicking "Save All Settings":

Anything weird in that flow could give a hint where to look next.

[dgw]

Basic shared hosting, DreamHost in my case.

[Frale288]

Basic shared hosting, DreamHost in my case.

I just tried installing yourls on another hosting, but I still get the same error.

If it's not difficult for you, can you please tell me which settings and in which files you are changing?

I think I'm definitely doing something wrong, despite reading the documentation a lot of times. All I'm changing is:

1. db name, user and password
2. YOURLS_SITE
3. YOURLS_COOKIEKEY

[dgw]

That's most of it. The config is pretty short (obvious parts redacted):

Just your average config.php

<?php
/* This is a sample config file.
 * Edit this file with your own settings and save it as "config.php"
 *
 * IMPORTANT: edit and save this file as plain ASCII text, using a text editor, for instance TextEdit on Mac OS or
 * Notepad on Windows. Make sure there is no character before the opening <?php at the beginning of this file.
 */

/*
 ** MySQL settings - You can get this info from your web host
 */

/** MySQL database username */
define( 'YOURLS_DB_USER', 'our_db_user' );

/** MySQL database password */
define( 'YOURLS_DB_PASS', 'ourDBPassw0rd' );

/** The name of the database for YOURLS
 ** Use lower case letters [a-z], digits [0-9] and underscores [_] only */
define( 'YOURLS_DB_NAME', 'the_db_name' );

/** MySQL hostname.
 ** If using a non standard port, specify it like 'hostname:port', e.g. 'localhost:9999' or '127.0.0.1:666' */
define( 'YOURLS_DB_HOST', 'our.db.server.host' );

/** MySQL tables prefix
 ** YOURLS will create tables using this prefix (eg `yourls_url`, `yourls_options`, ...)
 ** Use lower case letters [a-z], digits [0-9] and underscores [_] only */
define( 'YOURLS_DB_PREFIX', 'yourls_' );

/*
 ** Site options
 */

/** YOURLS installation URL
 ** All lowercase, no trailing slash at the end.
 ** If you define it to "http://sho.rt", don't use "http://www.sho.rt" in your browser (and vice-versa)
 ** To use an IDN domain (eg http://héhé.com), write its ascii form here (eg http://xn--hh-bjab.com) */
define( 'YOURLS_SITE', 'https://<site_domain>' );

/** YOURLS language
 ** Change this setting to use a translation file for your language, instead of the default English.
 ** That translation file (a .mo file) must be installed in the user/language directory.
 ** See http://yourls.org/translations for more information */
define( 'YOURLS_LANG', '' );

/** Allow multiple short URLs for a same long URL
 ** Set to true to have only one pair of shortURL/longURL (default YOURLS behavior)
 ** Set to false to allow multiple short URLs pointing to the same long URL (bit.ly behavior) */
define( 'YOURLS_UNIQUE_URLS', true );

/** Private means the Admin area will be protected with login/pass as defined below.
 ** Set to false for public usage (eg on a restricted intranet or for test setups)
 ** Read http://yourls.org/privatepublic for more details if you're unsure */
define( 'YOURLS_PRIVATE', true );

/** Stats pages can be public even if the install is private **/
define( 'YOURLS_PRIVATE_INFOS', true );

/** A random secret hash used to encrypt cookies. You don't have to remember it, make it long and complicated
 ** Hint: copy from http://yourls.org/cookie */
define( 'YOURLS_COOKIEKEY', '[nope]' );

/** Username(s) and password(s) allowed to access the site. Passwords either in plain text or as encrypted hashes
 ** YOURLS will auto encrypt plain text passwords in this file
 ** Read http://yourls.org/userpassword for more information */
$yourls_user_passwords = [
        'some' => 'phpass:!2y!10!xxxx' /* Password encrypted by YOURLS */ ,
        'users' => 'phpass:!2y!10!xxxx' /* Password encrypted by YOURLS */ ,
        // You can have one or more 'login'=>'password' lines
];

/** URL shortening method: either 36 or 62
 ** 36: generates all lowercase keywords (ie: 13jkm)
 ** 62: generates mixed case keywords (ie: 13jKm or 13JKm)
 ** For more information, see https://yourls.org/urlconvert */
define( 'YOURLS_URL_CONVERT', 62 );

/** Debug mode to output some internal information
 ** Default is false for live site. Enable when coding or before submitting a new issue */
define( 'YOURLS_DEBUG', false );

/**
* Reserved keywords (so that generated URLs won't match them)
* Define here negative, unwanted or potentially misleading keywords.
*/
$yourls_reserved_URL = [
        // removed in case GitHub would flag it; not relevant to this problem anyway
];

/*
 ** Personal settings would go after here.
 */
// this is actually EOF

Very basic, nothing weird at all.

[Frale288]

That's most of it. The config is pretty short (obvious parts redacted):

Just your average config.php
Very basic, nothing weird at all.

hello! can you send yourls files in an archive format? I tried 3 different hosting services, reinstalled many times, no result

I think this is the last option I have left.

[dgw]

I honestly don't know what that would accomplish; my install is exactly the .zip from https://github.com/YOURLS/YOURLS/releases/tag/1.10.1 uploaded to the server with my user/config.php as previously shared and a couple of custom plugins. 🤷‍♂️

[Frale288]

@lammersbjorn help me please(