EA117 wrote: ↑
Tue Jun 18, 2019 5:32 am
A potential workaround would be to change the "Tie forms to guest sessions:"
setting to "No"
in the ACP General, Server Configuration, Security Settings
section. This would make it so that even if the session ID is "wrong" on the submitted phpBB 3.2.7 login form, phpBB would accept the login form anyway instead of declaring "invalid form."
If it works, that's still not "the right answer", and is just a workaround. There is apparently still something about the nginx proxy configuration which is apparently causing an older or wrong session ID to be used. Maybe that's because it's caching the page with the login form and serving an "old" copy to other users who should have had a page based on their own session ID. Or maybe it's because the proxy is somehow interfering with the cookie value that should have successfully persisted the session ID. I know nothing of nginx proxy behavior or configuration to comment further on that.
1、The workaround works;
2、Actually the problem was caused by wrong nginx proxy configuration:
A、In proxy configuration, here a line "proxy_set_header referer " set to wrong url, mismatch to actual pbpBB url;
B、Problem only occurred when this browser first time access phpBB or after clear cache;
C、Change "proxy_set_header referer " to actual phpBB url, then problem solved.
Thanks a lot.