Bug #23746 See Comments

Disallowed Key Characters / exp_last_visit

Version: 4.3.5 Reporter: lydie_t

I wanted to move an EE 4.3.5 website from a development server to a production server.

When I tried to access pages or Control Panel on the production server, the browser displayed a “Disallowed Key Characters” error.

To have more info about the error, at line 997 of system/ee/legacy/core/input.php, I have added the $str variable into the $error variable. The message was then : “Disallowed Key Characters exp_last_visit”. It appears that the error comes frome the “exp_last_visit” value, which is a cookie.

I posted on EE StackExchange : a member suggested to add the cookie_domain and cookie_prefix overrides in my config.php file. But, there is still no result. You can read the discussion here : https://expressionengine.stackexchange.com/questions/40750/disallowed-key-characters-error-when-moving-ee-website-to-another-server

I have migrated several EE2 websites until then and never got this big issue. I suppose something should be done in order to avoid such a blocking error.

  • Hi lydie_t, can you remove the modification you made to the file, and set $debug to 1 in your admin.php and index.php files? It should include the errant key along with the error message, and might reveal what’s going on. The cookie value is immaterial, this routine checks the cookie keys, their names. And exp_last_visit is definitely valid, so I’m wondering if you have some invisible characters or something there.

    Lastly, if you spin up an incognito browser session, which would contain no stale cookies, do you still get this error?

    Derek Jones
    04th October, 2018 at 12:36pm
  • Reply came in via email (screenshots omitted for privacy):


    Thank you for helping.

    Here are screenshots after setting $debug to 1 in main main index.php and login.php files (I have renamed the main admin.php) :

    • home-page
    • CP login page
    • a view of the line 993 of input.php file

    The Disallowed Key Characters error happens in incognito browser sessions too. To be more precise : after cleaning cookies or in an incognito session, the home page displays once. But at each reload after that, the error appears. The CP login page always displays the DKC error, even at first load.

    Derek Jones
    08th October, 2018 at 8:37pm
  • Your screenshots do indicate null byte characters in the regex pattern, and an error that shouldn’t be possible with the constant REQ being undefined. I think that in the move to the production server, some or many files didn’t make it, made it only partially, or made it with unreadable permissions. I would perform the server move again from scratch, and make sure the deployment has no errors. If that doesn’t help you narrow it down, feel free to put in a support ticket and we can help you troubleshoot the problem directly on your server, but it does look like it’s most likely due to file corruption / permissions issues.

    Derek Jones
    08th October, 2018 at 8:47pm
  • You might be right concerning corrupted files or permission issues.

    I managed to copy and paste the whole website folder from test directory to production directory through plesk panel. In this case, I don’t have the Disallowed Key Character error.

    On the contrary, downloading test files by FTP then reuploading them to production by FTP generates the error.

    lydie_t
    09th October, 2018 at 4:06pm
  • Ok that definitely sounds like the issue then. You might try a different FTP app (I use Transmit when I need to FTP), as well as make sure that your files deployed by FTP have the correct owner/group that is needed by the web server (Apache/PHP for instance) to be able to read and write to those files itself.

    Derek Jones
    09th October, 2018 at 4:09pm

You must be signed in to comment on a bug report.

.(JavaScript must be enabled to view this email address)

ExpressionEngine News!

#eecms, #events, #releases