Excessive "invalid csrf token" on Login and Register

yariplus

It looks like your config.json url is incorrect. You have ssl configured, so it should be https://www.moefi.com

genesisx

@yariplus thanks! I thought that is only referenced locally. I've changed to https and will see if it fix the issue.

genesisx

@yariplus The issue still presents after changing the settings...could you advice where I can put some print statement so that there will be more information to find the exact issue?

23/6 10:11:20 [3644] - ^[[32minfo^[[39m: NodeBB is now listening on: 0.0.0.0:4567
23/6 12:40:34 [3644] - ^[[31merror^[[39m: /login                              invalid csrf token
23/6 12:40:43 [3644] - ^[[31merror^[[39m: /login
 invalid csrf token
23/6 12:40:54 [3644] - ^[[31merror^[[39m: /login
 invalid csrf token
23/6 12:41:01 [3644] - ^[[31merror^[[39m: /login                              invalid csrf token
23/6 12:41:17 [3644] - ^[[31merror^[[39m: /login
 invalid csrf token
23/6 12:41:26 [3644] - ^[[31merror^[[39m: /login
 invalid csrf token
23/6 12:43:14 [3644] - ^[[31merror^[[39m: /login
 invalid csrf token                                                          23/6 17:32:37 [3644] - ^[[31merror^[[39m: /login
 invalid csrf token                                                          23/6 17:33:46 [3644] - ^[[31merror^[[39m: /login
23/6 17:33:46 [3644] - ^[[31merror^[[39m: /login                              invalid csrf token
23/6 17:34:09 [3644] - ^[[31merror^[[39m: /login                              invalid csrf token
23/6 17:34:24 [3644] - ^[[31merror^[[39m: /login
 invalid csrf token
23/6 17:34:34 [3644] - ^[[31merror^[[39m: /login
 invalid csrf token
23/6 17:34:53 [3644] - ^[[31merror^[[39m: /login
 invalid csrf token
24/6 01:33:46 [3644] - ^[[31merror^[[39m: /login
 invalid csrf token
24/6 01:33:55 [3644] - ^[[31merror^[[39m: /login
 invalid csrf token
24/6 01:34:34 [3644] - ^[[31merror^[[39m: /login
 invalid csrf token
24/6 01:34:36 [3644] - ^[[31merror^[[39m: /login
 invalid csrf token
24/6 01:35:32 [3644] - ^[[31merror^[[39m: /login
 invalid csrf token
24/6 05:42:10 [3644] - ^[[31merror^[[39m: /register
 invalid csrf token
24/6 07:55:34 [3644] - ^[[31merror^[[39m: /register
 invalid csrf token
24/6 09:27:22 [3644] - ^[[31merror^[[39m: /register
 invalid csrf token
24/6 09:27:48 [3644] - ^[[31merror^[[39m: /register
 invalid csrf token
24/6 09:35:00 [3644] - ^[[31merror^[[39m: /register
 invalid csrf token 

phit

Just to make sure, in Settings > Cookies is the Session cookie domain field blank or did you set your own value?

genesisx

@phit Hi, thanks for reply, I've actually tried both, right now it is set to www.moefi.com, before it was blank, having errors in both case.

baris

Are your users having this issue or are you just seeing it in the logs? The error happens when someone tries to login/register with javascript disabled since the csrf_token isn't submitted in that case.

genesisx

@baris Hi, users were seeing a "Forbidden" plain text page while log shows "invalid csrf token".

Actually I think this could be the issue, I just reproduced the error with JavaScript turned off in Chrome...the "no script" warning template is not using translation syntax, which is something could be easily fixed.

Thank you so much baris! I've been scratching my head to reproduce the issue, just didn't really come to me that someone would have js turned off in their browser...(and geez there are quite a lot of them)

HARIOM VASHISTH

@genesisx

Nginx default config:

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name domain.com  www.domain.com;
    return 301 https://$server_name$request_uri;
}

NodeBB config.json

{
    "url": "https://domain.com",
    "secret": "your_secret",
        "bindaddress": "localhost",
    "port": "4567",
    "use_port":false,
    "database": "mongo",
    "mongo": {
        "host": "127.0.0.1",
        "port": "27017",
        "username": "nodebb",
        "password": "your_mongo_pwd",
        "database": "nodebb"
    }
}

Note: clone stable branch of NodeBB for deployment.

genesisx

@hariom-vashisth thanks for reply, I will try your settings

genesisx

@genesisx said in Excessive "invalid csrf token" on Login and Register:

@baris Hi, users were seeing a "Forbidden" plain text page while log shows "invalid csrf token".

Actually I think this could be the issue, I just reproduced the error with JavaScript turned off in Chrome...the "no script" warning template is not using translation syntax, which is something could be easily fixed.

Thank you so much baris! I've been scratching my head to reproduce the issue, just didn't really come to me that someone would have js turned off in their browser...(and geez there are quite a lot of them)

@baris not so easy I guess...some users with js turned on still seeing the "Forbidden" page upon registration, I will need to get a hold on someone who can reproduce the error and report on this. It's just so abnormally often that I start to suspect it could be GFW..

Niinetan

@baris @genesisx
It's seemed nginx to be blamed.

nginx config

server {
    server_name balabala.com;
    balabala
    balbalba
}

If url of Nodebb config is set to your server ip

"url": "http://111.111.111.111",

and nginx conf stay the same.

Visit http://111.111.111.111, everything works well.

However, if url of Nodebb config is set to your domian

"url": "http://balabala.com",

and nginx conf stay the same.

Visit http://balabala.com, then "forbidden" comes out when register, "invalid csrf token" in ACP log.