Login session error popup loop

phenomlab

@mattdjuk Thanks. For clarity, the trailing backslash should not be there. Does the site function as desired when using Edge with no issues from the user perspective ? Does anything appear in the logs when the CSRF error is being generated ?

mattdjuk

@phenomlab I tried both, but its currently without the /

Edge works fine. I can use the site without issue. Its just Chrome.

The only thing I can see in the admin logs on /admin is this

022-05-24T15:16:43.080Z [4567/165874] - error: POST /logout
invalid csrf token

in the inspect tools in Chrome I see...

nodebb.min.js?v=eau0luijpea:2 POST https://forum.**********.co.uk/logout 403 (Forbidden)

phenomlab

@mattdjuk Can you contact me via PM and share your site URL ? I want to see if I can reproduce the issue in Chrome.

mattdjuk

@phenomlab Sure, will do. thanks

phenomlab

@mattdjuk Just checked. This is exactly the same issue I encountered in this post

https://sudonix.com/topic/249/invalid-csrf-on-dev-install?_=1653382858005

When you tried this the first time, are you sure you selected the right database ?

mattdjuk

@phenomlab I've just run this again. The first refresh, I actually got the screen without the session warning, but then the next time I refreshed, it was back.

Same error in the logs, and everything working fine in Edge.

phenomlab

@mattdjuk Bizarre. I actually get the same issue in Edge when accessing your site.

mattdjuk

@phenomlab You're right - as soon as I logged out from Edge, it started doing the same thing.

phenomlab

@mattdjuk There's something else going on here. Happy to help, but will likely need direct access to your site, and the VPS hosting it.

mattdjuk

@phenomlab

I've just noticed this in when I run the site as dev...

info: NodeBB is now listening on: 0.0.0.0:4567

In the Nginx config, it has

proxy_pass http://127.0.0.1:4567

Any connection do you think?

phenomlab

@mattdjuk No. Mine is the same.

mattdjuk

@phenomlab

I've now set up a completely fresh install on another VM. I have removed the domain for now and I'm running it on the IP address only and its not having similar issues. Once the dns resolves to the new location, I'll try and get it working with the domain.

mattdjuk

@mattdjuk And now with the domain name, it doesn't work.

Trying to login, I see /login?error=csrf-invalid

phenomlab

@mattdjuk If the domain name does not resolve to the correct IP address, then yes, I'd expect the CSRF issue to be prevalent.

mattdjuk

@phenomlab It seems to have resolved for me but I'll set it aside until tomorrow and see what happens. So far I have managed to get it logged in using an incog browser, but not through Chrome in a regular way.

mattdjuk

@mattdjuk Unfortunately the problem remains - a constant loop of session error warning messages. This is across all browsers - I did originally believe Edge was unaffected.

I've tried clearing cache
I've run though the list of things in this thread
I've rebuild completely on a new VM

None of these things resolve this problem.

Further, I have now removed the SSL and am accessing it on http. I no longer see the session error message on a loop, but I am unable to login, getting...

http://forum.************.co.uk/login?error=csrf-invalid

Does anyone have any suggestions that I haven't tried? This is running on V2.0

cagatay

@mattdjuk the system does not give permission to try and enter for a while by banning your ip adress in wrong attempts. Could your problem be caused by this?

mattdjuk

@cagatay My colleague is having the same issue too, on a different IP

cagatay

@mattdjuk if you are using ssl pls correct confing.js http to https

mattdjuk

@cagatay Done that. config.json is...

{
"url": "https://forum..co.uk",
"secret": "",
"database": "mongo",
"mongo": {
"host": "127.0.0.1",
"port": "27017",
"username": "nodebb",
"password": "********",
"database": "nodebb",
"uri": ""
},
"port": "4567"
}