https SSL issue invalid csrf token

santoshkumarr

I'm using AWS EC2 instance with Apache2, my config.json looks like below
{
"url": "https://app.mysite.com:4567",
"secret": "b75e7387-3d2a-487b-8b14-2c2c0c01c6fe",
"database": "mongo",
"mongo": {
"host": "127.0.0.1",
"port": "27017",
"username": "careerwaze",
"password": "careerwaze",
"database": "forums"
}
}
When i'm running with this configuration using "https://", getting "Login Unsuccessful We were unable to log you in, likely due to an expired session. Please try again" ie. invalid-csrf-token error. Here no of sessions are creating for one login.

26/7 09:31 [26144] - error: /login
invalid csrf token

When accessing with the below config.json i.e with "http://"
{
"url": "http://app.mysite.com:4567",
"secret": "b75e7387-3d2a-487b-8b14-2c2c0c01c6fe",
"database": "mongo",
"mongo": {
"host": "127.0.0.1",
"port": "27017",
"username": "careerwaze",
"password": "careerwaze",
"database": "forums"
}
}
Its logging correctly only one session object is creating. When logout the application it logging out successfully.
But when i'm using session sharing plugin to login from other application using "JWT" its logging in correctly, but when trying to logout its not working. Here session is deleting but immediately when i'm clicking refresh it again showing the same user.

I have tried all the possible combination while setting the cookie domain in session sharing plugin.
.mysite.com
*.mysite.com
mysite.com
app.mysite.com

Any help @julian @baris

teh_g

@santoshkumarr You need to change the URL to https://app.mysite.com if that is the URL you are using in the browser.

santoshkumarr

@teh_g As explained above we tried that one too, by adding https in config.json.
In this case unable to login getting Login Unsuccessful We were unable to log you in, likely due to an expired session. Please try again" ie. invalid-csrf-token error.

Same time no of sessions are creating in sessions model

https://app.mysite.com:4567

Adam Poniatowski

try removing the port (:4567)

santoshkumarr

@adam-poniatowski this is not working, if i remove 4567 then it will access my parent web application, from where i'm accessing forum applicaiton

julian

Ensure that if you're using https in config.json, that all http urls are redirecting to their https equivalents.

santoshkumarr

@julian how can we check whether it is passing to https equivalents or not. Any where i need to configure that?

julian

You configure this in nginx

santoshkumarr

@julian we are using apache2 to host nodebb

julian

You can configure it in apache as well