Fresh install worked once, now everyone gets invalid csrf token

  • My setup is on two VMs:

    1. nginx with ssl enabled listening on my domain and port 44301 and proxying to second VM
    2. clean install of nodebb

    Initial setup was fine, got to the admin console, disabled user registration and setup email server. After logout, no one can log in. Not the invited users, not even the administrator. Everyone gets an error message:

    Login Unsuccessful
    We were unable to log you in, likely due to an expired session. Please try again

    We have tried from different machines, with private/incognito, nothing helps.

    The nginx config is from the install instructions:

    # Upstream
    upstream nodebb_backend {
    # HTTPS Server
    server {
        listen 44301 ssl;
        server_name my.domain;
        ssl_certificate ....; # managed by Certbot
        ssl_certificate_key .....; # managed by Certbot
        client_max_body_size 200M;
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forward-Proto $scheme;
            proxy_set_header Host $http_host;
            proxy_set_header X-Nginx-Proxy true;
            proxy_pass http://nodebb_backend/;
            proxy_redirect off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";

    And here is the nodebb config:

        "url": "https://my.domain:44301/",
        "secret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "database": "mongo",
        "port": "4567",
        "bind_address": "",
        "mongo": {
            "host": "",
            "port": 27017,
            "database": "nodebb",
            "uri": "mongodb://nodebb:[email protected]:27017/nodebb"

    Even tried running it on standard port 443, nothing, still the same error.
    Btw, there is a bug in the command ./nodebb setup, if ran again, it will quietly overwrite the "port" and replace it with port from the URL which will start it on different port next time and you will be wondering why the heck you are getting 502 error from your proxy.

  • Have you tried removing the trailing slash after http://nodebb_backend in the nginx config file and at the end of the "url" value in config.json?

  • Yup, no difference whether the slash is there or not.

  • Can you try either removing the uri property, or removing all of the other properties under database?

  • GNU/Linux Admin

    Did you test your nginx config and reload it after changing? Sorry if this seems to be a silly question but we do have to ask.

  • Yes, tried all that. Noticed one thing though. The only cookie that is being set is named "io" and is set to expire at 1969-12-31T23:59:59.000Z.
    My suspicion is that nodebb is not setting its cookies.

  • Problem solved

    Thank you everyone who responded.
    I have tried everything I could think of, and when nothing worked, I decided to go over the setup, line by line, word by word and that's when I found it!
    It was a typo in configuration of my nginx, i.e., my own mistake.
    The following entries were wrong:

      proxy_set_header X-Forward-For ...
      proxy_set_header X-Forward-Proto ...

    They should be X-Forwarded-For and X-Forwarded-Proto, notice they were missing ed in the word forward !

Suggested Topics

| | | |