Invalid CSRF Token, again
-
I'm using the latest NodeBB v1.16 via Cloudron.
An error that must be related to one of the more recent NodeBB updates is that forum users report strange errors where they only get the single word "Error" in some situations when they use the forum.
These situations seem to coincide with log entries in the server log that look like this:
Dec 22 19:42:18 2020-12-22T18:42:18.963Z [4567/289] - error: /api/v3/topics/6185
Dec 22 19:42:18 invalid csrf tokenI have seen that "Invalid csrf token" has been discussed in this forum before, but those discussions were many years ago. Could this strange behavior be related to this recent addition to NodeBB, maybe? Any other idea?
-
@klaus6 said in Invalid CSRF Token, again:
Could this strange behavior be related to this recent addition to NodeBB, maybe? Any other idea?
Probably, yes. That said, it is exceeding difficult to debug because it just doesn't reproduce for the majority of users.
You're the first I've heard reporting this issue, so I'd need to know what's special about your users, how many are affected, etc.
Perhaps it is related to long-lived browser windows... if in a different tab they've logged out and back in, then the CSRF token is indeed expired. That would cause the error you see.
-
@julian I have the same issue
NodeBB v1.17.1
error: /login invalid csrf tokenNothing more in the nodebb dev log. Works in incognito mode but not in normal browser mode.
Had this issue with my live site to but it solved it self somehow. Now I have the same issue on my local dev site that does not work in my browser in normal mode but only in incognito. I have tried to clear the cache but it does not help.
The front responds with
Login Unsuccessful We were unable to log you in, likely due to an expired session. Please try againFunky stuff
-
It started to work now again on my dev.
If someone have the same problem
- Try to clear cache
- Use inspect element and check clear cache option
- login with incognito mode from the browser.
That is all i did, I think
-
This also happens to us as well. We have some users, and it's happened to me as well only a couple of times, where you get error when trying to post. When it has happened to me, my window was up on desktop and then I went to post later on and error. I had to restart forum for it to stop. Other users report that they have been logged on the whole time but in a different tab, then come back to post and error.
For us, this started happening when we upgraded to 1.16.2 about two months ago.
-
@torn2 @Jenkler The only related functionality that I added would be logic that automatically generates a new session on login. It means that every time you log in, your cookie is updated, and any other browser tabs would no longer be valid.
There is logic on the client-side to handle that, so if you do use multiple tabs, you will just see a modal pop up telling you to refresh the page (or hitting "OK" will do that also).
By any chance are either of you using multiple tabs to browse your forum?
-
@julian said in Invalid CSRF Token, again:
@torn2 @Jenkler The only related functionality that I added would be logic that automatically generates a new session on login. It means that every time you log in, your cookie is updated, and any other browser tabs would no longer be valid.
There is logic on the client-side to handle that, so if you do use multiple tabs, you will just see a modal pop up telling you to refresh the page (or hitting "OK" will do that also).
By any chance are either of you using multiple tabs to browse your forum?
Not really, I mainly only use one tab for my forum but will have other tabs open to different sites that I may switch between. I'm going to leave two tabs open for a while and come back to one to see if it reproduces. I honestly do not get it this way very often. The other way is when posting images and have the imgur plugin. And I never actually log out.
