invalid CSRF token during registration

crazycells

We got some complaints from new users that right after registration, they get an error and see a blank "forbidden" page with a link like this:

register/complete/?_csrf=XXXXXX

however when one person deleted the part ?_csrf=XXXXXX... and click the link, he was able to log in... After looking at the logs, I can see these mistakes happening frequently...

we are currently using 1.18.6, should we upgrade to 1.19 to eliminate these errors?

2022-01-17T14:48:29.084Z [4567/26963] - [31merror[39m: /forum/register/complete/
invalid csrf token
2022-01-17T16:30:54.666Z [4569/26966] - [31merror[39m: /forum/logout
invalid csrf token
2022-01-17T16:31:59.605Z [4567/26963] - [31merror[39m: /assets/uploads/files/119/1503486526413eyalet-di%C5%9F-okulu-bilgisi.png
Error: Login sessions require session support. Did you forget to use `express-session` middleware?
    at SessionStrategy.authenticate (/home/fsuzer/nodebb/node_modules/passport/lib/strategies/session.js:46:41)
    at attempt (/home/fsuzer/nodebb/node_modules/passport/lib/middleware/authenticate.js:369:16)
    at authenticate (/home/fsuzer/nodebb/node_modules/passport/lib/middleware/authenticate.js:370:7)
    at Layer.handle [as handle_request] (/home/fsuzer/nodebb/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/home/fsuzer/nodebb/node_modules/express/lib/router/index.js:323:13)
    at /home/fsuzer/nodebb/node_modules/express/lib/router/index.js:284:7
    at Function.process_params (/home/fsuzer/nodebb/node_modules/express/lib/router/index.js:341:12)
    at next (/home/fsuzer/nodebb/node_modules/express/lib/router/index.js:275:10)
    at initialize (/home/fsuzer/nodebb/node_modules/passport/lib/middleware/initialize.js:89:5)
    at Layer.handle [as handle_request] (/home/fsuzer/nodebb/node_modules/express/lib/router/layer.js:95:5)
2022-01-17T16:36:01.474Z [4567/26963] - [31merror[39m: /forum/api/v3/users/14305/follow
invalid csrf token
2022-01-17T16:48:11.040Z [4568/26964] - [31merror[39m: notifications.getCount
Error: revalidate-failure
    at validateSession (/home/fsuzer/nodebb/src/socket.io/index.js:208:9)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at onMessage (/home/fsuzer/nodebb/src/socket.io/index.js:153:3)
2022-01-17T16:53:59.303Z [4568/26964] - [31merror[39m: /forum/register/complete/
invalid csrf token
2022-01-17T17:00:00.011Z [4568/26964] - [32minfo[39m: [user/jobs] Did not send digests (day) because subscription system is disabled.
2022-01-17T17:00:00.024Z [4567/26963] - [32minfo[39m: [user/jobs] Did not send digests (day) because subscription system is disabled.
2022-01-17T17:00:43.621Z [4568/26964] - [33mwarn[39m: [deprecated]
     at SocketTopics.getTopic (/home/fsuzer/nodebb/src/socket.io/topics.js:99:10)
    at wrapperCallback (/home/fsuzer/nodebb/src/promisify.js:46:11)
    at onMessage (/home/fsuzer/nodebb/src/socket.io/index.js:160:25)
     use GET /api/v3/topics/:tid
2022-01-17T17:00:45.320Z [4568/26964] - [33mwarn[39m: [deprecated]
     at SocketTopics.getTopic (/home/fsuzer/nodebb/src/socket.io/topics.js:99:10)
    at wrapperCallback (/home/fsuzer/nodebb/src/promisify.js:46:11)
    at onMessage (/home/fsuzer/nodebb/src/socket.io/index.js:160:25)
     use GET /api/v3/topics/:tid
2022-01-17T17:59:34.773Z [4568/26964] - [31merror[39m: /forum/logout
invalid csrf token
2022-01-17T17:59:37.207Z [4568/26964] - [31merror[39m: /forum/logout
invalid csrf token
2022-01-17T18:01:04.641Z [4568/26964] - [31merror[39m: /forum/logout
invalid csrf token
2022-01-17T18:04:22.743Z [4570/26972] - [31merror[39m: /assets/uploads/files/207/1546969176845e868e8b4-0b1b-4cee-9aef-c3b6b1ecdf3b-image.png
Error: Login sessions require session support. Did you forget to use `express-session` middleware?
    at SessionStrategy.authenticate (/home/fsuzer/nodebb/node_modules/passport/lib/strategies/session.js:46:41)
    at attempt (/home/fsuzer/nodebb/node_modules/passport/lib/middleware/authenticate.js:369:16)
    at authenticate (/home/fsuzer/nodebb/node_modules/passport/lib/middleware/authenticate.js:370:7)
    at Layer.handle [as handle_request] (/home/fsuzer/nodebb/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/home/fsuzer/nodebb/node_modules/express/lib/router/index.js:323:13)
    at /home/fsuzer/nodebb/node_modules/express/lib/router/index.js:284:7
    at Function.process_params (/home/fsuzer/nodebb/node_modules/express/lib/router/index.js:341:12)
    at next (/home/fsuzer/nodebb/node_modules/express/lib/router/index.js:275:10)
    at initialize (/home/fsuzer/nodebb/node_modules/passport/lib/middleware/initialize.js:89:5)
    at Layer.handle [as handle_request] (/home/fsuzer/nodebb/node_modules/express/lib/router/layer.js:95:5)
2022-01-17T18:05:04.276Z [4567/26963] - [31merror[39m: meta.rooms.leaveCurrent
Error: revalidate-failure
    at validateSession (/home/fsuzer/nodebb/src/socket.io/index.js:208:9)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at onMessage (/home/fsuzer/nodebb/src/socket.io/index.js:153:3)
2022-01-17T18:06:06.006Z [4568/26964] - [31merror[39m: /forum/register/complete/
invalid csrf token
2022-01-17T18:07:48.857Z [4568/26964] - [31merror[39m: plugins.browsingUsers.getBrowsingUsers
Error: revalidate-failure
    at validateSession (/home/fsuzer/nodebb/src/socket.io/index.js:208:9)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at onMessage (/home/fsuzer/nodebb/src/socket.io/index.js:153:3)
2022-01-17T18:08:15.486Z [4568/26964] - [31merror[39m: /forum/register/complete/
invalid csrf token
2022-01-17T18:08:46.586Z [4568/26964] - [31merror[39m: meta.rooms.leaveCurrent
Error: revalidate-failure
    at validateSession (/home/fsuzer/nodebb/src/socket.io/index.js:208:9)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at onMessage (/home/fsuzer/nodebb/src/socket.io/index.js:153:3)

crazycells

this is our nginx config file:

this is our nodebb config file:

crazycells

additionally, the main site is WordPress, and NodeBB is installed at /forum

<baris>

I suggest updating to 1.19.0 and applying this change as well https://github.com/NodeBB/NodeBB/commit/e9ee843b274b1e1f38b992650f3f74f940a20a49.

After that users might have to clear their cookies and refresh their browsers. Let us know if they still experience csrf errors after those changes.

Community

invalid CSRF token during registration

Suggested Topics

email address requirement during registration

Error when generating a master token on 1.15.5

Registration Form Bug

Invalid email error when trying to reset password

/trackback/ csrf token error