invalid CSRF token during registration


  • We got some complaints from new users that right after registration, they get an error and see a blank "forbidden" page with a link like this:

    register/complete/?_csrf=XXXXXX

    However, when one person deleted the `?_csrf=XXXXXX...` part and clicked the link, he was able to log in. After looking at the logs, I can see these errors happening frequently.

    We are currently using 1.18.6; should we upgrade to 1.19 to eliminate these errors?

    2022-01-17T14:48:29.084Z [4567/26963] - error: /forum/register/complete/
    invalid csrf token
    2022-01-17T16:30:54.666Z [4569/26966] - error: /forum/logout
    invalid csrf token
    2022-01-17T16:31:59.605Z [4567/26963] - error: /assets/uploads/files/119/1503486526413eyalet-di%C5%9F-okulu-bilgisi.png
    Error: Login sessions require session support. Did you forget to use `express-session` middleware?
        at SessionStrategy.authenticate (/home/fsuzer/nodebb/node_modules/passport/lib/strategies/session.js:46:41)
        at attempt (/home/fsuzer/nodebb/node_modules/passport/lib/middleware/authenticate.js:369:16)
        at authenticate (/home/fsuzer/nodebb/node_modules/passport/lib/middleware/authenticate.js:370:7)
        at Layer.handle [as handle_request] (/home/fsuzer/nodebb/node_modules/express/lib/router/layer.js:95:5)
        at trim_prefix (/home/fsuzer/nodebb/node_modules/express/lib/router/index.js:323:13)
        at /home/fsuzer/nodebb/node_modules/express/lib/router/index.js:284:7
        at Function.process_params (/home/fsuzer/nodebb/node_modules/express/lib/router/index.js:341:12)
        at next (/home/fsuzer/nodebb/node_modules/express/lib/router/index.js:275:10)
        at initialize (/home/fsuzer/nodebb/node_modules/passport/lib/middleware/initialize.js:89:5)
        at Layer.handle [as handle_request] (/home/fsuzer/nodebb/node_modules/express/lib/router/layer.js:95:5)
    2022-01-17T16:36:01.474Z [4567/26963] - error: /forum/api/v3/users/14305/follow
    invalid csrf token
    2022-01-17T16:48:11.040Z [4568/26964] - error: notifications.getCount
    Error: revalidate-failure
        at validateSession (/home/fsuzer/nodebb/src/socket.io/index.js:208:9)
        at runMicrotasks (<anonymous>)
        at processTicksAndRejections (node:internal/process/task_queues:96:5)
        at onMessage (/home/fsuzer/nodebb/src/socket.io/index.js:153:3)
    2022-01-17T16:53:59.303Z [4568/26964] - error: /forum/register/complete/
    invalid csrf token
    2022-01-17T17:00:00.011Z [4568/26964] - info: [user/jobs] Did not send digests (day) because subscription system is disabled.
    2022-01-17T17:00:00.024Z [4567/26963] - info: [user/jobs] Did not send digests (day) because subscription system is disabled.
    2022-01-17T17:00:43.621Z [4568/26964] - warn: [deprecated]
         at SocketTopics.getTopic (/home/fsuzer/nodebb/src/socket.io/topics.js:99:10)
        at wrapperCallback (/home/fsuzer/nodebb/src/promisify.js:46:11)
        at onMessage (/home/fsuzer/nodebb/src/socket.io/index.js:160:25)
         use GET /api/v3/topics/:tid
    2022-01-17T17:00:45.320Z [4568/26964] - warn: [deprecated]
         at SocketTopics.getTopic (/home/fsuzer/nodebb/src/socket.io/topics.js:99:10)
        at wrapperCallback (/home/fsuzer/nodebb/src/promisify.js:46:11)
        at onMessage (/home/fsuzer/nodebb/src/socket.io/index.js:160:25)
         use GET /api/v3/topics/:tid
    2022-01-17T17:59:34.773Z [4568/26964] - error: /forum/logout
    invalid csrf token
    2022-01-17T17:59:37.207Z [4568/26964] - error: /forum/logout
    invalid csrf token
    2022-01-17T18:01:04.641Z [4568/26964] - error: /forum/logout
    invalid csrf token
    2022-01-17T18:04:22.743Z [4570/26972] - error: /assets/uploads/files/207/1546969176845e868e8b4-0b1b-4cee-9aef-c3b6b1ecdf3b-image.png
    Error: Login sessions require session support. Did you forget to use `express-session` middleware?
        at SessionStrategy.authenticate (/home/fsuzer/nodebb/node_modules/passport/lib/strategies/session.js:46:41)
        at attempt (/home/fsuzer/nodebb/node_modules/passport/lib/middleware/authenticate.js:369:16)
        at authenticate (/home/fsuzer/nodebb/node_modules/passport/lib/middleware/authenticate.js:370:7)
        at Layer.handle [as handle_request] (/home/fsuzer/nodebb/node_modules/express/lib/router/layer.js:95:5)
        at trim_prefix (/home/fsuzer/nodebb/node_modules/express/lib/router/index.js:323:13)
        at /home/fsuzer/nodebb/node_modules/express/lib/router/index.js:284:7
        at Function.process_params (/home/fsuzer/nodebb/node_modules/express/lib/router/index.js:341:12)
        at next (/home/fsuzer/nodebb/node_modules/express/lib/router/index.js:275:10)
        at initialize (/home/fsuzer/nodebb/node_modules/passport/lib/middleware/initialize.js:89:5)
        at Layer.handle [as handle_request] (/home/fsuzer/nodebb/node_modules/express/lib/router/layer.js:95:5)
    2022-01-17T18:05:04.276Z [4567/26963] - error: meta.rooms.leaveCurrent
    Error: revalidate-failure
        at validateSession (/home/fsuzer/nodebb/src/socket.io/index.js:208:9)
        at runMicrotasks (<anonymous>)
        at processTicksAndRejections (node:internal/process/task_queues:96:5)
        at onMessage (/home/fsuzer/nodebb/src/socket.io/index.js:153:3)
    2022-01-17T18:06:06.006Z [4568/26964] - error: /forum/register/complete/
    invalid csrf token
    2022-01-17T18:07:48.857Z [4568/26964] - error: plugins.browsingUsers.getBrowsingUsers
    Error: revalidate-failure
        at validateSession (/home/fsuzer/nodebb/src/socket.io/index.js:208:9)
        at runMicrotasks (<anonymous>)
        at processTicksAndRejections (node:internal/process/task_queues:96:5)
        at onMessage (/home/fsuzer/nodebb/src/socket.io/index.js:153:3)
    2022-01-17T18:08:15.486Z [4568/26964] - error: /forum/register/complete/
    invalid csrf token
    2022-01-17T18:08:46.586Z [4568/26964] - error: meta.rooms.leaveCurrent
    Error: revalidate-failure
        at validateSession (/home/fsuzer/nodebb/src/socket.io/index.js:208:9)
        at runMicrotasks (<anonymous>)
        at processTicksAndRejections (node:internal/process/task_queues:96:5)
        at onMessage (/home/fsuzer/nodebb/src/socket.io/index.js:153:3)
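The log excerpt above is noisy; a quick way to triage it is to group the continuation lines (message, stack trace) with their header line and count the `invalid csrf token` errors per route and per worker pid, which shows at a glance whether the failures are confined to `/forum/register/complete/` or spread across routes and workers. The following script is an added example, not code from the thread or from NodeBB; the sample log is a constructed subset in the same format as the excerpt.

```python
import re
from collections import Counter

# Constructed sample in the NodeBB log format shown above (not the poster's full log).
SAMPLE_LOG = """\
2022-01-17T14:48:29.084Z [4567/26963] - error: /forum/register/complete/
invalid csrf token
2022-01-17T16:30:54.666Z [4569/26966] - error: /forum/logout
invalid csrf token
2022-01-17T16:48:11.040Z [4568/26964] - error: notifications.getCount
Error: revalidate-failure
    at validateSession (/home/fsuzer/nodebb/src/socket.io/index.js:208:9)
2022-01-17T17:00:00.011Z [4568/26964] - info: [user/jobs] Did not send digests (day) because subscription system is disabled.
2022-01-17T18:06:06.006Z [4568/26964] - error: /forum/register/complete/
invalid csrf token
"""

# Header line: ISO timestamp, [pid/wid], level, then the route or socket method name.
HEADER = re.compile(r"^(\S+Z) \[(\d+)/(\d+)\] - (\w+): (.*)$")


def parse_records(text):
    """Group each header line with the continuation lines (message, stack) that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, pid, wid, level, context = m.groups()
            records.append({"ts": ts, "pid": int(pid), "wid": int(wid),
                            "level": level, "context": context, "detail": []})
        elif records:
            records[-1]["detail"].append(line.strip())
    return records


def csrf_failures(records):
    """Count 'invalid csrf token' errors per route and per worker pid."""
    by_route, by_pid = Counter(), Counter()
    for r in records:
        if r["level"] == "error" and "invalid csrf token" in r["detail"]:
            by_route[r["context"]] += 1
            by_pid[r["pid"]] += 1
    return by_route, by_pid


def summarize(text):
    recs = parse_records(text)
    by_route, by_pid = csrf_failures(recs)
    return {"records": len(recs), "by_route": dict(by_route), "by_pid": dict(by_pid)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against the real log file instead of `SAMPLE_LOG` to see whether the failures land on one worker or all of them before and after an upgrade.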
    

  • This is our nginx config file:

    This is our NodeBB config file:


  • Additionally, the main site is WordPress, and NodeBB is installed at /forum.

  • NodeBB

    I suggest updating to 1.19.0 and applying this change as well https://github.com/NodeBB/NodeBB/commit/e9ee843b274b1e1f38b992650f3f74f940a20a49.

    After that users might have to clear their cookies and refresh their browsers. Let us know if they still experience csrf errors after those changes.

