Unsolved Login session error popup loop


  • I have just set up a new instance on my Ubuntu server and I see the following error pop up continuously

    [Image: nodebberror.png]

    the config.json is set up to point to the correct url

    {
        "url": "http://forum..co.uk",
        "port": "4567",
        "use_port": false,
        "secret": "",
        "database": "mongo",
        "mongo": {
            "host": "127.0.0.1",
            "port": "27017",
            "username": "forum",
            "password": "********************",
            "database": "forumdb",
            "uri": ""
        }
    }

    My Nginx config is also set up correctly

    server {

    listen 80;
    ssl_certificate    /etc/ssl/certs/forumcert.pem;
    ssl_certificate_key    /etc/ssl/certs/bmansi.key;
    
    server_name forum.*****.co.uk;
    
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
    
        proxy_pass http://127.0.0.1:4567;
        proxy_redirect off;
    
        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd;
    
    }
    

    }

    I've restarted, rebooted, and tried with SSL and without SSL, and so far have been completely unable to remove the popup loop when browsing to my site in Chrome or Edge.

    Does anyone have any suggestions?


  • @mattdjuk Can you try to change proxy_set_header X-Forwarded-Proto $scheme; with proxy_set_header X-Forwarded-Proto https; in your NGINX config and try after an NGINX restart ?


  • @mattdjuk Incidentally, I have v2.0 installed


  • @phenomlab hi, I get an error when I try to restart nginx with this approach.

    I've now changed the config to the suggested one for SSL (with relevant server name updates etc)...

    server {
        listen 80;
        server_name forum.example.org;
        return 302 https://$server_name$request_uri;
    }

    server {
        # listen on ssl, deliver with speedy if possible
        listen 443 ssl spdy;
        server_name forum.example.org;
        # change these paths!
        ssl_certificate /path/to/cert/bundle.crt;
        ssl_certificate_key /path/to/cert/forum.example.org.key;
        # enables all versions of TLS, but not SSLv2 or 3 which are weak and now deprecated.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # disables all weak ciphers
        ssl_ciphers 'AES128+EECDH:AES128+EDH';
        ssl_prefer_server_ciphers on;
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_pass http://127.0.0.1:4567; # no trailing slash
            proxy_redirect off;
            # Socket.IO Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

    But the error remains, although it does redirect from http to https.


  • @mattdjuk Odd - what's the error message ?


  • Ok, got NGINX to update - missed the semicolon!

    However, it's made no difference to the website, I still get the error message "invalid session..."

    I've managed to get from the logs...

    POST /logout
    invalid csrf token

    This is appearing every time I try to get to the site in Chrome. I'm not logged in, it's a new site, and I can't see that any cookies have been created or anything like that.


  • @mattdjuk said in Login session error popup loop:

    invalid csrf token

    Yep. I've had this also. Try this


  • @phenomlab Thanks. Tried

    I can now get an incognito window to work without the constant prompting. My main Chrome window still shows it constantly though but I think that's cache. Edge is now working too.

    I'll clear out the cache in Chrome and see if that helps.

    Really helpful! Thanks again.


  • @mattdjuk No problems.


  • Further to this - I can now get the site to show without the session error popup, but only when I use an incognito window. So far Chrome remains stuck with the pop up when I use it normally.


  • @mattdjuk I've had this exact same issue with Chrome. Does it still happen if you clear the cache completely, or if you press F12, then select the Network tab and select "Disable cache" (as shown below) and then reload the page ?

    [Image: c12a77fd-f2ca-4b43-9f39-9679265e7bf6-image.png]


  • @phenomlab Unfortunately it doesn't help. I can use Edge to log in to the admin area and it has a load of these errors:

    POST /logout
    invalid csrf token

    Edge is fine, Chrome (normal, incognito) doesn't work and keeps prompting.


  • @mattdjuk Is the URL specified in config.json correct, and does it contain any trailing backslashes ?


  • @phenomlab

    Tried both in the config - with and without a trailing slash, e.g.

    "url": "http://forum.*******.co.uk"

    and

    "url": "http://forum.*******.co.uk/"

    Makes no difference


  • @mattdjuk Thanks. For clarity, the trailing backslash should not be there. Does the site function as desired when using Edge with no issues from the user perspective ? Does anything appear in the logs when the CSRF error is being generated ?


  • @phenomlab I tried both, but it's currently without the /

    Edge works fine. I can use the site without issue. It's just Chrome.

    The only thing I can see in the admin logs on /admin is this

    022-05-24T15:16:43.080Z [4567/165874] - error: POST /logout
    invalid csrf token

    In the inspect tools in Chrome I see...

    nodebb.min.js?v=eau0luijpea:2 POST https://forum.**********.co.uk/logout 403 (Forbidden)
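
Added example (not part of the thread, and not NodeBB's own code): a small Node.js check that compares the `url` value in config.json with the URL the browser actually requested, since the config posted earlier uses `http://` while Chrome is posting to `https://`. It assumes the configured `url` should match the address visitors use; the function name and the `forum.example.org` sample values are constructed for illustration.

```javascript
// Added example, not from the thread. Sample values are constructed.
// Assumption: config.json "url" should match the address browsers use.

function checkConfiguredUrl(configText, observedUrl) {
  const config = JSON.parse(configText);
  const findings = [];
  let configured;
  try {
    if (typeof config.url !== 'string') throw new TypeError('missing url');
    configured = new URL(config.url);
  } catch (err) {
    return ['config url is missing or not an absolute URL'];
  }
  const observed = new URL(observedUrl);

  if (configured.protocol !== observed.protocol) {
    findings.push('scheme mismatch: config has ' + configured.protocol +
      ' but the browser used ' + observed.protocol);
  }
  if (configured.hostname !== observed.hostname) {
    findings.push('host mismatch: config has ' + configured.hostname +
      ' but the browser used ' + observed.hostname);
  }
  // URL drops default ports (80/443), so this only flags explicit ports.
  if (configured.port !== observed.port) {
    findings.push('port mismatch: config has "' + configured.port +
      '" but the browser used "' + observed.port + '"');
  }
  if (config.url.endsWith('/')) {
    findings.push('config url ends with a trailing slash');
  }
  return findings;
}

// Constructed sample: same shape as the config and request in the thread.
const SAMPLE_CONFIG = JSON.stringify({
  url: 'http://forum.example.org',
  port: '4567',
  use_port: false
});
const SAMPLE_REQUEST = 'https://forum.example.org/logout';

for (const finding of checkConfiguredUrl(SAMPLE_CONFIG, SAMPLE_REQUEST)) {
  console.log(finding);
}
```

An empty result means the configured URL and the requested URL agree on scheme, host and port.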


  • @mattdjuk Can you contact me via PM and share your site URL ? I want to see if I can reproduce the issue in Chrome.


  • @phenomlab Sure, will do. thanks


  • @mattdjuk Just checked. This is exactly the same issue I encountered in this post

    When you tried this the first time, are you sure you selected the right database ?


  • @phenomlab I've just run this again. The first refresh, I actually got the screen without the session warning, but then the next time I refreshed, it was back.

    Same error in the logs, and everything working fine in Edge.



© 2014 – 2022 NodeBB, Inc. — Made in Canada.