Invalid CSRF Token

  • Our old friend, invalid CSRF token is back.

    NodeBB v1.1.0
    Git commit: 296dc77c7bb2bbf92f711089d77e4f32f729951f
    Redis 3.0.7

    So far, I've tried 1) different browsers and 2) clearing out the individual cookies related to the domain.


    - nodebb-theme-persona
    - nodebb-plugin-markdown
    - nodebb-plugin-mentions
    - nodebb-plugin-spam-be-gone
    - nodebb-widget-essentials
    - nodebb-rewards-essentials
    - nodebb-plugin-reddit
    - nodebb-plugin-soundpack-default
    - nodebb-plugin-emoji-extended
    - nodebb-plugin-rss
    - nodebb-plugin-twitter
    - nodebb-plugin-desktop-notifications
    - nodebb-plugin-question-and-answer
    - nodebb-plugin-sso-google-confirmed
    - nodebb-plugin-dbsearch
    - nodebb-plugin-sso-dropbox
    - nodebb-plugin-custom-pages
    - nodebb-plugin-twitch
    - nodebb-plugin-write-api
    - nodebb-plugin-youtube-lite
    - nodebb-plugin-emailer-mandrill
    - nodebb-plugin-vimeo
    - nodebb-plugin-newuser-invitation
    - nodebb-plugin-gravatar
    - nodebb-plugin-imgur
    - nodebb-plugin-codeinput
    - nodebb-plugin-composer-redactor
    - nodebb-plugin-header-extend
    - nodebb-plugin-poll
    - nodebb-plugin-soundcloud
    - nodebb-plugin-sso-github
    - nodebb-plugin-sso-google

    I've tried resetting all the plugins as well, but this error persists:

    [screenshot attachment: Screen Shot 2016-07-18 at 7.59.08 PM.png]

    Any ideas??

  • Hi, I have the same issue as you, it started a few weeks ago.

    Yesterday I had a reported case of "Invalid-session".

    We have the same:

  • @pichalite

    I have met the same problem!

    "csrf-invalid": "We were unable to log you in, likely due to an expired session. Please try again"

    I tried clearing all the cache and cookies in Chrome, but it still happened!

    NodeBB: v1.1.0 (GitHub tag)
    MongoDB: 3.2.7
    SSL: no
    Upgraded from: fresh install

  • @Jam said in Invalid CSRF Token:

    SSL: no

    Although you have SSL set to no, have you tried to resolve this problem by adding proxy_set_header X-Forwarded-Proto $scheme; to your Nginx configuration?

  • @rod thanks, I have added it~

    I thought it was not necessary to add proxy_set_header X-Forwarded-Proto $scheme when we were not using SSL with nginx~

  • @Jam Has adding that line resolved your problem?

  • @rod It seems to be working OK so far~

  • Where do we set SSL: no? Can you paste your config.json?

  • @pichalite

    Where do we set SSL: no? Can you paste your config.json?

  • Plugin & Theme Dev

    @codecowboy don't think there is a setting like that. Where did you get that from?

  • Admin

    @codecowboy As @pichalite has mentioned in the other thread, you'll want to reset the cookieDomain config in your NodeBB.

  • @pichalite SSL:No is mentioned higher up in this thread

  • Plugin & Theme Dev

    @codecowboy he just said that he is not using SSL. There is no such setting.

  • @pichalite Aha. My bad. I am stupid. It's a curse.

  • I had the exact same issue; I ended up going back to v1.0.3. Luckily there was no change in the database, so I could just use git checkout v1.0.3 and then run npm install followed by ./nodebb upgrade, and everything went back to a working state.

  • I'm using nginx with SSL and had the same issue with login/CSRF token when migrating from 1.0.3 to 1.1.2. As described before (but always good to repeat), adding this to my nginx config (/etc/nginx/sites-enabled/default in my case) saved my life, thank

    proxy_set_header X-Forwarded-Proto $scheme;

  • For the record, for people finding this via search: for apache2 you have to set this somewhere in your NodeBB vhost configuration.

    With SSL:

    RequestHeader set X-Forwarded-Proto "https"

    Without SSL:

    RequestHeader set X-Forwarded-Proto "http"

    You might have to enable mod_headers to do so!

