Invalid CSRF Token

Guiri

Our old friend, invalid CSRF token is back.

NodeBB v1.1.0
Git commit: 296dc77c7bb2bbf92f711089d77e4f32f729951f
Redis 3.0.7

So far, I've tried 1) different browsers and 2) clearing out the individual cookies related to the domain.

Plugins:

	 - nodebb-theme-persona
	 - nodebb-plugin-markdown
	 - nodebb-plugin-mentions
	 - nodebb-plugin-spam-be-gone
	 - nodebb-widget-essentials
	 - nodebb-rewards-essentials
	 - nodebb-plugin-reddit
	 - nodebb-plugin-soundpack-default
	 - nodebb-plugin-emoji-extended
	 - nodebb-plugin-rss
	 - nodebb-plugin-twitter
	 - nodebb-plugin-desktop-notifications
	 - nodebb-plugin-question-and-answer
	 - nodebb-plugin-sso-google-confirmed
	 - nodebb-plugin-dbsearch
	 - nodebb-plugin-sso-dropbox
	 - nodebb-plugin-custom-pages
	 - nodebb-plugin-twitch
	 - nodebb-plugin-write-api
	 - nodebb-plugin-youtube-lite
	 - nodebb-plugin-emailer-mandrill
	 - nodebb-plugin-vimeo
	 - nodebb-plugin-newuser-invitation
	 - nodebb-plugin-gravatar
	 - nodebb-plugin-imgur
	 - nodebb-plugin-codeinput
	 - nodebb-plugin-composer-redactor
	 - nodebb-plugin-header-extend
	 - nodebb-plugin-poll
	 - nodebb-plugin-soundcloud
	 - nodebb-plugin-sso-github
	 - nodebb-plugin-sso-google

I've tried resetting all the plugins as well, but this error persists:

Any ideas??

pichalite

@Guiri follow the instructions here... https://github.com/NodeBB/NodeBB/issues/4734

julianlam created this issue in NodeBB/NodeBB

closed Ensure cookie is secure even if NodeBB does not handle the SSL certificate #4734

Guiri

@pichalite TY

sohpingting

Hi, I have the same issue as you, it started a few weeks ago.

Yesterday I have a reported case of "Invalid-session"

- nodebb-plugin-asset-manager
- nodebb-plugin-composer-embedly
- nodebb-plugin-emailer-sendgrid
- nodebb-plugin-embed-videos
- nodebb-plugin-emoji-extended
- nodebb-plugin-emoji-one
- nodebb-plugin-iframely
- nodebb-plugin-markdown
- nodebb-plugin-mentions
- nodebb-plugin-newsletter
- nodebb-plugin-newuser-invitation
- nodebb-plugin-ns-awards
- nodebb-plugin-poll
- nodebb-plugin-rss
- nodebb-plugin-s3-uploads-updated
- nodebb-plugin-slack-extended
- nodebb-plugin-soundpack-default
- nodebb-plugin-videoplayer
- nodebb-rewards-essentials
- nodebb-theme-persona
- nodebb-widget-essentials
- nodebb-widget-ns-stats

We have the same:

• nodebb-theme-persona
• nodebb-plugin-markdown
  
- nodebb-plugin-mentions
• nodebb-widget-essentials
• nodebb-rewards-essentials
• nodebb-plugin-soundpack-default
• nodebb-plugin-emoji-extended
• nodebb-plugin-rss
• nodebb-plugin-newuser-invitation

Jam

@pichalite

I have met the same problem!

"csrf-invalid": "We were unable to log you in, likely due to an expired session. Please try again"

I tried to clean all the cache and cookies of the chrome, but still happened!

NodeBB: V1.1.0 in github tag
Mongodb: 3.2.7
SSL: no
Upgraded from: fresh installed

rod

@Jam said in Invalid CSRF Token:

SSL: no

Although you have SSL set to no, have you tried to resolve this problem by adding proxy_set_header X-Forwarded-Proto $scheme; to your Nginx configuration?

Jam

@rod thanks, i have added it~

I thought it was no necessary to add proxy_set_header X-Forwarded-Proto $scheme when we did not use SSL with nginx~

rod

@Jam Has adding that line resolved your problem?

Jam

@rod It seems that working ok till right now~

codecowboy

where do we set SSL:no. Can you paste your config.json?

codecowboy

@pichalite

where do we set SSL:no. Can you paste your config.json?

pichalite

@codecowboy don't think there is a setting like that. Where did you get that from?

julian

@codecowboy As @pichalite has mentioned in the other thread, you'll want to reset the cookieDomain config in your NodeBB.

codecowboy

@pichalite SSL:No is mentioned higher up in this thread

pichalite

@codecowboy he just said that he is not using SSL. There is no such setting.

codecowboy

@pichalite aha. My bad. I am stupid. Its a curse.

Peter-Zoltan Keresztes

I had the exact same issue, I ended up going back to v1.0.3. Lucky me that there was no change in the database so I could just use git checkout v1.0.3 and then run npm install followed by ./nodebb upgrade and everything went back to a working state.

Charly86

I'm using nginx with SSL, had the same issue with login/CSRF Token when migrated from 1.0.3 to 1.1.2, and, as described before but always good to remain, adding this to my nginx config (/etc/nginx/sites-enabled/default in my case) saved my life, thank

proxy_set_header X-Forwarded-Proto $scheme;

phit

for the record for people finding this via search, for apache2 you have to set this somewhere in your nodebb vhost configuration
with ssl

RequestHeader set X-Forwarded-Proto "https"

without ssl

RequestHeader set X-Forwarded-Proto "http"

you might have to enable mod_headers to do so!

Hans

@phit said in Invalid CSRF Token:

for the record for people finding this via search, for apache2 you have to set this somewhere in your nodebb vhost configuration

Thank you very much. This really made my day !!!