I'm getting a 403 response header from Apache when a user tries to log in:
403 Forbidden
Connection: Keep-Alive
Content-Length: 9
Content-Type: text/plain; charset=utf-8
Date: Tue, 26 Jul 2016 08:34:17 GMT
Etag: W/"9-cilpV3qWyjlT6E49lJ3ugQ"
Keep-Alive: timeout=5, max=100
Server: Apache
Set-Cookie: express.sid=s%3AK71RmAAIHxT272nf0UmW0VjrVspvtzjb.z%2BNP27jVVBPjm7IGebypmqLqKlWNQuOpVQY6lKat2RA; Domain=domain.deleted.com; Path=/; Expires=Tue, 09 Aug 2016 08:34:17 GMT; HttpOnly
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
X-Powered-By: Express
access-control-allow-origin: null
NodeBB version is 1.0.3
The user facing login screen shows:
Failed login attempt, please try again.
Forbidden
The NodeBB log shows:
26/7 09:31 [26144] - error: /login
invalid csrf token
I have tried:
Restarting nodebb & apache
Adding the following to apache config:
RequestHeader set X-Forwarded-Proto 'https'
In my particular case, this seems to have been caused by one or all of:
<VirtualHost *:80>
RequestHeader set X-Forwarded-Proto "http"
…
</VirtualHost>
I added the above apache directive and restarted apache..
2.Having the cookieDomain set in the admin panel
If you cannot log into your forum, the only way to do remove this cookieDomain value is to manually run a DB query to remove it. In my case this was Mongo and I used a GUI client to remove the value.
A raw query would look something like this:
db.objects.update({_key: "config"}, {$set: {cookieDomain: ""}});
More info here - https://community.nodebb.org/topic/9196/invalid-session?_=1470286431609&page=1
