Bubka / 2FAuth

A Web app to manage your Two-Factor Authentication (2FA) accounts and generate their security codes
https://docs.2fauth.app/
GNU Affero General Public License v3.0

CSRF token mismatch in Chrome #292

Closed masterwishx closed 7 months ago

masterwishx commented 7 months ago

Version

latest

Details & Steps to reproduce

Using Docker in Unraid. Using Chrome, I sometimes get this issue and sometimes not; in Firefox all is fine, also when opening Chrome in incognito.

Expectation

..

Error & Logs

....

Execution environment

...

Containerization

Additional information


PeopleInside commented 7 months ago

I have the same issue, also on Firefox. New install, I'm unable to register.

I used Composer, not Docker, but I'm unable to use this app. It never lets me register because after inserting all my data a CSRF token error is shown, as in the screenshots in this discussion.

masterwishx commented 7 months ago

I have the same issue, also on Firefox. New install, I'm unable to register.

I used Composer, not Docker, but I'm unable to use this app. It never lets me register because after inserting all my data a CSRF token error is shown, as in the screenshots in this discussion.

Try to open an incognito page in Chrome or Firefox; it's working for me in Chrome. Also you can try to clear cookies and cache, maybe...

masterwishx commented 7 months ago

I hope @Bubka can fix this soon.

PeopleInside commented 7 months ago

For me nothing works. I'm also unable to use the demo https://demo.2fauth.app/register

I lost a lot of time trying to install this on my server, and now I've discovered I just missed trying to register in the demo. In every browser I try, even in incognito, I'm unable to register. I also tried to install the previous version from December 2023 on my server, but it is the same.

I need to leave for now. I cannot use it :(

I'm able to log in to the demo but I'm unable to register.

Bubka commented 7 months ago

Sorry for that, but I'm sure it can be fixed. Regarding the demo, it is the expected behavior.

How did you configure the APP_URL and ASSET_URL vars in your env file? They should reflect your instance URL. Also, in addition to cookie clearing, please run these commands in a terminal:

php artisan cache:clear
php artisan config:clear
php artisan view:clear

PeopleInside commented 7 months ago

@Bubka I'm trying again to install, but it is a very strange process.

  1. I download the latest version here: https://github.com/Bubka/2FAuth/releases/tag/v5.0.3
  2. I upload and extract it on my server.
  3. I create the .htaccess rule:
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/public/
RewriteRule ^(.*)$ /public/$1 [L,QSA]
  4. I run the Composer command composer install --prefer-dist --no-scripts --no-dev
  5. I run the command php artisan 2fauth:install, choosing MySQL.
  6. Now when I get the success message and load my URL, I see the page tries to load resources from http://localhost.
  7. I check the .env file.

Nothing; still unable, also with those three SSH commands. I get:

[screenshot]

And in the developer console:

[screenshot]

Bubka commented 7 months ago

Why did you change the htaccess definition? There is no need to edit this file. Pointing to the public directory has to be set in your web server configuration. What server are you using?

PeopleInside commented 7 months ago

Why did you change the htaccess definition? There is no need to edit this file. Pointing to the public directory has to be set in your web server configuration. What server are you using?

Plesk, Apache and PHP.

I see there is a cookie error in developer console.

Is it safe to share my installation URL here, or can I share it in private?

[screenshot]

Bubka commented 7 months ago

Please roll back the .htaccess definition to default and post your Apache conf here (with redacted host address).

PeopleInside commented 7 months ago

Please roll back the .htaccess definition to default and post your Apache conf here (with redacted host address).

The .htaccess was created by me; it is in the domain root and points to the public folder. In this case I'm able to load the interface; if I delete it, the interface will not load.

I cannot edit the Apache config, it is a Plesk Panel. I don't know how to edit it, other domains are running on it :S

UPDATE:

You may have cookie issues. My server had the following directive:

Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Removing this, your app works. I don't know if you can have a weakness in cookies.

masterwishx commented 7 months ago

php artisan cache:clear
php artisan config:clear
php artisan view:clear

After this I had a server error, but after rebooting the container it is working again, but still the same issue; cleared cookies also...

Bubka commented 7 months ago

Please roll back the .htaccess definition to default and post your Apache conf here (with redacted host address).

The .htaccess was created by me; it is in the domain root and points to the public folder. In this case I'm able to load the interface; if I delete it, the interface will not load.

I cannot edit the Apache config, it is a Plesk Panel. I don't know how to edit it, other domains are running on it :S

UPDATE:

You may have cookie issues. My server had the following directive:

Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Removing this, your app works. I don't know if you can have a weakness in cookies.

Again, there is no need to add a custom .htaccess in the root folder. 2FAuth has its own .htaccess in the public folder. You need to configure Plesk to point to the public folder in the host setup.

masterwishx commented 7 months ago

APP_URL and ASSET_URL are http://192.168.0.199:8000 in the Unraid env in Docker:

[screenshot]

PeopleInside commented 7 months ago

The issue was caused by this:

Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

My server is configured to accept http and secure cookies only. Removing this security directive, your app is working.

I'm asking why this directive must be removed. Now it is working, and I also set Plesk to point to the public folder, but with the cookie rule above it won't work.

masterwishx commented 7 months ago

@Bubka I also have this in the log:

[screenshot]

but I have app_key:

[screenshot]

masterwishx commented 7 months ago

Found strange behavior: when I get the CSRF token error, after refreshing the page once I get into the program.... In Firefox still no problems. But I'm using mostly Chrome for now.

Bubka commented 7 months ago

@masterwishx please run php artisan config:cache

masterwishx commented 7 months ago

php artisan config:cache

Not sure what's going on, but now it's working fine; I also ran php artisan config:cache:

[screenshot]

masterwishx commented 7 months ago

I will try to log in for some days; if it is OK I will close the issue, if you don't mind...

masterwishx commented 7 months ago

Today the issue in Chrome again.

masterwishx commented 7 months ago

php artisan config:cache

php artisan config:cache is not helping.

Bubka commented 7 months ago

You're talking about the CSRF issue, right? what device are you on? desktop, mobile? If mobile, did you add the app to your home-screen?

masterwishx commented 7 months ago

You're talking about the CSRF issue, right? what device are you on? desktop, mobile? If mobile, did you add the app to your home-screen?

Desktop, Win 11, Chrome.

masterwishx commented 7 months ago

Using the latest app in Docker in Unraid.

masterwishx commented 7 months ago

You're talking about the CSRF issue, right? what device are you on? desktop, mobile? If mobile, did you add the app to your home-screen?

The strange thing is that there is no problem in Firefox, and also no issue when opening an incognito page in Chrome.

Bubka commented 7 months ago

Yep, Chrome behaves strangely. The CSRF token is pushed to the server with a cookie on each request. On top of that, 2FAuth has a refresh mechanism to prevent such a situation (the call to /refresh-csrf between the two failed requests to /login), so even if the first login attempt fails with a 419 code, the second is made with a brand new CSRF cookie, so it shouldn't fail.

Do you have any cookie rule/restriction/policy applied?
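An added diagnostic for the cookie question above (my script, not 2FAuth's code or anything posted in this thread): 2FAuth is a Laravel application, and Laravel deliberately sets its XSRF-TOKEN cookie without HttpOnly because the browser-side code must read it and return it as a request header on every POST, so a rule that appends HttpOnly to every Set-Cookie, like the Plesk directive PeopleInside found, makes the CSRF check fail. The function below reads response headers (a constructed sample is embedded; pipe curl output from your own instance instead) and flags an XSRF-TOKEN cookie that carries HttpOnly; the narrower Apache rule in the comment, which keeps HttpOnly on the session cookie, is my suggestion and assumes an httpd build with PCRE.

```shell
#!/bin/sh
# Added diagnostic, not 2FAuth code: flag a CSRF token cookie that a site-wide
# "Header edit Set-Cookie" rule has made HttpOnly. Laravel issues XSRF-TOKEN
# without HttpOnly on purpose: the page's JavaScript reads it and echoes it
# back in a request header, so an HttpOnly XSRF-TOKEN fails every CSRF check.

# Reads HTTP response headers from stdin. Returns 0 when every Set-Cookie for
# $1 (default XSRF-TOKEN) is script-readable, 1 when one of them carries
# HttpOnly, 2 when no such cookie was seen at all.
check_csrf_cookie() {
  name="${1:-XSRF-TOKEN}"
  seen=0
  bad=0
  while IFS= read -r line; do
    line=$(printf '%s' "$line" | tr -d '\r')   # curl headers end in CRLF
    case "$line" in
      [Ss]et-[Cc]ookie:*"$name"=*) ;;          # only the cookie we care about
      *) continue ;;
    esac
    seen=1
    lower=$(printf '%s' "$line" | tr 'A-Z' 'a-z')
    # Attributes come after the first ';', so "httponly" is only matched there.
    case "$lower" in
      *';'*httponly*) bad=1; echo "BROKEN: $line" ;;
      *)              echo "OK:     $line" ;;
    esac
  done
  [ "$seen" -eq 1 ] || return 2
  [ "$bad" -eq 0 ]
}

# Constructed sample of what the thread's directive produces: HttpOnly on the
# session cookie is right, HttpOnly on XSRF-TOKEN is the bug. Against a real
# instance run: curl -sS -D - -o /dev/null https://HOST/login | check_csrf_cookie
SAMPLE_HEADERS='HTTP/1.1 200 OK
Set-Cookie: XSRF-TOKEN=TOKENVALUE; expires=Tue, 13 Feb 2024 20:34:38 GMT; path=/; SameSite=lax;HttpOnly;Secure
Set-Cookie: app_session=SESSIONVALUE; path=/; httponly; SameSite=lax;HttpOnly;Secure'

# Narrower rule (assumption: httpd with PCRE) that keeps the hardening on every
# other cookie and exempts only the CSRF token cookie:
#   Header always edit Set-Cookie "^((?!XSRF-TOKEN=).*)$" "$1;HttpOnly;Secure"

printf '%s\n' "$SAMPLE_HEADERS" | check_csrf_cookie \
  || echo "CSRF token cookie is not script-readable (or not set); fix the Header rule"
```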

masterwishx commented 7 months ago

Do you have any cookie rule/restriction/policy applied?

Not sure; I didn't have problems with Chrome in earlier 2FAuth versions....

Standard security, if you mean this:

[screenshot]

masterwishx commented 7 months ago

@Bubka it seems the issue is fixed with the latest update; I will close the issue for now... if I have the problem again I will post here...