Kovah / LinkAce

LinkAce is a self-hosted archive to collect links of your favorite websites.
https://www.linkace.org
GNU General Public License v3.0

419 - Page Expired CSRF token mismatch #827

Closed rwario closed 2 months ago

rwario commented 3 months ago

Bug Description

I installed the LinkAce Docker for my Unraid server and it was working very well, and I imported all my bookmarks. This morning I was logged out and tried to log in again, getting this error:

419 - Page Expired CSRF token mismatch

And can't log in anymore (tried different browsers, cleaned cache etc.). How do I fix this problem? If not, how can I save my bookmarks?

How to reproduce

  1. Go to a browser, e.g. Brave, Firefox etc.
  2. Open Server LinkAce IP
  3. Enter Login Credentials
  4. Get the 419 Page Expired error (CSRF Token mismatch)

Expected behavior

Working login into the bookmark page.

Logs

No response

Screenshots

 LinkAce Login error

LinkAce version

v1.15.0

Setup Method

Docker

Operating System

other (please specify in description)

Client details

Unraid 6.12.10, Browser Brave

Kovah commented 3 months ago

Please try to run php artisan config:clear and php artisan cache:clear in the LinkAce Docker container.

Also, did you modify any variables in the .env file besides database passwords?

rwario commented 3 months ago

Nope, the commands did not change anything, still showing the same mismatch error. I have not changed anything besides the needed database data in the .env file.

But I have found the following info in the MariaDB log:

An upgrade is required on your databases.
Stop any services that are accessing databases
in this container, and then run the command
mariadb-upgrade -u root -p PASSWORD

I will try to run this command and report back if this fixed the issue.

Update: The Database Upgrade did not change anything, still showing the same error.

Kovah commented 3 months ago

Could you please share more details about your setup:

imloic commented 3 months ago

I had the same problem myself. I solved the problem by editing the .env file in this way:

SESSION_SECURE_COOKIE=false

rwario commented 3 months ago

SESSION_SECURE_COOKIE=false

Thanks imloic! That did the trick, it's working again. Thanks to you too, Kovah!

ani-6 commented 3 months ago

I am facing the same issue with version v1.15.1. Using Firefox. I am able to see the CSRF token generated.

Kovah commented 3 months ago

@ani-6 have you tried the suggested fix?

ani-6 commented 3 months ago

Yup, it's working fine with SESSION_SECURE_COOKIE=false

BamButz commented 3 months ago

It seems that everything is working fine. Maybe it should be documented that if you access the app via HTTP (and not HTTPS) you have to set that environment variable.
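The HTTP/HTTPS dependency described in the comment above, as an added example that is not part of the original thread and not LinkAce or Laravel code: a toy server that keeps the CSRF token in the session, and a toy browser that handles the Secure cookie attribute the way browsers do. The names ToyApp, ToyBrowser, toy_session and login_status are hypothetical, and secure_cookie stands in for SESSION_SECURE_COOKIE.

```python
import secrets
from http.cookies import SimpleCookie

class ToyApp:
    """Constructed stand-in for a session-backed CSRF check (not LinkAce code)."""
    def __init__(self, secure_cookie):
        self.secure_cookie = secure_cookie   # plays the role of SESSION_SECURE_COOKIE
        self.sessions = {}                   # session id -> CSRF token

    def handle(self, method, cookie_header, form_token=""):
        morsel = SimpleCookie(cookie_header).get("toy_session")
        sid = morsel.value if morsel is not None else None
        if sid not in self.sessions:         # no (known) cookie: start a fresh session
            sid = secrets.token_hex(16)
            self.sessions[sid] = secrets.token_hex(16)
        set_cookie = f"toy_session={sid}; Path=/; HttpOnly"
        if self.secure_cookie:
            set_cookie += "; Secure"
        if method == "POST" and not secrets.compare_digest(form_token, self.sessions[sid]):
            return 419, set_cookie, None     # token belongs to a different session
        return 200, set_cookie, self.sessions[sid]

class ToyBrowser:
    """Keeps cookies the way a browser does with respect to the Secure attribute."""
    def __init__(self, scheme):
        self.scheme, self.jar = scheme, {}

    def store(self, set_cookie):
        for name, morsel in SimpleCookie(set_cookie).items():
            if morsel["secure"] and self.scheme != "https":
                continue                     # Secure cookie is unusable on plain HTTP
            self.jar[name] = morsel.value

    def cookie_header(self):
        return "; ".join(f"{k}={v}" for k, v in self.jar.items())

def login_status(scheme, secure_cookie):
    """GET the login form, then POST it back with the token the form carried."""
    app, browser = ToyApp(secure_cookie), ToyBrowser(scheme)
    _, set_cookie, token = app.handle("GET", browser.cookie_header())
    browser.store(set_cookie)
    status, _, _ = app.handle("POST", browser.cookie_header(), token)
    return status

if __name__ == "__main__":
    for scheme, flag in [("http", True), ("http", False), ("https", True)]:
        print(f"{scheme:5} Secure={flag!s:5} -> {login_status(scheme, flag)}")
```

Over plain HTTP with the Secure flag on, the POST arrives without the session cookie, so the server compares the form token against a brand-new session and answers 419. Over HTTPS the same flag causes no mismatch.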

Daivy03 commented 3 months ago

Same issue, resolved by adding the nginx config to my reverse proxy: https://www.linkace.org/docs/v1/setup/setup-with-docker/advanced-configuration/

Kovah commented 2 months ago

This should basically be fixed with the latest version 1.15.2. The latest change causing this issue was reverted.