apxltd / what-bugs

What bugs?

Invalid CSRF token, unable to log in #138

Closed LB-- closed 8 years ago

LB-- commented 8 years ago

On my Windows 10 computer I use Google Chrome Version 50.0.2661.102 m (64-bit) without issues. I also just updated it to Version 51.0.2704.84 m (64-bit) and the forums still work. Can log out and back in again with no issues.

On my Chromebook running Version 50.0.2661.1.103 (64-bit) I am unable to login to the forum at all. I'm using the same extensions and settings on both machines, to the best of my knowledge. (Though I remember a while back I had to disable experimental javascript on the Chromebook, but not the Win10, in order for the forum JavaScript to work).

When I navigate to the login page, a toaster in the bottom right informs me of an "invalid-session". When I try to login with username and password, I get redirected to the login url with ?error=csrf-invalid at the end, and a message saying "We were unable to log you in, likely due to an expired session. Please try again". In the JavaScript console I only see errors from the emoji plugin and the shortcuts plugin complaining about the invalid session.

When I log in via GitHub, I get taken back to the main forums still logged out, no error message in sight. Still only plugin error messages complaining about the invalid session.

LB-- commented 8 years ago

See also: https://what.thedailywtf.com/topic/20138/unable-to-login-csrf-invalid

BenLubar commented 8 years ago

You have cookies disabled in your browser.

LB-- commented 8 years ago

> You have cookies disabled in your browser.

Not to my knowledge. I can log in and stay logged in to other sites, and in the settings cookies are explicitly enabled with no exceptions.

BenLubar commented 8 years ago

Ok, for anyone coming here in the future, you need to add an X-Forwarded-Proto header to nginx's reverse proxy.

https://github.com/NodeBB/NodeBB/commit/08cdfd2d601bbc77028ae634fb53fd2e7b8e0b70 https://github.com/expressjs/session/issues/165#issuecomment-108749788

LB-- commented 8 years ago

> Ok, I added X-Forwarded-Proto as per expressjs/session#165. I can log in now when I test. Can you?

Yes, and after I logged in I got redirected to an invalid URL:
https://what.thedailywtf.com/login,https://what.thedailywtf.com/login?loggedin

Can't reproduce. Probably a fluke.

EDIT: Reproduced and moved to https://github.com/NodeBB/NodeBB/issues/4727