Forbidden - CSRF token invalid

Sto · May 12, 2021, 11:56am

After installing the docker image and starting Corteza , then logging in, when I try to access any of the applications, ( Low Code, CRM Suite, etc ) I see an error message Forbidden - CSRF token invalid.

Any clues ?

darh · May 12, 2021, 2:53pm

Hi @Sto

What version are you using there?
Dod you change any settings (AUTH_*)?
Do you maybe have some kind of aggressive anti-cookie plugin in your browser?

cheers

Sto · May 12, 2021, 3:41pm

Hello there @darh , thank you for responding.

My docker image describes itself as corteza-server:2021.3

I changed no settings, just an initial install of docker, then corteza.

I’m running MS Edge, with no extensions at all.

darh · May 12, 2021, 3:43pm

How about if you use a different browser?
Does CSRF error show right away or after you do/click something?

Sto · May 12, 2021, 4:01pm

Sadly, same response with Google Chrome.

It appears after clicking on an app, such as Low Code, and then entering my login credentials when prompted.

URL is: http://localhost:18080/?state=gkb2v2yqfsb

darh · May 13, 2021, 4:52am

URL is: http://localhost:18080/?state=gkb2v2yqfsb

Unfortunately, this is your private system and I can not access it.

Can you open your developer’s console in Chrome and go to network tab.
Seek GET request for login page (not css, javascript, image, but the one with the login form).
Click on the request and copy the entire line with set-cookie header here.

Thank you

Flogerbe · May 14, 2021, 3:57pm

Hello, I encountered the same problem during my installation: here is the screenshot attached with the console.

Sto · May 15, 2021, 12:22am

As far as I can tell it seems to be a problem with the same site cookie property:

Because a cookie’s SameSite attribute was not set or is invalid, it defaults to SameSite=Lax , which prevents the cookie from being set in a cross-site context. This behavior protects user data from accidentally leaking to third parties and cross-site request forgery.

CFC · May 24, 2021, 6:45am

I experienced the same. But as soon you go to your profile and back to open a tab new, then it will work.

Sto · May 24, 2021, 10:45am

That’s good to hear, going to my profile and returning to open a new tab doesn’t seem to solve the problem for me though

matthew · June 9, 2021, 10:24am

Having the same issue here.

I create an account and log in but on clicking any of the modules;

matthew · June 9, 2021, 10:52am

You need to select the top right icon in the module to open a new window to the module.

tjerman · June 9, 2021, 3:41pm

I was now also able to run into this locally while spinning up a 2021.3.6 container.
It went away after refreshing the page, so please use this workaround until we resolve it.

bigtimepie · June 10, 2021, 1:40pm

I have also run into this sometimes when loading a corteza application in an iframe on another domain.

Some combination of refreshing the page and logging in/out on another browser tab seems to resolve it.

niels.aertsnv · August 18, 2021, 8:14am

Has this issue ever been resolved?

I have the exact same problem and I have absolutely no clue how to fix it

Just refreshing the page won’t seem to do it for me.

thanh051083 · September 21, 2021, 4:19pm

It worked for me too, thank you

alscheuring · September 28, 2021, 12:44pm

Try this url instead of 127.0.0.1

http://local.cortezaproject.org:18080/

Zapp · April 5, 2022, 4:28am

Try to comment out line “LETSENCRYPT_HOST: ${DOMAIN}” in docker-compose.yaml of corteza server. Then access server using http, not https.