Forbidden - CSRF token invalid

After installing the docker image and starting Corteza , then logging in, when I try to access any of the applications, ( Low Code, CRM Suite, etc ) I see an error message Forbidden - CSRF token invalid.

Any clues ?

Hi @Sto

What version are you using there?
Dod you change any settings (AUTH_*)?
Do you maybe have some kind of aggressive anti-cookie plugin in your browser?


Hello there @darh , thank you for responding.

My docker image describes itself as corteza-server:2021.3

I changed no settings, just an initial install of docker, then corteza.

I’m running MS Edge, with no extensions at all.

How about if you use a different browser?
Does CSRF error show right away or after you do/click something?

Sadly, same response with Google Chrome.

It appears after clicking on an app, such as Low Code, and then entering my login credentials when prompted.

URL is: http://localhost:18080/?state=gkb2v2yqfsb

URL is: http://localhost:18080/?state=gkb2v2yqfsb

Unfortunately, this is your private system and I can not access it.

Can you open your developer’s console in Chrome and go to network tab.
Seek GET request for login page (not css, javascript, image, but the one with the login form).
Click on the request and copy the entire line with set-cookie header here.

Thank you

Hello, I encountered the same problem during my installation: here is the screenshot attached with the console.

As far as I can tell it seems to be a problem with the same site cookie property:

Because a cookie’s SameSite attribute was not set or is invalid, it defaults to SameSite=Lax , which prevents the cookie from being set in a cross-site context. This behavior protects user data from accidentally leaking to third parties and cross-site request forgery.

I experienced the same. But as soon you go to your profile and back to open a tab new, then it will work.

1 Like

That’s good to hear, going to my profile and returning to open a new tab doesn’t seem to solve the problem for me though :frowning:

Having the same issue here.

I create an account and log in but on clicking any of the modules;


You need to select the top right icon in the module to open a new window to the module.

I was now also able to run into this locally while spinning up a 2021.3.6 container.
It went away after refreshing the page, so please use this workaround until we resolve it.

I have also run into this sometimes when loading a corteza application in an iframe on another domain.

Some combination of refreshing the page and logging in/out on another browser tab seems to resolve it.

Has this issue ever been resolved?

I have the exact same problem and I have absolutely no clue how to fix it :frowning:

Just refreshing the page won’t seem to do it for me.

It worked for me too, thank you

Try this url instead of

Try to comment out line “LETSENCRYPT_HOST: ${DOMAIN}” in docker-compose.yaml of corteza server. Then access server using http, not https.