CSRF Token invalid

  • Used Zammad version: 3.2.x (can't log in, so I looked in the VERSION file)
  • Used Zammad installation source: package
  • Operating system: Ubuntu 16.04 (latest)
  • Browser + version: FF and Chrome

Expected behavior:

Login to Zammad

Actual behavior:


I, [2020-01-07T15:26:11.795163 #922-47258254810500]  INFO -- : Processing by SessionsController#create as JSON
I, [2020-01-07T15:26:11.795239 #922-47258254810500]  INFO -- :   Parameters: {"username"=>"XXXXXXX, "password"=>"[FILTERED]", "fingerprint"=>"-2082337767"}
I, [2020-01-07T15:26:11.799663 #922-47258254810500]  INFO -- : CSRF token verification failed
I, [2020-01-07T15:26:11.800279 #922-47258254810500]  INFO -- : Completed 401 Unauthorized in 5ms (Views: 0.2ms | ActiveRecord: 1.5ms)

# this is the apache config for zammad

<VirtualHost *:80>
    # replace 'localhost' with your fqdn if you want to use zammad from remote
    ServerName XXXXXX

    ## don't lose time with IP address lookups
    HostnameLookups Off

    ## needed for named virtual hosts
    UseCanonicalName Off

    ## configures the footer on server-generated documents
    ServerSignature Off

    ProxyRequests Off
    ProxyPreserveHost On

    <Proxy localhost:3000>
        Require local
    </Proxy>

    RequestHeader set X-Forwarded-Proto https
    RequestHeader set X-Forwarded-Ssl on

    ProxyPass /assets !
    ProxyPass /favicon.ico !
    ProxyPass /robots.txt !
    ProxyPass /ws ws://localhost:6042/
    ProxyPass / http://localhost:3000/

    DocumentRoot "/opt/zammad/public"

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory "/opt/zammad/public">
        Options FollowSymLinks
        Require all granted
    </Directory>
</VirtualHost>


Steps to reproduce the behavior:

Log in to Zammad with different users on different PCs.
Also added the lines to Apache from: Fresh install 3.2.x: CSRF token verification failed

RequestHeader set X-Forwarded-Proto https
RequestHeader set X-Forwarded-Ssl on

needs to go into default-ssl.conf and not into zammad.conf

works again
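Why those two headers decide whether the login succeeds, as an added example (not from this thread and not Zammad's code): a Python model of how a Rack/Rails backend behind a TLS-terminating Apache derives the request scheme from X-Forwarded-Proto / X-Forwarded-Ssl, and how a Rails-style origin check then compares the browser's Origin with the app's own base URL. The header precedence follows Rack's Request#scheme as I understand it (an assumption), and the host name and request headers are constructed.

```python
# Added example: models the scheme derivation and same-origin check of a Rack/Rails
# backend that sits behind the Apache reverse proxy shown in the thread. Header
# precedence mirrors Rack::Request#scheme (assumption); hosts/requests are constructed.

def forwarded_scheme(headers):
    """Scheme the app believes it was reached over, based only on proxy headers."""
    if headers.get("X-Forwarded-Ssl") == "on":
        return "https"
    if "X-Forwarded-Scheme" in headers:
        return headers["X-Forwarded-Scheme"]
    if "X-Forwarded-Proto" in headers:
        # Only the first value counts if several proxies appended to the list.
        return headers["X-Forwarded-Proto"].split(",")[0].strip()
    return "http"  # upstream hop is plain HTTP (ProxyPass / http://localhost:3000/)


def base_url(headers):
    # ProxyPreserveHost On keeps the browser's Host header, so only the scheme can drift.
    return f"{forwarded_scheme(headers)}://{headers['Host']}"


def origin_check_passes(headers):
    """Rails-style forgery-protection origin check: Origin, when sent, must equal base_url."""
    origin = headers.get("Origin")
    return origin is None or origin == base_url(headers)


# Constructed login POSTs as the backend sees them after the proxy.
# 1) RequestHeader lines only in the port-80 vhost: the HTTPS request arrives without them.
LOGIN_WITHOUT_FORWARDED_HEADERS = {
    "Host": "zammad.example",
    "Origin": "https://zammad.example",
}
# 2) RequestHeader lines in the SSL vhost (default-ssl.conf), as the fix above does.
LOGIN_WITH_FORWARDED_HEADERS = {
    "Host": "zammad.example",
    "Origin": "https://zammad.example",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Ssl": "on",
}

if __name__ == "__main__":
    for name, req in (("without headers", LOGIN_WITHOUT_FORWARDED_HEADERS),
                      ("with headers", LOGIN_WITH_FORWARDED_HEADERS)):
        verdict = "ok" if origin_check_passes(req) else "CSRF token verification failed"
        print(f"{name}: base_url={base_url(req)} origin={req['Origin']} -> {verdict}")
```

The first request reproduces the 401 in the log above (the app computes http:// while the browser sent https://); the second passes, which is why the headers must live in the vhost that actually terminates TLS.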
