CSRF token verification failed trying to login

Infos:

  • Used Zammad version: 6.4.0-1732617118.25f54743.bookworm
  • Used Zammad installation type: (source, package, docker-compose, …) package
  • Operating system: Debian 12
  • Browser + version: Any browser or version

Expected behavior:

Login

Actual behavior:

Trying to log in with any account, admin or user, results in a “CSRF token verification failed!” error.

Steps to reproduce the behavior:

New install, went through initial setup, created another admin account that is also an agent, logged out and was unable to log back in. Did a reset of Zammad and went through initial setup again, but got the same result.
Zammad is set up with the LetsEncrypt SSL setup, HTTP redirects to HTTPS, and I’ve made the config change “RequestHeader set X-FORWARDED-PROTO 'https'” and Ssl on.

EDIT: I can go through the process of resetting Zammad back to a clean install, go back through the initial setup and even create my admin account. As soon as I log out, I get the CSRF error when I try to log back in.

Exactly my problem, too.

Does the login work after reloading the page after you had the CSRF error?

In my case:

Reloading, Private Mode, using Firefox:
No, it doesn’t.

See here:

Then it is not the same problem as I had. I solved mine by fixing the reverse proxy (Caddy).

Could you elaborate on this, maybe provide a link?

Likewise. Reloading or using private mode in Firefox, Chrome or Edge still results in CSRF token verification failed.

I don’t have access to our productive instance right now, but it is something like this:
https://tilseiffert.de/posts/2407-zammad-behind-caddy-reverse-proxy/

I did set this up as a VM in Microsoft Azure. I am wondering if MS365 has their own proxy in place that I’m unaware of.

MS Azure does include a firewall by default, but I’ve already opened ports 80 and 443 as part of the initial setup. No proxy, though.

Does anyone know how to fix this issue? Nothing has worked so far.

I found the following and it got my Zammad install working:

Solution 1 is to rename /etc/apache2/sites-available/zammad-le-ssl.conf to something other than a .conf file. I changed it to .bak and restarted Zammad and now I can log in.

I hope this helps anyone else that might be having this issue.
