Fresh install 3.2.x: CSRF token verification failed

On a fresh install of Zammad 3.2.x (source installation on Ubuntu 18.04 LTS) I get

“CSRF token verification failed!”

on all logins after the initial configuration step (initial setup of an admin user was successful). I cannot find any documentation/FAQ with info on this, and the logfile is also not very informative.

Any ideas how to debug?
Thx, Thommie

Note beforehand: Zammad 3.2 is the development state of Zammad and thus for testing only.
Supporting this is very limited.

Please also provide the browser used.
Did you try reloading the page and simply trying again?

Did all migrations run through cleanly?

Oh, sorry, I thought this is a productive version. The VERSION and CHANGELOG files did not contain infos about the dev status :wink:

Browser is latest Firefox, but the same issue appears with Chromium/Chrome, also after refresh and bypassing browser cache.

As this is an empty installation right now, what would be best: reinstall a stable version or continue with 3.2 and debug it? If it is more or less “alpha” I would prefer an older version, but if it's more “beta” or close to release we can do some debugging on it …

Bye, Thommie

Honestly, I’d prefer a stable instance on your end without any betaing ;D

However, I do run 3.2 instances which are working without any trouble, so if you’re using any specific addons, those might be at fault as well. Also ensure that your migrations are fine (rake db:migrate).

Same problem here. Now 3.2 is a stable release:
I did an upgrade from 3.1 CentOS Linux release 7.7.1908 (Core)

  • LDAP user sync. no special addons

After yum upgrade to zammad 3.2:
Name : zammad
Architektur : x86_64
Version : 3.2.0
Ausgabe : 1575357814.e0ff35cb.centos7
Größe : 655 M
Quelle : installed

I cannot login anymore. No agent and also local zammadadmin user. Same response:

I, [2019-12-03T14:40:06.502395 #25840-47147295467000] INFO – : Scheduler started.
I, [2019-12-03T14:40:06.513684 #25840-47147295467000] INFO – : Cleanup of left over locked delayed jobs 2019-12-03 13:40:06 UTC started.
I, [2019-12-03T14:40:06.518793 #25840-47147295467000] INFO – : Cleanup of left over locked delayed jobs 2019-12-03 13:40:06 UTC finished.
I, [2019-12-03T14:40:06.518834 #25840-47147295467000] INFO – : Cleanup of left over import jobs 2019-12-03 13:40:06 UTC started.
I, [2019-12-03T14:40:06.528833 #25840-47147295467000] INFO – : Cleanup of left over import jobs 2019-12-03 13:40:06 UTC finished.
I, [2019-12-03T14:40:06.528952 #25840-47147295467000] INFO – : Scheduler running…
I, [2019-12-03T14:40:06.548211 #25840-47147349406500] INFO – : execute Channel.fetch (try_count 0)…
I, [2019-12-03T14:40:06.550661 #25840-47147349406500] INFO – : fetching pop3 ( port=995,ssl=true)
I, [2019-12-03T14:40:06.706351 #25843-47443369821680] INFO – : Setting.set(‘models_searchable’, [“Chat::Session”, “User”, “Organization”, “Ticket”, “KnowledgeBase::Answer::Translation”])
I, [2019-12-03T14:40:07.311882 #25838-47295364613620] INFO – : Setting.set(‘models_searchable’, [“Chat::Session”, “User”, “Organization”, “Ticket”, “KnowledgeBase::Answer::Translation”])
I, [2019-12-03T14:40:10.554218 #25840-47147350265320] INFO – : Starting worker thread Delayed::Backend::ActiveRecord::Job
I, [2019-12-03T14:40:11.695242 #25840-47147349406500] INFO – : - no message
I, [2019-12-03T14:40:11.695458 #25840-47147349406500] INFO – : done
I, [2019-12-03T14:40:11.720314 #25840-47147349406500] INFO – : fetching pop3 ( port=995,ssl=true)
I, [2019-12-03T14:40:11.856433 #25840-47147349406500] INFO – : - no message
I, [2019-12-03T14:40:11.856575 #25840-47147349406500] INFO – : done
I, [2019-12-03T14:40:11.879031 #25840-47147349406500] INFO – : ended Channel.fetch took: 5.343160165 seconds.
I, [2019-12-03T14:40:12.132327 #25843-47443387556740] INFO – : Started POST “/api/v1/message_send” for at 2019-12-03 14:40:12 +0100
I, [2019-12-03T14:40:12.163808 #25843-47443387556740] INFO – : Processing by LongPollingController#message_send as JSON
I, [2019-12-03T14:40:12.163884 #25843-47443387556740] INFO – : Parameters: {“data”=>{“event”=>“login”}}
I, [2019-12-03T14:40:12.164378 #25843-47443387556740] INFO – : CSRF token verification failed

Also checked: rake db:migrate.

I can log in successfully if I use a separate proxy/firewall and no direct connection to the Zammad server.

I got the same problem here. Did you find a way to log in?
I’m close to panic right now :slight_smile:

Same problem here on debian after update to 3.2.
My Zammad is behind an apache reverse proxy which does ssl handling.
Quickfix: I downgraded back to 3.1

The relevant parts I have in my apache2 zammad.conf:

ProxyRequests Off
ProxyPreserveHost On
ProxyPass /ws ws://localhost:6042/
ProxyPass / http://localhost:3001/
<Proxy localhost:3001>
    Require local
</Proxy>

Did I miss something for the update?

Hello astrastudio
Please don’t laugh because I ask this, but how can I downgrade back to 3.1?
Is it possible to install back to 3.1 with Debian?
I’m also running Zammad on Debian with Apache server and postgreSQL database.

Thanks a lot in advance!

You can use:

apt-cache showpkg zammad

to see all available package versions.
Then use the most recent 3.1 version available and complete the command with the version in it:

apt-get install zammad=3.1.0-complete-version-string-here

Good luck!

I wouldn’t suggest downgrading, because the database schemes might no longer be fitting. So it’s a bit… well… risky. :smiley:

Safest way to downgrade is always having a snapshot / backup.

Anyway, I can’t reproduce this issue.
Please try cleaning your cache and reloading the login page.

If the issue persists, run /opt/zammad/contrib/ just for safety.
Again, reload the WebApp.

If it still does not work, let me know. This normally should fix it, if it appears.

Cleared the complete browser cache, did run script again.
The problem persists. Back on 3.1 again.

How did CSRF validation change from 3.1 to 3.2?

As far as I’m aware it didn’t.
This issue appears from time to time after an upgrade, however, above described steps always fixed it (normally ^^")

I just cloned the VM and did 2 upgrades and downgrades in a row.
3.2 throws a “CSRF token verification failed” while trying to logon. 3.1 does not. Everything else did not change during the upgrade.

Ditto. We’re using nginx as proxy on Plesk (current version).

One of my two systems struck me with this error as well.
Both systems are apache based, I added the following two lines to my vHost configuration of Zammad:

RequestHeader set X_FORWARDED_PROTO 'https' 
RequestHeader set X-Forwarded-Ssl on

Followed by
a2enmod headers
systemctl restart apache2

This post helped me here:

Friendly reload of the WebApp and try again.
Can’t speak for the nginx users right now :frowning:


I also ran an update on Ubuntu from 3.1 to 3.2 and experienced the same issue.
With nginx adding

        proxy_set_header X-Forwarded-Proto https;

in the location / worked out for me.


Thank you very much—that worked for me as well.

I have changed

proxy_set_header X-Forwarded-Proto $scheme;

to

proxy_set_header X-Forwarded-Proto https;

and that did it. Also, I wanted to share with the community the nginx config from the Plesk host (which is used only to forward the hostname/subdomain to the internal/NAT ip)—maybe it’ll be of any help for someone else…

location ~ ^/(?!(.well-known)) {
	proxy_pass http://<ip>:80;
	proxy_set_header Host $http_host;
	proxy_set_header CLIENT_IP $remote_addr;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}


I have the same problem on my CentOS 7 + NGINX after update from 3.1 to 3.2.
CSRF token verification failed.

Please have a look at the above comments from other users with nginx. :slight_smile:
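
Added example, not part of any post in this thread and not Zammad's code: a simplified Ruby model of how a Rack/Rails-style backend derives the request scheme from proxy headers and compares it with the browser's Origin, which would explain why the header fixes above work. That Zammad 3.2 fails for this reason is an assumption the thread does not confirm; the hostname and helper names are constructed.

```ruby
# Simplified model of scheme detection behind a TLS-terminating proxy.
# Keys are Rack env names (X-Forwarded-Proto -> HTTP_X_FORWARDED_PROTO).
# Ports are ignored to keep the comparison readable.

# Scheme the backend believes the browser used.
def effective_scheme(env)
  return 'https' if env['HTTPS'] == 'on'
  return 'https' if env['HTTP_X_FORWARDED_SSL'] == 'on'

  forwarded = env['HTTP_X_FORWARDED_SCHEME'] || env['HTTP_X_FORWARDED_PROTO']
  first = forwarded.to_s.split(',').first.to_s.strip.downcase
  return first unless first.empty?

  env.fetch('rack.url_scheme', 'http')
end

def base_url(env)
  "#{effective_scheme(env)}://#{env['HTTP_HOST']}"
end

# Origin check: a missing Origin is accepted, otherwise it must equal base_url.
def origin_matches?(env)
  origin = env['HTTP_ORIGIN']
  origin.nil? || origin == base_url(env)
end

# Constructed request as the backend sees it: the proxy spoke plain HTTP to
# the app, while the browser was on https://helpdesk.example.com.
def backend_env(extra = {})
  { 'rack.url_scheme' => 'http',
    'HTTP_HOST' => 'helpdesk.example.com',
    'HTTP_ORIGIN' => 'https://helpdesk.example.com' }.merge(extra)
end

CASES = {
  'no forwarded header'               => backend_env,
  # $scheme expands to "http" on a proxy that itself received plain HTTP
  'X-Forwarded-Proto $scheme (2nd hop)' => backend_env('HTTP_X_FORWARDED_PROTO' => 'http'),
  'X-Forwarded-Proto https'           => backend_env('HTTP_X_FORWARDED_PROTO' => 'https'),
  'X-Forwarded-Ssl on'                => backend_env('HTTP_X_FORWARDED_SSL' => 'on')
}.freeze

# Returns [case name, derived base URL, origin check result] per case.
def report
  CASES.map { |name, env| [name, base_url(env), origin_matches?(env)] }
end

report.each { |name, url, ok| puts format('%-38s %-32s %s', name, url, ok ? 'pass' : 'FAIL') }
```

The second case models the Plesk setup described above, where a front proxy terminates TLS and an inner nginx receives plain HTTP, so `$scheme` on the inner hop is `http`.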