I just cloned the VM and did 2 upgrades and downgrades in a row.
3.2 throws a “CSRF token verification failed” while trying to log on. 3.1 does not. Nothing else changed during the upgrade.
One of my two systems struck me with this error as well.
Both systems are apache based, I added the following two lines to my vHost configuration of Zammad:
RequestHeader set X_FORWARDED_PROTO 'https'
RequestHeader set X-Forwarded-Ssl on
Followed by a2enmod headers
and systemctl restart apache2
and that did it. Also, I wanted to share with the community the nginx config from the Plesk host (which is used only to forward the hostname/subdomain to the internal/NAT IP)—maybe it’ll be of some help to someone else…
Thanks so much @MrGeneration !
That worked for me… added the lines and restarted apache… works. I can log in again.
Have to forward that hint to a colleague who also runs a Zammad installation.
Edit/PS: This morning another stable update was available.
New version: 3.2.0-1575387475…, Version from yesterday: 3.2.0-1575357814
I installed it, because I thought there would be a quick fix for that issue from yesterday… but there was no change and it still didn’t work… but your solution worked after that…
If the above solutions don’t work for you, please open your own thread and completely fill in the template so that we know what you’re exactly running.
Hey there, we heard you. We’re currently investigating the issue and looking for a sustainable solution without you needing to manually change your config. To share some insights: Zammad uses the secure flag for cookies when HTTPS connections are present since version 3.2. Somehow the information that it’s a secure HTTPS connection is lost down the road, and Zammad/Rails therefore stops accepting the cookie.
We currently can’t reproduce this in our hosted setup. Do you mind sharing some insights on your setup? What we need exactly is the information where HTTPS gets terminated in your setup: Is it done by NGINX? Other than that: A complete non-working config (with the confidential information redacted) would be helpful as well. Thanks in advance!
EDIT: By SSL termination I mean whether there is some other server/service in front of the Zammad NGINX, like a load balancer, proxy, an application firewall etc.
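The failure described in the post above, as an added Ruby example that is not part of the thread and not Zammad's or Rails' own code. It is a toy model that assumes a backend which only issues its secure-flagged session cookie when the forwarded headers say the original request was HTTPS; `ToyBackend`, `rack_env` and `simulate_login` are hypothetical names.

```ruby
require 'securerandom'

# Header name as sent by the proxy -> CGI-style key a Rack server exposes.
# "X_FORWARDED_PROTO" and "X-Forwarded-Proto" end up under the same key.
def rack_key(header)
  "HTTP_#{header.upcase.tr('-', '_')}"
end

# Constructed request environment: the proxy -> backend hop is plain HTTP.
def rack_env(proxy_headers, cookies = {})
  env = { 'rack.url_scheme' => 'http', 'cookies' => cookies }
  proxy_headers.each { |name, value| env[rack_key(name)] = value }
  env
end

# Simplified scheme detection (assumption, modelled on common Rack behaviour).
def backend_sees_https?(env)
  proto = env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip.downcase
  env['HTTP_X_FORWARDED_SSL'] == 'on' || proto == 'https' || env['rack.url_scheme'] == 'https'
end

# Toy backend: CSRF token lives in a server-side session keyed by a Secure cookie.
class ToyBackend
  def initialize
    @sessions = {}
  end

  # GET login page: returns [token embedded in the form, cookie or nil].
  def login_form(env)
    sid = SecureRandom.hex(8)
    @sessions[sid] = SecureRandom.hex(16)
    # The Secure cookie is not issued when the request does not look like HTTPS.
    [@sessions[sid], backend_sees_https?(env) ? { 'sid' => sid } : nil]
  end

  # POST login: the form token must match the one stored in the session.
  def login_post(env, form_token)
    expected = @sessions[env['cookies']['sid']]
    expected && expected == form_token ? :logged_in : :csrf_token_verification_failed
  end
end

# Runs the form fetch and the login POST through the same proxy headers.
def simulate_login(proxy_headers)
  app = ToyBackend.new
  token, cookie = app.login_form(rack_env(proxy_headers))
  app.login_post(rack_env(proxy_headers, cookie || {}), token)
end
```

Calling `simulate_login({})` models a proxy that terminates TLS but forwards no scheme information; passing the two headers from the Apache fix earlier in the thread models the corrected vHost.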
We’ve had the same problem with one user. The user started initially with an http URL. After changing it to https it worked without changing the Nginx configuration. Tested with Firefox and Chrome.