Invalid CSRF on every login since version 4.1.0-1632381317.7e76a535.focal

Infos:

  • Used Zammad version: zammad amd64 4.1.0-1632381317.7e76a535.focal
  • Installation method (source, package, …): package
  • Operating system: Ubuntu focal
  • Browser + version: up-to-date Chrome, Firefox and Edge

Hello,

I set up a fresh system yesterday and everything was working fine. (Version 4.1.0-1632293252.c9a3fc0d.focal)
Today I updated Zammad via apt upgrade to version 4.1.0-1632381317.7e76a535.focal and now on every login I get:

CSRF token verification failed!

Logs:

I, [2021-09-23T09:48:58.461239 #822-47072168363520]  INFO -- : Started POST "/api/v1/signin" for 192.168.111.107 at 2021-09-23 09:48:58 +0000
I, [2021-09-23T09:48:58.469611 #822-47072168363520]  INFO -- : Processing by SessionsController#create as JSON
I, [2021-09-23T09:48:58.469702 #822-47072168363520]  INFO -- :   Parameters: {"username"=>"my@mail-address.de", "password"=>"[FILTERED]", "fingerprint"=>"-544793918"}
I, [2021-09-23T09:48:58.470170 #822-47072168363520]  INFO -- : CSRF token verification failed
I, [2021-09-23T09:48:58.470269 #822-47072168363520]  INFO -- : CSRF token verification failed! (Exceptions::NotAuthorized)
/opt/zammad/app/controllers/application_controller/prevents_csrf.rb:35:in `verify_csrf_token'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:426:in `block in make_lambda'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:179:in `block (2 levels) in halting_and_conditional'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/abstract_controller/callbacks.rb:34:in `block (2 levels) in <module:Callbacks>'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:180:in `block in halting_and_conditional'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:513:in `block in invoke_before'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:513:in `each'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:513:in `invoke_before'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:107:in `block in run_callbacks'
/opt/zammad/app/controllers/application_controller/handles_transitions.rb:14:in `handle_transaction'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:118:in `block in run_callbacks'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:136:in `run_callbacks'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/abstract_controller/callbacks.rb:41:in `process_action'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal/rescue.rb:22:in `process_action'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal/instrumentation.rb:34:in `block in process_action'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/notifications.rb:168:in `block in instrument'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/notifications/instrumenter.rb:23:in `instrument'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/notifications.rb:168:in `instrument'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal/instrumentation.rb:32:in `process_action'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal/params_wrapper.rb:256:in `process_action'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.4.6/lib/active_record/railties/controller_runtime.rb:24:in `process_action'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/abstract_controller/base.rb:134:in `process'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionview-5.2.4.6/lib/action_view/rendering.rb:32:in `process'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal.rb:191:in `dispatch'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal.rb:252:in `dispatch'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/routing/route_set.rb:52:in `dispatch'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/routing/route_set.rb:34:in `serve'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/journey/router.rb:52:in `block in serve'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/journey/router.rb:35:in `each'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/journey/router.rb:35:in `serve'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/routing/route_set.rb:840:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:420:in `call_app!'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-saml-1.10.1/lib/omniauth/strategies/saml.rb:89:in `other_phase'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:190:in `call!'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/builder.rb:45:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/tempfile_reaper.rb:15:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/etag.rb:27:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/conditional_get.rb:40:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/head.rb:12:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/http/content_security_policy.rb:18:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:266:in `context'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:260:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/cookies.rb:670:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:98:in `run_callbacks'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/callbacks.rb:26:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/debug_exceptions.rb:61:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.6/lib/rails/rack/logger.rb:38:in `call_app'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.6/lib/rails/rack/logger.rb:26:in `block in call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/tagged_logging.rb:71:in `block in tagged'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/tagged_logging.rb:28:in `tagged'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/tagged_logging.rb:71:in `tagged'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.6/lib/rails/rack/logger.rb:26:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/request_id.rb:27:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/method_override.rb:24:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/runtime.rb:22:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/executor.rb:14:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/static.rb:127:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/sendfile.rb:110:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.6/lib/rails/engine.rb:524:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/puma-4.3.8/lib/puma/configuration.rb:228:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/puma-4.3.8/lib/puma/server.rb:718:in `handle_request'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/puma-4.3.8/lib/puma/server.rb:472:in `process_client'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/puma-4.3.8/lib/puma/server.rb:328:in `block in run'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/puma-4.3.8/lib/puma/thread_pool.rb:134:in `block in spawn_thread'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/logging-2.2.2/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'
I, [2021-09-23T09:48:58.470940 #822-47072168363520]  INFO -- : Completed 401 Unauthorized in 1ms (Views: 0.2ms | ActiveRecord: 0.0ms)
I, [2021-09-23T09:49:02.946498 #826-46915606845560]  INFO -- : execute Channel.fetch (try_count 0)...
I, [2021-09-23T09:49:02.947371 #826-46915606845560]  INFO -- : ended Channel.fetch took: 0.007182914 seconds.

Switched from https to http in System Base Settings and restarted Zammad. Now it's working again O_o


Hello dna, do you know where in the config files is the “https to http” setting?

I can’t login with the admin user in order to change in the website config area… only by SSH.

Thanks in advance,

Luis M. Prous

You're looking for zammad run rails r "Setting.set('http_type', 'https')", assuming you're using a package installation. As we know nothing about your installation or where you're coming from, please note that your reasons may differ from those in this thread.
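The check that raised in the trace above, and one way a wrong http_type setting can make it fail on every login, as an added example in Ruby (this is not Zammad's code; class and method names are made up for the example). It assumes two things that the thread does not state: that the login check compares the X-CSRF-Token header with the token stored in the server-side session, and that the session cookie carries the Secure flag whenever http_type is https, so a browser that reaches the application over plain http never sends the cookie back and the POST to the signin endpoint arrives without a session or token.

```ruby
# Added example, not Zammad's own code. Models a header-vs-session CSRF check
# and a browser cookie jar that honours the Secure flag, to show why a
# scheme/http_type mismatch turns into "CSRF token verification failed!".
require 'securerandom'

class CsrfError < StandardError; end

# Constant-time string comparison so token checks do not leak via timing.
def secure_compare(a, b)
  return false unless a && b && a.bytesize == b.bytesize

  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Server side: sessions are looked up by a session-id cookie.
class Server
  attr_reader :http_type

  def initialize(http_type:)
    @http_type = http_type # 'http' or 'https', like the http_type setting
    @sessions  = {}        # session_id => { csrf_token: '...' }
  end

  # Cookie attributes sent with the session id (assumption: Secure follows
  # http_type, so an https-configured server only issues Secure cookies).
  def session_cookie_attrs
    { secure: @http_type == 'https' }
  end

  # Loading the login page: create a session and hand out a CSRF token.
  def new_session
    sid   = SecureRandom.hex(16)
    token = SecureRandom.hex(32)
    @sessions[sid] = { csrf_token: token }
    [sid, token]
  end

  # Signin equivalent: the header token must match the session's token.
  # One failure message for every branch, so the response does not reveal
  # whether the session or the token was the problem.
  def signin(session_id:, header_token:)
    session = @sessions[session_id]
    raise CsrfError, 'CSRF token verification failed!' if session.nil?
    raise CsrfError, 'CSRF token verification failed!' unless secure_compare(header_token, session[:csrf_token])

    :logged_in
  end
end

# Browser side: a cookie jar that only sends Secure cookies over https.
class CookieJar
  def initialize
    @cookies = {}
  end

  def set(name, value, secure:)
    @cookies[name] = { value: value, secure: secure }
  end

  def for_scheme(scheme)
    @cookies.select { |_, c| scheme == 'https' || !c[:secure] }
            .transform_values { |c| c[:value] }
  end
end

# One complete login attempt over the given scheme. Returns :logged_in or the
# error message the client would see.
def attempt_login(server, scheme)
  jar = CookieJar.new
  sid, token = server.new_session
  jar.set('_session', sid, **server.session_cookie_attrs)
  sent = jar.for_scheme(scheme)          # Secure cookie is dropped on http
  server.signin(session_id: sent['_session'], header_token: token)
rescue CsrfError => e
  e.message
end

if $PROGRAM_NAME == __FILE__
  puts attempt_login(Server.new(http_type: 'https'), 'http')  # fails
  puts attempt_login(Server.new(http_type: 'https'), 'https') # :logged_in
end
```

The practical check this suggests: before flipping http_type, confirm that the scheme the browser actually uses (the one in front of any reverse proxy) is the one you are about to configure, and keep an SSH path to run the Setting.set command from the thread in case the web login locks you out.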

Thank you very much… I changed the http to https in the web interface in order to secure the access but after the change the login page began to show the “Invalid CSRF…” message and nobody could login…
It’s fixed but now when someone asks for a password reset, the URL generated is http and not https.

The http:// redirects to https://example.com by default

Hey bro, how did you change http to https if you can't log in? I have the problem because I changed this, and now I can't log in :frowning:

Did you try?

I mean… the information you’re looking for is exactly 2 posts above yours…

Yeah MrGeneration, I saw that post and I could solve the problem. Really, thank you MrGeneration for your work on this website.
