User Login - CSRF token verification failed! ('RequestHeader' fix does not work)

peterdalydickson · February 5, 2020, 6:13am

Infos:

Used Zammad version: Version 3.2.x (3.2.0-1580110414.992e734c.bionic)
Used Zammad installation source: DEB
Operating system: Ubuntu 18.04.4 LTS
Browser + version: Firefox 72.0.2; Brave 1.2.43 Chromium: 79.0.3945.130
DNS is hosted on Cloudflare; traffic is not proxied; SSL/TLS encryption mode is Full (strict) Encrypts end-to-end, but requires a trusted CA or Cloudflare Origin CA certificate on the server; Always Use HTTPS is off
Fix at Fresh install 3.2.x: CSRF token verification failed has been applied to /etc/apache2/sites-available/zammad.conf

Expected behavior:

Users can log on at any time.

Actual behavior:

After the initial config login, users cannot log in at any time
The following error is displayed: “CSRF token verification failed!”

Steps to reproduce the behavior:

Attempt to login with valid user credentials

Apache config

#
# this is the apache config for zammad
#

<VirtualHost *:80>
    # replace 'localhost' with your fqdn if you want to use zammad from remote
    ServerName help.macantacrm.com

    # https://community.zammad.org/t/fresh-install-3-2-x-csrf-token-verification-failed/3080/14
    RequestHeader set X_FORWARDED_PROTO 'https'
    RequestHeader set X-Forwarded-Ssl on

    ## don't loose time with IP address lookups
    HostnameLookups Off

    ## needed for named virtual hosts
    UseCanonicalName Off

    ## configures the footer on server-generated documents
    ServerSignature Off

    ProxyRequests Off
    ProxyPreserveHost On

    <Proxy 127.0.0.1:3000>
	Require local
    </Proxy>

    ProxyPass /assets !
    ProxyPass /favicon.ico !
    ProxyPass /robots.txt !
    ProxyPass /ws ws://127.0.0.1:6042/
    ProxyPass / http://127.0.0.1:3000/

    DocumentRoot "/opt/zammad/public"

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory "/opt/zammad/public">
        Options FollowSymLinks
	Require all granted
    </Directory>

RewriteEngine on
RewriteCond %{SERVER_NAME} =help.macantacrm.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Log file

I, [2020-02-05T06:10:31.072126 #1095-46924083354600]  INFO -- : Started POST "/api/v1/signin" for [REDACTED] at 2020-02-05 06:10:31 +0000
I, [2020-02-05T06:10:31.099946 #1095-46924083354600]  INFO -- : Processing by SessionsController#create as JSON
I, [2020-02-05T06:10:31.100161 #1095-46924083354600]  INFO -- :   Parameters: {"username"=>"peter@macanta.org", "password"=>"[FILTERED]", "fingerprint"=>"-904905283"}
I, [2020-02-05T06:10:31.101982 #1095-46924083354600]  INFO -- : CSRF token verification failed
I, [2020-02-05T06:10:31.103778 #1095-46924083354600]  INFO -- : Completed 401 Unauthorized in 3ms (Views: 0.7ms | ActiveRecord: 0.0ms)

Request headers

Host: help.macantacrm.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://help.macantacrm.com/
Content-Type: application/json
X-Requested-With: XMLHttpRequest
X-CSRF-Token: kkhiLZJ8Fvz+U4ynUQHEXQN5o8qGL5u2hS2GnriBrcPFnhA4MG1C/FisCB2U9d+PXG5GB1YwBEo0/iFMAkDdLg==
Content-Length: 97
Origin: https://help.macantacrm.com
Connection: keep-alive
Cookie: _zammad_session_a138cfd0f37=8ae515a76e558e071252efb4a117cbbf; __cfduid=d845751f15bbd0201b476ea6aa218cd811580880134

Response headers

HTTP/1.1 401 Unauthorized
Date: Wed, 05 Feb 2020 06:14:46 GMT
Server: Apache/2.4.29 (Ubuntu)
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
X-Failure: CSRF token verification failed!
Content-Type: application/json; charset=utf-8
Cache-Control: no-cache
X-Request-Id: 260e5cc6-c139-46f3-9b7d-6d1677696d7f
X-Runtime: 0.014497
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked

MrGeneration · February 5, 2020, 1:33pm

Can you please provide your https configuration? You only shared your http one which das a redirect to https.

peterdalydickson · February 5, 2020, 2:01pm

Doh!

I forgot that letsencrypt creates a ...-le-ssl.conf file.

All sorted.

Thanks

system · June 4, 2020, 2:01pm

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.