User Login - CSRF token verification failed! ('RequestHeader' fix does not work)


  • Used Zammad version: Version 3.2.x (3.2.0-1580110414.992e734c.bionic)
  • Used Zammad installation source: DEB
  • Operating system: Ubuntu 18.04.4 LTS
  • Browser + version: Firefox 72.0.2; Brave 1.2.43 Chromium: 79.0.3945.130
  • DNS is hosted on Cloudflare; traffic is not proxied; SSL/TLS encryption mode is Full (strict): "Encrypts end-to-end, but requires a trusted CA or Cloudflare Origin CA certificate on the server"; Always Use HTTPS is off
  • The fix from "Fresh install 3.2.x: CSRF token verification failed" has been applied to /etc/apache2/sites-available/zammad.conf

Expected behavior:

  • Users can log on at any time.

Actual behavior:

  • After the initial config login, users cannot log in at any time
  • The following error is displayed: “CSRF token verification failed!”

Steps to reproduce the behavior:

  • Attempt to log in with valid user credentials

Apache config

# this is the apache config for zammad

<VirtualHost *:80>
    # replace 'localhost' with your fqdn if you want to use zammad from remote

    RequestHeader set X_FORWARDED_PROTO 'https'
    RequestHeader set X-Forwarded-Ssl on

    ## don't lose time with IP address lookups
    HostnameLookups Off

    ## needed for named virtual hosts
    UseCanonicalName Off

    ## configures the footer on server-generated documents
    ServerSignature Off

    ProxyRequests Off
    ProxyPreserveHost On

    Require local

    ProxyPass /assets !
    ProxyPass /favicon.ico !
    ProxyPass /robots.txt !
    ProxyPass /ws ws://
    ProxyPass /

    DocumentRoot "/opt/zammad/public"

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory "/opt/zammad/public">
        Options FollowSymLinks
        Require all granted
    </Directory>

RewriteEngine on
RewriteCond %{SERVER_NAME}
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Log file

I, [2020-02-05T06:10:31.072126 #1095-46924083354600]  INFO -- : Started POST "/api/v1/signin" for [REDACTED] at 2020-02-05 06:10:31 +0000
I, [2020-02-05T06:10:31.099946 #1095-46924083354600]  INFO -- : Processing by SessionsController#create as JSON
I, [2020-02-05T06:10:31.100161 #1095-46924083354600]  INFO -- :   Parameters: {"username"=>"", "password"=>"[FILTERED]", "fingerprint"=>"-904905283"}
I, [2020-02-05T06:10:31.101982 #1095-46924083354600]  INFO -- : CSRF token verification failed
I, [2020-02-05T06:10:31.103778 #1095-46924083354600]  INFO -- : Completed 401 Unauthorized in 3ms (Views: 0.7ms | ActiveRecord: 0.0ms)

Request headers

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
X-Requested-With: XMLHttpRequest
X-CSRF-Token: kkhiLZJ8Fvz+U4ynUQHEXQN5o8qGL5u2hS2GnriBrcPFnhA4MG1C/FisCB2U9d+PXG5GB1YwBEo0/iFMAkDdLg==
Content-Length: 97
Connection: keep-alive
Cookie: _zammad_session_a138cfd0f37=8ae515a76e558e071252efb4a117cbbf; __cfduid=d845751f15bbd0201b476ea6aa218cd811580880134

Response headers

HTTP/1.1 401 Unauthorized
Date: Wed, 05 Feb 2020 06:14:46 GMT
Server: Apache/2.4.29 (Ubuntu)
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
X-Failure: CSRF token verification failed!
Content-Type: application/json; charset=utf-8
Cache-Control: no-cache
X-Request-Id: 260e5cc6-c139-46f3-9b7d-6d1677696d7f
X-Runtime: 0.014497
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked

Can you please provide your https configuration? You only shared your http one which has a redirect to https. :slight_smile:


I forgot that letsencrypt creates a ...-le-ssl.conf file.

All sorted.

Thanks :pray:t3:

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.
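
A check for the situation that resolved this thread, as an added example that is not part of the original posts or of Zammad's own tooling: it reads Apache site files and lists the TLS virtual hosts that proxy to the application without a RequestHeader directive setting the forwarded protocol to https, which is what happens when the fix lands only in the port 80 file while a separate ...-le-ssl.conf serves HTTPS. The file names, backend address and config text in SAMPLE are constructed for illustration.

```python
import re
VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)
PROTO = re.compile(r"x[-_]forwarded[-_]proto\s+['\"]?https", re.I)
# Constructed sample: file names, backend address and contents are placeholders.
SAMPLE = {
    "example.conf": """
<VirtualHost *:80>
    RequestHeader set X_FORWARDED_PROTO 'https'
    ProxyPass / http://127.0.0.1:3000/
</VirtualHost>
""",
    "example-le-ssl.conf": """
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ProxyPass /assets !
    ProxyPass / http://127.0.0.1:3000/
</VirtualHost>
</IfModule>
""",
}

def directives(body):
    """Yield (lowercased name, arguments) for each directive line in a vhost body."""
    for line in body.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith(("#", "<")):
            yield parts[0].lower(), parts[1] if len(parts) > 1 else ""

def audit(configs):
    """configs maps file name -> config text; returns one dict per <VirtualHost>."""
    rows = []
    for name, text in sorted(configs.items()):
        for addr, body in VHOST.findall(text):
            ds = list(directives(body))
            rows.append({
                "file": name, "vhost": addr.strip(),
                "tls": addr.strip().endswith(":443")
                       or any(n == "sslengine" and a.lower() == "on" for n, a in ds),
                "proxies": any(n == "proxypass" and not a.endswith("!") for n, a in ds),
                "sets_proto": any(n == "requestheader" and PROTO.search(a) for n, a in ds),
            })
    return rows

def missing_header(rows):
    """TLS vhosts that proxy to the app without declaring the scheme as https."""
    return [(r["file"], r["vhost"]) for r in rows if r["tls"] and r["proxies"] and not r["sets_proto"]]

if __name__ == "__main__":
    for f, v in missing_header(audit(SAMPLE)):
        print(f"{f}: <VirtualHost {v}> proxies over TLS but sets no X-Forwarded-Proto https")
```

To audit a real host, build the dictionary from the contents of every enabled site file (on Ubuntu, those under /etc/apache2/sites-enabled) instead of SAMPLE.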