User Login - CSRF token verification failed!

  • Used Zammad version: Version 3.2.x (3.2.0-1576861015.528479ce.bionic)
  • Used Zammad installation source: DEB
  • Operating system: Ubuntu 18.04.3 LTS
  • Browser + version: Chrome, Firefox, Edge
  • Integrations: LDAP with AD (MS Server 2019)
  • 20 Active User - 2 Agents
  • 4 vCores & 8 GB RAM
  • Sophos XG WAF as SSL terminator - Sophos to Zammad with http.

Expected behavior:

Users can log on at any time.

Actual behavior:

Users cannot log in at any time. Applies to LDAP and local users.
The following error is displayed: “CSRF token verification failed!”

After a few seconds, a login is possible. Sometimes it takes longer.

Errors occur externally via https and internally via http.
Sophos XG WAF is used as SSL terminator.

Log File

I, [2020-01-08T16:01:42.040516 #2280-47166696252020] INFO -- : Processing by SessionsController#destroy as JSON
I, [2020-01-08T16:01:42.051744 #2280-47166696252020] INFO -- : Completed 200 OK in 11ms (Views: 0.2ms | ActiveRecord: 3.0ms)
I, [2020-01-08T16:01:42.117649 #2280-47166696251740] INFO -- : Started POST "/api/v1/message_send" for 10.135.000.000 at 2020-01-08 16:01:42 +0000
I, [2020-01-08T16:01:42.124207 #2280-47166696251740] INFO -- : Processing by LongPollingController#message_send as JSON
I, [2020-01-08T16:01:42.124273 #2280-47166696251740] INFO -- : Parameters: {"client_id"=>"8659359095", "data"=>{"event"=>"login", "session_id"=>"8d27b08539df0dfad3ea16a393247a68", "fingerprint"=>"1331506911"}}
I, [2020-01-08T16:01:42.125001 #2280-47166696251740] INFO -- : CSRF token verification failed
I, [2020-01-08T16:01:42.125398 #2280-47166696251740] INFO -- : Completed 401 Unauthorized in 1ms (Views: 0.1ms | ActiveRecord: 0.0ms)
I, [2020-01-08T16:01:42.176979 #2280-47166627417480] INFO -- : Started POST "/api/v1/message_send" for 10.135.000.000 at 2020-01-08 16:01:42 +0000
I, [2020-01-08T16:01:42.184172 #2280-47166627417480] INFO -- : Processing by LongPollingController#message_send as JSON
I, [2020-01-08T16:01:42.184232 #2280-47166627417480] INFO -- : Parameters: {"data"=>{"event"=>"login"}}
I, [2020-01-08T16:01:42.184515 #2280-47166627417480] INFO -- : client(9219720160) new client connection
I, [2020-01-08T16:01:42.186752 #2280-47166627417480] INFO -- : Completed 200 OK in 2ms (Views: 0.7ms | ActiveRecord: 0.3ms)
I, [2020-01-08T16:01:42.942911 #2280-47166631019200] INFO -- : Completed 200 OK in 1117ms (Views: 99.6ms | ActiveRecord: 1.3ms)
I, [2020-01-08T16:01:43.123291 #2280-47166619790540] INFO -- : Started POST "/api/v1/message_send" for 10.135.000.000 at 2020-01-08 16:01:43 +0000
I, [2020-01-08T16:01:43.123596 #2280-47166696252020] INFO -- : Started POST "/api/v1/message_receive" for 10.135.000.000 at 2020-01-08 16:01:43 +0000
I, [2020-01-08T16:01:43.129810 #2280-47166619790540] INFO -- : Processing by LongPollingController#message_send as JSON
I, [2020-01-08T16:01:43.131451 #2280-47166619790540] INFO -- : Parameters: {"client_id"=>"9219720160", "data"=>{"event"=>"spool", "timestamp"=>1578499067}}
I, [2020-01-08T16:01:43.131366 #2280-47166696252020] INFO -- : Processing by LongPollingController#message_receive as JSON
I, [2020-01-08T16:01:43.131848 #2280-47166696252020] INFO -- : Parameters: {"client_id"=>"9219720160"}
I, [2020-01-08T16:01:43.133623 #2280-47166619790540] INFO -- : Completed 200 OK in 2ms (Views: 0.1ms | ActiveRecord: 0.3ms)
I, [2020-01-08T16:01:43.137320 #2280-47166696251740] INFO -- : Started POST "/api/v1/signin" for 10.135.000.000 at 2020-01-08 16:01:43 +0000
I, [2020-01-08T16:01:43.141470 #2280-47166696251740] INFO -- : Processing by SessionsController#create as JSON
I, [2020-01-08T16:01:43.141532 #2280-47166696251740] INFO -- : Parameters: {"username"=>"Frank.Mustermann@company.de", "password"=>"[FILTERED]", "fingerprint"=>"1331506911"}
I, [2020-01-08T16:01:43.141929 #2280-47166696251740] INFO -- : CSRF token verification failed
I, [2020-01-08T16:01:43.142457 #2280-47166696251740] INFO -- : Completed 401 Unauthorized in 1ms (Views: 0.1ms | ActiveRecord: 0.0ms)
I, [2020-01-08T16:01:43.345532 #2280-47166627417480] INFO -- : Started POST "/api/v1/message_send" for 10.135.000.000 at 2020-01-08 16:01:43 +0000
I, [2020-01-08T16:01:43.349566 #2280-47166627417480] INFO -- : Processing by LongPollingController#message_send as JSON
I, [2020-01-08T16:01:43.349618 #2280-47166627417480] INFO -- : Parameters: {"client_id"=>"9219720160", "data"=>{"event"=>"login", "session_id"=>"8d27b08539df0dfad3ea16a393247a68", "fingerprint"=>"1331506911"}}
I, [2020-01-08T16:01:43.351436 #2280-47166627417480] INFO -- : Completed 200 OK in 2ms (Views: 0.1ms | ActiveRecord: 0.2ms)

IP Address masked
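Interleaved Rails log lines like the excerpt above are easiest to triage by grouping them on the thread id inside the bracket (the part after '#'), so that a "CSRF token verification failed" line is tied to the request it belongs to. The following script is an added example, not part of this thread; its sample lines are constructed to mirror the format, with a placeholder client address and user.

```python
import re

# Constructed Rails log lines in the format Zammad writes (modelled on the
# excerpt above, not copied from it). Two requests interleave; the thread id
# after '#' (pid-thread) is what ties one request's lines together.
SAMPLE_LOG = """\
I, [2020-01-08T16:01:43.137320 #2280-47166696251740] INFO -- : Started POST "/api/v1/signin" for 10.0.0.10 at 2020-01-08 16:01:43 +0000
I, [2020-01-08T16:01:43.139000 #2280-47166627417480] INFO -- : Started POST "/api/v1/message_send" for 10.0.0.10 at 2020-01-08 16:01:43 +0000
I, [2020-01-08T16:01:43.141470 #2280-47166696251740] INFO -- : Processing by SessionsController#create as JSON
I, [2020-01-08T16:01:43.141532 #2280-47166696251740] INFO -- : Parameters: {"username"=>"user@example.test", "password"=>"[FILTERED]"}
I, [2020-01-08T16:01:43.141929 #2280-47166696251740] INFO -- : CSRF token verification failed
I, [2020-01-08T16:01:43.142457 #2280-47166696251740] INFO -- : Completed 401 Unauthorized in 1ms (Views: 0.1ms | ActiveRecord: 0.0ms)
I, [2020-01-08T16:01:43.143000 #2280-47166627417480] INFO -- : Processing by LongPollingController#message_send as JSON
I, [2020-01-08T16:01:43.145000 #2280-47166627417480] INFO -- : Completed 200 OK in 2ms (Views: 0.1ms | ActiveRecord: 0.2ms)
"""

LINE_RE = re.compile(r'^\w, \[(\S+) #(\S+)\] \w+ -- : (.*)$')
START_RE = re.compile(r'Started (\w+) "([^"]+)" for (\S+)')
DONE_RE = re.compile(r'Completed (\d{3})')

def correlate(log_text):
    """Group lines by thread id and return one record per request, in order seen."""
    records, current = [], {}   # current: thread id -> the request it is serving
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, tid, msg = m.groups()
        started = START_RE.search(msg)
        if started:  # a new request on this thread; open a fresh record
            rec = {'tid': tid, 'ts': ts, 'method': started.group(1),
                   'path': started.group(2), 'client': started.group(3),
                   'csrf_failed': False, 'status': None}
            records.append(rec)
            current[tid] = rec
            continue
        rec = current.get(tid)
        if rec is None:
            continue  # the request's Started line is outside this excerpt
        if 'CSRF token verification failed' in msg:
            rec['csrf_failed'] = True
        done = DONE_RE.search(msg)
        if done:
            rec['status'] = int(done.group(1))
    return records

def csrf_failures(log_text):
    """(path, client, status) for every request the CSRF check rejected."""
    return [(r['path'], r['client'], r['status'])
            for r in correlate(log_text) if r['csrf_failed']]
```

Feed it the contents of production.log instead of SAMPLE_LOG to see which endpoints and client addresses the rejections cluster on.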

Please have a look at point 2.1:

This is an issue with your proxy. If you’re not using apache or nginx, we can’t help you, as this is out of our scope, sorry.

The error also occurs with internal connections without Sophos WAF.

Read the linked announcement; it describes how to fix the issue.

I’ve already tried that.

Please provide your used webserver software (Nginx|apache) and its configuration.

I use Nginx.

Nginx Config:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

Nginx zammad.conf

#
# this is the nginx config for zammad
#

upstream zammad-railsserver {
    server 127.0.0.1:3000;
}

upstream zammad-websocket {
    server 127.0.0.1:6042;
}

server {
    listen 80;

    # replace 'localhost' with your fqdn if you want to use zammad from remote
    server_name helpdesk.company.de;

    root /opt/zammad/public;

    access_log /var/log/nginx/zammad.access.log;
    error_log  /var/log/nginx/zammad.error.log;

    client_max_body_size 50M;

    location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) {
        expires max;
    }

    location /ws {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
        proxy_read_timeout 86400;
        proxy_pass http://zammad-websocket;
    }

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
        proxy_read_timeout 300;
        proxy_pass http://zammad-railsserver;

        gzip on;
        gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
        gzip_proxied any;
    }
}

I have also tried:
proxy_set_header X-Forwarded-Proto https;

Sorry now I’m confused.
How are you connecting to Zammad? Via HTTP or HTTPs?

Because your proxy only reacts to HTTP but further above you’re talking about Sophos and HTTPs.

You’re changing protocols, which will cause an issue with your cookies, because Zammad expects an insecure http cookie and you probably got an https cookie set.

I’d suggest sticking with https (or, if you must, for whatever reason, http).
I cannot reproduce this behaviour with http or https only.

I’m sorry, I can’t help further.

I have this same issue although SSL was working with version 3.0. After the upgrade this problem started. The server is working OK as I receive email notifications when a new ticket is created (by the email mailbox checking timer). Any help is welcome!

Nginx Config File

user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;
        gzip_disable "msie6";

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

Zammad Config File

upstream zammad {
    server localhost:3000;
}

upstream zammad-websocket {
    server localhost:6042;
}

server {
    listen 80;
    listen [::]:80;

    server_name help.llavemovil.com;

    access_log /var/log/nginx/help.llavemovil.com.access.log;
    error_log  /var/log/nginx/help.llavemovil.com.error.log;

    location /.well-known/ {
        root /var/www/html;
    }

    location / {
        rewrite ^/(.*)$ https://help.llavemovil.com/$1 permanent;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name help.llavemovil.com;

    ssl_certificate /etc/letsencrypt/live/help.llavemovil.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/help.llavemovil.com/privkey.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

    #ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    ssl_prefer_server_ciphers on;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 180m;

    ssl_stapling on;
    ssl_stapling_verify on;

    #ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;

    resolver 8.8.8.8 8.8.4.4;

    add_header Strict-Transport-Security "max-age=31536000" always;

    location = /robots.txt  {
        access_log off; log_not_found off;
    }

    location = /favicon.ico {
        access_log off; log_not_found off;
    }

    root /opt/zammad/public;

    access_log /var/log/nginx/help.llavemovil.com.access.log;
    error_log  /var/log/nginx/help.llavemovil.com.error.log;

    client_max_body_size 50M;

    location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) {
        expires max;
    }

    location /ws {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 86400;
        proxy_pass http://zammad-websocket;
    }

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 180;
        proxy_pass http://zammad;

        gzip on;
        gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
        gzip_proxied any;
    }

}

@fbritop please read this post (point 2.1.2) and adjust your nginx vhost configuration accordingly:
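Both vhost configurations in this thread trip over the same thing the linked post asks for: every proxied location must tell Zammad which scheme the browser actually used, i.e. X-Forwarded-Proto https whenever TLS is terminated in front of the Rails server, whether by nginx itself or by a WAF such as the Sophos XG above; sending http (or nothing) is what leaves the session cookie and the CSRF check disagreeing about the protocol. The script below is an added example, not part of this thread or of Zammad: it scans an nginx vhost for that mistake. The sample vhost and its host names are constructed.

```python
import re

# Constructed vhost excerpt modelled on the second config in this thread (not
# the poster's file): nginx terminates TLS, yet one proxied location omits
# X-Forwarded-Proto and the other hard-codes the wrong scheme.
SAMPLE_VHOST = """
server {
    listen 443 ssl http2;
    server_name help.example.test;
    location /ws {
        proxy_pass http://zammad-websocket;
    }
    location / {
        proxy_set_header X-Forwarded-Proto http;
        proxy_pass http://zammad;
    }
}
"""

def _blocks(text, keyword):
    """Return (header, body) for each `keyword ... {` block, matched by brace depth."""
    found = []
    for m in re.finditer(r'\b' + keyword + r'\b([^{;]*)\{', text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        found.append((m.group(1).strip(), text[m.end():i - 1]))
    return found

def check_forwarded_proto(config, external_tls=False):
    """List (server_name, location, problem, expected) for each proxied location
    whose X-Forwarded-Proto differs from the scheme the browser really used.
    external_tls=True models a WAF terminating TLS in front of nginx (the Sophos
    setup above): nginx then only sees http, so $scheme would be wrong too."""
    findings = []
    for _, srv in _blocks(config, 'server'):
        name = re.search(r'server_name\s+([^;]+);', srv)
        name = name.group(1).strip() if name else '(unnamed)'
        tls = external_tls or bool(re.search(r'\blisten\b[^;]*\bssl\b', srv))
        expected = 'https' if tls else 'http'
        accepted = {expected} if external_tls else {expected, '$scheme'}
        for path, loc in _blocks(srv, 'location'):
            if 'proxy_pass' not in loc:
                continue  # static or redirect location: nothing is forwarded
            m = re.search(r'proxy_set_header\s+X-Forwarded-Proto\s+([^;]+);', loc)
            if m is None:
                findings.append((name, path, 'missing', expected))
            elif m.group(1).strip() not in accepted:
                findings.append((name, path, 'mismatch', expected))
    return findings
```

Pass the text of your own vhost file, with external_tls=True when something in front of nginx terminates TLS, as in the first poster's Sophos setup.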
