User Login: CSRF token verification failed!

Infos:

  • Used Zammad version: 3.6.0 (3.6.0-1609411394.587a3197.focal)
  • Used Zammad installation source: DEB
  • Operating system: Ubuntu 20.04.1 LTS
  • Browser + version: Edge 88.0.705.29, Chrome: 87.0.4280.88
  • Traffic is not proxied; no SSL/TLS encryption mode; Use HTTP
  • Migrate from OTRS 5.x — Zammad documentation

Expected behavior:

  • Users can log on at any time.

Actual behavior:

  • The following error is displayed: “CSRF token verification failed!”

Steps to reproduce the behavior:

  • Clean installation of Zammad and import data from OTRS

Apache config

#
# this is the apache config for zammad
#

<VirtualHost *:80>
   ServerName 192.168.6.9

   # security - prevent information disclosure about server version
   #ServerTokens Prod
   ## don't lose time with IP address lookups
   HostnameLookups Off
   ## needed for named virtual hosts
   UseCanonicalName Off
   ## configures the footer on server-generated documents
   ServerSignature Off
   ProxyRequests Off
   ProxyPreserveHost On
   <Proxy 127.0.0.1:3000>
       Require local
   </Proxy>
   ProxyPass /assets !
   ProxyPass /favicon.ico !
   ProxyPass /apple-touch-icon.png !
   ProxyPass /robots.txt !
   ProxyPass /ws ws://127.0.0.1:6042/
   ProxyPass / http://127.0.0.1:3000/
   #RequestHeader set X_FORWARDED_PROTO 'http'
   #RequestHeader set X-Forwarded-Ssl off
   # change this line in an SSO setup
   #RequestHeader unset X-Forwarded-User
   DocumentRoot "/opt/zammad/public"
   <Directory />
       Options FollowSymLinks
       AllowOverride None
   </Directory>
   <Directory "/opt/zammad/public">
       Options FollowSymLinks
       Require all granted
   </Directory>
</VirtualHost>

Log File

I, [2020-12-31T14:55:14.868882 #3386-47290452778680]  INFO -- : CSRF token verification failed
I, [2020-12-31T14:55:14.869111 #3386-47290452778680]  INFO -- : CSRF token verification failed! (Exceptions::NotAuthorized)
/opt/zammad/app/controllers/application_controller/prevents_csrf.rb:35:in `verify_csrf_token'
I, [2020-12-31T14:55:14.870628 #3386-47290452778680]  INFO -- : Completed 401 Unauthorized in 10ms (Views: 0.4ms | ActiveRecord: 4.2ms)
I, [2020-12-31T14:55:20.038213 #3406-46925171956640]  INFO -- : execute Channel.fetch (try_count 0)...
I, [2020-12-31T14:55:20.041082 #3406-46925171956640]  INFO -- : ended Channel.fetch took: 0.038775662 seconds.

Note
Before trying to import OTRS data I tried a clean installation without data, to check the system, and there were no problems. After that I restarted from scratch and imported the OTRS data, but when I try to log in I get the "CSRF token verification failed!" message.

Hi there!

Just do a search for CSRF on the forum and you will find the solution.
There are several posts about it, and it is a known issue that can be solved.

Regards,
Martin

Hi Martin,

thanks for your reply.

I already searched on the forum and tried some solutions without success.

I tried to enable the Apache header configuration and added these settings in zammad.conf:
User Login - CSRF token verification failed! (‘RequestHeader’ fix does not work):

RequestHeader set X_FORWARDED_PROTO 'http'
RequestHeader set X-Forwarded-Ssl on

But it is not working :frowning:

I tried to clear the cache.
I tried to create a new user with admin rights via the console, but the login is not working.

The CSRF error appears also if I insert the wrong username and password…

This is a test installation to verify the Zammad functionality with OTRS data imported; I have not configured the https protocol yet (it is the next step).

But OTRS was configured with https. Can this be the problem? Did you change the Zammad setting from http to https during the import?

How can I verify the Zammad protocol configuration via the console?

Thanks.

Hi all,

I still have this issue, and it's frustrating.

I confirm that the problem only occurs when I import OTRS data. I tried to start from scratch (delete and recreate the database) and it works without a problem.

I also tried to start with a new installation with nginx, but the problem is the same:
With OTRS data imported, I get the CSRF error.
With clean data, it works.


@lpignedoli we have the same issue after migrating from otrs, unfortunately we created a new topic here. Do you have any news?

Same with us: a clean installation is running. A migration from OTRS brings the CSRF error. The suggested solutions don't work.

I resolved this issue by configuring the web server in SSL with a self-signed certificate. :wink:

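An added illustration of why switching the web server to HTTPS can clear this error, written for this thread and not taken from Zammad's code. It assumes one thing: that the session cookie is flagged Secure when the configured http_type is 'https' (the value the Zammad console exposes as Setting.get('http_type')). A Secure cookie handed out over plain HTTP is never sent back by the browser, so every request starts a fresh session and the CSRF token can never match, which also explains why the error appears before the credentials are even checked.

```ruby
require 'securerandom'

# Browser-side cookie jar. A cookie carrying the Secure attribute is only
# sent back over HTTPS; on a plain http:// request the browser omits it.
class CookieJar
  def initialize
    @cookies = {}
  end

  def store(name, value, secure:)
    @cookies[name] = { value: value, secure: secure }
  end

  # Cookies the browser would attach to a request using this URL scheme.
  def for_request(scheme)
    kept = @cookies.reject { |_, c| c[:secure] && scheme != 'https' }
    kept.transform_values { |c| c[:value] }
  end
end

# Server side. Assumption made here: the session cookie is flagged Secure
# when http_type is 'https'. The CSRF check runs before any credential check
# and compares the header token with the one in the session the cookie names.
class App
  def initialize(http_type)
    @secure_cookie = (http_type == 'https')
    @sessions = {}
  end

  # GET login page: new session, token kept server-side, cookie to client.
  def login_page(jar)
    sid = SecureRandom.hex(8)
    @sessions[sid] = SecureRandom.hex(16)
    jar.store('_session', sid, secure: @secure_cookie)
    @sessions[sid]
  end

  # POST login: without the cookie there is no session, so no token can match.
  def login(jar, scheme, header_token)
    sid = jar.for_request(scheme)['_session']
    return 'CSRF token verification failed!' unless sid && @sessions[sid] == header_token
    'OK'
  end
end

# Run the two-request login flow for a given http_type setting and URL scheme.
def try_login(http_type, scheme)
  app = App.new(http_type)
  jar = CookieJar.new
  app.login(jar, scheme, app.login_page(jar))
end
```

Only the combination of an 'https' setting with a plain http:// request fails; the two consistent combinations both log in.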

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.