Core: CSRF Error on Logout

Created on 27 Mar 2017 · 25 comments · Source: owncloud/core

Hi,

I'm running ownCloud inside of Docker using the official image.
After a fresh install I cannot log out; I get a CSRF error:

Debug no app in context CSRF check failed

I have an Apache reverse proxy in front of the Docker container to handle SSL:


ServerName xxxx

ProxyPreserveHost on
ProxyPass / http://127.0.0.1:8082/
ProxyPassReverse / http://127.0.0.1:8082/

RewriteEngine on
RewriteCond %{SERVER_NAME} =xxxx
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

Steps to reproduce

  1. Fresh install via official docker image
  2. Set up apache reverse proxy
  3. Login
  4. Logout -> Error

Expected behaviour

Log out without an error

Actual behaviour

Get a CSRF error when logging out

Server configuration

Operating system:

Web server: apache

Database: SQLite

PHP version: 7.0

ownCloud version: 9.1.4.

Updated from an older ownCloud or fresh install: Fresh install

Where did you install ownCloud from: Official docker image

Labels: Bug, blue-ticket, p3-medium, sev3-medium

All 25 comments

Which browser do you use?

It only happens to me with Firefox v52.0.1 (64-bit) and http; I can log in through https on Firefox and without any problem in other browsers.
It has happened to me recently; with the same server I could log in previously.
Server 9.0.1, and any version with http.

Related https://support.mozilla.org/t5/Protect-your-privacy/Insecure-password-warning-in-Firefox/ta-p/27861

Steps are not clear. I cannot reproduce this using current master or 9.1.4 (both community and enterprise editions) using latest firefox (52.0.1).

I'm using FireFox 52.0, just tried in Chromium 53.0.2785.143 and have the same problem.

@SergioBertolinSG did you use the official docker image with apache reverse proxy on top?

@Starkmann no, I was assuming it was a more generic issue after seeing @nasli comment.

So if normal fresh installation (without docker/apache reverse proxy) does not have that issue it might be ssl + reverse proxy related, or?

@Starkmann Might be related to e.g. https://github.com/owncloud/core/issues/17201

I can reproduce this by doing these steps:

  1. Share via public link a file putting a password.

  2. Using firefox, access the public link and enter the password.

@SergioBertolinSG but you're not logging out?

I cannot reproduce this again with 10.0.1.

Which server are you using? Maybe my use case scenario is different, but with Firefox 53.0.2 (64-bit) I cannot log in; the same CSRF error appears with "10.0.1 RC1" over http.

@nasli If you have this issue when doing a Login then it's different from the issue reported by the OP, which is about getting such a message when doing a Logout.

The Login issue is discussed here https://github.com/owncloud/core/issues/25927 and is mostly an environmental issue / server misconfiguration.

I found an easier way to trigger this error without the need for a reverse proxy.

  • Open a session in the web interface
  • Wait for the session lifetime or delete your session cookie
  • Do not reload the page in the meantime
  • Click on "Log out" in the user menu
  • Log in again (be careful to type in the password correctly on the first attempt, because a failed login leads to a reload of the page) -> I get a CSRF check failed error every time I do this

I can reproduce it following @Helios07 steps in latest master.

The CSRF token is stored in the session, so if the cookie is gone then of course the CSRF token that was stored in the web page is now invalid. OK, so for this specific case we could detect that the user is not logged in and, instead of displaying "CSRF invalid", just redirect to the login page with another message.

On some banking websites I sometimes see a message like "you took too long to log in, we had to refresh the page for security purposes. please try again now" or something

btw, we must not allow the login to succeed if the CSRF token is invalid because it would open the door to nasty XSS attacks.

@PVince81 What about showing a message saying your session has expired and refresh the page?

Similar to those banks.

The page is already refreshed, so we could just show the login form again with a little additional box "your session has expired".
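A minimal model of the behaviour discussed in the comments above, written as an added example in Python; it is not ownCloud's code, and the in-memory session store, the session lifetime and the return values are assumptions. The CSRF token lives only in the session, so a state-changing request (such as logout) that arrives without a live session is routed back to the login page with a "session expired" notice, while a request that does have a live session but carries a mismatched token is still rejected outright.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session record.
SESSIONS = {}
SESSION_LIFETIME = 60 * 20  # seconds; assumed value, not ownCloud's default


def start_session(user, now):
    """Create a session and a CSRF token that exists only inside that session."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "user": user,
        "csrf": secrets.token_urlsafe(32),
        "expires": now + SESSION_LIFETIME,
    }
    return sid


def lookup_session(sid, now):
    """Return the live session for a cookie value, or None if missing or expired."""
    s = SESSIONS.get(sid)
    if s is None:
        return None
    if now >= s["expires"]:
        del SESSIONS[sid]  # expired: drop it, the page's token is now worthless
        return None
    return s


def handle_post(sid, submitted_token, now):
    """Decide how a state-changing POST (e.g. logout) is answered.

    Returns one of:
      "ok"            - live session and the token matches
      "login_expired" - no live session: show the login page with a
                        'session expired' notice instead of a CSRF error
      "csrf_failed"   - live session but token mismatch: hard reject
    """
    s = lookup_session(sid, now)
    if s is None:
        # Without a session there is nothing to validate the token against,
        # so the useful answer is the login form, not "CSRF check failed".
        return "login_expired"
    if submitted_token is None or not hmac.compare_digest(s["csrf"], submitted_token):
        # A mismatched token must never be accepted (see the thread above).
        return "csrf_failed"
    return "ok"
```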

But the csrf check failed message appears after the second login.

Hey, this issue has been closed because the label status/STALE is set and there were no updates for 7 days. Feel free to reopen this issue if you deem it appropriate.

(This is an automated comment from GitMate.io.)

10.0.6 will have a fix that redisplays the login page: https://github.com/owncloud/core/pull/30035

I'm still getting CSRF Access forbidden CSRF check failed on logout with Owncloud 10.0.4.

try again with 10.0.6 when it's out

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.