Hydra: No CSRF value available in the session cookie happend in the guiding demo

Created on 5 Mar 2020  Â·  7Comments  Â·  Source: ory/hydra

HI, i install the demo follow as https://www.ory.sh/docs/hydra/5min-tutorial. the first and second time demo works welll. but after that i got 'No CSRF value available in the session cookie' error . could you help me ?

hydra_1 | time="2020-03-05T06:10:20Z" level=error msg="An error occurred" debug="No CSRF value available in the session cookie" description="The request is not allowed" error=request_forbidden hint="You are not allowed to perform this action."
image

All 7 comments

Make sure to not confuse localhost and 127.0.0.1 and use a browser that allows cookies

On 5. Mar 2020, at 03:16, LuoWei0731 notifications@github.com wrote:


HI, i install the demo follow as https://www.ory.sh/docs/hydra/5min-tutorial. the first and second time demo works welll. but after that i got 'No CSRF value available in the session cookie' error . could you help me ?

hydra_1 | time="2020-03-05T06:10:20Z" level=error msg="An error occurred" debug="No CSRF value available in the session cookie" description="The request is not allowed" error=request_forbidden hint="You are not allowed to perform this action."

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.

I have a similar issue with Chrome v84.0.4147.125 (but it works with Safari v13.1.2).

I cannot login using Chrome and access the consent screen.

The error from the docker log is:

hydra_1          | time=2020-08-13T04:42:04Z level=info msg=access denied audience=audit error=map[message:request_forbidden reason:You are not allowed to perform this action. status:Forbidden status_code:403] http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 accept-encoding:gzip, deflate, br accept-language:en-US,en;q=0.9,fr;q=0.8 cache-control:max-age=0 cookie:_csrf=grXlH0pxagriO-rAh_8E4aRL referer:http://127.0.0.1:3000/login?login_challenge=fcdbcb1595434e779eda0b6569485637 user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36] host:127.0.0.1:4444 method:GET path:/oauth2/auth query:audience=&client_id=auth-code-client&login_verifier=020669e581b241bdacbd391e681a04e6&max_age=0&nonce=zhadpabkxbodidtwpgbhiwjd&prompt=&redirect_uri=http%3A%2F%2F127.0.0.1%3A5555%2Fcallback&response_type=code&scope=openid+offline&state=wcfdqswwvhdlgrpajbtpmnmn remote:172.17.0.1:40696 scheme:http] service_name=ORY Hydra service_version=v1.6.0

I tried to change the cookie settings of Chrome without any success.
Is it because of some security features of Chrome because of no HTTPs or local IP?

Same here, it works fine on Safari but not on Chrome
Screen Shot 2020-08-13 at 5 07 45 PM

I have the same with chrome 84.0.4147.125
Hydra version 1.4.6.
Logs show this: "time="2020-08-13T11:39:28Z" level=error msg="An error occurred" debug="No CSRF value available in the session cookie" description="The request is not allowed" error=request_forbidden hint="You are not allowed to perform this action.""
It doesn't complain that CSRF token is invalid/missing, but there's no token stored in the internal Hydra session store...
It works in Firefox/Safari. Looks like this Chrome build changed something that disrupts Hydra server-side session management.

Hi there, sorry to hear that this is apparently an issue for Chrome environments.

To help, it is critical to have at least some idea of your set up. Please fill out the issue template. Also note that this issue is about the 5 minute tutorial. Seeing that there are older versions reported here I assume that you're not running the tutorial.

If your environment stopped working since upgrading chrome or similar problems, please create a separate issue with as much detail as possible.

If you have issues with the 5 minute tutorial please state so clearly and we'll reopen this.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

ms42Q picture ms42Q  Â·  8Comments

flavioleggio picture flavioleggio  Â·  7Comments

wojciechce picture wojciechce  Â·  3Comments

aeneasr picture aeneasr  Â·  3Comments

dselyuzhitskiy picture dselyuzhitskiy  Â·  3Comments