Server: CSRF check failed Upon Logout (Upgrade NC9 to NC10)

Created on 26 Aug 2016 · 24 Comments · Source: nextcloud/server

Steps to reproduce

  1. Log in with any user
  2. Attempt to log out
  3. Error occurs

Expected behaviour

The user should be logged out.

Actual behaviour

The user clicks logout, and is provided with the error:

"Access forbidden
CSRF check failed"

Going back to the Nextcloud login page redirects to the same user being logged in.

Server configuration

Operating system: Ubuntu 16.04

Web server: Apache2

Database: MySQL

PHP version: 7.0.3

Nextcloud version: 10

Updated from an older Nextcloud/ownCloud or fresh install: Updated

Where did you install Nextcloud from: Via .zip file

Signing status:

No errors have been found.

List of activated apps:

Enabled:

  • activity: 2.3.2
  • admin_audit: 1.0.0
  • calendar: 1.3.3
  • comments: 1.0.0
  • contacts: 1.3.1.0
  • dav: 1.0.0
  • documents: 0.13.1
  • federatedfilesharing: 1.0.1
  • federation: 1.0.1
  • files: 1.5.2
  • files_pdfviewer: 0.8.1
  • files_sharing: 1.0.0
  • files_texteditor: 2.1
  • files_trashbin: 1.0.0
  • files_versions: 1.3.0
  • files_videoplayer: 0.9.8
  • firstrunwizard: 1.1
  • gallery: 15.0.0
  • notifications: 0.3.0
  • password_policy: 1.0.0
  • provisioning_api: 1.0.0
  • qownnotesapi: 0.4.4
  • serverinfo: 1.1.1
  • survey_client: 0.1.5
  • systemtags: 1.0.2
  • templateeditor: 0.1
  • theming: 1.0.1
  • updatenotification: 1.0.1
  • workflowengine: 1.0.1

Disabled:

  • bookmarks
  • encryption
  • external
  • files_accesscontrol
  • files_automatedtagging
  • files_external
  • files_retention
  • user_external
  • user_ldap
  • user_saml

The content of config/config.php:

{
    "system": {
        "instanceid": "oce8z1iwk6a5",
        "passwordsalt": "_REMOVED SENSITIVE VALUE_",
        "secret": "_REMOVED SENSITIVE VALUE_",
        "trusted_domains": [
            "mauris.kbnetwork.ca"
        ],
        "datadirectory": "\/var\/www\/html\/nextcloud\/data",
        "overwrite.cli.url": "http:\/\/mauris.kbnetwork.ca\/nextcloud",
        "dbtype": "mysql",
        "version": "9.1.0.16",
        "dbname": "nextcloud",
        "dbhost": "192.168.1.143",
        "dbtableprefix": "oc_",
        "dbuser": "_REMOVED SENSITIVE VALUE_",
        "dbpassword": "_REMOVED SENSITIVE VALUE_",
        "logtimezone": "UTC",
        "installed": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "maintenance": false,
        "loglevel": 2
    }
}

Are you using external storage, if yes which one: No

Are you using encryption: no

Are you using an external user-backend, if yes which one: No

Client configuration

Browser: Firefox or Chrome

Operating system: Windows 10

Logs

Web server error log

[Thu Aug 25 19:02:25.230161 2016] [mpm_prefork:notice] [pid 40854] AH00163: Apache/2.4.18 (Ubuntu) configured -- resuming normal operations
[Thu Aug 25 19:02:25.230191 2016] [core:notice] [pid 40854] AH00094: Command line: '/usr/sbin/apache2'
[Thu Aug 25 19:03:12.724372 2016] [authz_core:error] [pid 41301] [client 192.168.1.130:37256] AH01630: client denied by server configuration: /var/www/html/nextcloud/data/htaccesstest.txt
[Thu Aug 25 19:06:37.495216 2016] [authz_core:error] [pid 41276] [client 192.168.1.130:37372] AH01630: client denied by server configuration: /var/www/html/nextcloud/data/htaccesstest.txt
[Thu Aug 25 19:06:44.998652 2016] [authz_core:error] [pid 41282] [client 192.168.1.130:37384] AH01630: client denied by server configuration: /var/www/html/nextcloud/data/htaccesstest.txt

Nextcloud log (data/nextcloud.log)

{"reqId":"WrGgQpGzWvGO4Hx9xg7T","remoteAddr":"192.168.1.130","app":"PHP","message":"touch(): Utime failed: Permission denied at \/var\/www\/html\/nextcloud\/lib\/private\/Config.php#229","level":3,"time":"2016-08-25T22:50:44+00:00","method":"GET","url":"\/nextcloud\/status.php","user":"--"}
{"reqId":"WrGgQpGzWvGO4Hx9xg7T","remoteAddr":"192.168.1.130","app":"PHP","message":"fopen(\/var\/www\/html\/nextcloud\/config\/config.php): failed to open stream: Permission denied at \/var\/www\/html\/nextcloud\/lib\/private\/Config.php#230","level":3,"time":"2016-08-25T22:50:44+00:00","method":"GET","url":"\/nextcloud\/status.php","$
{"reqId":"WrGgQpGzWvGO4Hx9xg7T","remoteAddr":"192.168.1.130","app":"PHP","message":"chmod(): Operation not permitted at \/var\/www\/html\/nextcloud\/lib\/private\/Config.php#233","level":3,"time":"2016-08-25T22:50:44+00:00","method":"GET","url":"\/nextcloud\/status.php","user":"--"}
{"reqId":"WrGgQpGzWvGO4Hx9xg7T","remoteAddr":"192.168.1.130","app":"remote","message":"Can't write into config directory!","level":4,"time":"2016-08-25T22:50:44+00:00","method":"GET","url":"\/nextcloud\/status.php","user":"--"}
{"reqId":"7eSpV\/jLcMiRp9Qp0jiw","remoteAddr":"","app":"core","message":"starting upgrade from 9.0.53.0 to 9.1.0.16","level":0,"time":"2016-08-25T22:51:09+00:00","method":"--","url":"--","user":"--"}
{"reqId":"NfcQ5rofQ5p3wvXmnaYR","remoteAddr":"192.168.1.130","app":"webdav","message":"Exception: {\"Message\":\"HTTP\/1.1 503 System in maintenance mode.\",\"Exception\":\"Sabre\DAV\Exception\ServiceUnavailable\",\"Code\":0,\"Trace\":\"#0 [internal function]: OCA\DAV\Connector\Sabre\MaintenancePlugin->checkMain$

Browser log

Nothing in console.

Network: https://mauris.kbnetwork.ca/nextcloud/index.php/s/iHoa08cQZ0H9P0A

Labels: 0. Needs triage, bug

All 24 comments

@LukasReschke Do you have an idea what has caused this? I can't reproduce with current stable10

I had noticed that when I had enabled a custom image for the login screen prior to upgrade, after upgrade I got the same CSRF check failed message. Refreshing the page completes the login successfully.

I have the same issue on a clean install of Nextcloud 11.0.1 installed from scratch. I use an ActiveDirectory backend for user logins. I can't logout, I get the

Access forbidden
CSRF check failed

error message.

Oh, fixed it!
In case someone else runs into the same issue as me, here is my solution:
I am running Nextcloud behind a reverse proxy and the https traffic is handled by the proxy. I added

'forcessl' => true,
'overwriteprotocol' => 'https',

to my config.php and I can now logout without errors.

'forcessl' => true,

This option is not needed anymore. It is not used in any newer Nextcloud version.

Hi,

The "CSRF check failed" appears to happen when you log in and then, after the session timeout, click on "Logout". To really log out in this case, the user has to refresh the page (this logs him in automatically) and then click "Logout" again. That's not so good, as the user has to know this in order to log out and prevent unwanted access to his files.

The "CSRF check failed" appears to happen when you log in and then, after the session timeout, click on "Logout". To really log out in this case, the user has to refresh the page (this logs him in automatically) and then click "Logout" again. That's not so good, as the user has to know this in order to log out and prevent unwanted access to his files.

@ChristophWurst @LukasReschke is there a fine way to kill this "remember me" state if the CSRF failed? I guess there is not and otherwise would allow an attacker to do the same. Maybe we redirect immediately on the CSRF failure, because it doesn't mean anything for the user (and disable this redirect in debug mode?)

I had the same issue with 11.0.2 and FF 52 64bit and "reopen last session" enabled

Log in with a user (my admin account, e.g.). Close FF, wait a while. Reopen FF. Now you see you are logged in and a user and password prompt is shown. Close that prompt (3x for me). Then log out your user via the menu. Trying to log in generates that message (CSRF check failed).
If you go to the "normal" login page you can log in without problems.

I just noticed it is still the same on NC11.0.3; are we planning to resolve this in NC12?

See for a possible fix: https://github.com/nextcloud/server/issues/5742#issuecomment-315466205

@ChristophWurst @LukasReschke I guess changing to the plain URL instead of the full URL could be tricky, because the two factor auth challenge seems to use it in the "logout_url" attribute. Could you have a look if this is fine to change, or if it then still needs to be made absolute.

@ChristophWurst Did you already have a look at this?

well https://github.com/nextcloud/server/pull/6360 is somewhat in that direction

@ChristophWurst @LukasReschke is there a fine way to kill this "remember me" state if the CSRF failed? I guess there is not and otherwise would allow an attacker to do the same.

I'm afraid there's little we can do about this. If the page's CSRF token is outdated (due to whatever reason), we never update it to a newer/valid one.

See for a possible fix: #5742 (comment)

That looks like a reverse proxy misconfiguration to me.

Maybe we redirect immediately on the CSRF failure, because it doesn't mean anything for the user (and disable this redirect in debug mode?)

Redirect what/where? Like redirecting to the default app after x seconds? Fine by me :)

The same issue came up for me when I recently set up NC13 behind a reverse proxy.
Turned out I misconfigured the proxy to omit any request arguments contained in the URL.

Logout is requiring the CSRF token to be contained in the URL.
Given the aforementioned config, this results in the described error.

Should be finally fixed with #8648 in the next major version - 14.

Should be finally fixed with #8648 in the next major version - 14.

I'm afraid this is one of the edge cases #8648 doesn't fix because the CSRF token is statically included in the page's HTML. The heartbeat only works for requests where the current token is read from OC.requesttoken by a script. A possible solution would be to add a click handler that dynamically builds the logout URL including the CSRF token.
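The two failure modes discussed in this thread (a reverse proxy that drops the query string, and a logout link whose token was rendered statically and has since gone stale, which the heartbeat cannot repair) can be modelled in a few lines. The following Node.js script is an added example, not code from the thread or from Nextcloud: the `Session` class, the `OC` object standing in for `OC.requesttoken`, the token values, the `/nextcloud` webroot and the logout path are constructed for the demo, and Nextcloud's real token validation is not reproduced. It also shows the click-time URL construction proposed in the comment above.

```javascript
// Added example (not Nextcloud's code). Models why a statically rendered
// logout link fails the CSRF check after the token changes, why a proxy that
// strips the query string fails it regardless, and what building the URL at
// click time from the live client-side token changes.

const WEBROOT = '/nextcloud';                   // constructed webroot
const ORIGIN = 'https://cloud.example.invalid'; // placeholder host, only for URL parsing

// Stand-in for the server side: a request passes the CSRF check only if its
// requesttoken query parameter equals the token currently bound to the session.
class Session {
  constructor(token) {
    this.token = token;
  }
  // The real server refreshes tokens over time; here we simply replace it.
  rotateToken(newToken) {
    this.token = newToken;
  }
  checkCsrf(requestUrl) {
    const params = new URL(requestUrl, ORIGIN).searchParams;
    const supplied = params.get('requesttoken');
    return supplied !== null && supplied === this.token;
  }
}

// Failure mode 1: the href is computed once, when the page HTML is rendered.
function renderStaticLogoutHref(tokenAtRenderTime) {
  return `${WEBROOT}/index.php/logout?requesttoken=${encodeURIComponent(tokenAtRenderTime)}`;
}

// Proposed fix: build the href when the link is clicked, reading whatever
// token the heartbeat most recently stored on the client.
function buildLogoutHref(clientState) {
  return `${WEBROOT}/index.php/logout?requesttoken=${encodeURIComponent(clientState.requesttoken)}`;
}

// Failure mode 2: a proxy that forwards only the path drops the query string,
// and with it the token, no matter how fresh the token is.
function forwardThroughProxy(href, preservesQueryString) {
  const u = new URL(href, ORIGIN);
  return preservesQueryString ? u.pathname + u.search : u.pathname;
}

// Walk through both scenarios and report which logout requests pass the check.
function simulate() {
  const session = new Session('token-A');      // constructed token value
  const OC = { requesttoken: session.token };  // stand-in for OC.requesttoken
  const staticHref = renderStaticLogoutHref(OC.requesttoken); // baked into the page now

  // Later: the server issues a new token and the heartbeat updates the client
  // copy, but the HTML rendered earlier is never rewritten.
  session.rotateToken('token-B');
  OC.requesttoken = 'token-B';

  return {
    staticLinkAfterRotation: session.checkCsrf(forwardThroughProxy(staticHref, true)),
    dynamicLinkAfterRotation: session.checkCsrf(forwardThroughProxy(buildLogoutHref(OC), true)),
    dynamicLinkThroughStrippingProxy: session.checkCsrf(forwardThroughProxy(buildLogoutHref(OC), false)),
  };
}

console.log(simulate());
```

Running it shows the stale static link rejected, the click-time link accepted, and the click-time link rejected again once the proxy discards the query string, which is why fixing the client alone does not help the reverse-proxy reporters in this thread.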

iOS app - CSRF error on first login. Can't clear. Need to delete app and reinstall in order to try again (and fail again).

Mac app, Android app and web app no problem logging in. Joplin notes app can log into Nextcloud via webdav on iOS, Mac, Android.

Nextcloud docker (latest) behind Nginx reverse proxy.

Same problem: I can't log in with the app, and when I try to log in with the token I can't upload/download files.
I do not know if it's related but I opened an issue (https://github.com/nextcloud/ios/issues/625)

same problem for me, NC 13.0.5.2 behind a reverse-proxy and ldap auth…

My config works for me (CSRF iOS app problem):

'overwrite.cli.url' => 'https://cloud.blablabla.bla',
'overwriteprotocol' => 'https',
'overwritehost' => 'cloud.blablabla.bla',
'forcessl' => true,
'overwritewebroot' => '',
'overwritecondaddr' => '192.168.1.11', // IP address of the apache2 reverse proxy
'trusted_proxies' => ['127.0.0.1','192.168.1.11'],
'htaccess.RewriteBase' => '/',

Same problem here on NC 16.0.3, no proxy.
It always happens when I try to _logout soon after being logged in_. If I wait a bit, I can log out normally.
The reload trick doesn't work, I just can't logout without cleaning my browser cache...

EDIT:
Solved by setting a color as login background. It fails with custom images, but with the default image too.

EDIT2:
Even with a color as login background, it sometimes happens, but no more when I stay logged in for a while, only when I log out just after logging in.

I suggest we move investigation/discussion over to #17065, which contains some additional testing and debugging and rules out that some commits made in the meantime fixed it, up to and including NC18.

