Server: CSRF, Access Denied

Created on 29 Sep 2018  ·  22 Comments  ·  Source: nextcloud/server

Steps to reproduce

  1. Add account, set the password.
  2. Place the site behind reverse proxy for ssl.
  3. Login on an iPhone, iOS app.

Expected behaviour

Login should go through. The same account logs in w/o issues on the Android and Windows apps, as well as browsers on Windows and Mac. The macOS app also works w/o issues. Just the iOS app.

Actual behaviour

Get the CSRF Access Denied error.

Server configuration

Operating system: debian gnu/linux 9 (stretch) docker container, under openshift.

Web server: nginx

Database: mariadb

PHP version:

Nextcloud version: (see Nextcloud admin page) 13-fpm (13.0.6)

Updated from an older Nextcloud/ownCloud or fresh install: no

Where did you install Nextcloud from: docker.io/nextcloud

Signing status:
CSRF Access Denied after correctly entering credentials username/password. Token based auth spins forever.

Login as admin user into your Nextcloud and access 
http://example.com/index.php/settings/integrity/failed 
No errors have been found.

List of activated apps:
Any apps there by default, none installed on top of that. This is a fresh install.

Nextcloud configuration:

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'instanceid' => 'ocmcrrkeis6l',
  'passwordsalt' => 'blah',
  'secret' => 'blah',
  'trusted_domains' =>
  array (
    0 => 'cloud.blah.net',
    1 => 'nextcloud.os.lnsz.local',
  ),
  'datadirectory' => '/var/www/html/data',
  'overwrite.cli.url' => 'http://cloud.blah.net',
  'dbtype' => 'mysql',
  'version' => '13.0.6.1',
  'dbname' => 'nextcloud',
  'dbhost' => 'mariadb.default.svc',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'blah',
  'installed' => true,
  'csrf.disabled' => true,
);

I've added the last line in an attempt to disable CSRF... no go.

Are you using external storage, if yes which one: local running ceph

Are you using encryption: no

Are you using an external user-backend, if yes which one: no.

Client configuration

Browser: iOS app.

Operating system: iOS.

Logs

Web server error log

2018/09/29 19:51:57 [info] 5#5: *3604 client closed connection while waiting for request, client: 10.131.0.1, server: 0.0.0.0:8080
10.130.0.1 - - [29/Sep/2018:19:51:58 +0000] "POST /login?redirect_url=/login/flow/redirect%3FclientIdentifier%3D%26stateToken%3DIUp4U4eMRJKz8hRMZL3oZ9VXwL9LZxLhn5wL09W2xniJfzMa5PvIg2MtY4DLLzHb&user=blah HTTP/1.0" 303 0 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.22.4"
10.130.0.1 - - [29/Sep/2018:19:51:58 +0000] "GET /login/flow/redirect?clientIdentifier=&stateToken=IUp4U4eMRJKz8hRMZL3oZ9VXwL9LZxLhn5wL09W2xniJfzMa5PvIg2MtY4DLLzHb HTTP/1.0" 200 5323 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.22.4"
10.130.0.1 - - [29/Sep/2018:19:51:58 +0000] "GET /core/js/oc.js?v=ec5f41dd HTTP/1.0" 200 3313 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.22.4"
10.130.0.1 - - [29/Sep/2018:19:51:58 +0000] "POST /login/flow HTTP/1.0" 412 4582 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.22.4"
10.130.0.1 - - [29/Sep/2018:19:51:58 +0000] "GET /core/js/oc.js?v=ec5f41dd HTTP/1.0" 200 3313 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.22.4"
10.130.0.1 - - [29/Sep/2018:19:51:59 +0000] "GET /cron.php HTTP/1.0" 200 20 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.22.4"
10.130.0.1 - - [29/Sep/2018:19:51:59 +0000] "GET /cron.php HTTP/1.0" 200 20 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.22.4"

The above is from the nginx log, which makes mention of iOS.

Nextcloud log (data/nextcloud.log)

::1 -  29/Sep/2018:20:03:32 +0000 "GET /cron.php" 200
::1 - blah 29/Sep/2018:20:03:54 +0000 "PROPFIND /remote.php" 207
127.0.0.1 -  29/Sep/2018:20:04:03 +0000 "GET /index.php" 200
::1 -  29/Sep/2018:20:04:03 +0000 "GET /index.php" 302
127.0.0.1 - blah 29/Sep/2018:20:04:24 +0000 "PROPFIND /remote.php" 207
::1 - blah 29/Sep/2018:20:04:24 +0000 "GET /ocs/v2.php" 200
127.0.0.1 - blah 29/Sep/2018:20:04:54 +0000 "PROPFIND /remote.php" 207
::1 - blah 29/Sep/2018:20:05:24 +0000 "PROPFIND /remote.php" 207
127.0.0.1 - blah 29/Sep/2018:20:05:54 +0000 "PROPFIND /remote.php" 207
::1 - blah 29/Sep/2018:20:06:24 +0000 "PROPFIND /remote.php" 207
127.0.0.1 - blah 29/Sep/2018:20:06:54 +0000 "PROPFIND /remote.php" 207
::1 - blah 29/Sep/2018:20:07:24 +0000 "PROPFIND /remote.php" 207
127.0.0.1 - blah 29/Sep/2018:20:07:54 +0000 "PROPFIND /remote.php" 207
::1 - blah 29/Sep/2018:20:08:24 +0000 "PROPFIND /remote.php" 207
127.0.0.1 - blah 29/Sep/2018:20:08:54 +0000 "PROPFIND /remote.php" 207
::1 - blah 29/Sep/2018:20:09:24 +0000 "PROPFIND /remote.php" 207
127.0.0.1 - blah 29/Sep/2018:20:09:24 +0000 "GET /ocs/v2.php" 200
::1 - blah 29/Sep/2018:20:09:54 +0000 "PROPFIND /remote.php" 207
127.0.0.1 - blah 29/Sep/2018:20:10:23 +0000 "GET /status.php" 200
::1 - blah 29/Sep/2018:20:10:24 +0000 "PROPFIND /remote.php" 207
127.0.0.1 - blah 29/Sep/2018:20:10:54 +0000 "PROPFIND /remote.php" 207
::1 - blah 29/Sep/2018:20:11:24 +0000 "PROPFIND /remote.php" 207

CSRF access denied not logged here.

Browser log

Can CSRF be disabled altogether?

bug
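As an added example (not code from this issue, from Nextcloud or from the iOS app), the Python script below reconstructs the login-flow sequence from nginx access-log lines like the ones quoted in the report, so that an admin can see where the flow breaks and whether failures cluster on one client family rather than on the server. Nextcloud answers a failed CSRF check with HTTP 412 Precondition Failed, which is what the quoted POST /login/flow line shows. It assumes the nginx "combined" log format; the embedded log lines are constructed to mirror the excerpt, and the state tokens, the second client's address, user agent and its successful 303 are placeholders, not values from any real deployment.

```python
"""Follow Nextcloud login-flow sessions through nginx access-log lines.

Added example, not code from the issue or from Nextcloud. For each client
(remote address + user agent) it tracks the three login-flow requests:
  POST /login?redirect_url=/login/flow/redirect...   (credentials submitted)
  GET  /login/flow/redirect?...                      (grant page)
  POST /login/flow                                   (app password issued)
and reports the status of the final step. A 412 there is Nextcloud's
"CSRF check failed" response.
"""
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# nginx "combined" format: $remote_addr - $remote_user [$time_local]
# "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample modelled on the report's excerpt. The first line is an
# nginx error-log line that must be skipped; the tokens, the second client
# and its successful 303 are placeholders.
SAMPLE_LOG = """\
2018/09/29 19:51:57 [info] 5#5: *3604 client closed connection while waiting for request
10.130.0.1 - - [29/Sep/2018:19:51:58 +0000] "POST /login?redirect_url=/login/flow/redirect%3FclientIdentifier%3D%26stateToken%3DTOKEN_A&user=blah HTTP/1.0" 303 0 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.22.4"
10.130.0.1 - - [29/Sep/2018:19:51:58 +0000] "GET /login/flow/redirect?clientIdentifier=&stateToken=TOKEN_A HTTP/1.0" 200 5323 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.22.4"
10.130.0.1 - - [29/Sep/2018:19:51:58 +0000] "GET /core/js/oc.js?v=ec5f41dd HTTP/1.0" 200 3313 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.22.4"
10.130.0.1 - - [29/Sep/2018:19:51:58 +0000] "POST /login/flow HTTP/1.0" 412 4582 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.22.4"
10.130.0.2 - - [29/Sep/2018:19:55:01 +0000] "POST /login?redirect_url=/login/flow/redirect%3FclientIdentifier%3D%26stateToken%3DTOKEN_B&user=blah HTTP/1.0" 303 0 "-" "Mozilla/5.0 (Macintosh) ConstructedBrowser/1.0"
10.130.0.2 - - [29/Sep/2018:19:55:01 +0000] "GET /login/flow/redirect?clientIdentifier=&stateToken=TOKEN_B HTTP/1.0" 200 5323 "-" "Mozilla/5.0 (Macintosh) ConstructedBrowser/1.0"
10.130.0.2 - - [29/Sep/2018:19:55:02 +0000] "POST /login/flow HTTP/1.0" 303 0 "-" "Mozilla/5.0 (Macintosh) ConstructedBrowser/1.0"
"""


def parse_line(line):
    """Parse one access-log line; return None for lines in any other format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"], rec["query"] = parts.path, parts.query
    return rec


def flow_step(rec):
    """Name the login-flow step a request belongs to, or None if unrelated."""
    key = f'{rec["method"]} {rec["path"]}'
    if key == "POST /login" and "/login/flow/redirect" in unquote(rec["query"]):
        return "POST /login"
    if key in ("GET /login/flow/redirect", "POST /login/flow"):
        return key
    return None


def analyze(log_text):
    """Group flow requests per (ip, user agent) and record the final outcome."""
    sessions = defaultdict(lambda: {"steps": [], "final_status": None, "failed": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # error-log lines and malformed input are ignored
        step = flow_step(rec)
        if step is None:
            continue  # static assets, cron, WebDAV traffic
        s = sessions[(rec["ip"], rec["ua"])]
        s["steps"].append((step, rec["status"]))
        if step == "POST /login/flow":
            s["final_status"] = rec["status"]
            s["failed"] = rec["status"] >= 400
    return dict(sessions)


def failed_flows_by_user_agent(log_text):
    """Count broken flows per user agent: a count concentrated on one client
    family points at that client rather than at the server configuration."""
    counts = defaultdict(int)
    for (_ip, ua), s in analyze(log_text).items():
        if s["failed"]:
            counts[ua] += 1
    return dict(counts)


if __name__ == "__main__":
    for (ip, ua), s in analyze(SAMPLE_LOG).items():
        trail = " ; ".join(f"{step}={code}" for step, code in s["steps"])
        print(f"{ip} [{ua}] {trail} -> {'FAILED' if s['failed'] else 'ok'}")
    print(failed_flows_by_user_agent(SAMPLE_LOG))
```

Run against a real access log, the per-user-agent summary is the quick check to make before touching csrf.disabled: if only one client family ends its flow in 412 while browsers complete it, the server's CSRF protection is doing its job and the client is the thing to investigate.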

All 22 comments

GitMate.io thinks possibly related issues are https://github.com/nextcloud/server/issues/754 (Log in: Access forbidden, CSRF check failed), https://github.com/nextcloud/server/issues/9037 (Deny access if weak password), https://github.com/nextcloud/server/issues/9719 (Invalid authorization specification: 1045 Access denied for user), https://github.com/nextcloud/server/issues/9257 (Can't access federated share), and https://github.com/nextcloud/server/issues/7155 (Avoid "CSRF failed" pages).

As this seems to be a setup issue I would like to ask you to raise your question in the forums: https://help.nextcloud.com

If you wish support with setup issues from Nextcloud GmbH we offer this as part of the Nextcloud subscription. Learn more about this at https://nextcloud.com/enterprise/

Sure, I will ask the question in forums. I am sorry if it does turn out to be a setup issue... it just looked like an issue related to iOS app... since others work just fine. And there really isn't anything much to set up in the iOS app.

Quick follow up to this... managed to log in using iOS application "the old way". On the login screen there is a link to "log in the old way" and that works just fine.

"New way" is a no go. Whatever the difference is, you can figure now if it is truly due to my setup or a problem with the iOS application... 'cause again, all other apps/browsers log in no problems.

This is still an issue with the iOS app, unfortunately there is no login the old way option in 15.

I just hit this also.

Same here on ios for NextCloud version 15

At the very bottom of the app there should be an option to “login the old way”. I just found it yesterday and was able to login. I’m not sure why the new way is causing the CSRF issue.

Log in the old way worked for me.

Log in the old way worked for me.

You're right ... I missed that. At the very bottom of the "Login" screen, there is a text "Revert to old login".
Using that worked.

Thanks tucknology.

Hard to see this, but it's working now. Is this problem really solved? I mean the issue is still there.

CSRF error occurs with default login, old way without 2FA is working...

I have the same problem.

I just want to confirm that I'm running into this exact same issue on my iPad mini running ios 12.1.3. I receive the CSRF error using the normal login, but the old login style works fine.

Hopefully this will be fixed very soon!

@Ddog800 take a look at nextcloud/ios#768

same problem. on ios. Works with old login style.

I'm getting this too, but it works fine on macOS, Windows and Android, so it isn't a server configuration problem. Why is this bug closed?

Just happened to me on 15.0.5 Docker/Nextcloud iOS 2.23.1.10. Had to use the old way to log in.

THIS ISSUE HAS BEEN SOLVED

See https://github.com/nextcloud/ios/issues/768

Sharing folder or file exception message:
"There was an error retrieving the share. Maybe the link is wrong, it was unshared, or it was deleted."

Have the same issue appear after upgrade to 15.0.3. Login works fine, but the "sharing folder" API is not working anymore. Error 403 forbidden on POST with path /ocs/v2.php/apps/files_sharing/api/v1/shares?format=json. Exact message is "Access denied CSRF check failed". Since I'm already signed in, why this message?

Please help
