422 CSRF token problem

Added by Alex Z almost 7 years ago

Hi, I deployed the latest OpenProject Docker version and now I have this problem:

    422
    Unable to verify Cross-Site Request Forgery token. The OpenProject cookie is missing. Please ensure that cookies are enabled, as this application will not properly function without.

I checked the cookies and found that the session cookie is not set in the browser.

I don’t know what the reason for that could be, as I tried deploying a simple application that just sets a cookie header in the same environment, and it works without a problem.

Do you have any suggestions?

OpenProject was deployed with the following env vars:

    - name: "SECRET_KEY_BASE"
      value: ""
    - name: "SMTP_ADDRESS"
      value: ""
    - name: "SMTP_PORT"
      value: "25"
    - name: "SMTP_DOMAIN"
      value: ""
    - name: "SMTP_AUTHENTICATION"
      value: "plain"
    - name: "SMTP_ENABLE_STARTTLS_AUTO"
      value: "true"
    - name: "DATABASE_URL"
      value: "postgres://openproject:openprojectADMIN@openproject-postgree/openproject"


Replies (4)

RE: 422 CSRF token problem - Added by Alex Z almost 7 years ago

Version 7.4.3 helped to remove this problem.

Was there something related to GDPR? Because of it the cookie was not saved, and other things.

RE: 422 CSRF token problem - Added by Oliver Günther almost 7 years ago

Hi Alex,

v7.4.5 enforces the cookie secure flag at all times when your instance is running on SSL.

You can verify that this is indeed the issue when OpenProject does not output a cookie _open_project_session (ensure you cleared previous cookies).

This is the offending line. If you remove secure: ..., and restart the server, it should work (only use this for confirming the issue, see actual fix below!)

https://github.com/opf/openproject/compare/v7.4.4...v7.4.5#diff-ae8f555b82c0416edbcf62c9c1a5b73bR40

To fix this, you need to ensure that if you run on https, you set the X-Forwarded-Proto in your Apache configuration. The packaged installation does that automatically.

    RequestHeader set X-Forwarded-Proto "https"

Best,
Oliver
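
Why the missing header makes the session cookie disappear, as an added example that is not part of the original posts and is not OpenProject or Rails code: a simplified Ruby model in which the app sees only the plain-HTTP hop from the proxy and writes a Secure cookie only to a request it recognises as HTTPS. The helper names, the sample requests and the cookie value are constructed for illustration.

```ruby
# Simplified model (an assumption, not OpenProject or Rails source) of how a
# Rack-style app behind a TLS-terminating proxy decides whether to emit a
# session cookie that carries the Secure flag.
SESSION_COOKIE = "_open_project_session"

# The app only sees the proxy-to-app hop, which is plain HTTP. The browser's
# scheme is known only if the proxy forwards it in X-Forwarded-Proto
# (a single header value is assumed here).
def request_ssl?(env)
  forwarded = env["HTTP_X_FORWARDED_PROTO"].to_s.strip.downcase
  return forwarded == "https" unless forwarded.empty?
  env["rack.url_scheme"] == "https"
end

# A cookie flagged Secure is written only to a request seen as HTTPS.
def set_cookie_header(env, secure:)
  return nil if secure && !request_ssl?(env)
  header = "#{SESSION_COOKIE}=constructed-session-id; path=/; HttpOnly"
  secure ? "#{header}; Secure" : header
end

# Describes the outcome the way the thread diagnoses it.
def diagnose(env, secure:)
  cookie = set_cookie_header(env, secure: secure)
  return "no session cookie: CSRF check fails with 422" if cookie.nil?
  return "session cookie sent with Secure flag" if cookie.end_with?("; Secure")
  "session cookie sent WITHOUT Secure flag"
end

# Constructed requests, as the app sees them behind the proxy.
NO_HEADER   = { "rack.url_scheme" => "http" }
WITH_HEADER = { "rack.url_scheme" => "http", "HTTP_X_FORWARDED_PROTO" => "https" }

if __FILE__ == $PROGRAM_NAME
  puts "header missing, secure enforced: #{diagnose(NO_HEADER, secure: true)}"
  puts "header missing, secure removed:  #{diagnose(NO_HEADER, secure: false)}"
  puts "header forwarded by the proxy:   #{diagnose(WITH_HEADER, secure: true)}"
end
```

The second case is the confirmation step from the reply above: the 422 goes away, but the session cookie is then issued without the Secure flag, which is why forwarding the header is the actual fix.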

RE: 422 CSRF token problem - Added by Thomas Roder almost 7 years ago

I’m posting this message just for future reference.

I faced the same problem with nginx instead of Apache. Had to add this line to my nginx config file: proxy_set_header X-Forwarded-Proto $scheme;

See full thread: https://community.openproject.com/topics/9404?r=9439#message-9439

RE: 422 CSRF token problem - Added by Cascade Sun over 6 years ago

Hello - I upgraded from OP 7.4 --> 8.1 and have run into this issue. I added the X-Forwarded-Proto header to my Apache 2 config, but still get the error. I cannot access the instance through the web interface at all; I get a 422 error for all valid login users, including admin. This is on a Univention server; it was running perfectly before, using https. Thanks for the help.
