Forum: Support Installation & Updates

Update 7.4.3 to 7.4.4: Unable to verify Cross-Site Request Forgery token.

Added by Thomas Roder about 4 years ago

I need some help, urgently if possible!

I just updated OpenProject from 7.4.3 to 7.4.4 as described here.

Now, I cannot login anymore, with any account. I get this message:
Unable to verify Cross-Site Request Forgery token. The OpenProject cookie is missing. Please ensure that cookies are enabled, as this application will not properly function without.

I get log entries such as these:

W, [2018-05-30T12:25:04.020020 #13257]  WARN -- : [auth_saml] Missing settings from '/opt/openproject/config/plugins/auth_saml/settings.yml', skipping omniauth registration.
W, [2018-05-30T12:25:04.204836 #13257]  WARN -- : hook registered
W, [2018-05-30T12:25:05.601244 #13257]  WARN -- : Creating scope :order_by_name. Overwriting existing method Sprint.order_by_name.
W, [2018-05-30T12:25:19.893569 #13331]  WARN -- : Can't verify CSRF token authenticity.

Full logs: https://pastebin.com/y3kD6PMy

My system: Ubuntu 16.04, packaged installation. Only irregularity: Nginx 1.14.0 instead of Apache.

I already tried: Reboots, reconfigure OpenProject, restarting memcached service, different browsers and private modes.

#EDIT:
I downgraded to 4.3.3 as follows:
sudo apt-get install openproject=7.4.3-1523266776.fea7c3d7.xenial
sudo openproject configure

Now it works again. I wonder what went wrong! But I’m afraid to update…


Replies (12)

RE: Update 7.4.3 to 7.4.4: Unable to verify Cross-Site Request Forgery token. - Added by Martin Dittmar about 4 years ago

I have exactly the same problem, also with Ubuntu 16.04.
I’m using Apache in version 2.4.33-1+ubuntu16.04.1+deb.sury.org+1

The solution to downgrade to 7.4.3 worked for me.

I can confirm that 7.4.5 does not resolve the problem.

RE: Update 7.4.3 to 7.4.4: Unable to verify Cross-Site Request Forgery token. - Added by Oliver Günther about 4 years ago

Dear Martin, Thomas,

please see my response here: https://community.openproject.com/topics/9407?r=9410#message-9410

You’re running on https but your reverse proxy does not receive the X-Forwarded-Proto ‘https’ header, and in turn the secure cookie is not transmitted.

Best,
Oliver

RE: Update 7.4.3 to 7.4.4: Unable to verify Cross-Site Request Forgery token. - Added by Thomas Roder about 4 years ago

Thank you very much, this solved the problem!
I had to add this line to my nginx-configuration:
proxy_set_header X-Forwarded-Proto $scheme;

For reference, here’s my entire nginx-config, anonymized:

#/etc/nginx/sites-enabled/openproject_nginx.conf
upstream backend {
    server 127.0.0.1:6000 fail_timeout=0;
}

server {
    listen 443 ssl default_server;
    server_name projects.example.com;

    ssl on;
    ssl_certificate_key /etc/ssl/private/example.key;
    ssl_certificate /etc/ssl/certs/projects.example.com.2017.crt.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    root /opt/openproject/public;

    try_files $uri/index.html $uri @backend;

    location @backend {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
        proxy_pass http://backend;
    }

    error_page 500 502 503 504 /500.html;
    client_max_body_size 4G;
    keepalive_timeout 10;
}

# redirect all http:// requests to https://
server {
    listen 80;
    listen [::]:80;
    server_name _;
    return 301 https://$host$request_uri;
}
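
Thomas's fix above comes down to one proxy_set_header line, and it is easy to lose again when a location block is edited, because nginx discards every inherited proxy_set_header directive as soon as a block defines any of its own. The following audit script is an added example, not part of this thread or of OpenProject: it parses an nginx config with a minimal parser and flags each proxied location that does not forward X-Forwarded-Proto (or hard-codes it to http) or Host, and each TLS server that still enables TLSv1 or TLSv1.1. The embedded config is constructed to resemble the ones posted here; the parser only understands the directive and block subset shown.

```python
"""Audit an nginx reverse-proxy config for the headers a Rails app behind TLS needs.
Added example for this thread; not OpenProject's code."""
import re
from dataclasses import dataclass, field

@dataclass
class Block:
    name: str                                          # "server", "location @backend", ...
    directives: list = field(default_factory=list)     # [(name, [args]), ...]
    children: list = field(default_factory=list)

TOKEN = re.compile(r'"[^"]*"' + r"|'[^']*'" + r"|[{};]|[^\s{};]+")

def parse_nginx(text: str) -> Block:
    """Minimal nginx parser: strips # comments, nests {} blocks, splits ';' directives."""
    text = re.sub(r"#[^\n]*", "", text)
    root, stack, words = Block("root"), [], []
    stack.append(root)
    for tok in TOKEN.findall(text):
        if tok == "{":
            block = Block(" ".join(words))
            stack[-1].children.append(block)
            stack.append(block)
            words = []
        elif tok == "}":
            stack.pop()
            words = []
        elif tok == ";":
            if words:
                stack[-1].directives.append((words[0], words[1:]))
            words = []
        else:
            words.append(tok.strip("\"'"))
    return root

WEAK_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def audit(root: Block) -> list:
    """Return (severity, block name, message) findings for the whole tree."""
    findings = []

    def walk(block, inherited_headers):
        # nginx inherits proxy_set_header from the enclosing level only when the
        # current level defines none of its own; one new header drops all the rest.
        own = [a for n, a in block.directives if n == "proxy_set_header" and a]
        headers = {a[0].lower(): " ".join(a[1:]) for a in own} if own else inherited_headers

        if block.name == "server":
            listens = [" ".join(a) for n, a in block.directives if n == "listen"]
            tls = any("ssl" in l.split() for l in listens) or \
                  any(n == "ssl" and a == ["on"] for n, a in block.directives)
            if tls:
                protos = {p for n, a in block.directives if n == "ssl_protocols" for p in a}
                weak = sorted(protos & WEAK_TLS)
                if weak:
                    findings.append(("warn", block.name,
                                     f"deprecated ssl_protocols enabled: {', '.join(weak)}"))

        if block.name.startswith("location") and any(n == "proxy_pass" for n, _ in block.directives):
            proto = headers.get("x-forwarded-proto")
            if proto is None:
                findings.append(("error", block.name,
                                 "no X-Forwarded-Proto forwarded: the app sees plain http "
                                 "and will not write a Secure session cookie"))
            elif proto.lower() == "http":
                findings.append(("error", block.name, "X-Forwarded-Proto hard-coded to http"))
            if "host" not in headers:
                findings.append(("warn", block.name, "Host not forwarded; the app sees the upstream name"))

        for child in block.children:
            walk(child, headers)

    walk(root, {})
    return findings

# Constructed sample, modelled on the configs in this thread: the first server is
# missing the proto header and keeps old TLS versions, the second is correct.
SAMPLE_CONFIG = """
upstream backend { server 127.0.0.1:6000 fail_timeout=0; }

server {
    listen 443 ssl default_server;
    server_name projects.example.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    root /opt/openproject/public;
    try_files $uri/index.html $uri @backend;

    location @backend {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://backend;
    }
}

server {
    listen 8443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto $scheme;
    location / { proxy_pass http://backend; }   # inherits both headers
}
"""

if __name__ == "__main__":
    for severity, where, message in audit(parse_nginx(SAMPLE_CONFIG)):
        print(f"[{severity}] {where}: {message}")
```

Run it against a real file by replacing SAMPLE_CONFIG with the contents of the site config; an "error" line on the location that proxies to OpenProject is the same condition that produced the missing-cookie message in this thread.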

RE: Update 7.4.3 to 7.4.4: Unable to verify Cross-Site Request Forgery token. - Added by Oliver Günther about 4 years ago

Hi Thomas,

great to hear! I’ll add that as a note to the manual installation.

Best,
Oliver

RE: Update 7.4.3 to 7.4.4: Unable to verify Cross-Site Request Forgery token. - Added by Martin Dittmar about 4 years ago

I can confirm that the solution is working with Apache 2.4 and https:

Inside the Virtualhost I could set:

RequestHeader set X-Forwarded-Proto "https"

and reload Apache.

Thank you for your help!

RE: Update 7.4.3 to 7.4.4: Unable to verify Cross-Site Request Forgery token. - Added by Lars G about 4 years ago

I can confirm that Thomas Roder’s configuration worked for me.

I have Debian 9 with nginx and it worked fine. Then I installed php7.0-fpm and I got the 422 error after the server rebooted. Maybe it has to do with this. Had the same problem on another machine, where I only updated Plesk and couldn’t figure out the issue.

Now it’s working. My config looks like this:

location / {
    gzip off;

    proxy_redirect off;
    proxy_http_version 1.1;

    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_pass http://127.0.0.1:6000;
}

RE: Update 7.4.3 to 7.4.4: Unable to verify Cross-Site Request Forgery token. - Added by Hilfan Soeltansyah almost 4 years ago

In my case, the notification was due to enabling https on “system setting >> protocol”.

So I re-ran “openproject configure”, and the configuration went back to default. That solved my problem.

RE: Update 7.4.3 to 7.4.4: Unable to verify Cross-Site Request Forgery token. - Added by Patrick Hough almost 4 years ago

I can say that Hilfan's solution worked for me at least.

In my case I inherited an OpenProject installation and was working on moving it into a container like the rest of our tools. I didn't know at the time, but the https setting was enabled, and it seems its value is stored in the database, so any time I restored a backup of the old version it would assume it's running on https (it wasn't), giving me the CSRF error.

My upgrade path consisted of restoring the backup data to a container running OpenProject 7.4.3 (which doesn't enforce secure cookies), logging in as admin, switching the flag to http only, and then upgrading the container to version 8. This picked up the change in the database and I was able to log in without the CSRF warning.

RE: Update to 7.4.4+: Unable to verify Cross-Site Request Forgery token. - Added by Mauricio Čulibrk over 3 years ago

I recently upgraded my dockerized OpenProject from version 6.1.4 to the latest "packaged" 8.0.1 (still running in the container) and the 422 errors started popping up.

I followed the previous instructions and managed to make it "work" (somehow), but I still get occasional 422 errors, mainly on login. The interesting thing is that sometimes just refreshing the page (after the error) shows the "right content" and seems to work normally... until it throws the 422 again...

In my config I have a "double proxy" configuration like this:

internet --> HTTPS:443 FrontEnd (Apache) --> HTTP:40004 Backend (Apache) --> HTTP:6000 Docker OP (Apache)

OpenProject has the "protocol" set to HTTP in Settings

Apache on the frontend has the RequestHeader set X-Forwarded-Proto "https"

I recreated the Op database from scratch as it simply would not work with the original/old DB regardless of the settings.

I also noticed a parameter in OP configuration (by executing openproject config)

OPENPROJECT_RAILS__FORCE__SSL=
RAILS_FORCE_SSL=

and tried to play with those too... without getting to some "definitive answer".

Can someone please tell me how all those parameters should be configured for normal OP operation in the setup mentioned above?

Thanks in advance!
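
The mechanism Oliver describes earlier in the thread (a session cookie flagged Secure is only written when the app believes the request arrived over TLS, and behind a proxy the app learns that from X-Forwarded-Proto), the protocol-setting cases Hilfan and Patrick ran into, and the chained-proxy layout in Mauricio's post can all be walked through with the following model. It is an added example, not part of this thread or of OpenProject's code. It assumes Rack's scheme precedence (X-Forwarded-Ssl: on, then the first X-Forwarded-Proto value, then the scheme of the app's own socket) and that the session cookie carries the Secure flag when the protocol setting is https or force_ssl is on; hop names, the scenario list and the "clobbering backend" case are constructed to show a generic pitfall of chained proxies, not a diagnosis of any poster's setup.

```python
"""Model of why a Rails app behind a TLS-terminating proxy stops writing its
session cookie. Added example for this thread; not OpenProject's code."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Hop:
    """One proxy in front of the app.
    scheme:          how the previous hop (or the browser) reached this proxy
    forwarded_proto: what the hop does with X-Forwarded-Proto:
                     None     - leaves the header untouched (nginx/Apache default)
                     "scheme" - sets it from its own scheme (nginx `$scheme`)
                     literal  - sets a fixed value (Apache `RequestHeader set ... "https"`)"""
    name: str
    scheme: str
    forwarded_proto: Optional[str] = None

def x_forwarded_proto_at_app(chain: List[Hop]) -> Optional[str]:
    """Header value that reaches the app after every hop; browsers never send it."""
    xfp = None
    for hop in chain:
        if hop.forwarded_proto == "scheme":
            xfp = hop.scheme                 # a plain-http inner hop overwrites "https" with "http"
        elif hop.forwarded_proto is not None:
            xfp = hop.forwarded_proto
    return xfp

def request_is_ssl(socket_scheme: str, xfp: Optional[str], x_forwarded_ssl: Optional[str] = None) -> bool:
    """Simplified Rack::Request#ssl? (assumption): X-Forwarded-Ssl: on wins, then the
    first X-Forwarded-Proto value, else the scheme of the socket the app listens on."""
    if x_forwarded_ssl == "on":
        return True
    if xfp:
        return xfp.split(",")[0].strip().lower() == "https"
    return socket_scheme == "https"

def session_cookie_written(protocol_setting: str, force_ssl: bool, ssl_request: bool) -> bool:
    """Assumption: the cookie is flagged Secure when the protocol setting is https or
    force_ssl is on. Rails only emits a Secure cookie when request.ssl? is true, so
    'app configured for https' + 'request looks like http' means no cookie at all."""
    secure = protocol_setting == "https" or force_ssl
    return ssl_request or not secure

def diagnose(chain: List[Hop], protocol_setting: str = "https",
             force_ssl: bool = False, app_scheme: str = "http") -> dict:
    """Walk the chain and report whether the login POST can pass the CSRF check."""
    xfp = x_forwarded_proto_at_app(chain)
    ssl = request_is_ssl(app_scheme, xfp)
    written = session_cookie_written(protocol_setting, force_ssl, ssl)
    return {
        "x_forwarded_proto": xfp,
        "app_sees_ssl": ssl,
        "cookie_written": written,
        "verdict": "login works" if written
                   else "422: session cookie never set, CSRF token cannot be verified",
    }

# Constructed scenarios: (proxy chain, OpenProject protocol setting)
SCENARIOS = {
    "nginx terminates TLS, header not forwarded":          ([Hop("nginx", "https")], "https"),
    "nginx with proxy_set_header X-Forwarded-Proto $scheme": ([Hop("nginx", "https", "scheme")], "https"),
    "plain http install, protocol setting left at https":  ([Hop("nginx", "http", "scheme")], "https"),
    "double proxy, inner hop rewrites header from own scheme":
        ([Hop("front", "https", "https"), Hop("back", "http", "scheme")], "https"),
    "double proxy, inner hop leaves header untouched":
        ([Hop("front", "https", "https"), Hop("back", "http")], "https"),
}

def run_all() -> dict:
    """Scenario name -> whether the session cookie gets written."""
    return {name: diagnose(chain, proto)["cookie_written"] for name, (chain, proto) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (chain, proto) in SCENARIOS.items():
        d = diagnose(chain, proto)
        print(f"{name}: X-Forwarded-Proto={d['x_forwarded_proto']} -> {d['verdict']}")
```

The point the model makes about a chain of proxies is that only the hop that actually terminates TLS should decide the value; every inner hop must pass the header through unchanged, and an inner nginx with `$scheme` on a plain-http listener turns "https" back into "http" before the app sees it.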

RE: Update 7.4.3 to 7.4.4: Unable to verify Cross-Site Request Forgery token. - Added by Pedro Paulo Palazzo over 3 years ago

I faced the same CSRF issue as Mauricio until I set the first backend step to HTTPS and copied the certificate from the frontend to the backend. However, once I do that, I get a different problem: all requests are redirected to the backend's private IP address — which obviously fails to resolve if the user is not in the same internal network.

RE: Update 7.4.3 to 7.4.4: Unable to verify Cross-Site Request Forgery token. - Added by Pierre Roukens over 3 years ago

Just to add to the discussion: I'm running OpenProject 8.0.2 and have the same error, although only with Chrome. Firefox and IE work without any problems.

I use pfSense with HAproxy and the X-Forwarded-proto https is set and the _open_project_session cookie is created. Clearing the sessions, deleting the cache and cookie doesn't resolve this. The openproject log says "Can't verify CSRF token authenticity.".

Any suggestions?

RE: Update 7.4.3 to 7.4.4: Unable to verify Cross-Site Request Forgery token. - Added by Pierre Roukens over 3 years ago

Sorry, solved it. I just checked the protocol setting in OpenProject and it was reset to http (during upgrade?). Setting it to https solved it in Chrome.
