Content
Added by Thomas Roder about 4 years ago
I need some help, urgently if possible!
I just updated OpenProject from 7.4.3 to 7.4.4 as described here .
Now, I cannot login anymore, with any account. I get this message:
Unable to verify Cross-Site Request Forgery token. The OpenProject cookie is missing. Please ensure that cookies are enabled, as this application will not properly function without.
I get log entries such as these:
W, [2018-05-30T12:25:04.020020 #13257] WARN -- : [auth_saml] Missing settings from '/opt/openproject/config/plugins/auth_saml/settings.yml', skipping omniauth registration.
W, [2018-05-30T12:25:04.204836 #13257] WARN -- : hook registered
W, [2018-05-30T12:25:05.601244 #13257] WARN -- : Creating scope :order_by_name. Overwriting existing method Sprint.order_by_name.
W, [2018-05-30T12:25:19.893569 #13331] WARN -- : Can't verify CSRF token authenticity.
Full logs: https://pastebin.com/y3kD6PMy
My system: Ubuntu 16:04, packaged installation. Only irregularity: Nginx 1.14.0 instead of Apache.
I already tried: Reboots, reconfigure OpenProject, restarting memcached service, different browsers and private modes.
#EDIT:
I downgraded to 4.3.3 as follows: sudo apt-get install openproject=7.4.3-1523266776.fea7c3d7.xenial sudo openproject configure
Now it works again. I wonder what went wrong! But I’m afraid to update…
Replies (12)
I have exactly the same problem, also with Ubuntu 16.04.
I’m using Apache in version 2.4.33-1+ubuntu16.04.1+deb.sury.org+1
The solution to downgrade to 7.4.3 worked for me.
I can confirm that 7.4.5 does not resolve the problem.
Dear Martin, Thomas,
please see my response here: https://community.openproject.com/topics/9407?r=9410#message-9410
You’re running on https but your reverse proxy does not receive the X-Forwarded-Proto ‘https’ header, and in turn the secure cookie is not transmitted.
Best,
Oliver
Thank you very much, this solved the problem!
I had to add this line to my nginx-configuration:
proxy_set_header X-Forwarded-Proto $scheme;For reference, here’s my entire nginx-config, anonymized:
#/etc/nginx/sites-enabled/openproject_nginx.conf upstream backend { server 127.0.0.1:6000 fail_timeout=0; } server { listen 443 ssl default_server; server_name projects.example.com; ssl on; ssl_certificate_key /etc/ssl/private/example.key; ssl_certificate /etc/ssl/certs/projects.example.com.2017.crt.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; root /opt/openproject/public; try_files $uri/index.html $uri @backend; location @backend { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-Proto $scheme; proxy_redirect off; proxy_pass http://backend; } error_page 500 502 503 504 /500.html; client_max_body_size 4G; keepalive_timeout 10; } # redirect all http:// requests to https:// server { listen 80; listen [::]:80; server_name _; return 301 https://$host$request_uri; }Hi Thomas,
great to hear! I’ll add that as a note to the manual installation.
Best,
Oliver
I can confirm that the solution is working with Apache 2.4 and https:
Inside the Virtualhost I could set:
and reload Apache.
Thank you for your help!
I can confirm that Thomas Roder’s configuration worked for me.
I have Debian 9 with nginx and it worked fine. Then i installed php7.0-fpm and i got the 422 error after the server rebooted. Maybe it has to do with this. Had the same problem on another machine, where i only updated Plesk and couldn’t figure the issue.
Now its working. My config looks like this:
location / { gzip off; proxy_redirect off; proxy_http_version 1.1; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://127.0.0.1:6000; }In my case, the notification was due when I enable https on “system setting >> protocol”
So I re-run “openproject configure”, and the configuration back to default. That can solve my problem
I can say that Hilfan's solution worked for me at least.
In my case I inherited an open project installation and was working on moving it into a container like the rest of our tools. I didn't know at the time but the https setting was enabled and it seems like its value is stored in the database so any time I restored a backup of the old version, it would assume it's running on https (it wasn't), giving my the CSRF error.
My upgrade path consisted of restoring the backup data to a container running open project 7.4.3 (which doesn't enforce secure cookies), logging in as admin, switching flag to only http, and then upgrading the container to version 8. This picked up the change in the database and I was able to log in without the CSRF warning.
I recently upgraded my dockerized OpenProject from version 6.1.4 to the last "packaged" 8.0.1 (still running in the container) and the 422 errors start popping up.
I followed previous instructions and managed to made it "work" (somehow) but i still get occasional 422 errors mainly on login. The interesting thing is that sometimes just refreshing the page (after error) shows the "right content" and seems to work normally... until it throws the 422 again...
In my config I have a "double proxy" configuration like this:
OpenProject has the "protocol" set to HTTP in Settings
Apache on the frontend has the RequestHeader set X-Forwarded-Proto "https"
I recreated the Op database from scratch as it simply would not work with the original/old DB regardless of the settings.
I also noticed a parameter in OP configuration (by executing openproject config)
and tried to play with those too... without getting to some "definitive answer".
Can someone, please, tell how should all those parameters be configured for normal OP operation in the before mentioned setup?
Thanks in advance!
I faced the same CSRF issue as Mauricio until I set the first backend step to HTTPS and copied the certificate from the frontend to the backend. However, once I do that, I get a different problem: all requests are redirected to the backend's private IP address — which obviously fails to resolve if the user is not in the same internal network.
Just to add to the discussion. I'm running OpenProject 8.0.2. and have the same error, although only with Chrome. Firefox and IE work without any problems.
I use pfSense with HAproxy and the X-Forwarded-proto https is set and the _open_project_session cookie is created. Clearing the sessions, deleting the cache and cookie doesn't resolve this. The openproject log says "Can't verify CSRF token authenticity.".
Any suggestions?
Sorry, solved it. I just checked the protocol setting in OpenProject and it was reset to http (during upgrade?). Setting it to https solved it in Chrome.