422 CSRF token problem
Added by Alex Z over 6 years ago
Hi, I deployed OpenProject latest Docker version and now I have this problem:
422
Unable to verify Cross-Site Request Forgery token. The OpenProject cookie is missing. Please ensure that cookies are enabled, as this application will not properly function without.
I checked cookies and found that the session cookie is not set in the browser.
I don't know what the reason for that can be, as I tried to deploy a simple application that just sets a cookie header in the same environment, and it works without problem.
Do you have any suggestions?
OpenProject was deployed with the following env vars:
- name: "SECRET_KEY_BASE"
  value: ""
- name: "SMTP_ADDRESS"
  value: ""
- name: "SMTP_PORT"
  value: "25"
- name: "SMTP_DOMAIN"
  value: ""
- name: "SMTP_AUTHENTICATION"
  value: "plain"
- name: "SMTP_ENABLE_STARTTLS_AUTO"
  value: "true"
- name: "DATABASE_URL"
  value: "postgres://openproject:openprojectADMIN@openproject-postgree/openproject"
Replies (4)
Version 7.4.3 helped to remove this problem.
Was there something related to GDPR? Because of it the cookie was not saved, and other things.
Hi Alex,
v7.4.5 enforces the cookie secure flag at all times when your instance is running on SSL.
You can verify that this is indeed the issue when OpenProject does not output a cookie _open_project_session (ensure you cleared previous cookies).
This is the offending line: https://github.com/opf/openproject/compare/v7.4.4…v7.4.5#diff-ae8f555b82c0416edbcf62c9c1a5b73bR40
If you remove
secure: ...,
and restart the server, it should work (only use this for confirming the issue, see actual fix below!).
To fix this, you need to ensure that if you run on https, you set the X-Forwarded-Proto header in your Apache configuration. The packaged installation does that automatically:
RequestHeader set X-Forwarded-Proto "https"
Best,
Oliver
I’m posting this message just for future reference.
I faced the same problem with nginx instead of Apache. Had to add this line to my nginx config file:
proxy_set_header X-Forwarded-Proto $scheme;
See full thread: https://community.openproject.com/topics/9404?r=9439#message-9439
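The failure mode the two replies above describe (the app refusing to emit its Secure session cookie when the reverse proxy does not tell it the request arrived over TLS, and the fix of forwarding X-Forwarded-Proto from Apache or nginx) can be modelled and checked locally. The Python below is an added example, not OpenProject's, Rails' or this thread's code: `request_is_ssl` and `session_cookie_written` are a simplified model (an assumption, not the framework's source) of how Rack and ActionDispatch decide whether a Secure cookie is written, and the two response header blocks are constructed samples of what `curl -sD - -o /dev/null https://host/login` might return.

```python
"""Added example: model of Secure-cookie behaviour behind a reverse proxy,
plus a checker for a captured HTTP response header block.
Not OpenProject's or Rails' own code; the decision rules are a simplified
model (assumption) of what Rack and ActionDispatch do."""
from dataclasses import dataclass
from typing import Optional

SESSION_COOKIE = "_open_project_session"


@dataclass
class Request:
    scheme: str                            # scheme the Rails app itself saw on its socket
    forwarded_proto: Optional[str] = None  # X-Forwarded-Proto set by the proxy, or absent


def request_is_ssl(req: Request) -> bool:
    """Simplified model (assumption) of Rack's ssl? check: the request counts as
    TLS if the app's own connection is https, or if X-Forwarded-Proto says so."""
    if req.scheme.lower() == "https":
        return True
    if req.forwarded_proto:
        # The header may list several hops; the first (client-facing) one wins.
        return req.forwarded_proto.split(",")[0].strip().lower() == "https"
    return False


def session_cookie_written(req: Request, secure_flag: bool) -> bool:
    """Simplified model (assumption) of ActionDispatch's rule: a cookie flagged
    Secure is only written to the response when the request is considered TLS;
    otherwise it is silently dropped, which is what produces the 422 on the
    next form submission (no session, so no CSRF token to verify against)."""
    return request_is_ssl(req) or not secure_flag


def find_session_cookie(raw_headers: str) -> Optional[dict]:
    """Scan a raw response header block for the session cookie and return its
    attributes, or None when the app did not emit it at all."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue
        cookie, *attrs = [part.strip() for part in value.split(";")]
        cookie_name = cookie.partition("=")[0].strip()
        if cookie_name == SESSION_COOKIE:
            flags = {attr.lower() for attr in attrs}
            return {"secure": "secure" in flags, "httponly": "httponly" in flags}
    return None


# Constructed sample responses: one from a correctly proxied instance, one
# from an instance whose proxy does not forward X-Forwarded-Proto.
HEALTHY_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: _open_project_session=abc123; path=/; secure; HttpOnly
X-Frame-Options: SAMEORIGIN
"""

BROKEN_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
"""


def diagnose(raw_headers: str) -> str:
    """Turn a captured header block into the check Oliver describes above."""
    cookie = find_session_cookie(raw_headers)
    if cookie is None:
        return (f"no {SESSION_COOKIE} cookie in response: check that the proxy "
                f"forwards X-Forwarded-Proto: https")
    if not cookie["secure"]:
        return "session cookie present but not Secure: instance thinks it runs on plain http"
    return "session cookie present with Secure flag: proxy headers look correct"


if __name__ == "__main__":
    # TLS terminated at the proxy: the app sees plain http on its own socket.
    print(session_cookie_written(Request("http"), secure_flag=True))           # False -> 422
    print(session_cookie_written(Request("http", "https"), secure_flag=True))  # True
    print(diagnose(BROKEN_RESPONSE))
    print(diagnose(HEALTHY_RESPONSE))
```

To use the checker against a live instance, save the headers of a GET on the login page (for example with `curl -sD headers.txt -o /dev/null https://host/login`) and pass the file contents to `diagnose`; a missing `_open_project_session` cookie after clearing old cookies is the symptom both replies point at, and the fix is the proxy header line given above, not removing the `secure:` option.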
Hello - I upgraded from OP 7.4 --> 8.1 and have run into this issue. I added the X-Forwarded-Proto header to my Apache 2 config, but still get the error. I cannot access the instance through the web interface at all: a 422 error for all valid login users, including admin. This is on a Univention server; it was running perfectly before, using https. Thanks for help.