
CSRF check failed #25927

Closed
sonanchenko opened this issue Aug 24, 2016 · 81 comments

sonanchenko commented Aug 24, 2016

Dear Colleagues,

STR:

  1. Update to 9.1 version
  2. Try to log in using https://myhost/owncloud

Expected result:
Logged in

Actual result:
I receive "Access denied. CSRF check failed" after I click Enter.

The strange thing is that for the http version everything is fine.

I've also switched to 9.2 alpha and now have owncloud-files-9.2.0-0.1.1.prealpha.20160822.noarch, but the issue is still in place.

Similar issues were discussed in #25557 and #25799 but @PVince81 asked me to create a new issue.

Here are the tech details:

OS: CentOS 6.8 x64
WebServer: httpd=2.2.27
DB: MariaDB-server-10.1.16
PHP: 5.5.38
Owncloud version: 9.2.0-0.1.1.prealpha.20160822 updated from 9.1 and older ones

APPS:

root /var/www/html/owncloud # sudo -u owncloud php occ app:list
Enabled:

  • calendar: 1.3.2
  • comments: 0.3.0
  • dav: 0.2.5
  • direct_menu: 0.8.1
  • encryption: 1.3.0
  • federatedfilesharing: 0.3.0
  • federation: 0.1.0
  • files: 1.5.1
  • files_excel_reader: 0.1.0
  • files_mv: 0.8.2
  • files_sharing: 0.10.0
  • files_trashbin: 0.9.0
  • files_versions: 1.3.0
  • provisioning_api: 0.5.0
  • systemtags: 0.3.0
  • tasks: 0.9.2
  • updatenotification: 0.2.1

Disabled:

  • activity
  • bookmarks
  • calendarplus
  • contacts
  • documents
  • external
  • files_antivirus
  • files_external
  • files_pdfviewer
  • files_texteditor
  • files_videoplayer
  • firstrunwizard
  • gallery
  • galleryplus
  • notifications
  • ojsxc
  • ownnote
  • sharelinks
  • tasksplus
  • templateeditor
  • user_external
  • user_ldap
  • vids

CONFIG:
root /var/www/html/owncloud # sudo -u owncloud php occ config:list system
{
"system": {
"debug": true,
"instanceid": "ocjl3amsodm7",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"mydomain.com"
],
"datadirectory": "/var/www/html/owncloud/data",
"overwrite.cli.url": "https://mydomain.com/owncloud",
"dbtype": "mysql",
"version": "9.2.0.1",
"dbname": "owncloud",
"dbhost": "localhost",
"dbtableprefix": "oc_",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"forcessl": true,
"forceSSLforSubdomains": true,
"mail_from_address": "root",
"mail_smtpmode": "php",
"mail_domain": "mydomain.com",
"theme": "",
"maintenance": false,
"loglevel": 1,
"trashbin_retention_obligation": "auto",
"updatechecker": false,
"htaccess.RewriteBase": "/owncloud"
}
}

As for logs: there are no new lines in owncloud.log, and in the httpd logs and the browser ones there was no info about the error either.


Please check, and do not hesitate to ask if any additional information is required.

@PVince81
Contributor

Can you check your access log and see whether it's using http or https when posting the login form?
The CSRF token is stored in the session, which is handled by the cookies. If the form is posted to a different domain / protocol, the session would be a different one and the CSRF token wouldn't match.

So far it looks like an environment/config issue. I assume you already checked http://central.owncloud.org/ and the forums for similar issues? (https + csrf)

@sonanchenko
Author

Hi,
Sorry for re-opening.

I've checked logs - in httpd logs I see that everything is handled by https:

[26/Aug/2016:19:12:54 +0300] 31.135.132.106 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /owncloud/index.php/login HTTP/1.1" 8965
[26/Aug/2016:19:12:55 +0300] 31.135.132.106 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /owncloud/index.php/core/js/oc.js?v=e2c0a62bf817618e92f96d24613b7250 HTTP/1.1" 3934
[26/Aug/2016:19:12:56 +0300] 31.135.132.106 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /owncloud/core/vendor/jquery/dist/jquery.min.map HTTP/1.1" 127576
[26/Aug/2016:19:12:58 +0300] 31.135.132.106 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /owncloud/cron.php HTTP/1.1" 20

Also, I have not found any useful info on central.owncloud.org that may be connected with my issue.
(I've only added opcache.save-comments that is suggested at https://central.owncloud.org/t/known-problems-with-php-webserver-modules-or-configs/835)

Could you please help me with my issue?

I appreciate any help you can provide. What other info about my system can be useful?

mmattel (Contributor) commented Sep 1, 2016

After reinstalling 9.1 from scratch, I got the same error one time when trying to log on. When retrying it worked and I have no clue why. My working nginx config did not change between killing and reinstalling the instance.

@sonanchenko
Author

hi2all

Any updates on this issue?
9.2 alpha is also affected by this issue (

@PVince81
Contributor

Could you guys all post your configs so we can see what is similar?

From the first config I see this:

"forcessl": true,
"forceSSLforSubdomains": true,

I suppose you're all using the exact same options?

@thommierother

The issue is still present in the just released 9.1.1 (session cookies were cleared before testing).
I only use

'forcessl' => true,

but not "forceSSLforSubdomains". I disabled and enabled the forcessl value, no difference. Note that this Apache itself has a rewrite rule for https:

RewriteRule ^/owncloud(.*) https://%{SERVER_NAME}/owncloud$1 [R,L]

So forcessl inside OC is not really necessary in my case.
Is there any option to log the login procedure?

lolnerd commented Sep 22, 2016

Here is my config regarding the "CSRF check failed" issue, after upgrading from 9.0 to 9.1 and persistent after upgrade to 9.1.1:

root@mydomain:/var/www/owncloud# sudo -u www-data php occ config:list system
{
"system": {
"updatechecker": false,
"instanceid": "ocwnXXXXXXX",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"mydomain.com"
],
"datadirectory": "/var/www/owncloud/data",
"overwrite.cli.url": "https://cloud.mydomain.com",
"dbtype": "mysql",
"version": "9.1.1.3",
"dbname": "ownclouddb",
"dbhost": "localhost",
"dbtableprefix": "oc_",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"logtimezone": "UTC",
"installed": true,
"mail_from_address": "info",
"mail_smtpmode": "php",
"mail_domain": "cloud.mydomain.com",
"maintenance": false,
"loglevel": 3,
"htaccess.RewriteBase": "/",
"theme": ""
}
}

ycollet commented Sep 27, 2016

I have the same problem here with 9.1.1.
"Access forbidden
CSRF check failed"

after successful login.

ycollet commented Sep 27, 2016

I found an old topic related to CSRF check failed in the forum:
https://forum.owncloud.org/viewtopic.php?f=26&t=21889&start=10

lep86 commented Sep 28, 2016

That doesn't work. I have the same problem with OC 9.1.1, fresh install on Ubuntu 16.04 LTS.

takenek commented Sep 30, 2016

Same problem here: just upgraded from 9.0.2 to 9.1.0 and got CSRF check failed....

ycollet commented Sep 30, 2016

I rebooted my server and everything went fine. I don't know if this was due to an openssl update ...

tudorthe1ntruder commented Oct 2, 2016

I was having the same issue from an out-of-the-box installation on CentOS and discovered that 2 cookies which were set when first accessing the login page had the "Secure" flag on.
Because I had not installed the SSL certificate at that time and was running on a plain HTTP connection, I realized that the browser was simply not sending the cookies to the server due to the "Secure" flag.

This is a bug for non-SSL installations; the Secure flag should not be set when plain HTTP is used by ownCloud.

takenek commented Oct 2, 2016

No, my server uses only SSL and gets this issue.
take a look: https://owncloud.taken.pl

lep86 commented Oct 4, 2016

no solutions? :(

lolnerd commented Oct 4, 2016

I'm also on an SSL-only installation and still get this error.

@PVince81 PVince81 added this to the 9.1.2 milestone Oct 4, 2016
PVince81 (Contributor) commented Oct 4, 2016

Can someone provide exact steps how to reproduce this on a local test instance?
In addition to config.php, also provide the Apache configs (SSL, ports, etc.) and the URLs (including protocol) that were used when logging in, and also which URLs they get redirected to.

Alternative: provide a Docker or Vagrant VM where the issue is happening, to make debugging easier.

Thanks

ghost commented Oct 4, 2016

If I use the Firefox browser (https://myowncloud on Debian) I obtain the "Access forbidden CSRF check failed". If I use the Chrome browser (same address, same Ubuntu PC) I can log in!

ghost commented Oct 4, 2016

Hello again: the Firefox extension "owncloud bookmark 0.0.6" generates this error! I removed the extension and I can log in again on my owncloud server!

@tomascohen

@PVince81 I've come across this on a setup in which the front-end reverse proxy is applying the SSL layer and the request is forwarded to a non-SSL apache server. So I guess this is a problem with how headers reach the CSRF check code.

tomascohen commented Oct 8, 2016

@PVince81 I also wonder if it is related to issue #25692

@Amourspirit

I installed a fresh copy ver 9.1.1.3 today on Bluehost in a subdomain.
Everything seemed to work fine. but I did not log out and log back in until I added Encryption.

After enabling encryption it took 10 or 15 minutes before I could get logged back in. After I was able to log in again I created a new group and added a new user to that group.

I logged out to try logging in as the new user. That is when I got the "Access forbidden CSRF check failed" error. Now I can't log into the admin account or user account without getting the same error.

Strangely enough, it seems I can log in randomly on the admin account if I let enough time go by, perhaps 20 min or more. This only worked a couple of times, and as soon as I logged out I got the same error when trying to log in again.

I tried multiple browsers and private browsing all with the same results.

Amourspirit commented Oct 11, 2016

I just installed ownCloud linux client in Ubuntu 16.04.

I set it to log in as the new user I created that I had mentioned in my previous post. The client logged in with no problem and file sharing works. Not sure why I can't log in via the web interface.

I was just able to log in as administrator into the web interface but not as the user that I created.
I am afraid to log out lol.

lolnerd commented Oct 14, 2016

I just upgraded to 9.1.1-1.2 (from 9.1.1-1.1) via the package manager on Ubuntu 16.04. The issue still persists. The funny thing is, I can log in to the web interface as the administrator user, but not as a non-privileged user. This one gets the "CSRF check failed" message.

GStep100 commented Oct 19, 2016

Hi, I was having this issue as well and thought I would add what I found to see if it helps anyone else.

Similar to the above, I was having an issue with logging in with my normal user account but not the admin account. @sorintelecom's comment regarding browser plugins got me thinking about the 1Password extension that I use, and so rather than using the auto fill I manually entered my username and password with the "Remember Me" checkbox unchecked. This allowed me to log in.

I then did another test, logged out, logged back in but this time ticking the "Remember Me" checkbox, I was surprised to see the page submit and log me in without using the submit arrow. This got me wondering if there was a conflict between the checkbox auto-submit and the way 1password also submits the page once it has filled the details.

To test this I disabled submission of the page for that login in 1password and sure enough, it filled in the username and password, and because it checks the box, the page still auto-submitted but without failing, i.e. I was logged in. The reason, I suspect, that the admin username continued to work is because that does not check the box.

Could this be a change in behaviour between 9.0.4 (my previously installed version) and 9.1.1 (as is now installed) and an issue with browser plugins?

A failed log in from the Apache logs looks like:

[user@owncloud owncloud]# tail -n 0 -f access_log
xxx.xxx.xxx.xxx - - [19/Oct/2016:11:00:37 +0100] "POST /owncloud/index.php/login HTTP/1.1" 303 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
xxx.xxx.xxx.xxx - - [19/Oct/2016:11:00:37 +0100] "POST /owncloud/index.php/login HTTP/1.1" 412 1564 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
xxx.xxx.xxx.xxx - - [19/Oct/2016:11:00:37 +0100] "GET /owncloud/index.php/core/js/oc.js?v=984cea3a515441a65153e08a8fd32983 HTTP/1.1" 200 992 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"

The successful one looks like:

[user@owncloud owncloud]# tail -n 0 -f access_log
xxx.xxx.xxx.xxx - - [19/Oct/2016:11:01:59 +0100] "POST /owncloud/index.php/login HTTP/1.1" 303 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
xxx.xxx.xxx.xxx - - [19/Oct/2016:11:01:59 +0100] "GET /owncloud/index.php/apps/files/ HTTP/1.1" 200 4877 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
xxx.xxx.xxx.xxx - - [19/Oct/2016:11:02:00 +0100] "GET /owncloud/index.php/core/js/oc.js?v=984cea3a515441a65153e08a8fd32983 HTTP/1.1" 200 992 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
xxx.xxx.xxx.xxx - - [19/Oct/2016:11:02:01 +0100] "GET /owncloud/index.php/apps/gallery/config?extramediatypes=1 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
xxx.xxx.xxx.xxx - - [19/Oct/2016:11:02:01 +0100] "GET /owncloud/ocs/v2.php/apps/notifications/api/v1/notifications?format=json HTTP/1.1" 200 81 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
xxx.xxx.xxx.xxx - - [19/Oct/2016:11:02:01 +0100] "PROPFIND /owncloud/remote.php/webdav/ HTTP/1.1" 207 727 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
xxx.xxx.xxx.xxx - - [19/Oct/2016:11:02:01 +0100] "GET /owncloud/index.php/apps/files/ajax/getstoragestats.php?dir=%2F HTTP/1.1" 200 177 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
xxx.xxx.xxx.xxx - - [19/Oct/2016:11:02:01 +0100] "GET /owncloud/index.php/core/preview.png?file=%2FownCloud+Manual.pdf&c=9ee461e743d7e5f2be57975a5f5bd500&x=32&y=32&forceIcon=0 HTTP/1.1" 404 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"

Let me know if anything else would be useful.

@thomasaurich

I just upgraded from ownCloud 9.0.1.3 to 9.1.1.3. After the occ upgrade I got the CSRF failure as well. My colleague simultaneously looked into it and noticed the missing /temp folder in the upgraded version. Created one and set permissions and it worked like a charm (leaving the "failed integrity checks" aside ... but that's another story).

@PVince81 PVince81 removed this from the 9.1.5 milestone Apr 13, 2017
@ghost ghost mentioned this issue May 18, 2017
@PVince81 PVince81 modified the milestones: backlog, 9.1.6 May 29, 2017
@phil-davis
Contributor

Note that "CSRF check failed" has been noticed intermittently on Travis-Saucelabs UI test runs; see the description in issue #28920 and a sample cut-down pair of test scenarios in PR #29028.
The direct issue with the UI test runs has been worked around by doing more consistent test steps, PR #29033.
Also, another interesting "feature" of the issue in the UI tests was that it did not happen on Firefox (47.0) but did happen on Chrome 61, and less often on Chrome 60.

Maybe some of the above will give someone a clue about where to look to find this, or at least a way to reproduce it if they think they have code to fix.

@ryanknutson

This happened to me, and turned out that I needed to apt install owncloud-files, as the package was getting held back. This removed the package 'owncloud' and replaced it with 'owncloud-files'. I then upgraded to the latest version (10.0.3). Things work now.

@thommierother

I observed this issue soon after upgrade from 9.1.6 to 10.0.3. All php config checks mentioned by ghost at 24 Nov 2016 were already set. The only solution was to delete the complete php session cache files from /var/lib/php/sessions. This should be mentioned in the upgrade documentation.

ckhung commented Sep 29, 2017

Just a quick note for those who might have made the same mistake as me: after seeing @sorintelecom's note, I also tried Chromium and then realized that it was because I was fiddling with privacy options in Firefox and inadvertently disabled all cookies. For me, re-enabling cookies in Firefox solved the problem. Maybe if owncloud's code checked for the ability to write a cookie and printed a clearer error message, it would be easier to debug further problems?

cars10 commented Oct 4, 2017

Edit: solved! See below.
I still experience the same issue and cannot find a way to fix it.
I was on 9.1.6, and the issue already persisted there. I then upgraded to 10.0.3.3 (via apt-get install owncloud-files).

What I tried:

  • Increase loglevel and enable debugging. The logs in data/owncloud.log are super unhelpful, no permissions error or anything else, just the following:
{"reqId":"xu2e8nA4q5YXRPPcBKXH","level":0,"time":"2017-10-04T12:17:29+00:00","remoteAddr":"46.87.94.36","user":"--","app":"no app in context","method":"POST","url":"\/login","message":"CSRF check failed"}

I am completely lost right now. Any hints on what I could try?

Edit: solved! Thanks to #25927 (comment) it works now. Steps:

  • Create temp folder in your owncloud dir
  • set permissions

PVince81 (Contributor) commented Nov 6, 2017

Raised #29462 to make error more user friendly in case it happens on the login page.

bobalo2 commented Dec 4, 2017

I am also having this problem on my newly installed owncloud instance v. 10.0.03.
I tried everything from the above mentioned fixes. I'm unsure about the session save path configuration, as I changed its permissions with the root user, and I am unsure how to change it as the application's user.
Please advise.
Running owncloud via cPanel / Softaculous on CentOS.

issic commented Jan 9, 2018

Solved:
I couldn't find a solution, but then discovered that this was in my VirtualHost /etc/apache2/vhost/ip-based.config:
Header edit Set-Cookie ^(.*)$ ;HttpOnly;Secure

Comment it out with # or remove it and it's good to go.
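The two cookie-side failure modes reported in this thread, tudorthe1ntruder's Secure-flagged cookies on an install still served over plain http and issic's `Header edit Set-Cookie ^(.*)$ ;HttpOnly;Secure` directive, as an added Python diagnostic that is not part of the issue or of ownCloud's own code. It models a browser's Set-Cookie handling (RFC 6265) and Apache mod_headers' `Header edit` substitution, whose replacement string expands `$1` to the captured group, so a replacement that omits `$1` throws the whole cookie away. The cookie values, hostnames and form URL are constructed; the session cookie name reuses the instanceid from the first config in the thread.

```python
import re
from typing import Dict, List, NamedTuple, Optional
from urllib.parse import urlsplit


class Cookie(NamedTuple):
    name: str
    value: str
    secure: bool


def apache_header_edit(header_value: str, pattern: str, replacement: str) -> str:
    """Model `Header edit <hdr> <pattern> <replacement>`: Apache replaces the first
    regex match and expands $1..$9; a replacement without $1 discards the whole value."""
    py_repl = re.sub(r"\$(\d)", r"\\\1", replacement)  # turn $1 into \1 for re.sub
    return re.sub(pattern, py_repl, header_value, count=1)


def parse_set_cookie(header_value: str) -> Optional[Cookie]:
    """Parse one Set-Cookie value; None means a browser ignores it entirely
    (RFC 6265 section 5.2: no '=' or an empty cookie name)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name:
        return None
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return Cookie(name, value, "secure" in attrs)


def diagnose_login_post(page_url: str, form_action: str,
                        set_cookie_headers: List[str]) -> Dict[str, str]:
    """Say, per cookie the login page set, whether the browser returns it on the
    login POST or why not; the session (and its CSRF token) lives in those cookies."""
    page, post = urlsplit(page_url), urlsplit(form_action)
    verdict: Dict[str, str] = {}
    for raw in set_cookie_headers:
        c = parse_set_cookie(raw)
        if c is None:
            verdict[raw] = "rejected: malformed Set-Cookie (no name=value)"
        elif post.hostname != page.hostname:
            verdict[c.name] = f"not sent: form posts to another host ({post.hostname})"
        elif c.secure and post.scheme != "https":
            verdict[c.name] = "not sent: Secure cookie, but the POST is plain http"
        else:
            verdict[c.name] = "sent"
    return verdict


def csrf_would_fail(verdict: Dict[str, str]) -> bool:
    """Any cookie the browser does not return means a fresh session: 'CSRF check failed'."""
    return any(v != "sent" for v in verdict.values())


if __name__ == "__main__":
    # Constructed Set-Cookie values modelled on an ownCloud login page (instanceid from the thread).
    raw = ["ocjl3amsodm7=4f2a9c; Path=/owncloud; HttpOnly; Secure",
           "oc_sessionPassphrase=9b1ce0; Path=/owncloud; HttpOnly; Secure"]
    # Case 1: Secure cookies on an install still served over plain http.
    v = diagnose_login_post("http://myhost/owncloud",
                            "http://myhost/owncloud/index.php/login", raw)
    print(csrf_would_fail(v), v)
    # Case 2: the vhost directive quoted in the thread, applied as Apache applies it.
    print([apache_header_edit(h, r"^(.*)$", ";HttpOnly;Secure") for h in raw])
    # Case 3: the same directive with the $1 backreference keeps the cookie intact.
    print(apache_header_edit(raw[0], r"^(.*)$", "$1;HttpOnly;Secure"))
```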

@ownclouders
Contributor

Hey, this issue has been closed because the label status/STALE is set and there were no updates for 7 days. Feel free to reopen this issue if you deem it appropriate.

(This is an automated comment from GitMate.io.)

@PVince81
Contributor

Please note that since 10.0.5 it is more user friendly and will ask for login again.

I'll leave this ticket closed unless someone finds a CSRF error case that is really a bug and not an environment issue.

alexolinux commented May 24, 2018

Error: CSRF check failed

This happens when we log out on owncloud.

Scenario:
owncloud (backend) - Apache http port 80
my frontend - https port 443

I have a virtualhost with a reverse proxy.

Solution:

Edit $HTML/owncloud/config.php

'overwrite.cli.url' => 'https://OWNCLOUD_IP/',
'overwriteprotocol' => 'https',
'forcessl' => true,

lock bot commented Jul 30, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Jul 30, 2019