[Bug 42066] New: CSRF-token sometimes missing from pages
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42066 Bug ID: 42066 Summary: CSRF-token sometimes missing from pages Initiative type: --- Sponsorship --- status: Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: OPAC Assignee: oleonard@myacpl.org Reporter: magnus@libriotech.no QA Contact: testopia@bugs.koha-community.org To reproduce in KTD: - In your console, keep an eye on the logs: $ sudo tail -f /var/log/koha/kohadev/plack*.log - Open the SCO main page (http://localhost:8080/cgi-bin/koha/sco/sco-main.pl) in your browser, but do not do anything there - Remove the path from the URL, in the address bar of your browser, so you just have http://localhost:8080/, and press enter - Use Ctrl+u or "developer tools" to view the source of the front page, search for "csrf" and verify the elements that should contain the csrf token are empty: <meta name="csrf-token" content="" /> <input type="hidden" name="csrf_token" value="" /> - Log in an verify you get an error like this: Error 403 This message can have the following reason(s): An unexpected error occurred while processing your request. - Check the logs and verify you have an error like this: ==> /var/log/koha/kohadev/plack-opac-error.log <== [2026/03/11 08:12:41] [WARN] Programming error - No CSRF token passed for POST http://localhost:8080/opac/opac-main.pl (referer: http://localhost:8080/) at /kohadevbox/koha/Koha/Middleware/CSRF.pm line 97. Moving from SCO to the main page like this is probably not something that happens too often, but perhaps there is some underlying problem that can also affect other parts of Koha? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42066 --- Comment #1 from Magnus Enger <magnus@libriotech.no> --- Hm, another weird thing: - Paste http://localhost:8080/cgi-bin/koha/sco/sco-main.pl into your address bar and press Enter - Edit the URL so you just have http://localhost:8080/ and press Enter - This presents the "Log in to your account" page - Do not edit the URL again, but click on it and press Enter again - This time the front page of the OPAC is displayed -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42066 Indranil Das Gupta <indradg@l2c2.co.in> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |indradg@l2c2.co.in -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42066 --- Comment #2 from Indranil Das Gupta <indradg@l2c2.co.in> --- @Magnus I probably faced something similar to this on 24.11.09: [2026/04/16 15:48:54] [WARN] Programming error - No CSRF token passed for POST https://opac.niser.ac.in/opac/opac-user.pl (referer: https://opac.niser.ac.in/cgi-bin/koha/opac-user.pl?has-search-query=) at /usr/share/koha/lib/Koha/Middleware/CSRF.pm line 97. In my case, I turned off the self_check perm given to the user and so far it looks like it is working. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42066 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au --- Comment #3 from David Cook <dcook@prosentient.com.au> --- @Magnus I think this will relate to the SCO "kick out" when you try to navigate to other parts of Koha. I imagine it's an order of operations issue in C4::Auth which will need looking at... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42066 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff Assignee|oleonard@myacpl.org |jonathan.druart@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42066 --- Comment #4 from Jonathan Druart <jonathan.druart@gmail.com> --- Created attachment 198519 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=198519&action=edit Bug 42066: Prevent 403 after an expired OPAC session If a session has expired, the login form will get an empty CSRF token and the login form will return 403 To recreate: hit /cgi-bin/koha/sco/sco-main.pl then hit /cgi-bin/koha/opac-main.pl login => 403 Apply this patch, try again => Success -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42066 --- Comment #5 from Jonathan Druart <jonathan.druart@gmail.com> --- Created attachment 198520 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=198520&action=edit Bug 42066: Add a Cypress test Patch from commit a8f75af -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42066 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42066 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #198519|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42066 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #198520|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42066 --- Comment #6 from David Nind <david@davidnind.com> --- Created attachment 198728 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=198728&action=edit Bug 42066: Prevent 403 after an expired OPAC session If a session has expired, the login form will get an empty CSRF token and the login form will return 403 To recreate: hit /cgi-bin/koha/sco/sco-main.pl then hit /cgi-bin/koha/opac-main.pl login => 403 Apply this patch, try again => Success Signed-off-by: David Nind <david@davidnind.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42066 --- Comment #7 from David Nind <david@davidnind.com> --- Created attachment 198729 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=198729&action=edit Bug 42066: Add a Cypress test Signed-off-by: David Nind <david@davidnind.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42066 Lisette Scheer <lisette@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lisette@bywatersolutions.co | |m QA Contact|testopia@bugs.koha-communit |nick@bywatersolutions.com |y.org | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42066 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=43037 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42066 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lucas@bywatersolutions.com --- Comment #8 from Jonathan Druart <jonathan.druart@gmail.com> --- *** Bug 43037 has been marked as a duplicate of this bug. *** -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42066 --- Comment #10 from Nick Clemens (kidclamp) <nick@bywatersolutions.com> --- Created attachment 201881 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=201881&action=edit Bug 42066: Add a Cypress test Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42066 --- Comment #9 from Nick Clemens (kidclamp) <nick@bywatersolutions.com> --- Created attachment 201880 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=201880&action=edit Bug 42066: Prevent 403 after an expired OPAC session If a session has expired, the login form will get an empty CSRF token and the login form will return 403 To recreate: hit /cgi-bin/koha/sco/sco-main.pl then hit /cgi-bin/koha/opac-main.pl login => 403 Apply this patch, try again => Success Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42066 Nick Clemens (kidclamp) <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #198728|0 |1 is obsolete| | Attachment #198729|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42066 Nick Clemens (kidclamp) <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42066 --- Comment #11 from David Cook <dcook@prosentient.com.au> --- Splinter Review looks good -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org