Error 303 Wrong CSRF token
We have been using Koha for about 1-1/2 years now but we don’ consider ourselves Koha experts. I upgraded our Koha development environment system from 23.05.11 to 24.05.00 last week. It is running in an Ubuntu 22.04.4 LTS (5.15.0-112-generic #122-Ubuntu SMP) in an AMD virtual machine. The system has a 40G disk with 15G available. It has a duplicate of our Koha production install. After enabling the ERM module and adding a couple of test licenses, etc. The next time I attempted to login to the staff interface I got an Error 303 “The form submission failed (Wrong CSRF token). Try to come back, refresh the page, then try again.” I have cleared the cache browser (on all browsers), rebooted the system - no change. If I login using the OPAC interface and then open a new window to the staff interface, without quiting the browser, it succeeds since I don’t have to login. All of this behavior occurs regardless of the whether I use Firefox, Chrome, or Safari. The Apache and Koha logs do not show any problem. I am an experienced Linux system administrator and developer. I can read and write PERL but don’t consider myself a PERL expert. Is there a way to turn on more logging, specific things to try? Any assistance would be greatly appreciated.
It's possible that the login form is generated with one session and then another session is created before the token from the first session is checked. The value of $csrf_status in the _chk_csrf subroutine in Koha/Token.pm should specify the exact error (0 is OK, 1 is expired, 2 is invalid, 3 is malformed). If it's not set, then there's something wrong with $params. I would compare $params->{id} in the _gen_csrf and _chk_csrf subroutines. They should both begin with "anonymous" since you haven't logged in yet, but they might have different session ids. The value of $params->{secret} is likely the same in both, but would cause a problem if it was different. If _gen_csrf is not being called, there could be some caching issue. Hopefully this provides a good start. Let us know what you find. ________________________________ Från: Koha-devel <koha-devel-bounces@lists.koha-community.org> för Charles Athey via Koha-devel <koha-devel@lists.koha-community.org> Skickat: den 14 juni 2024 03:38 Till: koha-devel@lists.koha-community.org <koha-devel@lists.koha-community.org> Ämne: [Koha-devel] Error 303 Wrong CSRF token We have been using Koha for about 1-1/2 years now but we don’ consider ourselves Koha experts. I upgraded our Koha development environment system from 23.05.11 to 24.05.00 last week. It is running in an Ubuntu 22.04.4 LTS (5.15.0-112-generic #122-Ubuntu SMP) in an AMD virtual machine. The system has a 40G disk with 15G available. It has a duplicate of our Koha production install. After enabling the ERM module and adding a couple of test licenses, etc. The next time I attempted to login to the staff interface I got an Error 303 “The form submission failed (Wrong CSRF token). Try to come back, refresh the page, then try again.” I have cleared the cache browser (on all browsers), rebooted the system - no change. If I login using the OPAC interface and then open a new window to the staff interface, without quiting the browser, it succeeds since I don’t have to login. All of this behavior occurs regardless of the whether I use Firefox, Chrome, or Safari. The Apache and Koha logs do not show any problem. I am an experienced Linux system administrator and developer. I can read and write PERL but don’t consider myself a PERL expert. Is there a way to turn on more logging, specific things to try? Any assistance would be greatly appreciated. _______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : https://www.koha-community.org/ git : https://git.koha-community.org/ bugs : https://bugs.koha-community.org/
This may (or may not) be this bug https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 There are several bugs that will be in 24.05.01 that will fix upgrade and CSRF issues. David Nind New Zealand On Fri, 14 Jun 2024 at 13:38, Charles Athey via Koha-devel < koha-devel@lists.koha-community.org> wrote:
We have been using Koha for about 1-1/2 years now but we don’ consider ourselves Koha experts. I upgraded our Koha development environment system from 23.05.11 to 24.05.00 last week. It is running in an Ubuntu 22.04.4 LTS (5.15.0-112-generic #122-Ubuntu SMP) in an AMD virtual machine. The system has a 40G disk with 15G available. It has a duplicate of our Koha production install.
After enabling the ERM module and adding a couple of test licenses, etc. The next time I attempted to login to the staff interface I got an Error 303 “The form submission failed (Wrong CSRF token). Try to come back, refresh the page, then try again.” I have cleared the cache browser (on all browsers), rebooted the system - no change.
If I login using the OPAC interface and then open a new window to the staff interface, without quiting the browser, it succeeds since I don’t have to login.
All of this behavior occurs regardless of the whether I use Firefox, Chrome, or Safari.
The Apache and Koha logs do not show any problem.
I am an experienced Linux system administrator and developer. I can read and write PERL but don’t consider myself a PERL expert.
Is there a way to turn on more logging, specific things to try?
Any assistance would be greatly appreciated. _______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : https://www.koha-community.org/ git : https://git.koha-community.org/ bugs : https://bugs.koha-community.org/
That certainly looks like it could be the problem. I’l test it when this release comes out. My original post said ubuntu AMD, it should have said Ubuntu ARM - I haven’t seen the problem in my Ubuntu Intel development environment.
On Jun 14, 2024, at 11:25 PM, David Nind <david@davidnind.com> wrote:
This may (or may not) be this bug https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040
There are several bugs that will be in 24.05.01 that will fix upgrade and CSRF issues.
David Nind New Zealand
On Fri, 14 Jun 2024 at 13:38, Charles Athey via Koha-devel <koha-devel@lists.koha-community.org <mailto:koha-devel@lists.koha-community.org>> wrote:
We have been using Koha for about 1-1/2 years now but we don’ consider ourselves Koha experts. I upgraded our Koha development environment system from 23.05.11 to 24.05.00 last week. It is running in an Ubuntu 22.04.4 LTS (5.15.0-112-generic #122-Ubuntu SMP) in an AMD virtual machine. The system has a 40G disk with 15G available. It has a duplicate of our Koha production install.
After enabling the ERM module and adding a couple of test licenses, etc. The next time I attempted to login to the staff interface I got an Error 303 “The form submission failed (Wrong CSRF token). Try to come back, refresh the page, then try again.” I have cleared the cache browser (on all browsers), rebooted the system - no change.
If I login using the OPAC interface and then open a new window to the staff interface, without quiting the browser, it succeeds since I don’t have to login.
All of this behavior occurs regardless of the whether I use Firefox, Chrome, or Safari.
The Apache and Koha logs do not show any problem.
I am an experienced Linux system administrator and developer. I can read and write PERL but don’t consider myself a PERL expert.
Is there a way to turn on more logging, specific things to try?
Any assistance would be greatly appreciated. _______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org <mailto:Koha-devel@lists.koha-community.org> https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : https://www.koha-community.org/ git : https://git.koha-community.org/ bugs : https://bugs.koha-community.org/
participants (3)
-
Charles Athey -
David Nind -
Kevin Carnes