
CSRF Invalid token for url Cf-231


I am trying to log in to the Cloud Foundry admin UI, and it uses UAA to authenticate. While logging in I am getting
"Invalid login attempt, request does not meet our security standards, please try again." I am facing this error in cf-231. Earlier it was working fine with cf-205. Recently I migrated to cf-231 and started getting this problem in a fresh install.

DEBUG — CorsFilter: CORS processing completed for: URI: /login.do; Scheme: https; Host: uaa.testinception25.io; Port: 443; Origin: https://skyfallui-testinception25.com; Method: POST Status:403

Now I resolved the problem by adding these lines in haproxy:

rspadd Access-Control-Allow-Origin:\ https://skyfallui-testinception25.com
rspadd Access-Control-Allow-Methods:\ POST,\ GET
rspadd Access-Control-Allow-Headers:\ Origin,\ Authorization

Now I started getting the error CSRF invalid token in url uaa.testinception25.io

GET /login HTTP/1.1
Host: uaa.testinception25.io
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Cookie: CP_GUTC=72.163.4.167.1450523386696152; utag_main=v_id:0152a6f950cb001b530d825bce9809048001500d00868$_sn:1$_ss:1$_pn:1%3Bexp-session$_st:1454502103051$ses_id:1454500303051%3Bexp-session; sc_suite=visc-us; s_fid=12436B75D244D97D-1E8EEB3AA3AEE40A; rack.session=BAh7BkkiD3Nlc3Npb25faWQGOgZFRiJFM2RjOTM0NTEwNTQ5MTQxMmEwNzcx%0AYWZhY2YyOTU2MDM4YzIyNWU3Y2NkMDllMzI2ZDg2NWJlNTA4MGQ4MjExNg%3D%3D%0A--f6caa63c5dab82aa3cc6849dbc39a50c43c378a5; VCAP_ID=648014f3-79c7-4665-489d-3292c5c7259b; JSESSIONID=7428BC57F8A9FEC6C3FADA19F253E6D8; AMAuthCookie=AQIC5wM2LY4Sfcz4TrZFFIGFV6DgP-byGPwOEnjVkIJvM1c.AAJTSQACMDEAAlNLABQtNDA1NjM1NDYxOTYwMjk1OTk0NwACUzEAAA…; amlbcookie=01
X-Cf-Applicationid:
X-Cf-Instanceid: 648014f3-79c7-4665-489d-3292c5c7259b
X-Forwarded-For: 174.38.116.197, 10.20.0.173, 10.20.0.53
X-Forwarded-Host: skyfallui-testinception25.com
X-Forwarded-Proto: https
X-Forwarded-Server: haproxyvms8080.com
X-Request-Start: 1461174268732
X-Vcap-Request-Id: 4f46c74b-6133-4d2f-4bea-debbf16ef2b2
Connection: close

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Set-Cookie: X-Uaa-Csrf=mfDZv6; Expires=Wed, 20-Apr-2016 17:49:28 GMT; HttpOnly
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 2307
Date: Wed, 20 Apr 2016 17:44:28 GMT
Connection: close

<!DOCTYPE html> <html dir="ltr" lang="en"> ..... .......

POST /login.do HTTP/1.1
Host: uaa.testinception25.io
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Content-Length: 59
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Cookie: CP_GUTC=72.163.4.167.1450523386696152; utag_main=v_id:0152a6f950cb001b530d825bce9809048001500d00868$_sn:1$_ss:1$_pn:1%3Bexp-session$_st:1454502103051$ses_id:1454500303051%3Bexp-session; sc_suite=visc-us; s_fid=12436B75D244D97D-1E8EEB3AA3AEE40A; rack.session=BAh7BkkiD3Nlc3Npb25faWQGOgZFRiJFM2RjOTM0NTEwNTQ5MTQxMmEwNzcx%0AYWZhY2YyOTU2MDM4YzIyNWU3Y2NkMDllMzI2ZDg2NWJlNTA4MGQ4MjExNg%3D%3D%0A--f6caa63c5dab82aa3cc6849dbc39a50c43c378a5; VCAP_ID=648014f3-79c7-4665-489d-3292c5c7259b; JSESSIONID=7428BC57F8A9FEC6C3FADA19F253E6D8; AMAuthCookie=AQIC5wM2LY4Sfcz4TrZFFIGFV6DgP-byGPwOEnjVkIJvM1c.AAJTSQACMDEAAlNLABQtNDA1NjM1NDYxOTYwMjk1OTk0NwACUzEAAA…; amlbcookie=01
Referer: https://skyfallui-testinception25com/uaa/login
X-Cf-Applicationid:
X-Cf-Instanceid: 648014f3-79c7-4665-489d-3292c5c7259b
X-Forwarded-For: 174.38.116.197, 10.20.0.173, 10.20.0.53
X-Forwarded-Host: skyfallui-testinception25.com
X-Forwarded-Proto: https
X-Forwarded-Server: haproxyvms8080.com
X-Request-Start: 1461174383251
X-Vcap-Request-Id: 4d8107dd-7911-472c-73b0-d43c1306769a
Connection: close

username=admin&password=1234abcd&X-Uaa-Csrf=mfDZv6

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Set-Cookie: X-Uaa-Csrf=IjM5CY; Expires=Wed, 20-Apr-2016 17:51:23 GMT; HttpOnly
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 2467
Date: Wed, 20 Apr 2016 17:46:23 GMT
Connection: close

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Comments: 12 (6 by maintainers)

Top GitHub Comments

1 reaction
mwdb commented, Apr 20, 2016

I think this is an issue related to using different hostnames. If I read your HTTP traces correctly, you do the following:

  1. The login page is obtained from https://skyfallui-testinception25com/uaa/login. This includes a CSRF token issued for a session established to skyfallui-testinception25com.
  2. You enter u/pw into the form.
  3. The form is sent with u, pw and the csrf token to uaa.testinception25.io.
  4. As the form is not sent to skyfallui-testinception25com but to uaa.testinception25.io, the browser does not include the session cookie established with skyfallui-testinception25com.
  5. When your UAA receives the form data, it does not find the session and is not able to validate the CSRF token.

You should search for a solution why requests go to different hostnames.
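The cookie-scoping behaviour described in the comment above, as an added example that is not part of the issue or of the UAA code base: a toy model of UAA-style CSRF validation (the token posted in the form body must equal the X-Uaa-Csrf cookie), plus a minimal host-scoped cookie jar that mimics a browser, which only returns a cookie to the host that set it when no Domain attribute is present (the Set-Cookie headers in the traces have none). The class names CookieJar, LoginServer and the simulate helper are assumptions made for this example; the two hostnames are taken from the traces, and the token values are generated at run time.

```python
"""Toy model of cookie-to-form CSRF validation and host-scoped cookies.

Added example; not the UAA project's code. Cookie name matches the one seen
in the traces; everything else (names, hosts in the demo) is constructed.
"""
import hmac
import secrets
from urllib.parse import parse_qs

CSRF_COOKIE = "X-Uaa-Csrf"  # cookie name seen in the Set-Cookie headers above


class CookieJar:
    """Minimal browser cookie jar: a cookie without a Domain attribute is
    stored under the exact host that set it and sent back only to that host."""

    def __init__(self):
        self._store = {}  # host -> {cookie name: value}

    def receive(self, host, set_cookie_header):
        # Only the leading name=value pair matters for this model;
        # attributes such as Expires and HttpOnly are ignored.
        name, value = set_cookie_header.split(";", 1)[0].split("=", 1)
        self._store.setdefault(host, {})[name.strip()] = value.strip()

    def cookies_for(self, host):
        return dict(self._store.get(host, {}))


class LoginServer:
    """Server side of the pattern: GET /login issues a random token both as a
    cookie and as a hidden form field; POST /login.do accepts the form only if
    the two copies are present and equal."""

    def get_login(self):
        token = secrets.token_urlsafe(6)
        set_cookie = f"{CSRF_COOKIE}={token}; HttpOnly"
        return set_cookie, token  # token is what the page embeds in the form

    def post_login(self, cookies, body):
        form = parse_qs(body)
        form_token = form.get(CSRF_COOKIE, [""])[0]
        cookie_token = cookies.get(CSRF_COOKIE, "")
        if not cookie_token or not form_token:
            # The cross-host case from the comment lands here: the browser
            # never sends the cookie, so there is nothing to compare against.
            return 403, "CSRF cookie or form token missing"
        if not hmac.compare_digest(form_token, cookie_token):
            return 403, "CSRF token mismatch"
        return 200, "login accepted"


def simulate(page_host, post_host):
    """Fetch the login form through page_host, then submit it to post_host,
    and return the server's (status, reason)."""
    server = LoginServer()
    jar = CookieJar()
    set_cookie, token = server.get_login()
    jar.receive(page_host, set_cookie)  # browser files the cookie under page_host
    body = f"username=admin&password=example&{CSRF_COOKIE}={token}"
    return server.post_login(jar.cookies_for(post_host), body)


if __name__ == "__main__":
    same = simulate("uaa.testinception25.io", "uaa.testinception25.io")
    cross = simulate("skyfallui-testinception25.com", "uaa.testinception25.io")
    print("same host :", same)
    print("cross host:", cross)
```

Running the demo shows the same-host flow returning 200 and the cross-host flow returning 403 with the cookie missing, which is the 403 and fresh X-Uaa-Csrf cookie visible in the last trace. The check compares with hmac.compare_digest so that token comparison does not leak timing information.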

0 reactions
fhanik commented, Apr 24, 2016

@chrisrana - correct, the UAA ensures that the value from the form matches the cookie.
