connect Module, Error: Forbidden #702
Comments
You're not the only one, I've seen reports of it on IRC as well. However, we have never been able to narrow it down to a specific set of reproduction steps, so that is a prerequisite before we can begin triaging this CSRF error.
FYI: it may have caused a memory issue, or it could be something else leaking, not sure yet.
Just thinking out loud... It could be related to long sessions... The CSRF
So it would happen if you change code on the server side and supervisor restarts, causing the CSRF to change; then if you don't reload the browser and make an AJAX call it would say Forbidden?
Yes, this would do it.
This would do it, but it's not exclusive. I just saw it again now while tailing the forever log: no restart occurred, no code change either :/
This is spamming the logs overnight :/ and at some point NodeBB becomes unresponsive with no error in the logs.
I wonder if it has something to do with express/connect versions; we didn't have this problem a couple of months ago.
https://github.com/senchalabs/connect/blob/master/lib/middleware/csrf.js#L82 is what is sending the 403. Maybe put some console.logs there to see the token/val.
Looks like express changed the way CSRF tokens were handled? Gee, thanks, I thought this was exactly what semver was supposed to protect against. I'm not impressed.
http://stackoverflow.com/questions/20484649/csrf-token-not-working-when-submitting-form-in-express heh, not sure if this will fix it but worth a shot.
May as well update.
Will try that tonight, thanks.
No luck with express.
Time to post at https://github.com/visionmedia/express/issues 😄
Not sure if this is it, but we put the CSRF token in header.tpl in NodeBB and then it doesn't change at all until the page is refreshed? Aren't we supposed to get a new one for each POST request? Also might be relevant:
Also tried upgrading to 3.4.7, and am getting
I read that it is the JSON.stringify in the session middleware. expressjs/express#1741
@akhoury are you by any chance on any other NodeBB instances when this happens?
Hmm, well, yeah, I've seen it locally too. May not be related, but my current solution is a cron job that restarts the forum every hour :/ - I'm losing memory somewhere. I'm still on 0.2.1 in production; I see you pushed this issue to 0.3.1, good, waiting for 0.3.0. I'm going to update, then I'll feed back to you.
Still happening.
senchalabs/connect@138b21c has some interesting discussions there. Can you try lowering your max age on cookies to a few minutes and try to get the errors again?
Sure.
Could this be the Apple icon? See #977
Doubtful -- CSRF doesn't trigger on GETs... Refactoring so that CSRF is added in a middleware may be better (since we
Thanks, Julian Lam
On Fri, Feb 14, 2014 at 11:17 AM, Barış Soner Uşaklı <
Just wondering... @akhoury, are you still seeing these errors?
A lot less frequent; I'm going to say 2-3 times per day based on a quick scan of the logs.
Hello, I'm implementing an LTI module and I feel the same; is there any solution? Thanks.
Since express 4 rolled around and was implemented, does this still happen?
Occasionally I see this; it doesn't crash NodeBB, but it annoys me.