
CSRF error #395

Closed
haliphax opened this issue Jan 14, 2018 · 21 comments

@haliphax
Contributor

One (and only one) of my users says that he is receiving a CSRF error every time he tries to login. He has tried multiple browsers, private windows, clearing cache, flushing DNS, using wifi vs. LTE, and using different devices.

@haliphax
Contributor Author

Specifically, it says the CSRF token is missing.

@haliphax
Contributor Author

Hmmm... now I can't access the admin interface, because when I try to re-authenticate, I get the same error.

Bad Request

The CSRF session token is missing.

@haliphax
Contributor Author

I bounced the service, and now I can log back in. I'll check with my user.

@haliphax
Contributor Author

haliphax commented Jan 14, 2018

Now after logging out, I can't log back in due to CSRF shenanigans. Something crazy is going on here. This time, though, I get this:

Bad Request

The CSRF tokens do not match.

BTW, I'm on revision 46b585c.

@sh4nks
Member

sh4nks commented Jan 19, 2018

Sorry for my late response. Any idea what caused this error?

@haliphax
Contributor Author

Nope. I had to disable CSRF completely.

@sh4nks
Member

sh4nks commented Jan 20, 2018

Did you inspect the page and see if the token is actually there? Not that it would change anything... but probably worth a shot - you could try to replace the {{ form.hidden_tag() }} with {{ form.csrf_token }}. Otherwise I don't really know what could cause that. Did you set the SECRET_KEY? Or maybe setting one of the config options?

@haliphax
Contributor Author

SECRET_KEY is set, yes. I'll tinker with it some more on a dev board.

@sh4nks sh4nks added the bug label Jan 23, 2018
@sh4nks
Member

sh4nks commented Jan 25, 2018

@haliphax does this also appear when running the dev server?

@sh4nks
Member

sh4nks commented Jan 26, 2018

I tried setting up a new flaskbb instance (gunicorn & nginx) but whatever I do I can't get this error...

@nanata1115

I've got this error too, is there any solution that could help me?

@sh4nks
Member

sh4nks commented Feb 24, 2018

What did you do to get this error @nanata1115?

@nanata1115

Thank you for your reply. I've solved this problem by changing SERVER_NAME from 'IP:PORT' to 'domain name:port'. But I still get the error "EncodeError: Object of type User is not JSON serializable" when I register a new user. By the way, Firefox worked fine with 'IP:PORT'! @sh4nks

@sh4nks
Member

sh4nks commented Feb 26, 2018

I think you only have to specify the PORT if the application is not accessible via port 80 from the browser.

Let's say you have flaskbb running via gunicorn on 127.0.0.1:10001 and expose flaskbb via nginx on port 8080, then you would have to set SERVER_NAME="example.org:8080". At least that's how I understood the docs... they are a bit unclear about this though so please correct me if I am wrong.

I'll look into that EncodeError but I thought I had fixed it a couple of weeks ago. Are you using the latest commit? edit: I can't reproduce this error on 'test.flaskbb.org' which is using the latest master.

@nanata1115

I am so sorry, it's my fault, my source code was a little older than the latest one. I've already updated it. But all the language support is missing when I restart the app. It confuses me. And your understanding is almost right, except I have not used nginx, @sh4nks

@sh4nks
Member

sh4nks commented Feb 27, 2018

@nanata1115 please open a separate issue for this.

@haliphax I can finally reproduce this error on my testing instance at https://test.flaskbb.org.
Sometimes the session cookie is not getting set, which usually also stores a copy of the csrf_token for comparison. You can reproduce it by deleting the session cookie and trying to log in again, for example.

The exception is raised on this line: https://github.com/lepture/flask-wtf/blob/master/flask_wtf/csrf.py#L94

Traceback (most recent call last):
  File "/opt/apps/.virtualenvs/flaskbb_test/local/lib/python3.5/site-packages/flask_wtf/csrf.py", line 256, in protect
    validate_csrf(self._get_csrf_token())
  File "/opt/apps/.virtualenvs/flaskbb_test/local/lib/python3.5/site-packages/flask_wtf/csrf.py", line 94, in validate_csrf
    raise ValidationError('The CSRF session token is missing.')
wtforms.validators.ValidationError: The CSRF session token is missing.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/apps/.virtualenvs/flaskbb_test/local/lib/python3.5/site-packages/flask/app.py", line 1610, in full_dispatch_request
    rv = self.preprocess_request()
  File "/opt/apps/.virtualenvs/flaskbb_test/local/lib/python3.5/site-packages/flask/app.py", line 1831, in preprocess_request
    rv = func()
  File "/opt/apps/.virtualenvs/flaskbb_test/local/lib/python3.5/site-packages/flask_wtf/csrf.py", line 224, in csrf_protect
    self.protect()
  File "/opt/apps/.virtualenvs/flaskbb_test/local/lib/python3.5/site-packages/flask_wtf/csrf.py", line 259, in protect
    self._error_response(e.args[0])
  File "/opt/apps/.virtualenvs/flaskbb_test/local/lib/python3.5/site-packages/flask_wtf/csrf.py", line 302, in _error_response
    raise CSRFError(reason)
flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF session token is missing.
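To make the two error messages in this thread concrete, here is an added, stdlib-only re-creation of the session-bound CSRF check that Flask-WTF performs (this is example code written for this thread, not flaskbb's or Flask-WTF's own code; SECRET_KEY, new_session_token, sign_form_token and validate_csrf are my own names). It assumes the raw token lives in the session cookie and a signed copy of it is embedded in the form, so a missing session cookie yields "session token is missing" and a freshly regenerated session yields "tokens do not match".

```python
import base64, hashlib, hmac, json, secrets, time

SECRET_KEY = b"constructed-example-secret"  # assumption: stands in for the app's SECRET_KEY

def new_session_token() -> str:
    """Raw token kept in the session cookie (session['csrf_token'])."""
    return hashlib.sha1(secrets.token_bytes(64)).hexdigest()

def sign_form_token(session_token: str, now: int = None) -> str:
    """Token placed in the form's hidden field: timestamped payload + HMAC under SECRET_KEY."""
    payload = json.dumps({"t": session_token, "ts": now or int(time.time())}).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig

def validate_csrf(session: dict, form_token: str, time_limit: int = 3600, now: int = None) -> str:
    """Return 'ok' or the reason text a user would see on the 400 Bad Request page."""
    if not form_token:
        return "The CSRF token is missing."
    if "csrf_token" not in session:
        # The case in this thread: the session cookie was never set or persisted.
        return "The CSRF session token is missing."
    try:
        payload_b64, sig = form_token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64.encode())
    except ValueError:
        return "The CSRF token is invalid."
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return "The CSRF token is invalid."     # tampered, or signed under a different SECRET_KEY
    data = json.loads(payload)
    if (now or int(time.time())) - data["ts"] > time_limit:
        return "The CSRF token has expired."
    if not hmac.compare_digest(session["csrf_token"], data["t"]):
        # Session replaced (new cookie, new raw token) after the form was rendered.
        return "The CSRF tokens do not match."
    return "ok"

def demo():
    """Walk through the healthy case and the two failures reported in this issue."""
    session = {"csrf_token": new_session_token()}
    form_token = sign_form_token(session["csrf_token"])
    healthy = validate_csrf(session, form_token)
    cookie_lost = validate_csrf({}, form_token)                              # cookie deleted / never set
    cookie_rotated = validate_csrf({"csrf_token": new_session_token()}, form_token)  # new session, old form
    return healthy, cookie_lost, cookie_rotated

if __name__ == "__main__":
    print(demo())
```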

@sh4nks
Member

sh4nks commented Feb 27, 2018

Did some more digging and found out that after deleting the session cookie a few times it won't get regenerated anymore - not even when switching to a different browser.

sh4nks added a commit that referenced this issue Mar 1, 2018
This feature caused more troubles than it fixed.
Quite sure that #395 is related to this command.
@sh4nks
Member

sh4nks commented Mar 1, 2018

This bug is caused by the in-built command (flaskbb server start) that starts a gunicorn server. I don't really know why but when flaskbb is started via the 'standalone' gunicorn command it works flawlessly:

gunicorn -w 4 wsgi:flaskbb -b 127.0.0.1:30000 --log-file logs/gunicorn.log --pid gunicorn.pid --reload -D

I have removed the whole flaskbb server cli group now as I think it's quite easy to start flaskbb without this command anyway.

@sh4nks sh4nks closed this as completed Mar 1, 2018
@haliphax
Contributor Author

haliphax commented Mar 2, 2018

I'm running gunicorn in a similar fashion now, and I haven't seen the error return so far.

@Lucguardian

I'm having this problem after following the tutorial to deploy in pythonanywhere:

csrf_missing

@Lucguardian

I'm sorry, the error does not happen if I use https instead of http.
