
CSRF Check failed after being offline for a while #16809

@githubkoma

Description

Hi There,

First up: I don't want to mix things up, so just a remark that it could be related to #16698 and #13893.

Using a Nextcloud web app (like QuickNotes) via Android Firefox, after being offline for ~120 minutes and then returning, I cannot get AJAX requests through; I get CSRF errors.

This is happening with at least 2 apps I tested, so don't assume it's an app-specific behaviour..

What other information (besides the things below) do you need to help pin this down?

Server Log shows this:

{"reqId":"tPO6MMrAB1S5Dcv8xFTW","level":0,"time":"2019-08-20T11:54:17+00:00","remoteAddr":"XYZ.3","user":"XYZ","app":"core","method":"PUT","url":"/nextcloud/index.php/apps/quicknotes/notes/3","message":{"Exception":"OC\\AppFramework\\Middleware\\Security\\Exceptions\\CrossSiteRequestForgeryException","Message":"CSRF check failed","Code":412,"Trace":[{"file":"/var/www/nextcloud/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php","line":95,"function":"beforeController","class":"OC\\AppFramework\\Middleware\\Security\\SecurityMiddleware","type":"->","args":[{"__class__":"OCA\\QuickNotes\\Controller\\NoteController"},"update"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":98,"function":"beforeController","class":"OC\\AppFramework\\Middleware\\MiddlewareDispatcher","type":"->","args":[{"__class__":"OCA\\QuickNotes\\Controller\\NoteController"},"update"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":118,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OCA\\QuickNotes\\Controller\\NoteController"},"update"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Routing/RouteActionHandler.php","line":47,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OCA\\QuickNotes\\Controller\\NoteController","update",{"__class__":"OC\\AppFramework\\DependencyInjection\\DIContainer"},{"id":"3","_route":"quicknotes.note.update"}]},{"function":"__invoke","class":"OC\\AppFramework\\Routing\\RouteActionHandler","type":"->","args":[{"id":"3","_route":"quicknotes.note.update"}]},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":297,"function":"call_user_func","args":[{"__class__":"OC\\AppFramework\\Routing\\RouteActionHandler"},{"id":"3","_route":"quicknotes.note.update"}]},{"file":"/var/www/nextcloud/lib/base.php","line":987,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/apps/quicknotes/notes/3"]},{"file":"/var/www/nextcloud/index.php","line":42,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/nextcloud/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php","Line":174,"CustomMessage":"--"},"userAgent":"Mozilla/5.0 (Android 9; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0","version":"15.0.8.1","id":"5d5bdf6a75e61"}

Update:
I also have this error on Chrome for Android:

{"reqId":"bX2X65QOf60C7euj8xOP","level":0,"time":"2019-08-20T15:11:11+00:00","remoteAddr":"XYZ.3","user":"XYZ","app":"core","method":"PUT","url":"/nextcloud/index.php/apps/quicknotes/notes/3","message":{"Exception":"OC\\AppFramework\\Middleware\\Security\\Exceptions\\CrossSiteRequestForgeryException","Message":"CSRF check failed","Code":412,"Trace":[{"file":"/var/www/nextcloud/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php","line":95,"function":"beforeController","class":"OC\\AppFramework\\Middleware\\Security\\SecurityMiddleware","type":"->","args":[{"__class__":"OCA\\QuickNotes\\Controller\\NoteController"},"update"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":98,"function":"beforeController","class":"OC\\AppFramework\\Middleware\\MiddlewareDispatcher","type":"->","args":[{"__class__":"OCA\\QuickNotes\\Controller\\NoteController"},"update"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":118,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OCA\\QuickNotes\\Controller\\NoteController"},"update"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Routing/RouteActionHandler.php","line":47,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OCA\\QuickNotes\\Controller\\NoteController","update",{"__class__":"OC\\AppFramework\\DependencyInjection\\DIContainer"},{"id":"3","_route":"quicknotes.note.update"}]},{"function":"__invoke","class":"OC\\AppFramework\\Routing\\RouteActionHandler","type":"->","args":[{"id":"3","_route":"quicknotes.note.update"}]},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":297,"function":"call_user_func","args":[{"__class__":"OC\\AppFramework\\Routing\\RouteActionHandler"},{"id":"3","_route":"quicknotes.note.update"}]},{"file":"/var/www/nextcloud/lib/base.php","line":987,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/apps/quicknotes/notes/3"]},{"file":"/var/www/nextcloud/index.php","line":42,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/nextcloud/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php","Line":174,"CustomMessage":"--"},"userAgent":"Mozilla/5.0 (Linux; Android 9; SM-G950F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36","version":"15.0.8.1","id":"5d5c0d8f65256"}

Steps to reproduce

  1. Show a list of QuickNotes in the web browser
  2. Leave the browser open
  3. Set airplane mode for ~120 minutes
  4. Come back online, open the browser again
  5. Click on a note, edit it and try to "save"

Expected behaviour

Save the Note just fine..

Actual behaviour

CSRF Error..

Client

  • Android 9 Firefox web browser
  • Android 9 Chrome web browser

Server configuration

Nextcloud version: (see Nextcloud admin page)

  • Instance 1: 15.0.8 (http port 80)
  • Instance 2: 16.0.4 (https port 443)
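As an added example (not code from this issue or from the Nextcloud project), a client-side fetch wrapper that treats a 412 "CSRF check failed" response like the one in the log above as a stale token, fetches a fresh token once, and retries the request, so the server-side check stays in force while a session that lapsed offline recovers cleanly. The `requesttoken` header, the `/csrftoken` endpoint and its `{"token": "..."}` body are assumptions, and fetch is injected so the block runs offline.

```javascript
const CSRF_STATUS = 412;
const CSRF_MESSAGE = "CSRF check failed";

// Distinguish the CSRF rejection from any other 412 by reading the JSON body
// (assumed shape {"message": "..."}) on a clone so the caller can still read it.
async function isCsrfFailure(response) {
  if (response.status !== CSRF_STATUS) return false;
  try {
    const body = await response.clone().json();
    return Boolean(body) && body.message === CSRF_MESSAGE;
  } catch (e) {
    return false;
  }
}

// fetchImpl is injected (window.fetch in a browser, a stub in tests);
// tokenEndpoint and the response shape are assumptions, not a documented API.
function createCsrfClient({ fetchImpl, initialToken, tokenEndpoint = "/csrftoken" }) {
  let token = initialToken;
  let refreshes = 0;

  async function refreshToken() {
    const res = await fetchImpl(tokenEndpoint, { method: "GET", credentials: "same-origin" });
    if (!res.ok) throw new Error(`token refresh failed: HTTP ${res.status}`);
    const data = await res.json();
    if (typeof data.token !== "string" || data.token === "") throw new Error("no token in refresh response");
    token = data.token;
    refreshes += 1;
    return token;
  }

  async function request(url, init = {}) {
    const send = () => fetchImpl(url, {
      ...init,
      credentials: "same-origin",
      headers: { ...(init.headers || {}), requesttoken: token },
    });
    let res = await send();
    if (await isCsrfFailure(res)) {
      // The middleware rejected the request before the controller ran, so one
      // retry with a fresh token is safe; a second 412 is surfaced to the caller.
      await refreshToken();
      res = await send();
    }
    return res;
  }

  return { request, getToken: () => token, refreshCount: () => refreshes };
}
```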
