
Forbidden - CSRF token invalid when trying to connect to console #310

Closed
tobias-kuendig opened this issue Nov 2, 2016 · 3 comments
Labels: kind/bug, security

Comments

@tobias-kuendig

Description

When trying to connect to the console of a running container, after clicking Connect the error message Forbidden - CSRF token invalid gets displayed. The connection to the console cannot be established.

Steps to reproduce the issue:

  1. Click on the Console link on a running container
  2. Click on the Connect button

When inspecting the failed request in the DevTools I see the request to

http://localhost:9090/dockerapi/containers/39791e9faca17709c20081696b2aa02216ac0f5d4807e32c38870b4d4ab2fc46/exec

fails with a 403 (Forbidden) error.

The response of the failed request is

Forbidden - CSRF token invalid

CURL of the failed request

curl 'http://localhost:9090/dockerapi/containers/39791e9faca17709c20081696b2aa02216ac0f5d4807e32c38870b4d4ab2fc46/exec' -H 'Pragma: no-cache' -H 'Origin: http://localhost:9090' -H 'Accept-Encoding: gzip, deflate, br' -H 'X-CSRF-Token: 5m3IgXdSFEIPrboRywElzezik+rfAowl+P8AY+cUv+11VJDJfag4srUJuKb/LKRHNE26RWwGfXXV9OueqS+4ZQ==' -H 'Accept-Language: de,en-US;q=0.8,en;q=0.6' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/54.0.2840.59 Chrome/54.0.2840.59 Safari/537.36' -H 'Content-Type: application/json;charset=UTF-8' -H 'Accept: application/json, text/plain, */*' -H 'Cache-Control: no-cache' -H 'Referer: http://localhost:9090/' -H 'Cookie: _gorilla_csrf=MTQ3ODAxNjEyNnxJbmRyV2tkeWFFdFdOaXR0YXk5d04xSjZXRkp6YmxGclp6VlljR3hYZWpsT1dtNDBkV0pHTUZGeFdWazlJZ289fP8BUM132GWf_66LMv7x8eBi42Ipz5lPl2NjsTPwds1h; _gorilla_csrf=MTQ3ODAxNjEyNHxJbXQ2YkZsVFFYSTJURkJETm5CQlN6Tk9RekpDYVhScGRrdGhLM3BDVUVaUlRGRjJjaTlWTkRkQ05HYzlJZ289fDEzoIAZ1HsEXhEKwdhuFq59Q8Am4pBWgTxWoneg4a0p; toggle=true; csrfToken=5m3IgXdSFEIPrboRywElzezik+rfAowl+P8AY+cUv+11VJDJfag4srUJuKb/LKRHNE26RWwGfXXV9OueqS+4ZQ==' -H 'Connection: keep-alive' -H 'DNT: 1' --data-binary '{"id":"39791e9faca17709c20081696b2aa02216ac0f5d4807e32c38870b4d4ab2fc46","AttachStdin":true,"AttachStdout":true,"AttachStderr":true,"Tty":true,"Cmd":["bash"]}' --compressed

Technical details:

  • Portainer version: 1.9.3
  • Target Docker version (the host/cluster you manage): 1.12.3
  • Platform (windows/linux): Elementary OS (Loki, Ubuntu 16.04)
  • Browser: Chromium 54
@tobias-kuendig tobias-kuendig changed the title Forbidden - CSRF token invalid when trying to connecto to console Forbidden - CSRF token invalid when trying to connec to console Nov 2, 2016
@SeaOfTea

SeaOfTea commented Nov 2, 2016

I have had this in the past when trying to start up containers, but can no longer recreate it.

@deviantony deviantony added the kind/bug Applied to Bugs label Nov 2, 2016
@deviantony
Member

This bug seems related to the current CSRF protection implementation... which in my opinion is flawed so I'm probably going to disable it for now and review it in the future.

@deviantony deviantony added this to the 1.10.0 milestone Nov 2, 2016
@deviantony deviantony changed the title Forbidden - CSRF token invalid when trying to connec to console Forbidden - CSRF token invalid when trying to connect to console Nov 3, 2016
@deviantony
Member

deviantony commented Nov 3, 2016

@tobias-kuendig a workaround for this problem at the moment is to clear your browser cookies for your domain (e.g. localhost:9000 or portainer.mydomain). This will allow you to retrieve a valid CSRF token on the next request to Portainer and will prevent this issue from arising.
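To see why clearing cookies helps, the Cookie header from the curl capture in the report can be parsed the way a Go server sees it. This is an added diagnostic, not Portainer code; it assumes the two `_gorilla_csrf` cookies come from two Portainer instances on different ports of the same host (9000 and 9090 are both mentioned in this thread), which browsers do not keep apart because cookies are not scoped by port.

```python
"""Diagnose the captured request: parse the Cookie header keeping duplicates,
read the issue timestamp out of each gorilla/securecookie value, and check
whether the X-CSRF-Token header matches the JS-visible csrfToken cookie."""
import base64
from typing import Dict, List, Optional, Tuple

# Header values copied verbatim from the curl command in the issue report.
COOKIE_HEADER = (
    "_gorilla_csrf=MTQ3ODAxNjEyNnxJbmRyV2tkeWFFdFdOaXR0YXk5d04xSjZXRkp6YmxGclp6VlljR3hYZWpsT1dtNDBkV0pHTUZGeFdWazlJZ289fP8BUM132GWf_66LMv7x8eBi42Ipz5lPl2NjsTPwds1h; "
    "_gorilla_csrf=MTQ3ODAxNjEyNHxJbXQ2YkZsVFFYSTJURkJETm5CQlN6Tk9RekpDYVhScGRrdGhLM3BDVUVaUlRGRjJjaTlWTkRkQ05HYzlJZ289fDEzoIAZ1HsEXhEKwdhuFq59Q8Am4pBWgTxWoneg4a0p; "
    "toggle=true; "
    "csrfToken=5m3IgXdSFEIPrboRywElzezik+rfAowl+P8AY+cUv+11VJDJfag4srUJuKb/LKRHNE26RWwGfXXV9OueqS+4ZQ=="
)
X_CSRF_TOKEN = "5m3IgXdSFEIPrboRywElzezik+rfAowl+P8AY+cUv+11VJDJfag4srUJuKb/LKRHNE26RWwGfXXV9OueqS+4ZQ=="


def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a Cookie header into (name, value) pairs, preserving order and
    duplicate names (http.cookies.SimpleCookie would keep only the last)."""
    pairs: List[Tuple[str, str]] = []
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            pairs.append((name.strip(), value.strip()))
    return pairs


def securecookie_timestamp(value: str) -> Optional[int]:
    """gorilla/securecookie values are URL-safe base64 of 'date|value|mac';
    decoding the first 16 characters is enough to read the issue timestamp."""
    try:
        prefix = base64.urlsafe_b64decode(value[:16]).decode("ascii")
        return int(prefix.split("|", 1)[0])
    except (ValueError, UnicodeDecodeError):
        return None


def diagnose(cookie_header: str, csrf_header: str) -> Dict[str, object]:
    """Summarise the conditions relevant to a cookie+header CSRF check."""
    by_name: Dict[str, List[str]] = {}
    for name, value in parse_cookie_header(cookie_header):
        by_name.setdefault(name, []).append(value)
    gorilla = by_name.get("_gorilla_csrf", [])
    return {
        # Go's r.Cookie(name) returns the first cookie with that name only,
        # so whichever instance set the first one wins the validation.
        "gorilla_cookie_count": len(gorilla),
        "gorilla_issued_at": [securecookie_timestamp(v) for v in gorilla],
        "header_matches_csrf_cookie": csrf_header in by_name.get("csrfToken", []),
    }
```

On the captured request the header token does match the csrfToken cookie, but two `_gorilla_csrf` cookies minted two seconds apart are sent, so the server validates against whichever it reads first.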

ArrisLee added a commit that referenced this issue Jun 8, 2021
… the storage option is disabled on cluster (#310)

* fix update application with persisted data

* revert

* revert

Co-authored-by: Maxime Bajeux <max.bajeux@gmail.com>