Invalid CSRF Token

Technical Support
  • Our old friend, invalid CSRF token is back.

    NodeBB v1.1.0
    Git commit: 296dc77c7bb2bbf92f711089d77e4f32f729951f
    Redis 3.0.7

    So far, I've tried 1) different browsers and 2) clearing out the individual cookies related to the domain.

    Plugins:

    - nodebb-theme-persona
    - nodebb-plugin-markdown
    - nodebb-plugin-mentions
    - nodebb-plugin-spam-be-gone
    - nodebb-widget-essentials
    - nodebb-rewards-essentials
    - nodebb-plugin-reddit
    - nodebb-plugin-soundpack-default
    - nodebb-plugin-emoji-extended
    - nodebb-plugin-rss
    - nodebb-plugin-twitter
    - nodebb-plugin-desktop-notifications
    - nodebb-plugin-question-and-answer
    - nodebb-plugin-sso-google-confirmed
    - nodebb-plugin-dbsearch
    - nodebb-plugin-sso-dropbox
    - nodebb-plugin-custom-pages
    - nodebb-plugin-twitch
    - nodebb-plugin-write-api
    - nodebb-plugin-youtube-lite
    - nodebb-plugin-emailer-mandrill
    - nodebb-plugin-vimeo
    - nodebb-plugin-newuser-invitation
    - nodebb-plugin-gravatar
    - nodebb-plugin-imgur
    - nodebb-plugin-codeinput
    - nodebb-plugin-composer-redactor
    - nodebb-plugin-header-extend
    - nodebb-plugin-poll
    - nodebb-plugin-soundcloud
    - nodebb-plugin-sso-github
    - nodebb-plugin-sso-google

    I've tried resetting all the plugins as well, but this error persists:

    [screenshot attachment: Screen Shot 2016-07-18 at 7.59.08 PM.png]

    Any ideas??

  • @Guiri follow the instructions here... https://github.com/NodeBB/NodeBB/issues/4734

  • Hi, I have the same issue as you, it started a few weeks ago.

    Yesterday I had a reported case of "Invalid-session".

    - nodebb-plugin-asset-manager
    - nodebb-plugin-composer-embedly
    - nodebb-plugin-emailer-sendgrid
    - nodebb-plugin-embed-videos
    - nodebb-plugin-emoji-extended
    - nodebb-plugin-emoji-one
    - nodebb-plugin-iframely
    - nodebb-plugin-markdown
    - nodebb-plugin-mentions
    - nodebb-plugin-newsletter
    - nodebb-plugin-newuser-invitation
    - nodebb-plugin-ns-awards
    - nodebb-plugin-poll
    - nodebb-plugin-rss
    - nodebb-plugin-s3-uploads-updated
    - nodebb-plugin-slack-extended
    - nodebb-plugin-soundpack-default
    - nodebb-plugin-videoplayer
    - nodebb-rewards-essentials
    - nodebb-theme-persona
    - nodebb-widget-essentials
    - nodebb-widget-ns-stats

    We have the same:

    - nodebb-theme-persona
    - nodebb-plugin-markdown
    - nodebb-plugin-mentions
    - nodebb-widget-essentials
    - nodebb-rewards-essentials
    - nodebb-plugin-soundpack-default
    - nodebb-plugin-emoji-extended
    - nodebb-plugin-rss
    - nodebb-plugin-newuser-invitation
  • @pichalite

    I have met the same problem!

    "csrf-invalid": "We were unable to log you in, likely due to an expired session. Please try again"

    I tried to clear all the cache and cookies in Chrome, but it still happened!

    NodeBB: V1.1.0 in github tag
    Mongodb: 3.2.7
    SSL: no
    Upgraded from: fresh installed

  • @Jam said in Invalid CSRF Token:

    SSL: no

    Although you have SSL set to no, have you tried to resolve this problem by adding proxy_set_header X-Forwarded-Proto $scheme; to your Nginx configuration?

  • @rod thanks, I have added it~

    I thought it was not necessary to add proxy_set_header X-Forwarded-Proto $scheme when we did not use SSL with nginx~

  • @Jam Has adding that line resolved your problem?

  • @rod It seems to be working OK up to now~

  • Where do we set SSL: no? Can you paste your config.json?

  • @codecowboy I don't think there is a setting like that. Where did you get that from?

  • @codecowboy As @pichalite has mentioned in the other thread, you'll want to reset the cookieDomain config in your NodeBB.

  • @pichalite SSL: No is mentioned higher up in this thread

  • @codecowboy he just said that he is not using SSL. There is no such setting.

  • @pichalite aha. My bad. I am stupid. It's a curse.

  • I had the exact same issue, I ended up going back to v1.0.3. Lucky me that there was no change in the database so I could just use git checkout v1.0.3 and then run npm install followed by ./nodebb upgrade and everything went back to a working state.

  • I'm using nginx with SSL, had the same issue with login/CSRF Token when migrated from 1.0.3 to 1.1.2, and, as described before but always good to remain, adding this to my nginx config (/etc/nginx/sites-enabled/default in my case) saved my life, thank

    proxy_set_header X-Forwarded-Proto $scheme;
    
  • for the record for people finding this via search, for apache2 you have to set this somewhere in your nodebb vhost configuration
    with ssl

    RequestHeader set X-Forwarded-Proto "https"
    

    without ssl

    RequestHeader set X-Forwarded-Proto "http"
    

    you might have to enable mod_headers to do so!

  • @phit said in Invalid CSRF Token:

    for the record for people finding this via search, for apache2 you have to set this somewhere in your nodebb vhost configuration

    Thank you very much. This really made my day !!!
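Why the X-Forwarded-Proto fix from the nginx and apache2 posts above works, as an added illustration that is not code from NodeBB, Express or anyone in this thread: it models how Express derives req.protocol behind a reverse proxy (only from X-Forwarded-Proto when 'trust proxy' is on) and how express-session then declines to send a cookie flagged Secure over what it believes is plain HTTP, so the next request arrives with no session and therefore no CSRF secret. The function names, the socketEncrypted field and the cookieSecure flag are assumptions of the model; a Secure session cookie is assumed because the forum url is https.

```javascript
// Added illustration, not NodeBB or Express source. Models the proxy/cookie
// interaction behind the "invalid csrf token" error in this thread.

// Mirror of Express's req.protocol: honour X-Forwarded-Proto only when the
// app trusts its proxy; otherwise fall back to the socket's own encryption.
// socketEncrypted is an assumed field standing in for req.connection.encrypted.
function effectiveProtocol(req, trustProxy) {
  const forwarded = req.headers['x-forwarded-proto'];
  if (trustProxy && forwarded) {
    // Express takes the first value of a comma separated list (first hop).
    return forwarded.split(',')[0].trim().toLowerCase();
  }
  return req.socketEncrypted ? 'https' : 'http';
}

// express-session only sends a cookie carrying the Secure flag over what it
// considers HTTPS; otherwise it silently skips Set-Cookie and no session is
// established for the browser.
function sessionCookieIssued(req, trustProxy, cookieSecure) {
  if (!cookieSecure) return true;
  return effectiveProtocol(req, trustProxy) === 'https';
}

// The CSRF token placed in the login form is bound to a secret kept in the
// session. With no session cookie on the POST there is no secret to verify
// against, so any token the browser sends back is rejected as invalid.
function loginOutcome(req, trustProxy, cookieSecure) {
  return sessionCookieIssued(req, trustProxy, cookieSecure) ? 'ok' : 'csrf-invalid';
}

// Constructed requests as NodeBB sees them from the proxy over plain HTTP on
// port 4567: the socket is never encrypted, only the header differs.
const withoutHeader = { headers: {}, socketEncrypted: false };
const withHeader = { headers: { 'x-forwarded-proto': 'https' }, socketEncrypted: false };

console.log('no X-Forwarded-Proto :', loginOutcome(withoutHeader, true, true)); // csrf-invalid
console.log('X-Forwarded-Proto set:', loginOutcome(withHeader, true, true));    // ok
```

Note that the header alone is not enough if the app does not trust its proxy: loginOutcome(withHeader, false, true) still fails, which is why the header must be set by the proxy the app is configured to trust rather than by an arbitrary client.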

