Invalid form authenticity token for some users #1
Comments
Norwan commented Jul 21, 2010
Hi,
We are not sure, but it seems that since we installed this plugin some users got "Invalid form authenticity token" when they perform any action linked with a form: new demand, new project etc.
How do you rate it?
Thank you for your help
Stéphane
AdamLantos commented Jul 21, 2010
First of all, please specify which version you are using (Redmine and http_auth). Also please try to update if you're not using the latest version.
Also, can you reliably reproduce these types of problems, or does it seem to be random, only with some users? Is it a browser-specific or user-specific issue?
Norwan commented Jul 22, 2010
Hi Adam
We are using Redmine 0.9.4 and the latest version of http_auth. We tried but did not succeed in reproducing the problem, but once a user gets the problem, they get it forever.
Another piece of information which is perhaps related: when we call the application via
https://server_name/account/login we get "Internal Error" and the log contains:
Processing AccountController#login (for x.x.x.x at 2010-07-21 15:42:52) [GET]
  Parameters: {"action"=>"login", "controller"=>"account"}
Rendering template within layouts/base
Rendering account/login
ActionView::TemplateError (undefined method `signin_path' for #<ActionView::Base:0x2b120b3fff00>) on line #25 of app/views/layouts/base.rhtml:
22:
Rendering /opt/redmine-0.9.4/public/500.html (500 Internal Server Error)
Defect #5915
Invalid form authenticity token for some users
| Status: | Closed | Start date: | 2010-07-20 |
|---|---|---|---|
| Priority: | High | Due date: | |
| Assignee: | — | % Done: | |
| Category: | Accounts / authentication | | |
| Target version: | — | | |
| Resolution: | No feedback | Affected version: | 0.9.3 |
Description
Some users of my Redmine (0.9.3) encounter this error when they want to perform any action linked to forms. Some users don’t seem to have any problem, so I’m guessing it has something to do with the tokens registered in the database and not the server (we’re using Apache).
I’ve seen that this problem has already been raised in previous defects, but I couldn’t find any valuable information. Is this going to be fixed in the next release?
History
#1 Updated by Felix Schäfer over 11 years ago
Benjamin FRAUD wrote:
Some users of my Redmine (0.9.3) encounter this error when they want to perform any action linked to forms. Some users don’t seem to have any problem, so I’m guessing it has something to do with the tokens registered in the database and not the server (we’re using Apache).
I’ve seen that this problem has already been raised in previous defects, but I couldn’t find any valuable information. Is this going to be fixed in the next release?
That happens if you keep your form open too long (for example: open a new tab with a form, do something else, the token has expired). The authenticity token is a rails feature to thwart XSS attacks.
#2 Updated by Benjamin FRAUD over 11 years ago
Hi Felix, thank you for your answer.
However, the problem doesn’t seem to be linked to the waiting time of some users regarding forms, as I tried to submit some form entries just a few seconds after accessing the page.
Obviously, the tokens stored in the session variable and in the form's hidden field don't match, but I don't understand why. And since the problem occurs for just some users, could it have something to do with the registration process? Tests have been made on several computers using different browsers, so I don't think it's related to the way of storing session variables, but I can't be sure. Can I access the client-side token variable to see what it looks like?
#3 Updated by Benjamin FRAUD over 11 years ago
An important thing: the problem seems to move when I try to connect to the same account on several computers or on multiple browsers. As far as I know, this is not supposed to be a problem on Redmine, but what you need to know is that for security reasons we had to delete the ability for users to log out. The function was not erased in the account controller, but the link in the top menu and the route reaching the log out action are no longer available. We installed the plugin "http authentication" to let Apache deal with user authentication.
#4 Updated by Felix Schäfer over 11 years ago
In the view, the authenticity_token is stored in a hidden field; I'm not sure where it gets stored 'server-side', but I'd wager it's in the session. If you have the stock session store, the sessions are stored in encrypted and signed cookies, which also means sessions aren't/can't be shared across cookie jars/browsers.
My advice would be to try with a stock redmine, or at least without the http-authentication plugin. If there really was such a glaring problem with the tokens, basically every other rails app would have it too and it would certainly be known, so I suspect the http-auth plugin doesn’t handle sessions correctly.
#5 Updated by Nikolay Kotlyarov over 11 years ago
In my case the same problem was due to redmine_time_tracker plugin and was fixed by plugin developer:
http://github.com/delaitre/redmine_time_tracker/commit/822b573601875c618d87964589d655e670a674eb
#6 Updated by claude g over 11 years ago
#7 Updated by Stu Bendelow over 11 years ago
Same issue caused by opening Redmine in more than one browser
- open Firefox and log into Redmine (copy A)
- open a second copy of Firefox and log into Redmine (copy B)
Attempt to save a change in copy A and you see the invalid form authenticity token warning.
However, you do not get the same issue using tabs in Firefox: I could log in on two separate tabs and save changes in both; it has to be a separate copy of the browser.
#8 Updated by Felix Schäfer over 11 years ago
Stu Bendelow wrote:
Same issue caused by opening Redmine in more than one browser
This is normal as the session information is stored in a cookie in the browser: only the "last" cookie is valid, thus logging in in a second browser will deprecate the session cookie from the first browser, effectively logging you out.
#9 Updated by jin wang about 11 years ago
I find this problem caused by opening Redmine in more than one browser. If you delete the files in Temporary Internet Files and restart your PC you can solve this problem.
Clear the IE cache, then refresh or reopen the page;
If that still does not work, clear all files in the IE temporary files folder and then restart the machine.
IE temporary folder: C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files (a hidden directory by default). You can also find it via: open IE > Tools > Internet Options > General > Settings. The IE temporary folder holds the content of the web pages we browsed recently; the purpose of this is to speed up browsing.
#10 Updated by Felix Schäfer about 11 years ago
Benjamin, can you confirm this is still a problem for you, or did you find what was going wrong?
Logging in to Redmine from another site
On the centos-admin.ru site the designer came up with a really neat effect for the login form. The idea of the form is that the user enters their Redmine login and password and lands, already authenticated, on their own page.
That would all be fine, but Ruby on Rails (which Redmine is built on) does not accept direct POST requests from external sites: a successful request needs an authenticity token.
This token is generated automatically by Rails applications and stored in cookies. Because of that, my first thought was to load the Redmine site in an iframe and pull the needed key out of the cookies. But that is not the Rails way at all.
The simplest solution is to patch Redmine slightly, adding the ability to handle requests from external resources. Fortunately Redmine has everything needed for this: you can write a small plugin that solves the task.
What will the plugin do?
The question seems simple, but you have to keep the security of user data in mind.
The first solutions on Stack Overflow suggested disabling the token check for a particular action. But that is no solution at all, since it opens a security hole in the site.
So the remaining option is to use a token we generate ourselves, verify it on the Redmine side, and perform the login if verification succeeds.
How to generate the token?
The simplest option is to use any string of characters, but that seemed insufficient to me for secure authentication, since a simple token can be intercepted and used to submit data from unauthorized resources.
So I decided to add to the authentication token the domain the request is sent from and information about the current date.
On the site side, we create a method in the helpers
and then use it in the form
What happens on the Redmine side?
On the Redmine side we need to add a route handling POST requests to the path /remote_login
And patch AccountController slightly, adding the remote_login action to it:
Here the standard token check is disabled
and our own check is run instead
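The post does not show the helper or the controller code, so the following is an added example (not the plugin's own code) of the approach it describes: a token that carries the requesting domain and the current date, generated on the front site and verified by Redmine in place of the Rails authenticity token. Binding the fields to a secret shared by both sides with an HMAC is my choice here, as are the sample secret, the allowed domain and the one-day validity window; the post itself does not specify how the token is protected.

```ruby
require 'openssl'
require 'date'

# Added example, not the plugin's code. SHARED_SECRET and ALLOWED_DOMAIN are
# constructed sample values; in a deployment the secret lives in the front
# site's and the Redmine plugin's configuration, never in a form or cookie.
SHARED_SECRET  = 'constructed-sample-secret-replace-me'.freeze
ALLOWED_DOMAIN = 'www.example.com'.freeze   # hypothetical front site
VALID_DAYS     = 1                           # accept today's and yesterday's token

# The exact byte string both sides MAC over; changing it invalidates old tokens.
def remote_login_payload(domain, date)
  "#{domain}|#{date.strftime('%Y-%m-%d')}"
end

# Front-site side (what the form helper would call): "domain|date|hmac-hex".
def generate_remote_login_token(domain, date = Date.today, secret = SHARED_SECRET)
  payload = remote_login_payload(domain, date)
  "#{payload}|#{OpenSSL::HMAC.hexdigest('SHA256', secret, payload)}"
end

# Compares two strings without revealing through timing where they differ.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |diff, (x, y)| diff | (x ^ y) }.zero?
end

# Redmine side (the check the remote_login action runs instead of the stock one).
# Accepts only when the token parses, the domain is the one we allow, the date is
# inside the window, and the MAC recomputed with our copy of the secret matches.
def verify_remote_login_token(token, today = Date.today,
                              secret = SHARED_SECRET, allowed_domain = ALLOWED_DOMAIN)
  return false unless token.is_a?(String)
  domain, date_str, mac = token.split('|', 3)
  return false if domain.nil? || date_str.nil? || mac.nil?
  return false unless domain == allowed_domain
  date = Date.strptime(date_str, '%Y-%m-%d') rescue nil
  return false if date.nil?
  age = (today - date).to_i                  # negative means a date in the future
  return false unless (0..VALID_DAYS).cover?(age)
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, remote_login_payload(domain, date))
  constant_time_equal?(expected, mac)
end

if __FILE__ == $PROGRAM_NAME
  token = generate_remote_login_token(ALLOWED_DOMAIN)
  puts "token:  #{token}"
  puts "valid:  #{verify_remote_login_token(token)}"
  puts "forged: #{verify_remote_login_token(token.sub(ALLOWED_DOMAIN, 'evil.example.net'))}"
end
```

In the plugin, `generate_remote_login_token` would back the form helper and `verify_remote_login_token` would be called by the `remote_login` action after the stock `verify_authenticity_token` filter is skipped for that one action. The date window bounds how long a captured token stays usable; a token that is only a fixed string, as the post notes, never expires. The shared secret is what actually prevents another site from minting tokens, since the domain field alone can be written by anyone.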
That is the whole plugin. Small, but it solves an important task: site visitors can conveniently log in to their personal account without allowing logins from arbitrary third-party resources.
The plugin code is available here.
Advice, questions and remarks are welcome in the comments.
422 Invalid form authenticity token #455
Comments
fabiopires77 commented Feb 9, 2021
My Redmine is giving the 422 Invalid form authenticity token error every time. I'm using Docker. I've disabled HTTPS using REDMINE_HTTPS=false and I've manually set a token with REDMINE_SECRET_TOKEN, and it keeps displaying error 422 every time I submit a form.
jcormier commented Feb 9, 2021
Is this a fresh install? If not do you get this error when using the example docker-compose?
What version of redmine are you using?
Are you using any plugins?
Are you using REDMINE_RELATIVE_URL_ROOT? #368
fabiopires77 commented Feb 9, 2021
It’s not a fresh install.
I’m using Redmine 3.3.10 on Docker using a Synology NAS.
I’m not using REDMINE_RELATIVE_URL_ROOT.
jcormier commented Feb 9, 2021
Did this issue crop up suddenly then? Has anything changed recently?
fabiopires77 commented Feb 9, 2021
The only thing that changed recently was the HTTPS configuration on the NAS itself, but not on the Redmine / Docker side.
fabiopires77 commented Feb 10, 2021
I ended up reinstalling it and it’s working now.
Defect #7651
‘Invalid form authenticity token’ when updating issue causes dataloss
| Status: | New | Start date: | 2011-02-18 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | — | % Done: | |
| Category: | Issues | | |
| Target version: | — | | |
| Resolution: | | Affected version: | |
Description
When updating an issue to add a comment, if your session is no longer valid, you receive the error:
‘Invalid form authenticity token.’
While this part is correct behaviour, it causes data loss because:
a) The page with the error does not contain the text of the comment you submitted.
b) At least in Firefox 3.6, the Back button returns to the issue you were updating, but without the text.
I don’t operate the redmine server in question, but I verified that this still occurs on demo.redmine.org, so it is a current issue.
0. Use the Firefox browser with web developer extension (or any other browser with similar features)
1. Go to an issue
2. Click Update
3. Type some text into a comment
4. In the web developer toolbar, choose Cookies / Clear Session Cookies
5. Submit the comment
6. Error page appears
Error page does not contain text you entered in #3. If you click the Back button, you are returned to the form but without your text.
Error page should additionally contain the text of the comment you entered. Or, alternatively, the Back button should take you to the update page that includes your text.
1) Clearing session cookies is fairly common behaviour when testing web applications. While it's obvious that doing this will break a Redmine session (i.e. you shouldn't do it), Redmine doesn't have to add injury to insult by causing annoying data loss as a result.
3) I haven’t verified what happens with other update form errors such as simultaneous edit. If the same thing happens there, then those could benefit from being fixed, too.
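The behaviour the report asks for, shown as an added example that is not Redmine's code: the update handler still fails closed when the form token does not match the session token, but it answers with the form re-rendered around the submitted text and a fresh token, instead of a bare error page that discards the comment. Sessions, params and the issue are plain hashes standing in for the Rails objects, and `update_issue` is a hypothetical handler, not a Redmine controller action.

```ruby
require 'securerandom'

# Rails keeps the per-session CSRF token in the session; this mimics that.
def new_session
  { csrf_token: SecureRandom.hex(16) }
end

# The hidden form token must equal the session token; compared without timing leaks.
def valid_token?(session, submitted)
  expected = session && session[:csrf_token]
  return false unless expected.is_a?(String) && submitted.is_a?(String)
  return false unless expected.bytesize == submitted.bytesize
  expected.bytes.zip(submitted.bytes).inject(0) { |d, (x, y)| d | (x ^ y) }.zero?
end

# Hypothetical handler for "Update" on an issue. It returns a hash describing
# the response instead of rendering:
#   success   -> { status: 302, location: "/issues/<id>" } and the note is recorded
#   bad token -> { status: 422, render: :edit, notes: <submitted text>,
#                  session: <fresh session>, csrf_token: <its token> }
# The 422 branch is the point of the example: nothing is written, the user's
# text is handed back to the form, and the form carries a token that will
# validate on resubmission because it belongs to the newly issued session.
def update_issue(issue, session, params)
  unless valid_token?(session, params[:authenticity_token])
    fresh = new_session     # the old session was cleared or expired; start a new one
    return { status: 422, render: :edit, notes: params[:notes].to_s,
             session: fresh, csrf_token: fresh[:csrf_token] }
  end
  issue[:journals] << params[:notes].to_s
  { status: 302, location: "/issues/#{issue[:id]}" }
end

if __FILE__ == $PROGRAM_NAME
  session = new_session
  issue = { id: 7651, journals: [] }   # constructed sample issue
  p update_issue(issue, session, { authenticity_token: session[:csrf_token], notes: 'first note' })
  # Simulate "Clear Session Cookies": the request arrives with an empty session.
  p update_issue(issue, {}, { authenticity_token: session[:csrf_token], notes: 'kept text' })
end
```

Two points matter when doing this in a real application: the echoed `notes` value is user input and must be HTML-escaped when the form is re-rendered, and the fresh session is unauthenticated (clearing the cookie also logged the user out), so a cross-site POST that fails the check gains nothing from the response while a legitimate user gets their draft back to resubmit after logging in again.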
History
#1 Updated by Alberto Fanjul Alonso over 5 years ago
Any progress on this? It's really annoying to lose comments or modifications. Why not just stop redirection if there's no authenticity token? That easily solves the problem.



