CSRF Check failed -- Access Forbidden on new installations

Steps to reproduce
1. Provision virtual server.
2. I'm using Vultr, so it will let me provision an Owncloud app server.
3. Log in to new server via the IP address only
4. Verify access. Just looked at the admin page and version.
5. Log in to the new server via the domain name, which is already provisioned as the system hostname by Vultr. It exists before Owncloud is installed. It will ask me of course to add the domain name to the approved list, and once doing so proceeds with the login.
6. CSRF Check Failed - I get an error page informing me of this and no account can log in anymore.

Expected behaviour
CSRF Check should not be happening at all.

Actual behaviour
I get the CSRF check notice and I can never log in to the Owncloud instance ever again, from anywhere, ever.

Server configuration
Operating system: Centos 6
Web server: Nginx
Database: Probably MySQL, whatever was provisioned by Vultr.
PHP version: 2.6.0
ownCloud version (see ownCloud admin page): Owncloud Version 9.1.1 ($OC_VersionString = '9.1.1':wink:
Updated from an older ownCloud or fresh install: Fresh Install
Special configuration (external storage, external authentication, reverse proxy, server-side-encryption): None

ownCloud log (data/owncloud.log)
Nothing there except some squawking about MySQL, but the very first login shows a working Owncloud so it can probably be disregarded as installation errors that were corrected.

Integrity status for oC9+

I can't log in at all. Period.

It's worth noting that I'm running an older app server with Owncloud and it is running just fine. I've set it up with Letsencrypt and hardened the SSL. I have no problems with any of that. It's just this CSRF check that instantly fails and kills the Owncloud platform before I can begin to install certificates or do anything.

Last I checked this was a bug being seen in upgrades and I've waited patiently for a fix, but nothing is fixing this error I have. I would appreciate any help as I promised somebody I would deliver them an Owncloud about 2 weeks ago, and all Owncloud instances are dead on arrival at Vultr.


I destroyed the server and had a complete reinstallation from Vultr. After logging into console the very first time:

  1. yum update && yum upgrade
  2. Letsencrypt provisioning steps (This included modifications to the nginx configuration)
  3. Tested with Mozilla Observatory-- A-
  4. In /var/www/owncloud/config/config.php, I removed the IP address from trusted domains and added the domain I have for this server.
  5. Attempted to access Owncloud via the website and login
  6. CSRF failure occurred instantly

    $CONFIG = array (
    'memcache.local' => '\OC\memcache\Redis',
    'redis' =>
    array (
    'host' => 'localhost',
    'port' => 6379,
    'timeout' => 0,
    'dbindex' => 0,
    'instanceid' => 'ocy29uw8x0wn',
    'passwordsalt' => 'C/opXt19IQVQl9ZVCzKOJxSdNVaTSG',
    'secret' => 'zLMK3XIELVdn7ul4Y55f0IBVTTNM7drmOnN1RHDQGHAeTnIq',
    'trusted_domains' =>
    array (
    0 => ''
    'datadirectory' => '/var/www/owncloud_data/',
    'overwrite.cli.url' => '',
    'dbtype' => 'mysql',
    'version' => '',
    'dbname' => 'owncloud',
    'dbhost' => 'localhost',
    'dbtableprefix' => '',
    'dbuser' => 'owncloud79831',
    'dbpassword' => 'xxxxxxxxxxxxxxxxxxxxxxxxxxx',
    'logtimezone' => 'UTC',
    'installed' => true,

    listen 443 ssl;
    server_name xxxxxxxxxxxxxxx;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/xxxxxxxxxxx/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxxxxxxxxxxxxxx/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/xxxxxxxxxxxxxx/chain.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver valid=86400;
    resolver_timeout 10;

    ssl_dhparam /root/dhparams.pem;

Is there a way to get an older version of Owncloud? I can install it myself instead of allowing Vultr to install the latest. Anything to get this working.

When having such issues it really help to use the search functionality at the top right. When putting "CSRF Check failed" into that search you will stumble over the following existing FAQ explaining that your server is mis-configured an shows example how to configure it correctly:

I did use the search functionality in the top right. With both https + csrf

The articles I saw all applied to upgrades from older versions. My problem was different.

The misconfiguration of the PHP config / webserver is affecting upgraded installations as well as new installations. Only the message/impact of this misconfiguration changed between the oC versions.

I've tried all the steps to mitigate it that were in the github comments. That didn't fix the environment.

I did notice that as part of creating a new instance I updated everything. I usually perform yum update && yum upgrade before provisioning anything. The CSRF check error does not appear if I check before I update.

Something in the update is breaking the environment, but those issues listed in the github comments don't represent what broke. If that is just a different message indicating misconfiguration, where can I go to get a better explanation of what the problem was to diagnose my environment?

From: https://github.com/owncloud/core/issues/25927#issuecomment-262703655

It may also be an issue that your web server has no write access to /var/lib/php/session. At least that happens on all our centos installations after every update to PHP.

Overall, contact a forum/community dedicated to your used distro to get support / hints how to research why a yum upgrade is causing such issues.

1 Like

You saved my day. Thank you :slight_smile: