CSRF check failed on login


#1

Hello!

I had a working installtion of nextcloud 12 running on my Raspbian stretch up-to-date Raspberry Pi 3 home server. Because of some issues with external storage and apache 2 shutting down often i upgraded to nextcloud 13. However, i got strange issues at login, why i changed to owncloud. I was happy to find a Debian package for stretch. After installing that via the repository i followed all the steps for installing php extensions, restarting apache and so on. I made a new database in Mariadb. I changed the file permissions to www-data:www-data for using the setup web interface. I also prepared the site-configuration file for owncloud exactly as in the instruction. However, before i had a different one. After successful (????) setup i tried to login via the web interface from my desktop machine's web browser to my server, but i got an error:

Access denied. CSRF check failed. This much happens. From little bit research in the internet there were old contributions relating such errors to PHP problems, but till some days ago my nextcloud 12 was working nicely with my up-to-date Raspbian 9 Stretch system. I think the issue is related to both nextcloud and owncloud, which have both released new versions recently.


#2

Hi,

maybe this could be helpful to you:

You could also just disable the CSRF check in your config.php.

'csrf.disabled' => true,'

#3

Thanks for the info... In how far is the CSRF check essential to the security of the cloud?


#4

Hi! After switching off csrf check, i can login as administrator, but at the file screen get the message that owncloud cannot load the page. This seems to be a bug. Maybe as long as there is no files that error message is displayed. That is the same message i got after updating to from Nextcloud 12 to Nextcloud 13. Now, the same error appears also for the most recent version of Owncloud 10. I ran the script provided on https://doc.owncloud.org/server/10.0/admin_manual/installation/installation_wizard.html#post-installation-steps for setting file permissions in post-installation procedure.


#5

I would try to set the permissions manually, to exclude an error in the script or if it's not suitable for your setup.

I have also found something in our doc

https://doc.owncloud.com/server/10.0/admin_manual/installation/configuration_notes_and_tips.html?highlight=csrf#session-auto-start-enable-post-data-reading


#6

Maybe its really also just an issue on your setup if both (ownCloud and Nextcloud) are showing the same behavior? I think the link posted by @dmitry above (https://github.com/owncloud/core/issues/25927#issuecomment-262703655) shows that there are quite a lot misconfigurations on server side known to cause such a CSRF check failed message.

It seems in a few additional comments further issues could be found:

browser cache related (https://github.com/owncloud/core/issues/25927#issuecomment-271838460)

cookies disabled in browser (https://github.com/owncloud/core/issues/25927#issuecomment-333084040)

lacking disc space (https://github.com/owncloud/core/issues/25927#issuecomment-277237545)

webserver messing with cookies (https://github.com/owncloud/core/issues/25927#issuecomment-356147763)

tempdir issue (https://github.com/owncloud/core/issues/25927#issuecomment-334137448)

php session folder issue (https://github.com/owncloud/core/issues/25927#issuecomment-330965669)


#7

Post_Max_Size was set in my PHP 7.0 configuration to 8M. I changed to 512M and it did not solve my problem. session.auto.start setting was by default correct. enable post data reading setting was also correct by default. I am using Raspbian 9 Stretch on Rasberry Pi 3. PHP session file seems also to be correct by default. Only if i swith off CSFR check, then i can login and even after that things seem not to work completely correctly...


#8

Maybe there is something else broken and the CSRF message is just a side-effect of this? It could be possible that inspecting your logfiles of e.g. webserver, php or owncloud gives you some hints.

I think another possibility could be to setup a fresh OS like e.g. Debian Stretch in a VM, install ownCloud there and then compare the setup like e.g. PHP Configuration, Permissions etc. of that working System with your current one.


#9

Hi! I looked in the log file of owncloud after disabling CSRF check. There was an error because the themes folder was not there. I installed the directory tree from debian package from the owncloud site. Same happens for the tarball. The themes directory is missing and is producing an error message. After again enabling the CSRF check, in the owncloud logfile it is just mentioned that the login failed without further specification.


#10

Hi, I think you are looking for another forum. this is ownCloud central, you are using the wrong software. please go to their forum.


#11

From what i understand the same happens on a ownCloud installation of the user as well so i think the forums here is fitting as well.


#12

the thing with the themes folder seems to also popup in the nextcloud as well owncloud installation according to manuals for nextcloud 13 and owncloud 10. They seem to have pretty much the same code base???? This issue can be corrected easily by making a themes folder with proper access rights and maybe putting some of the contents in that the owncloud installation is searching for after the login. The CSRF thing maybe one can simply switch off and forget about it. I don't know. As far as i know one can buy professionally packed NAS drives with owncloud on them easily in electronic markets. Maybe such installations would work nicely. However, there was also a lot of fuzz about making an owncloud/nextcloud server on a Raspberry Pi, which is essentially my use case. If that would really work nicely (and my nextcloud 12 was working somehow although in several aspects unsatisfactory), one would have the constellation of running an own cloud at the cost of a Raspberry Pi 3 (ca. 80-90 EURO including accessories), electricity cost of 20 EURO for running the server day and night a whole year. Using a dynamic DNS provider and forwarding the proper port of the web server to the Raspberry Pi. That is a total amount of cost equal to peanuts everyone could afford. The only pity is that ISPs charge money for fixed IPs and for your right to drive your own DNS server (who provides domain registration with free and unrestricted access to the DNS record of your domain?). Theoretically ICANN allows someone who is certified by ICANN to provide domain registration also free of charge, but currently ICANN has only comissioners for country level top level domains and extraordinary domains, but not for free and unrestricted domains. It would be so nice to have a .linux or .opensource or .freesociety unrestricted and free of charge top level domain.


#13

I don't have a theme folder in my ownCloud 10.0.7 installation folder and not getting any errors. Maybe you're running an outdated version of ownCloud?


#14

I used the most recent Debian package and later tarball. Since it is a PHP project is suspect it should not matter, whether i run it on a Raspberry Pi 3 with an up-to-date Raspbian Stretch or on any other machine. And nextcloud 12 used to work, though the web server was deactivating itself regularly, which was annoying and i did not solve that isseu before i changed to owncloud 10.0.7. And as mentioned before the only error messages in the owncloud.log was the failed login when CSRF is activated and the missing themes folder, otherwise the logfile was pretty empty.


#15

No, is not the same.

Did you install a fresh installation from ownCloud, including Database or just tried to migrate the software?


#16

I deleted the old database as i did not fill it extensively under Nextcloud 12. I also deleted the nextcloud folder and made a completely new owncloud folder from the Debian package of owncloud 10.0.7. From that i got the error messages as listed above (missing themes folder, login failed). The missing themes folder message was only displayed after i deactivated the CSRF check according to the hint of 'dmitry' in the config.php file of my owncloud installation. Those two messages were the only ones in my error log. Also after login (having CSRF check deactivated) immediatley the next error message is displayed on the webpage "Problem beim Laden der Seite" (problem while loading the page) which might be due to the missing themes folder...


#17

The theme folder is not necessary for version 10, you can have it as app, but you have first to check in your config.php if you have the entry, if that is, remove it or create a theme folder to avoid the error.

It would help more if you put the log files and your config.php (remove the passwords) , then we can see the stack trace and analyze the code better.


#18

I've seen in https://github.com/owncloud/core/pull/29950 that since 10.0.5 you should be directed to the login page if your CSRF fails. Probably your configuration from Apache has a missing configuration. Can you provide that too?


#19

Hi! I did yesterday some update of my Debian packages in which i had included the Debian repository for owncloud files. I noticed that the package seemed to be 10.0.5 and was updated to 10.0.7. Still, after update the error remains: "Problem while loading the page. Page will be loaded in 5 seconds." German original: "Problem beim Laden der Seite. Seite wird in 5 Sekunden geladen." That happens directly after login provided CSRF is switched off.

The apache2.conf looks like this on my owncloud Raspberry Pi 3 server:

Then there are also several files in conf-enabled, especially 2 seem related to php: phpmyadmin standard apache configuration:

and php7.0-fpm.conf:

Otherwise some other files are present in the conf-enabled folder: javascript-common.conf ...


#20

Maybe you can try to switch from php-fpm to mod_php?