Blank page with "Invalid csrf token."

[DuckDuckWhale]

• Gitea version (or commit ref): 1.13.0
• Git version: 2.25.1
• Operating system: Ubuntu Server 20.04
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Haven't tried
• Log gist: N/A

Description

When clicking buttons or adding comments in issues I often see a blank page saying Invalid csrf token., which I had to work around using a refresh and a re-click, which has problems such as losing text already typed up in the comments. This could be related to me using a lot of tabs.

Issues that this might be related to are:

• Invalid csrf token #4311: seems very similar, but locked so no discussion can be continued. Don't quite understand how it is closed as [Feature] detect and "logout" on old csrf token #11182 doesn't seem to be solution to this page appearing and proposes to log out instead (why though and how does it make things better?).
• Replace CRSF token with SameSite=strict #11188: proposes switching to SameSite=strict cookies instead, which seem to be able to fix this issue. Still filling this issue since this is not what a user might expect so should be better categorized as a bug than a proposal. Also, fixing this issue doesn't directly necessitate using Replace CRSF token with SameSite=strict #11188 and other fixes might be possible.

[lunny]

csrf token has an expired time. Most time it occurred because stay in an input page too long.

[lunny]

The CSRF token expired time should larger than session expired time. Then if you click the submit button, you will be redirected to a Gitea login page but not returned invalid csrf token.

[DuckDuckWhale]

That's strange... After how long does it expire? I have just encountered it again when I opened a lot of Gitea tabs and waited for only about an hour.

[lunny]

That's wired. CSRF expired time is one day.

[DuckDuckWhale]

Encountered this again (400 Bad Request with Invalid csrf token but when saving a comment, in which case after the refresh the typed up comment disappeared so it might lead to small scale data loss which is bad), I think this page lived less than a day as well.

[somera]

That's wired. CSRF expired time is one day.

Is this a new feature in 1.13.x? I didn't get it before 1.13.x.

And if it expired, why the browsing is working? I get the error only when I start import new mirror:

[lakostin]

Have the same problem.

[zeripath]

CSRF is only checked on POST so GETs will not affect it.

[lafriks]

Could it be related to token strict attribute?

[kevung]

I encounter the same problem, on version 1.13.0+rc1. I have only one Gitea tab open and the "Invalid csrf token" page appears imediately after I try to comment and review a Pull request. (for me, no need to wait an expire time to see the problem)

[JulianOrteil]

Encountering the same scenario as @kevung as well on 1.13.6 for Windows. What do you guys need from us since @CL-Jeremy says you need more information in the linked PR?

[kevung]

Hello everybody,
I migrated today to Gitea 1.14.0+rc2, and I could not reproduce the problem :) I could smoothly review pull requests. It seems to have been fixed somehow. Perhaps, it is wise to confirmation from other people using 1.14 before resolving this issue.
Thanks to the Gitea team for the amazing work.

[lunny]

v1.14 changed web framework from macaron to chi and modified the old csrf middleware. But I cannot ensure we fixed that.

[josch]

I just created a fresh installation of v1.14.1 and am seeing the Invalid csrf token. message every time there is a POST request. Interestingly this only happens with firefox 86 but not with chromium 89. In contrast to the other reports, refreshing the page does not fix this.

EDIT: what fixed the problem for me was to clear all cookies and site data in the firefox preferences.

[xergio]

@josch solution was the key for me, I had some cookies from a previous instalation of gogs, then installed gitea in the same domain and some cookies remained (maybe the one called _csrf) and was doing something bad.

[kevung]

Hello, I am encountering the problem "Invalid csrf token." when I try to start the Timer on an issue. I use Gitea Version: 1.14.0+rc2