Bug #10510

"Invalid authenticity token" after login

Added by Michael Moll over 3 years ago. Updated 3 months ago.

Status: Closed
Priority: High
Assignee:
Category: Security
Target version:
Difficulty:
Triaged:
Bugzilla link:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

I'm running Foreman nightlies on Debian/jessie. For about three days now I haven't been able to log in anymore:

2015-05-14 14:54:22 [I] Started GET "/users/login" for 2001:6f8:12f2:1::8 at 2015-05-14 14:54:22 +0200
2015-05-14 14:54:22 [I] Processing by UsersController#login as HTML
2015-05-14 14:54:22 [I]   Rendered users/login.html.erb within layouts/login (4.6ms)
2015-05-14 14:54:22 [I]   Rendered layouts/base.html.erb (2.2ms)
2015-05-14 14:54:22 [I] Completed 200 OK in 11.1ms (Views: 8.6ms | ActiveRecord: 0.0ms)
2015-05-14 14:54:26 [I] Started POST "/users/login" for 2001:6f8:12f2:1::8 at 2015-05-14 14:54:26 +0200
2015-05-14 14:54:26 [I] Processing by UsersController#login as HTML
2015-05-14 14:54:26 [I]   Parameters: {"utf8"=>"✓", "authenticity_token"=>"UvOb9l5ujQ1LdspGB+OWmayxfXcI2OsDqgNrbLha6m8=", "login"=>{"login"=>"mmoll", "password"=>"[FILTERED]"}, "commit"=>"Login"}
2015-05-14 14:54:26 [W] WARNING: Can't verify CSRF token authenticity
2015-05-14 14:54:26 [W] Operation FAILED: ERF42-4995 [Foreman::Exception]: Invalid authenticity token
2015-05-14 14:54:26 [I]   Rendered common/500.html.erb within layouts/application (5.5ms)
2015-05-14 14:54:26 [I]   Rendered layouts/base.html.erb (3.1ms)
2015-05-14 14:54:26 [I] Completed 500 Internal Server Error in 17.6ms (Views: 16.0ms | ActiveRecord: 0.0ms)
2015-05-14 14:55:10 [I] Started GET "/" for 192.168.200.11 at 2015-05-14 14:55:10 +0200
2015-05-14 14:55:10 [I] Processing by DashboardController#index as */*
2015-05-14 14:55:10 [I] Redirected to https://sledge.kvedulv.de/
2015-05-14 14:55:10 [I] Filter chain halted as #<Proc:0x00000003e60700@/usr/share/foreman/vendor/ruby/2.1.0/gems/actionpack-3.2.21/lib/action_controller/metal/force_ssl.rb:28> rendered or redirected
2015-05-14 14:55:10 [I] Completed 301 Moved Permanently in 1.7ms (ActiveRecord: 0.0ms)
2015-05-14 14:55:10 [I] Started GET "/users/login" for 192.168.200.11 at 2015-05-14 14:55:10 +0200
2015-05-14 14:55:10 [I] Processing by UsersController#login as */*
2015-05-14 14:55:10 [I]   Rendered users/login.html.erb within layouts/login (4.7ms)
2015-05-14 14:55:10 [I]   Rendered layouts/base.html.erb (2.0ms)
2015-05-14 14:55:10 [I] Completed 200 OK in 11.4ms (Views: 8.6ms | ActiveRecord: 0.0ms)

Related issues

Related to Foreman - Bug #10275: CVE-2015-3155 - The _session_id cookie is issued without the Secure flag (Closed, 2015-04-27)

Associated revisions

Revision 800c14d2 (diff)
Added by Dominic Cleal over 3 years ago

fixes #10510 - move secure flag to existing session configuration

On a source installation with SSL, the session store is properly configured
now and no longer continually resets user sessions.

Revision 425caed4 (diff)
Added by Dominic Cleal over 3 years ago

fixes #10510 - move secure flag to existing session configuration

On a source installation with SSL, the session store is properly configured
now and no longer continually resets user sessions.

(cherry picked from commit 800c14d29ee0811ad808f6eef8de8134d4498944)

History

#1 Updated by Dominic Cleal over 3 years ago

  • Related to Bug #10275: CVE-2015-3155 - The _session_id cookie is issued without the Secure flag added

#2 Updated by Dominic Cleal over 3 years ago

  • Priority changed from Normal to High
  • Legacy Backlogs Release (now unused) set to 50

#3 Updated by Dominic Cleal over 3 years ago

  • Status changed from New to Assigned
  • Assignee set to Dominic Cleal

Seems that the session store configuration is incorrect and what's happening on every page load is that the browser gets a new session. Since the CSRF token's in the session, it continually fails to process forms like the login page.

The session store is actually already configured in config/initializers/session_store.rb so I'll move the secure option here. The existing patch seems to work differently on 3.2.8 versus .21.
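
The mechanism described in comment #3, as an added illustration that is not Foreman's code and not the patch in PR 2386: a toy cookie-backed session store (SessionApp), a browser cookie jar (CookieJar) and a login_flow driver are all hypothetical names constructed for this example. The CSRF token lives in the server-side session, so whenever the session cookie fails to round-trip between the GET that renders the form and the POST that submits it, the server starts a fresh session, finds no token in it and rejects the form, exactly the "Can't verify CSRF token authenticity" line in the report. The cookie name _session_id comes from the related CVE; a Secure cookie issued to a plain-http page is used here as one illustrative way for the cookie to be dropped, not as a claim about the reporter's exact configuration.

```ruby
require 'securerandom'

# Browser side: remembers cookies and honours the Secure flag when sending them.
class CookieJar
  def initialize
    @cookies = {}   # cookie name => { value:, secure: }
  end

  # Parse a Set-Cookie header and remember the cookie and whether it was Secure.
  def store(set_cookie)
    name_value, *attrs = set_cookie.split(/;\s*/)
    name, value = name_value.split('=', 2)
    @cookies[name] = { value: value, secure: attrs.any? { |a| a.casecmp('secure').zero? } }
  end

  # Build the Cookie request header; Secure cookies are only sent over https.
  def cookie_header(scheme)
    @cookies.select { |_, c| scheme == 'https' || !c[:secure] }
            .map { |name, c| "#{name}=#{c[:value]}" }
            .join('; ')
  end
end

# Constant-time comparison so the token check does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: a session store with a single place where the cookie
# name and Secure flag are configured (hypothetical stand-in for Rails'
# session_store initializer).
class SessionApp
  attr_reader :sessions_created

  def initialize(key: '_session_id', secure: true)
    @key, @secure = key, secure
    @sessions = {}          # session id => session hash
    @sessions_created = 0
  end

  def set_cookie(sid)
    attrs = ["#{@key}=#{sid}", 'path=/', 'HttpOnly']
    attrs << 'Secure' if @secure
    attrs.join('; ')
  end

  # Find the session named by the Cookie header, or start a fresh one.
  def load_session(cookie_header)
    pairs = cookie_header.to_s.split(/;\s*/).map { |kv| kv.split('=', 2) }.to_h
    sid = pairs[@key]
    unless sid && @sessions.key?(sid)
      sid = SecureRandom.hex(16)
      @sessions[sid] = {}
      @sessions_created += 1
    end
    [sid, @sessions[sid]]
  end

  # GET /users/login: put a CSRF token in the session and render it into the form.
  def get_login(cookie_header)
    sid, session = load_session(cookie_header)
    session[:csrf] ||= SecureRandom.base64(32)
    { set_cookie: set_cookie(sid), authenticity_token: session[:csrf] }
  end

  # POST /users/login: the submitted token must match the one stored in the session.
  def post_login(cookie_header, authenticity_token)
    sid, session = load_session(cookie_header)
    valid = !session[:csrf].nil? && secure_compare(session[:csrf], authenticity_token)
    { set_cookie: set_cookie(sid), status: valid ? 200 : 500 }
  end
end

# Drive GET then POST through one browser jar over the given scheme and report
# the POST status plus how many sessions the server had to create on the way.
def login_flow(app, scheme)
  jar = CookieJar.new
  page = app.get_login(jar.cookie_header(scheme))
  jar.store(page[:set_cookie])
  result = app.post_login(jar.cookie_header(scheme), page[:authenticity_token])
  { status: result[:status], sessions_created: app.sessions_created }
end

if __FILE__ == $PROGRAM_NAME
  # Cookie round-trips: one session, token matches.
  puts login_flow(SessionApp.new(secure: true),  'https').inspect  # {:status=>200, :sessions_created=>1}
  # Secure cookie never comes back over http: second session, no token, 500.
  puts login_flow(SessionApp.new(secure: true),  'http').inspect   # {:status=>500, :sessions_created=>2}
  puts login_flow(SessionApp.new(secure: false), 'http').inspect   # {:status=>200, :sessions_created=>1}
end
```

The sessions_created counter is the practical check: on a real deployment the equivalent symptom is a new Set-Cookie with a fresh session id on every response, which is what to look for in the browser's network tab before suspecting the CSRF code itself.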

#4 Updated by The Foreman Bot over 3 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/2386 added
  • Pull request deleted ()

#5 Updated by Dominic Cleal over 3 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100