Bug #10510 (closed): "Invalid authenticity token" after login
Description
I'm running Foreman nightlies on Debian/jessie. For about three days now I haven't been able to log in:
2015-05-14 14:54:22 [I] Started GET "/users/login" for 2001:6f8:12f2:1::8 at 2015-05-14 14:54:22 +0200
2015-05-14 14:54:22 [I] Processing by UsersController#login as HTML
2015-05-14 14:54:22 [I] Rendered users/login.html.erb within layouts/login (4.6ms)
2015-05-14 14:54:22 [I] Rendered layouts/base.html.erb (2.2ms)
2015-05-14 14:54:22 [I] Completed 200 OK in 11.1ms (Views: 8.6ms | ActiveRecord: 0.0ms)
2015-05-14 14:54:26 [I] Started POST "/users/login" for 2001:6f8:12f2:1::8 at 2015-05-14 14:54:26 +0200
2015-05-14 14:54:26 [I] Processing by UsersController#login as HTML
2015-05-14 14:54:26 [I] Parameters: {"utf8"=>"✓", "authenticity_token"=>"UvOb9l5ujQ1LdspGB+OWmayxfXcI2OsDqgNrbLha6m8=", "login"=>{"login"=>"mmoll", "password"=>"[FILTERED]"}, "commit"=>"Login"}
2015-05-14 14:54:26 [W] WARNING: Can't verify CSRF token authenticity
2015-05-14 14:54:26 [W] Operation FAILED: ERF42-4995 [Foreman::Exception]: Invalid authenticity token
2015-05-14 14:54:26 [I] Rendered common/500.html.erb within layouts/application (5.5ms)
2015-05-14 14:54:26 [I] Rendered layouts/base.html.erb (3.1ms)
2015-05-14 14:54:26 [I] Completed 500 Internal Server Error in 17.6ms (Views: 16.0ms | ActiveRecord: 0.0ms)
2015-05-14 14:55:10 [I] Started GET "/" for 192.168.200.11 at 2015-05-14 14:55:10 +0200
2015-05-14 14:55:10 [I] Processing by DashboardController#index as */*
2015-05-14 14:55:10 [I] Redirected to https://sledge.kvedulv.de/
2015-05-14 14:55:10 [I] Filter chain halted as #<Proc:0x00000003e60700@/usr/share/foreman/vendor/ruby/2.1.0/gems/actionpack-3.2.21/lib/action_controller/metal/force_ssl.rb:28> rendered or redirected
2015-05-14 14:55:10 [I] Completed 301 Moved Permanently in 1.7ms (ActiveRecord: 0.0ms)
2015-05-14 14:55:10 [I] Started GET "/users/login" for 192.168.200.11 at 2015-05-14 14:55:10 +0200
2015-05-14 14:55:10 [I] Processing by UsersController#login as */*
2015-05-14 14:55:10 [I] Rendered users/login.html.erb within layouts/login (4.7ms)
2015-05-14 14:55:10 [I] Rendered layouts/base.html.erb (2.0ms)
2015-05-14 14:55:10 [I] Completed 200 OK in 11.4ms (Views: 8.6ms | ActiveRecord: 0.0ms)
Updated by Dominic Cleal over 9 years ago
- Related to Bug #10275: CVE-2015-3155 - The _session_id cookie is issued without the Secure flag added
Updated by Dominic Cleal over 9 years ago
- Priority changed from Normal to High
- Release set to 50
Updated by Dominic Cleal over 9 years ago
- Status changed from New to Assigned
- Assignee set to Dominic Cleal
Seems that the session store configuration is incorrect and what's happening on every page load is that the browser gets a new session. Since the CSRF token's in the session, it continually fails to process forms like the login page.
The session store is actually already configured in config/initializers/session_store.rb so I'll move the secure option here. The existing patch seems to work differently on 3.2.8 versus .21.
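The failure mode described in the comment above, as an added illustration that is not Foreman's or Rails' own code: a minimal model of Rails-style CSRF protection, where the token lives in the server-side session and the form carries a copy of it. When the browser does not send the session cookie back (for instance because the server set it with attributes the browser rejects), the server creates a fresh session with a fresh token on the POST, so the token embedded in the login form can never match and every form submission fails. Class and method names (`SessionStore`, `App`, `get_login`, `post_login`) are constructed for this example.

```ruby
require 'securerandom'

# Constructed server-side session store: sessions keyed by the cookie value.
class SessionStore
  def initialize
    @sessions = {}
  end

  # Return the session for a known cookie; otherwise start a brand-new one,
  # which is what a Rails app does on every request that arrives without
  # a recognised session cookie.
  def load(cookie)
    return @sessions[cookie] if cookie && @sessions.key?(cookie)
    id = SecureRandom.hex(16)
    @sessions[id] = { id: id }
  end
end

# Constructed stand-in for the login controller.
class App
  attr_reader :store

  def initialize
    @store = SessionStore.new
  end

  # GET /users/login: bind a CSRF token to the session and embed it in the form.
  # Returns [cookie the browser should store, token embedded in the form].
  def get_login(cookie = nil)
    session = store.load(cookie)
    session[:_csrf_token] ||= SecureRandom.base64(32)
    [session[:id], session[:_csrf_token]]
  end

  # POST /users/login: compare the submitted token with the session's token.
  # A session without a token gets one generated on the spot, mirroring Rails,
  # so a brand-new session always yields a mismatch.
  def post_login(cookie, submitted_token)
    session = store.load(cookie)
    expected = (session[:_csrf_token] ||= SecureRandom.base64(32))
    if submitted_token && secure_compare(expected, submitted_token)
      :ok
    else
      :invalid_authenticity_token
    end
  end

  private

  # Constant-time comparison so the check does not leak where tokens differ.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Browser that keeps the session cookie between GET and POST: login succeeds.
def working_browser_flow
  app = App.new
  cookie, token = app.get_login
  app.post_login(cookie, token)
end

# Browser that drops the cookie: the POST arrives without a session, the server
# starts a new one, and the form's token no longer matches anything.
def cookie_dropping_browser_flow
  app = App.new
  _cookie, token = app.get_login
  app.post_login(nil, token)
end

if __FILE__ == $PROGRAM_NAME
  puts "cookie kept:    #{working_browser_flow}"
  puts "cookie dropped: #{cookie_dropping_browser_flow}"
end
```

The practical check this suggests when debugging the real symptom: watch the `Set-Cookie` header on the login GET and confirm the same `_session_id` value is sent back on the POST; a changing session id between consecutive requests is the session-store misconfiguration, and the CSRF error is only its visible consequence.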
Updated by The Foreman Bot over 9 years ago
- Status changed from Assigned to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/2386 added
- Pull request deleted
Updated by Dominic Cleal over 9 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 800c14d29ee0811ad808f6eef8de8134d4498944.