Bug #10510

closed

"Invalid authenticity token" after login

Added by Anonymous almost 9 years ago. Updated over 5 years ago.

Status: Closed
Priority: High
Assignee:
Category: Security
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

I'm running Foreman nightlies on Debian/jessie. For about three days now I haven't been able to log in anymore:

2015-05-14 14:54:22 [I] Started GET "/users/login" for 2001:6f8:12f2:1::8 at 2015-05-14 14:54:22 +0200
2015-05-14 14:54:22 [I] Processing by UsersController#login as HTML
2015-05-14 14:54:22 [I]   Rendered users/login.html.erb within layouts/login (4.6ms)
2015-05-14 14:54:22 [I]   Rendered layouts/base.html.erb (2.2ms)
2015-05-14 14:54:22 [I] Completed 200 OK in 11.1ms (Views: 8.6ms | ActiveRecord: 0.0ms)
2015-05-14 14:54:26 [I] Started POST "/users/login" for 2001:6f8:12f2:1::8 at 2015-05-14 14:54:26 +0200
2015-05-14 14:54:26 [I] Processing by UsersController#login as HTML
2015-05-14 14:54:26 [I]   Parameters: {"utf8"=>"✓", "authenticity_token"=>"UvOb9l5ujQ1LdspGB+OWmayxfXcI2OsDqgNrbLha6m8=", "login"=>{"login"=>"mmoll", "password"=>"[FILTERED]"}, "commit"=>"Login"}
2015-05-14 14:54:26 [W] WARNING: Can't verify CSRF token authenticity
2015-05-14 14:54:26 [W] Operation FAILED: ERF42-4995 [Foreman::Exception]: Invalid authenticity token
2015-05-14 14:54:26 [I]   Rendered common/500.html.erb within layouts/application (5.5ms)
2015-05-14 14:54:26 [I]   Rendered layouts/base.html.erb (3.1ms)
2015-05-14 14:54:26 [I] Completed 500 Internal Server Error in 17.6ms (Views: 16.0ms | ActiveRecord: 0.0ms)
2015-05-14 14:55:10 [I] Started GET "/" for 192.168.200.11 at 2015-05-14 14:55:10 +0200
2015-05-14 14:55:10 [I] Processing by DashboardController#index as */*
2015-05-14 14:55:10 [I] Redirected to https://sledge.kvedulv.de/
2015-05-14 14:55:10 [I] Filter chain halted as #<Proc:0x00000003e60700@/usr/share/foreman/vendor/ruby/2.1.0/gems/actionpack-3.2.21/lib/action_controller/metal/force_ssl.rb:28> rendered or redirected
2015-05-14 14:55:10 [I] Completed 301 Moved Permanently in 1.7ms (ActiveRecord: 0.0ms)
2015-05-14 14:55:10 [I] Started GET "/users/login" for 192.168.200.11 at 2015-05-14 14:55:10 +0200
2015-05-14 14:55:10 [I] Processing by UsersController#login as */*
2015-05-14 14:55:10 [I]   Rendered users/login.html.erb within layouts/login (4.7ms)
2015-05-14 14:55:10 [I]   Rendered layouts/base.html.erb (2.0ms)
2015-05-14 14:55:10 [I] Completed 200 OK in 11.4ms (Views: 8.6ms | ActiveRecord: 0.0ms)

Related issues: 1 (0 open, 1 closed)

Related to Foreman - Bug #10275: CVE-2015-3155 - The _session_id cookie is issued without the Secure flag (Closed, Shlomi Zadok, 04/27/2015)

#1

Updated by Dominic Cleal almost 9 years ago

  • Related to Bug #10275: CVE-2015-3155 - The _session_id cookie is issued without the Secure flag added
#2

Updated by Dominic Cleal almost 9 years ago

  • Priority changed from Normal to High
  • Release set to 50

#3

Updated by Dominic Cleal almost 9 years ago

  • Status changed from New to Assigned
  • Assignee set to Dominic Cleal

Seems that the session store configuration is incorrect and what's happening on every page load is that the browser gets a new session. Since the CSRF token's in the session, it continually fails to process forms like the login page.

The session store is actually already configured in config/initializers/session_store.rb so I'll move the secure option here. The existing patch seems to work differently on 3.2.8 versus .21.
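
The dependency Dominic describes, a CSRF token that is only valid while the _session_id cookie keeps naming the same server-side session, modelled as an added Ruby example (constructed for illustration, not Foreman's or Rails' own code; the SessionServer class, its reuse_session switch and the login_flow helper are assumptions of this example):

```ruby
require 'securerandom'
# Constructed model of a session-backed CSRF check in the style of Rails 3.2
# (illustration only; not Foreman's or Rails' own code). The token lives in the
# server-side session named by the _session_id cookie, so a store that ignores
# the incoming cookie and creates a fresh session per request can never match.
class SessionServer
  # reuse_session: false simulates the misconfigured store that issues a new
  # session id on every request instead of loading the one from the cookie.
  def initialize(reuse_session: true)
    @sessions = {}
    @reuse_session = reuse_session
  end

  # GET /users/login: returns [session_id, authenticity_token]; a real server
  # would also send "Set-Cookie: _session_id=<sid>; Secure; HttpOnly".
  def get_login(cookie_sid)
    sid = load_or_create(cookie_sid)
    @sessions[sid][:csrf] ||= SecureRandom.base64(32)
    [sid, @sessions[sid][:csrf]]
  end

  # POST /users/login: :ok when the submitted token matches the session's,
  # otherwise :invalid_authenticity_token (the ERF42-4995 case in the log).
  def post_login(cookie_sid, authenticity_token)
    expected = @sessions[load_or_create(cookie_sid)][:csrf]
    return :invalid_authenticity_token unless expected && constant_time_equal?(expected, authenticity_token.to_s)
    :ok
  end

  private
  def load_or_create(cookie_sid)
    return cookie_sid if @reuse_session && cookie_sid && @sessions.key?(cookie_sid)
    sid = SecureRandom.hex(16)
    @sessions[sid] = {}
    sid
  end

  # Length check plus XOR accumulation so the compare does not short-circuit on
  # the first differing byte (same idea as Rack::Utils.secure_compare).
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
# Browser side: fetch the form, then replay the cookie together with the token
# rendered into it, as a browser that keeps the session cookie would.
def login_flow(server)
  sid, token = server.get_login(nil)
  server.post_login(sid, token)
end
```

With reuse_session: true the flow returns :ok; with the store set to hand out a fresh session on every request it returns :invalid_authenticity_token for every submission, exactly the pattern seen in the reporter's log.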

#4

Updated by The Foreman Bot almost 9 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/2386 added
  • Pull request deleted ()
#5

Updated by Dominic Cleal almost 9 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100