Bug #10577

ERF42-4995 - Invalid authenticity token (Session timed out at login screen)

Added by Tommy McNeely over 6 years ago. Updated 8 months ago.

Web Interface
Target version:
Bugzilla link:
Fixed in Releases:
Found in Releases:


Steps to reproduce...

  • Open the Foreman Login screen
  • Wait a long time (overnight?) for the session to time out [1]
  • Try to login

[1] - NOTE: I produced this during a chrome upgrade (per script below) last night, then tried to login this morning.

Expected Result: Session timed out, back to the login screen again (similar to when the session times out in other parts of the app)

Actual Result: ERF42-4995 [Foreman::Exception]: Invalid authenticity token (500 error)

[08:23] <TommyTheKid> Bug or feature? - I "updated chrome" last night, and my foreman screen was sitting at the login. I entered my details, and clicked Login, and got an error that looked a lot like a "500" error Invalid Authenticity Token
[08:23] <Dominic> likely a feature, your session probably timed out
[08:23] <TommyTheKid> There shouldn't be any token "before" I login?
[08:24] <Dominic> there is, every form, including the login form has a token and you even have a session before logging in, which the token's stored in, so it was probably just that
[08:24] <Dominic> (to stop cross site posting attacks)
[08:24] <TommyTheKid> should it be handled cleaner than a 500 error?
[08:25] <Dominic> yeah, I'd accept that :)
[08:25] <Dominic> "go back and refresh, try again"
[08:26] <TommyTheKid> it seems like it only happens at the login screen, otherwise everything else dumps me back to the login screen
[08:27] <TommyTheKid> very niche case, but just a UX thing that I thought I would ask about
[08:28] <Dominic> TommyTheKid: hm yeah, I suppose if your session expired on another page then you may hit the session check before the token authenticity check, hence the redirect. good spot
[08:31] <Dominic> TommyTheKid: #6999 originally introduced it, btw

Associated revisions

Revision e0d14b3c (diff)
Added by Tomer Brisker about 1 year ago

Fixes #10577 - Handle login csrf token expiry nicely (#7832)


#1 Updated by Dominic Cleal over 6 years ago

I wonder if leaving the session_expiry filter enabled on the login page would be enough to make this work properly. Currently it's disabled:

#2 Updated by Tommy McNeely over 6 years ago


ERF42-4995 [Foreman::Exception]: Invalid authenticity token
app/controllers/application_controller.rb:376:in `handle_unverified_request'
lib/middleware/catch_json_parse_errors.rb:9:in `call'

#3 Updated by Tommy McNeely over 6 years ago

I just realized that it may be more than a simple session timeout.... still not sure what the best way to handle it is though.

New Steps to reproduce:

  • Open the foreman login screen in more than one tab/window (in Chrome)
  • (not sure if this is required) - Leave them overnight
  • Open a new foreman tab (for example clicking on a host in the email report)
  • Login there, view report
  • Switch back to the other tabs (that were left last night) and try to login to foreman.

Now its getting even more niche case?

#4 Updated by Dominic Cleal over 6 years ago

Makes a bit more sense now, probably not the session expiry versus token order in this case.

It's likely that both tabs were part of the same session - Chrome would've used the session cookie from the new tab when submitting the old tab, but since the form was old, it had an old token in there.

Foreman's doing the right thing in preventing it, but it could simply redirect the user back, or show a nicer error page to suggest what might have happened (either somebody being attacked, or an innocent "go back and try again").

#5 Updated by Tomer Brisker about 1 year ago

  • Bugzilla link set to 1840166

#6 Updated by The Foreman Bot about 1 year ago

  • Assignee set to Tomer Brisker
  • Status changed from New to Ready For Testing
  • Pull request added

#7 Updated by The Foreman Bot about 1 year ago

  • Fixed in Releases 2.2.0 added

#8 Updated by Tomer Brisker about 1 year ago

  • Status changed from Ready For Testing to Closed

#9 Updated by The Foreman Bot about 1 year ago

  • Pull request added

#10 Updated by Shira Maximov 8 months ago

  • Bugzilla link changed from 1840166 to 1868303

Also available in: Atom PDF