CSRF token error. Try to refresh the page and try again

joeyk · January 20, 2022, 12:59pm

@mikew did you apply the ugly-but-works workaround with the cookie lifetime?

mzagmajster · January 20, 2022, 2:01pm

Another ugly fix for Mautic 3 instance is to replace the template Views:User:Security:ajax.html.php template

I encountered this error if the user has been logged out and I logged back in using ajax render login form.

I solved it by forcing complete refresh of login page which also regenerates the CSRF token:

<?php
$view->extend('MauticCoreBundle:Default:content.html.php');
$view['slots']->set('headerTitle', $view['translator']->trans('mautic.user.auth.expired.header'));
?>

<script type="text/javascript">
    window.location.reload();
</script>

Hope it helps someone.
Regards, M.

elsaadj · March 23, 2022, 12:15pm

Using latest 4.2.0 and still getting this issue.

Click new contact, fill the form with details, click save, and it tells CSRF token error, now you have to re-enter all the contact information again after refresh. Why it does not tell you the CSRF token error when clicking on add contact or doing refresh before entering info?

What is the fix for this?

mzagmajster · March 23, 2022, 1:39pm

I have solved this here:

Its not my favorite fix, but its the only one that worked so far.

joeyk · March 23, 2022, 2:11pm

There is a PR coming up, that plays with the ‘Remember me’ cookie.
Plz test if you can, it’s keeping me logged in:

github.com/mautic/mautic

Fix "keep me logged in"

mautic:4.x ← bradycargle:fix-rememberme

opened 03:59AM - 23 Mar 22 UTC

bradycargle

+16 -4

| Q | A | -------------------------------------- | --- | Bug fix? (use the a.b branch) | [X ] | New feature/enhancement? (use the a.x branch) | [ ] | Deprecations? | [ ] | BC breaks? (use the c.x branch) | [ ] | Automated tests included? | [ ] | Related user documentation PR URL | mautic/mautic-documentation#... | Related developer documentation PR URL | mautic/developer-documentation#... | Issue(s) addressed | Fixes #...  #### Description: When people log in, there is an option to "keep me logged in". This used to add a cookie to the browner named REMEMBERME, but this behavior broke somewhere down the line. Now people are getting logged out soon and having to log back in, often losing work. Look at [this issue](https://github.com/mautic/mautic/issues/9804#issuecomment-1025756557) and [this issue](https://github.com/mautic/mautic/issues/9011#issuecomment-1009051271) for reference. #### Steps to test this PR: 1. Open this PR on Gitpod or pull down for testing locally (see docs on testing PRs [here](https://contribute.mautic.org/contributing-to-mautic/tester)) 2. Before logging in, open the cookie viewer. You can do this by right click -> Inspect -> and go to Application. Scroll down to Storage -> Cookies and there you can see browser cookies 3. Log in and click "keep me logged in". You should see a cookie named REMEMBERME added to the browser cookies 4. Delete all cookies except the REMEMBERME cookie (click on the cookie, then Backspace). Reload the page. You should still be logged in 5. Delete all cookies (including REMEMBERME) and reload the page. You should be logged out <a href="https://gitpod.io/#https://github.com/mautic/mautic/pull/10994"><img src="https://gitpod.io/button/open-in-gitpod.svg"/></a>

mikew · March 23, 2022, 4:30pm

Hey @joeyk I tried this and seems to have not worked for me.
I updated the issue on GitHub, I am not able to get to the mautic instance “offline error”. I see some errors in my log:

[error] 1851#1851: *784641 FastCGI sent in stderr: "PHP message: ParseError: syntax error, unexpected ''lifetime'' (T_CONSTANT_ENCAPSED_STRING), expecting ']' - in file /var/www/mautic/app/config/security.php - at line 98" while reading response header from upstream, client: 132.82.126.64, server: mymautic.com, request: "POST /mailer/sendgrid_api/callback HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.4-fpm.sock:", host: "mymautic.com"

mzagmajster · March 23, 2022, 6:28pm

It would be interesting to know whats the value of:
$configParameterBag->get('rememberme_lifetime')

Looking at my config its nothing out of the ordinary and it should not break. Can you clear the cache and try again.

mikew · March 23, 2022, 6:44pm

did that a few times… strange behaviour.

bradycargle · March 25, 2022, 1:22pm

@mzagmajster You can check the value of $configParameterBag->get(‘rememberme_lifetime’) by putting the line: dd($configParameterBag); right after your configParameterBag = $parameterLoader->getParameterBag();. The value should be 31536000, which is one year in seconds

@mikew Copying a reply I made on GitHub here:

Might be a few ways to fix this. It sounds like the file might have been copied to the wrong directory; can you make sure the change is only in app/config/security.php?

If that’s not the problem, let’s try this: Revert back to your Mautic instance from before the change, then open your console, cd to the Mautic folder, and type “gh pr checkout 10994”. This will make the exact file changes that’s in my PR. See if that works for you

Last, we can always test with GitPod. You can click on the “Open in GitPod” button in GitHub when you look at the PR. It’s working for me there. I found the cookie using Right Click > Inspect > Application > Cookies > https://8080-bradycargle…

richmarks20 · February 2, 2023, 2:38pm

Just to reup this, it’s still happening to me on 4.4.5 - frequency vastly reduced, so something has been changed in the last few releases, but still happening, particularly when adding contacts, although I can’t put my finger on any particular action that causes it. Anyone working on it, let me know if I can provide any helpful information…

ankushanand · March 3, 2023, 8:41am

I am also facing this issue in some of my mautic installations

joeyk · March 3, 2023, 6:00pm

It’s normal. Just log in again from the REAL login page.

ankushanand · March 4, 2023, 5:15am

Yeah, I do that all the time, Login Again but sometimes its frustrating when I have made changes and then it gives this error.

diegoom · May 9, 2023, 12:28pm

This happens to me a lot too.
The truth is a bit strange.

Yosu_Cadilla · May 9, 2023, 12:32pm

Oldest problem in the Mautic pile!

I remember @escopecz giving an explanation many years ago, I also remember not understanding anything he said at the time…
What I do remember from his explanation of the issue is that it wasn’t Mautic’s fault…

mikew · May 9, 2023, 12:55pm

I actually once got this fixed by upgrading nginx to the latest version… but downgraded after that and back to the same problem. I remember that Mautic was not playing well with php 8.0 and the latest nginx version

richmarks20 · September 6, 2023, 1:38pm

It seems to me that this might have some (positive) impact on the issue

github.com/mautic/mautic

AJAX requests use the site_url instead of the current domain [backport]

mautic:4.4 ← nick-vanpraet:backport/subrequests-incorrect-domain

opened 10:50AM - 01 Mar 23 UTC

nick-vanpraet

+5 -2

| Q | A | -------------------------------------- | --- | Bug fix? (use the a.b branch) | [x] | New feature/enhancement? (use the a.x branch) | [ ] | Deprecations? | [ ] | BC breaks? (use the c.x branch) | [ ] | Automated tests included? | [ ] | Related user documentation PR URL | mautic/mautic-documentation#... | Related developer documentation PR URL | mautic/developer-documentation#... | Issue(s) addressed | Fixes #...  #### Description:  Backport for PR: https://github.com/mautic/mautic/pull/12037 When a Mautic instance is setup with 2 domains, one publicly accessible and one not (e.g. internal.mautic.com and public.mautic.com), and the site_url is set to the public mautic (so emails add the correct URls, images, etc) then AJAX requests when browsing the internal site will incorrectly use the public URL. Specifically: - Campaign detail view fetches contacts using a JS request, which will use the wrong URL - Segment detail view fetches contacts using a JS request, which will use the wrong URL This PR simply replaces the absolute URL in the data-target-url with the path, so the JS automatically uses the current domain regardless of which one it is. #### Steps to test this PR:  1. Open this PR on Gitpod or pull down for testing locally (see docs on testing PRs [here](https://contribute.mautic.org/contributing-to-mautic/tester)) 2. Set the site URL to a subdomain 3. Clear caches 4. Create a campaign and some contacts that will be added to the campaign 5. Visit the campaign detail page 6. Check the network tab, the request to fetch contacts should NOT use the subdomain site URL (without this patch, it would use the site url) 7. Then do the same for segments.

In some cases, if AJAX requests are made by the page to an apparently different (perhaps local as opposed to public) location, that may well cause CSRF issues.

This is merged into Mautic 4.4.10

richmarks20 · September 6, 2023, 1:48pm

Likewise, logging in via /s/login has no effect - I regularly get the same error <1min later.

hovirag · January 3, 2024, 9:37am

it happened to me as well and your suggestion solved the issue

Topic		Replies	Views
Cannot solve this error: CSRF token error. Try to refresh the page and try again Mautic 4 Install/Upgrade Support	5	515	March 2, 2022
Getting a "CSRF token error" all the time Product Support	1	455	October 17, 2019
Email edits:CSRF token error. Try to refresh the page and try again Product Support	0	351	February 6, 2023
Login Portal not working, password reset not working "The CSRF token is invalid. Please try to resubmit the form" Product Support	3	1625	February 25, 2020
CSRF token error when trying to save edited landing page layout Product Support mautic-4	4	302	November 10, 2023

CSRF token error. Try to refresh the page and try again

Related topics