Discourse admin login throws 403 ["BAD CSRF"] error

We had a Discourse build on AWS with the CentOS 7 operating system. We followed the documentation and used Docker to build Discourse with almost default settings. It was working well at first, but since last Friday we suddenly couldn’t log in to it; we get a 403 [“BAD CSRF”] error on any POST call.

We didn’t use any reverse proxy in front of Docker; we map the Docker instance directly to port 80 of the AWS server, and we didn’t use SSL.

After getting the error, we tried pulling the latest git code and did a full rebuild, but we are still getting the 403 error.

Any suggestions what else we could do?

Thanks,
Lei Zhang

Figure out what changed last Friday. Clearly something happened then. Absent that, you’ll probably want to examine the network traffic going into the app server (via tcpdump or strace) and make sure the cookies aren’t being stripped, then verify that the session data is correctly coming out of Redis.


Thanks Matt,

To eliminate network and traffic influences, what I did earlier today was:

  1. Get into the Docker container with the command docker exec -it app /bin/bash
  2. Do a curl call to localhost:3000 to get a CSRF token:
    curl -X GET http://localhost:3000/session/csrf -H 'X-Requested-With: XMLHttpRequest'
  3. Then call a login request with the token obtained:
    curl -X POST http://localhost:3000/session -H 'Content-Type: application/x-www-form-urlencoded' -H 'X-CSRF-Token: qh4CYDsFXIlZ70MJ7bz6FLHxrKRR0zVQoKLOPDyKeXJbkzV/+NEk3JTCaEDFcZ/vzAZa3MhKuETcquJ9zarTKw==' -H 'X-Requested-With: XMLHttpRequest' -d 'login=test&password=testpassword'

I still got the 403 BAD CSRF error with that.
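The in-container test above, redone as an added example (this is not code from the thread or from Discourse itself). In a Rails application such as Discourse the token returned by GET /session/csrf is bound to the session that the same response creates through its Set-Cookie header, so the two curl calls have to share a cookie jar; a POST that presents the token without that cookie is rejected as BAD CSRF whatever the state of the server. The script also prints the Set-Cookie headers of the first response, which is the in-container half of the "are the cookies being stripped" check suggested earlier in the thread. Assumed here: the app listens on localhost:3000 inside the container, /session/csrf answers with a JSON body that has a "csrf" field, and the cookie name used in the test data below is a constructed illustration, not the real one.

```shell
#!/bin/sh
# Added example, not code from the thread or from Discourse itself.
# Re-run the in-container curl test with the session cookie carried between
# the two requests. The CSRF token is bound to the session that the first
# response creates, so a POST carrying the token without that cookie is
# rejected as BAD CSRF regardless of the server's health.
# Assumptions: the app listens on localhost:3000 inside the container and
# GET /session/csrf answers with a JSON body containing a "csrf" field.

BASE_URL="${BASE_URL:-http://localhost:3000}"

# Pull the token out of a /session/csrf response (headers and body may both be present).
extract_csrf() {
    printf '%s\n' "$1" | sed -n 's/.*"csrf"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# List each Set-Cookie header of a `curl -i` response as "name; attributes",
# with the value dropped so nothing secret is logged. Use it to confirm the
# session cookie really is issued and to see which attributes it carries.
list_cookies() {
    printf '%s\n' "$1" | tr -d '\r' \
        | sed -n 's/^[Ss]et-[Cc]ookie:[[:space:]]*\([^=]*\)=[^;]*\(.*\)$/\1\2/p'
}

# Fetch a token with a cookie jar, then log in with both the jar and the token.
# Prints the HTTP status of the login POST; a 403 here means the server-side
# check itself fails, not merely the test setup.
csrf_login() {
    user="$1"; pass="$2"
    jar=$(mktemp) || return 1
    response=$(curl -s -i -c "$jar" -b "$jar" \
        -H 'X-Requested-With: XMLHttpRequest' \
        "$BASE_URL/session/csrf")
    echo "cookies set by /session/csrf:" >&2
    list_cookies "$response" >&2
    token=$(extract_csrf "$response")
    if [ -z "$token" ]; then
        echo "no csrf token in response" >&2
        rm -f "$jar"
        return 1
    fi
    curl -s -o /dev/null -w '%{http_code}\n' -X POST \
        -b "$jar" -c "$jar" \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'X-Requested-With: XMLHttpRequest' \
        -H "X-CSRF-Token: $token" \
        --data-urlencode "login=$user" --data-urlencode "password=$pass" \
        "$BASE_URL/session"
    rm -f "$jar"
}

# Usage inside the container: sh csrf_login.sh USERNAME PASSWORD
if [ "$#" -eq 2 ]; then
    csrf_login "$1" "$2"
fi
```

Dropping -b "$jar" from the POST reproduces the command sequence in the post, and that variant returns 403 on a healthy server as well, so the posted test cannot separate a broken server from a missing cookie. If this script gets a 200 inside the container while a browser still fails, the remaining suspects are what happens to the cookie between the browser and port 3000, and whether the session the cookie names can be read back from Redis.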

Are you doing proxying and not setting the proper HTTPS headers in your proxy? I believe that a lot of the time I have seen this error, that has been the case.

Oh wait, I see you don’t use HTTPS or proxy, so that can’t be.

Hi Jeff,

We are not using a reverse proxy or HTTPS. I’ve already checked the related issues raised by others in this forum; we don’t have a reverse proxy in our AWS layer, and I tried modifying the related nginx settings inside the Docker container, but no luck with that.

Thanks,
Lei Zhang