[HELP] Cannot login, error shows "BAD CSRF"


Hello all,

I have installed Discourse on my server, and it has run well for a long time, without any troubles.
However, after the latest update, I have found that all of the user accounts fail to log in, including admin ones.

After a while I suspected it was a plugin issue, so I removed all the plugins and then ran ./launcher rebuild app to have it run the pure vanilla version, but no cigar. In the current situation, it seems like our site is read-only and cannot do any action other than reading threads.

Upon any login form submission, it shows this and we have no idea what this means.

Site is located at https://discuss.stickyricelove.com and we are a Non-Profit educating and promoting SexEd in Hong Kong, for teenagers and resolving their wonder and doubts.

Very much looking forward to an answer soooooooooooooooooooooon. :weary: :sob:
Thank you.

(Jeff Atwood) #2

It looks like one of your plugins is not compatible with the current version of Discourse. I suggest removing all third party (non-official) plugins and rebuilding.


It is already a clean build without plugins, only with the docker_manager. Should I remove that too?

(Jeff Atwood) #4

Hmm, did you try upgrading at the command line?

Please SSH into your server and run:

cd /var/discourse
git pull
./launcher rebuild app


I have already tried this many many times, and it still shows the same error.

I’m now removing the docker_manager and rebuilding it.

(Jeff Atwood) #6

Is this an install that followed our official install guide? Any errors in the rebuild?


Yes, I have followed the exact steps carefully, and it’s a “no” for the errors. It builds so smoothly that I can’t even tell what has gone wrong.

Will extract the backups and rebuild the VPS if nothing works out today. :sob:

(Jeff Atwood) #8

Do you have this behind cloudflare or anything like that? @sam do you see anything in the pictured JS console errors that would indicate what is the issue?


We have considered that issue too, so a month ago we completely disabled all Cloudflare features. We will also consider moving off Cloudflare since it brings enough trouble for us.

Is there any override with which I can force my current session to be an admin? That way I can get into the backend and see what the log is telling us :worried:

(Stéphane P.) #10


I manage a small Discourse forum for an open source project and we have something that looks like the same problem. The error is exactly the same with Google Chrome, but is different with Firefox: the login dialog works normally, the page is refreshed but it does not log me in (screenshots below).

It’s a dedicated host, and it doesn’t change much if I rebuild with beta, previous beta, or “tests-passed”. We don’t use Cloudflare, but it’s behind an nginx reverse proxy (nothing too fancy). The Discourse container is http, but nginx serves it in https through the reverse proxy, if that makes any difference.

I would appreciate any idea if there is something I can try.




@codinghorror @sam Will that be an upstream bug?

(Jeff Atwood) #12

We have no repro of this, so it is likely something about your local setup.


We’re rebuilding the VPS and installing a fresh Discourse installation. The following happened and it hung for a while:

(Fin Reinhard) #14

Is there a solution? We have the same problem…


It appears to us to be an upgrade issue. We backed up the data, and performed a clean install and backup restoration.

However other than that, I have no idea what caused this issue.

(Stéphane P.) #16

Hello. I tried to run it without the nginx reverse proxy and it did not resolve the issue. I will run a reinstall tomorrow unless anyone thinks of something that could help by that time.

I noticed that by default, the launcher rebuild script was checking out the “tests-passed” version. Is it a bit dangerous? Should it be beta? When I update from the admin web screen, it updates to the most recent beta instead?

I had to launch a rebuild before the problem appeared because the host ip from inside the container changed. The host is also my mailserver, and the mail config was in app.yml.

Is it possible that with the rebuild, I updated to a version that somehow corrupted the config? (I launched the rebuild around 11/02/2016 07:00 PM if that’s any help).



(Sam Saffron) closed #17

(Sam Saffron) opened #18

(Sam Saffron) #19

In future if you feel your issue was not resolved, flag to reopen topic and DON’T accept an answer on the topic.

(Sam Saffron) #20

If you are running a reverse proxy 99.999% the issue is that you are not passing headers right to discourse.
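
The header forwarding that post #20 refers to, for the setup described in post #10 (nginx terminating HTTPS in front of an HTTP container), shown as an added example that is not from the thread or from Discourse's own configuration. The server name, certificate paths and upstream address are placeholders chosen for illustration.

```nginx
# Constructed example: forum.example.org, the certificate paths and the
# upstream 127.0.0.1:8080 are placeholders, not values from this thread.

# Before: TLS ends at nginx and the request is forwarded as plain HTTP with
# no forwarded headers. nginx then sends Host as "127.0.0.1:8080" and the
# backend sees scheme "http", so neither matches the URL the browser used.
#
#   location / {
#       proxy_pass http://127.0.0.1:8080;
#   }

server {
    listen 443 ssl;
    server_name forum.example.org;

    ssl_certificate     /etc/ssl/example/fullchain.pem;
    ssl_certificate_key /etc/ssl/example/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;

        # Preserve the host name the browser requested.
        proxy_set_header Host $http_host;
        # Tell the backend the original request arrived over HTTPS.
        proxy_set_header X-Forwarded-Proto $scheme;
        # Pass the client address chain instead of the proxy's own address.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;

        # proxy_set_header is inherited from the server/http level only when
        # this block defines none of its own, so keep the full set together.
    }
}
```

After changing the proxy configuration, `nginx -t` validates the syntax before a reload.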