Users can't sign in due to 403 error


(Frey) #1

Hey, guys, I was trying to post in a topic on my forum but got a 403 error. I decided to clear cookies and now I can’t even sign in at all.

I’ve updated Discourse with git pull and ./launcher rebuild app and it didn’t help at all.

Can you help me please?


(Markus Vuorio) #2

I am seeing this as well. In the logs, I’m seeing:

Started GET "/session/csrf?_=1485544587272" for <ip> at 2017-01-27 19:16:45 +0000
Processing by SessionController#csrf as */*
  Parameters: {"_"=>"1485544587272"}
Completed 200 OK in 1ms (Views: 0.2ms | ActiveRecord: 0.0ms)
Started POST "/session" for <ip> at 2017-01-27 19:16:46 +0000
Processing by SessionController#create as */*
  Parameters: {"login"=>"username", "password"=>"[FILTERED]"}
Can't verify CSRF token authenticity
  Rendered text template (0.0ms)
Filter chain halted as :verify_authenticity_token rendered or redirected

It has been like this for a few days, I think since updating to 1.7.0. I’ve installed the 1.7.1 fix but it didn’t help. Trying now with the 1.7.2, but by the looks of the diff, this issue isn’t fixed there.

edit: Yep, no change with 1.7.2.


(Jeff Atwood) #3

This is usually because you are doing an internal proxy but not setting the https forwarding headers in your proxy.

(If your site is https)


(Frey) #4

yeah, I also have seen CSRF-related errors in the console.


(Frey) #5

I’ve enabled force https, but got a CSRF error when I tried to disable it.


(Markus Vuorio) #6

Oh, indeed! This was fixed by adding to my Apache proxy configuration:

RequestHeader set X-Forwarded-Proto "https"

Thanks a lot for the help. Quite interesting that this only began to happen in the 1.7 series.


(Rafael dos Santos Silva) #7

We didn’t have secure cookies before so that wasn’t a problem.
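
The failure described in the posts above (TLS terminated at the proxy, no X-Forwarded-Proto, force_https marking the session cookie Secure), modelled as an added Ruby example; this is not Discourse or Rails code, and the helper names and the hash-based cookie are constructed for the simulation:

```ruby
# Constructed model of the failure in this thread (added example, not Discourse or
# Rails code). The proxy speaks plain HTTP to the app, so the app decides whether a
# request is "secure" from X-Forwarded-Proto. With force_https on, the session cookie
# is marked Secure and is only written back when the request looks secure. Without
# the header the cookie carrying the CSRF token never reaches the browser, and the
# following POST /session fails with "Can't verify CSRF token authenticity".
require 'securerandom'

# Rack-style env: the scheme the app was reached on plus the proxy's scheme hint.
def ssl?(env)
  env['rack.url_scheme'] == 'https' || env['HTTP_X_FORWARDED_PROTO'] == 'https'
end

# Rule modelled: a Secure cookie is only written on requests the app believes are SSL.
def write_cookie?(env, secure_cookie)
  ssl?(env) || !secure_cookie
end

# Simulate GET /session/csrf followed by POST /session through the proxy.
# proxy_sets_header: proxy adds "X-Forwarded-Proto: https" (the Apache fix above)
# force_https:       Discourse setting that makes the session cookie Secure
# Returns the HTTP status the POST would get back.
def login_roundtrip(proxy_sets_header:, force_https:)
  browser_cookies = {}
  hdr = proxy_sets_header ? { 'HTTP_X_FORWARDED_PROTO' => 'https' } : {}

  # 1. GET /session/csrf: app puts a fresh token in the session and tries to
  #    Set-Cookie the session back to the browser.
  env = { 'rack.url_scheme' => 'http' }.merge(hdr)
  token = SecureRandom.hex(16)
  browser_cookies['_session'] = { 'csrf' => token } if write_cookie?(env, force_https)

  # 2. POST /session: browser sends the token in a header; app compares it with
  #    the token stored in the session cookie, if the browser has one at all.
  env = { 'rack.url_scheme' => 'http', 'HTTP_X_CSRF_TOKEN' => token }.merge(hdr)
  stored = browser_cookies['_session'] && browser_cookies['_session']['csrf']
  return 403 unless stored && stored == env['HTTP_X_CSRF_TOKEN']
  200
end

if __FILE__ == $PROGRAM_NAME
  [[false, false], [false, true], [true, true]].each do |hdr, fh|
    status = login_roundtrip(proxy_sets_header: hdr, force_https: fh)
    puts "X-Forwarded-Proto=#{hdr} force_https=#{fh} -> #{status}"
  end
end
```

The middle case (no header, force_https on) is the 403 in this thread; the first case shows why pre-1.7 installs without Secure cookies never hit it.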


(Frey) #8

Just in case anybody got in the same situation:

  1. SSH to server
  2. cd /var/discourse
  3. ./launcher enter app
  4. rails c
  5. SiteSetting.force_https = false
  6. exit
  7. exit
  8. exit

(cloudunicorn) #9

My users just started seeing “403 Unknown Error” when trying to log in. I followed these instructions - but I’m now getting an error in the admin settings: " * Your website is using SSL. But [force_https](https://movermaker.com/admin/site_settings/category/all_results?filter=force_https) is not yet enabled in your site settings."

I am using the Digital Ocean app setup with nothing custom, and ‘v2.0.0.beta2 +170’. Is this because I’m using a beta version?


(cloudunicorn) #10

Not fun, this is still happening to users - getting “Unknown Error” when trying to log in, and 403 Forbidden error when trying to reset password. I’m now on current Discourse.


(Jeff Atwood) #11

Yet again, as said upstream ↑


(cloudunicorn) #12

Hm, k. No idea what that means. So Digital Ocean one-click install has this issue…

This appears to be the suggested fix:

I did that, but users kept having the same issue. How do I check if I am ‘doing an internal proxy’? We’re using Cloudflare + Digital Ocean.


(Ryan Erwin) #13

Thanks @Frey. I was having the same problem with a restore I did from one server to another.