CSRF Token expiration on PR review during several minutes after page is created #11375

Closed
opened 2025-11-02 09:35:57 -06:00 by GiteaMirror · 10 comments

Originally created by @sgabenov on GitHub (Jul 31, 2023).

Description

Sometimes I face the issue that, when starting a review of a PR, I get the error "Bad Request: invalid CSRF token". This happens when I try to post some comments to the PR. The web page can be open for no more than 20 minutes before I get this error.
As I understood from the docs and other posts, the CSRF token should be valid for more than 24 hours before expiration, which is longer than the user session exists. In my case the token expiration happens in less than 1 hour.

Gitea Version

1.20.0

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

csrf: https://github.com/go-gitea/gitea/assets/15741789/f883c82e-21d2-4850-9a07-6a442caec0b0

Git Version

No response

Operating System

No response

How are you running Gitea?

docker

Database

PostgreSQL

GiteaMirror added the type/bug label 2025-11-02 09:35:57 -06:00

@wxiaoguang commented on GitHub (Jul 31, 2023):

Are you using multiple accounts?


@sgabenov commented on GitHub (Jul 31, 2023):

No, this is only from 1 user with 1 account.


@wxiaoguang commented on GitHub (Jul 31, 2023):

It looks weird. I haven't got an idea for it. Could you help:

  1. Check the web site URL you are visiting in your browser and the ROOT_URL in your "app.ini", what are they?
  2. If you can replace the Gitea binary program (just copy a new binary to the docker's app directory and restart the docker container), I can help to add some more debug logs, then when this problem happens next time, we can have some more clues.

@sgabenov commented on GitHub (Aug 1, 2023):

  1. The URL in app.ini looks identical to the one used in the browser.
  2. Where can I grab a modified binary?

@wxiaoguang commented on GitHub (Aug 1, 2023):

The code is https://github.com/go-gitea/gitea/pull/26266 (you can also build it by yourself: `GOOS=linux GOARCH=amd64 TAGS=bindata GITEA_VERSION="1.20-CsrfTest" make build`).

The binary (for linux amd64 only, no sqlite support) is: https://github.com/wxiaoguang/gitea-test-release/releases/tag/v1.20-CsrfTest

You can `docker cp ~/Download/gitea gitea:/app/gitea/gitea` and restart (`start/stop`) the container (don't do `compose up/down`, it just resets the filesystem in the container)

Then you will see a startup log: `[W] This is a special build for testing CSRF token issues`

If the bad CSRF problem happens again, you will see some logs like:

```
[E] Failed to validate CSRF token "fR9m4zs0pzHbfsY07Ce-UOKhYkE6MTY5MDg4MTUxOTE1ODY4MDAwMA" (secret=!#..., id=1): CSRF token "fR9m4zs0pzHbfsY07Ce-UOKhYkE6MTY5MDg4MTUxOTE1ODY4MDAwMA" does not match expected value "fR9m4zstpzHbfsY07Ce-UOKhYkE6MTY5MDg4MTUxOTE1ODY4MDAwMA"
[E] CSRF in header: "", in cookie: "", in request: "fR9m4zs0pzHbfsY07Ce-UOKhYkE6MTY5MDg4MTUxOTE1ODY4MDAwMA"
```

@lunny commented on GitHub (Aug 1, 2023):

Could you paste some of your configuration? ROOT_URL, and which URL are you visiting in your web browser?


@sgabenov commented on GitHub (Aug 16, 2023):

Browser - https://gitea.devos.club/
Config:

```
[server]
APP_DATA_PATH = /data/gitea
SSH_DOMAIN = gitea.devos.club
ROOT_URL = https://gitea.devos.club
DISABLE_SSH = false
LFS_START_SERVER = true
DOMAIN = gitea.devos.club
```

@sgabenov commented on GitHub (Aug 16, 2023):

I have figured out from the user with this problem that he has a pinned tab in his browser when he works with Gitea. So there is a pinned tab and other tabs, where he does his work and where he gets the CSRF token problem. Could this pinned tab in the browser be an issue?
We have a lot of developers in our Gitea and only 1 person reports such an issue.


@wxiaoguang commented on GitHub (Aug 16, 2023):

> So there is a pinned tab and other tabs,

Hmm, I also consider it the key problem. The "pinned" tab might have been there for a long time, and the CSRF token in that tab might have expired.

At the moment there is no clear solution for this problem, but I think 1.21 (refactoring more forms to "form-fetch-action", like #25219) could avoid such problems as much as possible.
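
A stand-alone model of timestamped CSRF tokens, added here as an example and not taken from Gitea's source, to illustrate the two failure modes discussed in this thread: a token rendered into a tab left open past its lifetime fails the age check even though the session is still alive, while a token minted under another secret or user id fails the MAC comparison, which is the "does not match expected value" case the debug build logs. The token layout (base64url of a 20-byte HMAC-SHA1, a ':' and a Unix-nanosecond timestamp), the 24-hour lifetime, the secret and the user id are assumptions constructed for this example; the layout is chosen because the trailing segment of the token quoted in the log decodes to such a timestamp.

```python
import base64
import binascii
import hashlib
import hmac
import time
from typing import Optional

# Assumed token layout (constructed for this example, not Gitea's implementation):
#   base64url( HMAC-SHA1(secret, "<secret>:<user_id>:<issued_ns>") + b":" + b"<issued_ns>" )
# The trailing "MTY5MDg4..." segment of the token quoted in the thread decodes to a
# Unix-nanosecond timestamp, which is why this layout is used here.
TOKEN_TIMEOUT_NS = 24 * 60 * 60 * 10**9  # assumed token lifetime: 24 hours

# Token copied from the debug log quoted earlier in this thread.
LOGGED_TOKEN = "fR9m4zs0pzHbfsY07Ce-UOKhYkE6MTY5MDg4MTUxOTE1ODY4MDAwMA"


def _mac(secret: str, user_id: int, issued_ns: int) -> bytes:
    msg = f"{secret}:{user_id}:{issued_ns}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha1).digest()


def generate_token(secret: str, user_id: int, now_ns: Optional[int] = None) -> str:
    """Mint a token bound to (secret, user_id) and stamped with its issue time."""
    now_ns = time.time_ns() if now_ns is None else now_ns
    raw = _mac(secret, user_id, now_ns) + b":" + str(now_ns).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_token(token: str) -> tuple:
    """Split a token into (mac_bytes, issued_ns); raises on malformed input."""
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    mac, _, ts = raw.rpartition(b":")  # MAC bytes may contain ':', so split from the right
    return mac, int(ts)


def validate_token(secret: str, user_id: int, token: str, now_ns: Optional[int] = None) -> str:
    """Return "ok", "expired", "mismatch" or "malformed" for the submitted token."""
    now_ns = time.time_ns() if now_ns is None else now_ns
    try:
        mac, issued_ns = decode_token(token)
    except (ValueError, binascii.Error):
        return "malformed"
    # A form rendered into a tab that stayed open past the lifetime fails here,
    # even though the user's session may still be valid.
    if issued_ns > now_ns or now_ns - issued_ns > TOKEN_TIMEOUT_NS:
        return "expired"
    # A token minted under a different secret or user id fails here; this is the
    # "does not match expected value" case reported by the debug build.
    return "ok" if hmac.compare_digest(mac, _mac(secret, user_id, issued_ns)) else "mismatch"
```

Decoding `LOGGED_TOKEN` gives an issue time of 1690881519158680000 ns, i.e. 2023-08-01 09:18:39 UTC, consistent with the date of the comment that quoted it.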


@wxiaoguang commented on GitHub (Feb 20, 2024):

No more feedback. Feel free to provide more clues and some reproducible steps and reopen.

Reference: github-starred/gitea#11375