Invalid csrf token #1972

Closed
opened 2025-11-02 04:19:49 -06:00 by GiteaMirror · 12 comments
Owner

Originally created by @GoodERPJeff on GitHub (Jun 25, 2018).

  • Gitea version (or commit ref): 1.4.2
  • Git version: 2.17
  • Operating system:
  • Database (use [x]):
    • [x] PostgreSQL
    • [ ] MySQL
    • [ ] MSSQL
    • [ ] SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • [ ] Yes (provide example URL)
    • [x] No
    • [ ] Not relevant
  • Log gist:

Description

...
Repo settings: uncheck the pull request options, save.

Shows a blank page with "Invalid csrf token."

Screenshots

image: https://user-images.githubusercontent.com/1857069/41840110-816a6d98-7897-11e8-8922-dc5cddb416e9.png


@GoodERPJeff commented on GitHub (Jun 25, 2018):

This happens on Chrome, but when I changed to Firefox, the settings were saved successfully.

I may close this issue and keep tracking.


@gruo commented on GitHub (Feb 21, 2019):

Happened to me while trying to comment on a still-open issue. I had two tabs of this particular Gitea instance open, which pointed to different repositories.

After going to the issues home, opening the same issue and commenting afterwards, the problem disappeared and the comment was added.


@bohwaz commented on GitHub (Jun 6, 2019):

Same issue as @gruo: the page was in my browser cache, and when I tried to submit, it just showed this message.

It would be good to just show the page again and ask the user to re-submit!


@choucavalier commented on GitHub (Apr 22, 2020):

I think this is still an issue. Gitea should work on all browsers. This happened to me in qutebrowser.


@3F commented on GitHub (Apr 22, 2020):

Same here with Firefox on the issue tracker. I'm already used to the following combination: Backspace + F5 + click the button again. But actually I was seeing far too many *broken csrf* errors, at least for 1.10.3, 1.11.0 - 1.11.4.


@6543 commented on GitHub (Apr 22, 2020):

This is a caching problem of Chrome - just delete your cache.


@choucavalier commented on GitHub (Apr 22, 2020):

@6543 I don't think it's valid to just discard this issue by saying "Chrome is the problem". I personally don't have any issue with other websites I'm using that definitely use CSRF tokens.


@6543 commented on GitHub (Apr 22, 2020):

I would still say this is a feature request: #11182

You don't have to clear the cache; you can log out and log in afterwards to fix this.


@3F commented on GitHub (Apr 22, 2020):

@6543

  1. I think I mentioned exactly Firefox. Why Chrome?
  2. Why "detect and logout on old csrf token" (#11182)? If I am **still authorized**! I can easily interact with Gitea after F5 (on the contrary, the cache helps to restore missing data).

Moreover, token problems sometimes appear every ~5/10 minutes. **What** should I do after your amazing #11182? Log in every ~5 minutes? If so, please leave it as is.

Sorry, but I'd prefer to spend ~3 sec on just `Backspace + F5 + click button again` instead of your login/pass <_<


@zeripath commented on GitHub (Apr 22, 2020):

@3F this reads a little rude. @6543 is a volunteer like all of us here and has put a lot of hours in to make this project better overall.

Generally I'd argue against logging out here - you could be denied service that way. Issuing a redirect may be better; however, there should be a document somewhere stating the recommended practice, but my googlefu is failing me.

If we end up wanting to issue a redirect, we will need to change the csrf library to give us access to the request in the errorfunc so we can send a proper redirect.

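The two design points raised in this thread, redirecting back to the form on a CSRF failure rather than logging the user out (zeripath), and never accepting an invalid token (techknowlogick), as an added Go example. This is not Gitea's code nor its CSRF library: it is a minimal net/http middleware with a constructed in-memory session store. The error handler receives the request, so it can answer a stale or missing token (for example one from a cached page) with a 303 back to the form's own URL carrying a `flash=csrf_expired` marker (an assumed parameter name) instead of a blank error page; the token check itself is constant-time and fails closed.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"log"
	"net/http"
	"net/url"
	"sync"
)

// sessionStore is a constructed in-memory stand-in for a real session backend:
// it maps a session id (from the "session" cookie) to the CSRF token bound to it.
type sessionStore struct {
	mu     sync.Mutex
	tokens map[string]string
}

func newSessionStore() *sessionStore {
	return &sessionStore{tokens: map[string]string{}}
}

// tokenFor returns the CSRF token bound to a session, minting a random one on
// first use. Templates embed this value as the hidden _csrf field.
func (s *sessionStore) tokenFor(sid string) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	if t, ok := s.tokens[sid]; ok {
		return t
	}
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: refuse to run rather than mint weak tokens
	}
	t := hex.EncodeToString(b)
	s.tokens[sid] = t
	return t
}

// lookup reads without minting, so a request with no known session gets no token.
func (s *sessionStore) lookup(sid string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	t, ok := s.tokens[sid]
	return t, ok
}

// validCSRF reports whether the token submitted with r matches the one bound to
// the caller's session. Missing cookie, unknown session and empty token all fail,
// and the comparison is constant-time: an invalid token is never treated as valid.
func validCSRF(store *sessionStore, r *http.Request) bool {
	c, err := r.Cookie("session")
	if err != nil {
		return false
	}
	expected, ok := store.lookup(c.Value)
	if !ok {
		return false
	}
	got := r.FormValue("_csrf")
	if got == "" {
		got = r.Header.Get("X-Csrf-Token")
	}
	return subtle.ConstantTimeCompare([]byte(expected), []byte(got)) == 1
}

// csrfErrorHandler is the "errorfunc with access to the request" variant: it sends
// the browser back to the form it came from (303, so the POST is not replayed)
// with a flash marker the page can render as "form expired, please re-submit",
// instead of a blank error page or a forced logout. The parameter name is assumed.
func csrfErrorHandler(w http.ResponseWriter, r *http.Request) {
	back := url.URL{Path: r.URL.Path, RawQuery: "flash=csrf_expired"}
	http.Redirect(w, r, back.String(), http.StatusSeeOther)
}

// csrfProtect lets safe methods through and requires a valid token on all others.
func csrfProtect(store *sessionStore, onError http.HandlerFunc, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			next.ServeHTTP(w, r)
			return
		}
		if !validCSRF(store, r) {
			onError(w, r)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	store := newSessionStore()
	settings := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// A real handler would render the form with store.tokenFor(sid) embedded
		// and persist the settings on POST; here it only acknowledges the request.
		w.WriteHeader(http.StatusNoContent)
	})
	http.Handle("/repo/settings", csrfProtect(store, csrfErrorHandler, settings))
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Because the redirect targets the request's own path, the browser re-fetches the form with a fresh token bound to the still-valid session, which is the "show the page again and ask the user to re-submit" behaviour bohwaz asked for, without granting anything to the request that failed the check.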

@3F commented on GitHub (Apr 22, 2020):

@zeripath

> this reads a little rude.

?? I'm sorry, but what and where did I say "little rude"?

I simply shared my problem, where every ~5 minutes the token is invalid, and the proposed logout for this method **is just not a good idea.** Isn't it?

Or can I not offer my thoughts on this project?! I'm sorry, I didn't know there is such severe censorship on this project o_o


@techknowlogick commented on GitHub (Apr 22, 2020):

I've locked this ticket as it has been closed since 2018. @6543 took the right approach to open a new ticket. An invalid token should not be treated as valid, as otherwise that is a security issue.

Reference: github-starred/gitea#1972