Blank page with "Invalid csrf token." #6592

Closed
opened 2025-11-02 07:00:30 -06:00 by GiteaMirror · 16 comments
Originally created by @DuckDuckWhale on GitHub (Dec 28, 2020).

  • Gitea version (or commit ref): 1.13.0
  • Git version: 2.25.1
  • Operating system: Ubuntu Server 20.04
  • Database (use `[x]`):
    • [x] PostgreSQL
    • [ ] MySQL
    • [ ] MSSQL
    • [ ] SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • [ ] Yes (provide example URL)
    • [ ] No
    • [x] Haven't tried
  • Log gist: N/A

Description

When clicking buttons or adding comments in issues I often see a blank page saying `Invalid csrf token.`, which I had to work around using a refresh and a re-click, which has problems such as losing text already typed up in the comments. This could be related to me using a lot of tabs.

Issues that this might be related to are:

  • #4311: seems very similar, but locked so no discussion can be continued. Don't quite understand how it is closed, as #11182 doesn't seem to be a solution to this page appearing and proposes to log out instead (why though, and how does it make things better?).
  • #11188: proposes switching to `SameSite=strict` cookies instead, which seems to be able to fix this issue. Still filing this issue since this is not what a user might expect, so it should be better categorized as a bug than a proposal. Also, fixing this issue doesn't directly necessitate using #11188 and other fixes might be possible.
GiteaMirror added the type/bug label 2025-11-02 07:00:30 -06:00

@lunny commented on GitHub (Dec 28, 2020):

The CSRF token has an expiry time. Most of the time it occurs because you stay on an input page too long.


@lunny commented on GitHub (Dec 28, 2020):

The CSRF token expiry time should be larger than the session expiry time. Then if you click the submit button, you will be redirected to a Gitea login page instead of getting `Invalid csrf token`.


@DuckDuckWhale commented on GitHub (Dec 30, 2020):

That's strange... After how long does it expire? I have just encountered it again when I opened a lot of Gitea tabs and waited for only about an hour.


@lunny commented on GitHub (Jan 1, 2021):

That's weird. CSRF expiry time is one day.


@DuckDuckWhale commented on GitHub (Jan 6, 2021):

Encountered this again (400 Bad Request with `Invalid csrf token`, but when saving a comment, in which case after the refresh the typed-up comment disappeared, so it might lead to small-scale data loss, which is bad). I think this page lived less than a day as well.


@somera commented on GitHub (Jan 6, 2021):

> That's weird. CSRF expiry time is one day.

Is this a new feature in 1.13.x? I didn't get it before 1.13.x.

And if it expired, why is browsing working? I get the error only when I start importing a new mirror:


@lakostin commented on GitHub (Jan 14, 2021):

Have the same problem.


@zeripath commented on GitHub (Mar 6, 2021):

CSRF is only checked on POST so GETs will not affect it.


@lafriks commented on GitHub (Mar 9, 2021):

Could it be related to token strict attribute?


@kevung commented on GitHub (Mar 23, 2021):

I encounter the same problem, on version 1.13.0+rc1. I have only one Gitea tab open and the "Invalid csrf token" page appears immediately after I try to comment on and review a pull request. (For me, no need to wait for an expiry time to see the problem.)


@JulianOrteil commented on GitHub (Mar 24, 2021):

Encountering the same scenario as @kevung as well on 1.13.6 for Windows. What do you guys need from us since @CL-Jeremy says you need more information in the linked PR?


@kevung commented on GitHub (Mar 25, 2021):

Hello everybody,
I migrated today to Gitea 1.14.0+rc2, and I could not reproduce the problem :) I could smoothly review pull requests. It seems to have been fixed somehow. Perhaps it is wise to get confirmation from other people using 1.14 before resolving this issue.
Thanks to the Gitea team for the amazing work.


@lunny commented on GitHub (Mar 25, 2021):

v1.14 changed web framework from macaron to chi and modified the old csrf middleware. But I cannot ensure we fixed that.


@josch commented on GitHub (Apr 25, 2021):

I just created a fresh installation of `v1.14.1` and am seeing the `Invalid csrf token.` message every time there is a POST request. Interestingly this only happens with Firefox 86 but not with Chromium 89. In contrast to the other reports, refreshing the page does not fix this.

EDIT: what fixed the problem for me was to clear all cookies and site data in the firefox preferences.


@xergio commented on GitHub (May 2, 2021):

@josch's solution was the key for me. I had some cookies from a previous installation of gogs, then installed gitea in the same domain and some cookies remained (maybe the one called `_csrf`) and were doing something bad.

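A simplified model, added here as an example and not Gitea's or go-macaron's code, of the check order @lunny describes above and of why a leftover `_csrf` cookie from another installation (the @josch / @xergio reports) fails: the token is an HMAC bound to the session ID with a 24h lifetime, and the session is checked before the token, so an idle user whose 1h session lapsed is sent to login rather than shown `Invalid csrf token.`. The secret, session IDs, timestamps and token layout are constructed for this example; that the real middleware binds tokens to the session the same way is an assumption.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// generateToken builds "<unix-ts>:<hex HMAC-SHA256(secret, sessionID:unix-ts)>" (constructed layout):
// the MAC is bound to the session ID, so a token issued under another session never validates.
func generateToken(secret []byte, sessionID string, issued time.Time) string {
	ts := strconv.FormatInt(issued.Unix(), 10)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(sessionID + ":" + ts))
	return fmt.Sprintf("%s:%x", ts, mac.Sum(nil))
}
// validToken recomputes the MAC for this session and rejects tokens older than csrfTTL.
func validToken(secret []byte, sessionID, token string, now time.Time, csrfTTL time.Duration) bool {
	parts := strings.SplitN(token, ":", 2)
	ts, err := strconv.ParseInt(parts[0], 10, 64)
	if len(parts) != 2 || err != nil {
		return false
	}
	issued := time.Unix(ts, 0)
	if now.Before(issued) || now.Sub(issued) > csrfTTL {
		return false
	}
	return hmac.Equal([]byte(generateToken(secret, sessionID, issued)), []byte(token))
}

// handlePost models the check order on a form POST: the session is tested first, so with
// sessionTTL < csrfTTL an idle user gets a login redirect instead of "Invalid csrf token.".
func handlePost(secret []byte, sessionID string, sessionStarted time.Time, sessionTTL time.Duration,
	token string, now time.Time, csrfTTL time.Duration) string {
	if now.Sub(sessionStarted) > sessionTTL {
		return "302 redirect to login"
	}
	if !validToken(secret, sessionID, token, now, csrfTTL) {
		return "400 Invalid csrf token."
	}
	return "200 OK"
}
func main() {
	secret, t0 := []byte("constructed-secret"), time.Unix(1609459200, 0) // constructed values
	tok := generateToken(secret, "sess-a", t0)
	fmt.Println(handlePost(secret, "sess-a", t0, time.Hour, tok, t0.Add(2*time.Hour), 24*time.Hour))
}
```

Swapping the TTLs (session 48h, token 24h) reproduces the reported failure mode: the session is still valid after 25h, the token is not, and the user sees the 400 page.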

@kevung commented on GitHub (May 4, 2021):

Hello, I am encountering the problem "Invalid csrf token." when I try to start the Timer on an issue. I use Gitea Version: 1.14.0+rc2

Reference: github-starred/gitea#6592