Defect #5051

Cookie issue when using Redmine on Firefox

Added by Lee McIntosh almost 8 years ago. Updated almost 5 years ago.

Status: Closed
Start date: 2010-03-11
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: -
Target version: -
Resolution: No feedback
Affected version: 0.9.1

Description

Redmine appears to not correctly remove the cookies/cache for login/logout when using Firefox. I've tested this in FF 3.5.8/3.6 on Windows XP/Vista/7/Ubuntu, and I get the same problem. Using IE 7/8 it works fine.

Occasionally whilst performing operations (including Login) it returns this error message:
Invalid form authenticity token.

Using Chris Pederick's Firefox Web Developer Toolbar to clear cookies manually resolves the login problem.

System details
* Database: MySQL 5.1.44
* Ruby: 4.2
* Rails: 2.2.3
* Redmine: 0.9.1 > 0.9.3
* Server: Debian Squeeze

cookie_path.gif (15.7 KB) Fritz brause, 2010-05-06 10:08


Related issues

Related to Redmine - Defect #5387: Invalid autenticity token Closed 2010-04-27
Related to Redmine - Patch #3968: session cookie path does not respect RAILS_RELATIVE_URL_ROOT Closed 2009-10-04
Related to Redmine - Defect #5230: Invalid form authenticity token. New 2010-04-01

History

#1 Updated by Jean-Philippe Lang almost 8 years ago

Please give the detailed steps that shows the problem.

#2 Updated by Ewan Makepeace over 7 years ago

Am getting the 'Invalid form authenticity token.' message quite often these days. It seems to be related to whether I have recently logged in on another browser (since I started with Chrome for Mac) but I am unsure. What I do know is that it is incredibly frustrating, because when it starts to happen I often cannot access Redmine for some time and may have to switch browsers, restart the browser, delete all cookies or reboot (am still not quite sure which is the magic incantation).

#3 Updated by Nikolay Kotlyarov over 7 years ago

Way to reproduce (using Firefox on Windows):
Log in to Redmine, choosing the "remember me" check box.
Then use Redmine for a while, closing and opening the browser (which logs in automatically).
After that click the "log out" link and
try to log in -- the error "Invalid form authenticity token." appears :(

Redmine version: 0.9.3

#4 Updated by Nikolay Kotlyarov over 7 years ago

+ trying to log in after actions above using IE -- same error.

#5 Updated by Nikolay Kotlyarov over 7 years ago

found also:
the error appears independently of username and password entered.

#6 Updated by Nikolay Kotlyarov over 7 years ago

Sorry, my error was due to redmine_time_tracker plugin..

#7 Updated by Fritz brause over 7 years ago

Way to reproduce (using Firefox,Safari,Chrome on Mac):
- Login redmine
- choose project
- choose ticket
- click on "Log time"
- entering valid data in the "Spent time" form
- click save

-> Result "Invalid form authenticity token."

#8 Updated by Nikolay Kotlyarov over 7 years ago

Fritz brause wrote:

-> Result "Invalid form authenticity token."

For me reproducing was without errors.

Have you installed any plugins? (especially some time logging plugins?)
Try to reproduce your bug after disabling/deleting them.

#9 Updated by Fritz brause over 7 years ago

Nikolay Kotlyarov wrote:

Have you installed any plugins? (especially some time logging plugins?)

No, I didn't install any plugins, it's "plain redmine" - The Debian release for squeeze.

#10 Updated by Nikolay Kotlyarov over 7 years ago

Fritz brause wrote:

No, I didn't install any plugins, it's "plain redmine" - The Debian release for squeeze.

Check what happens in your environment's log when reproducing the bug (for RAILS_ENV="production": production.log in redmine/log).

(using Firefox,Safari,Chrome on Mac):

Is it only a Mac issue, or is the result the same on other platforms?

#11 Updated by Fritz brause over 7 years ago

Nikolay Kotlyarov wrote:

Is it only a Mac issue, or is the result the same on other platforms?

Same behavior on a Windows XP FF

#12 Updated by Fritz brause over 7 years ago

Maybe a cookie problem:
When I look at all the Redmine cookies, there is a separate cookie for each path. Is this normal behavior?

#13 Updated by Fritz brause over 7 years ago

Nikolay Kotlyarov wrote:

Check what happens in your environment's log when reproducing the bug (for RAILS_ENV="production": production.log in redmine/log).

My Logfile Login:


Processing AccountController#login (for 78.42.130.210 at 2010-05-05 22:34:30) [POST]
  Parameters: {"back_url"=>"https%3A%2F%2F+++%2Flogin%3Fback_url%3Dhttps%3A%2F%2F+++%2Fissues%2F6", "action"=>"login", "authenticity_token"=>"34b450a791fe21e942b0936fe663865d48c969d0", "username"=>"fb", "controller"=>"account", "password"=>"[FILTERED]", "login"=>"Anmelden \302\273"}
Redirected to controllermyactionpage
Completed in 15ms (DB: 9) | 302 Found [https://++/login]

Changing to the Issue Page:

Processing TimelogController#edit (for 78.42.130.210 at 2010-05-05 22:36:23) [GET]
  Parameters: {"issue_id"=>"7", "action"=>"edit", "controller"=>"timelog"}
Rendering template within layouts/base
Rendering timelog/edit
Completed in 61ms (View: 40, DB: 1) | 200 OK [https://+++/issues/7/time_entries/new]

After Submitting the timelog...

Processing TimelogController#edit (for 78.42.130.210 at 2010-05-05 22:37:23) [POST]
  Parameters: {"time_entry"=>{"comments"=>"134", "issue_id"=>"7", "activity_id"=>"9", "spent_on"=>"2010-05-05", "hours"=>"1"}, "back_url"=>"https%3A%2F%2F+++%2Fissues%2F7", "commit"=>"Save", "project_id"=>"redmine", "action"=>"edit", "authenticity_token"=>"f3facdd3991dd20d70381df4fdcfa069f197304d", "controller"=>"timelog"}
Rendering template within layouts/base

- The authenticity_token is not the same as after the login.
- I got 3 cookies for 3 paths with different values.

#14 Updated by Nikolay Kotlyarov over 7 years ago

You are using secure connection. That's why cookies may be different each time..
Maybe that is due to your local network settings.. Or maybe that's due to server SSL settings.

How did you set up your redmine service? (apache(noSSL|OpenSSL)/nginx/etc + webrick/mongrel/thin/etc)

To localize the problem try the following:
log on to server(to exclude local network case) and see if the problem reproduces when
  • connecting directly from server to apache/etc (localhost/127.0.0.1/0.0.0.1)
  • connecting directly from server to mongrel/thin service (localhost:3000)

#15 Updated by Fritz brause over 7 years ago

Nikolay Kotlyarov wrote:

You are using secure connection. That's why cookies may be different each time..

Maybe I am wrong, but this shouldn't happen - the cookie may change its value, but there should not be one cookie for each path. Image attached:

How did you set up your redmine service? (apache(noSSL|OpenSSL)/nginx/etc + webrick/mongrel/thin/etc)

Apache mod_ssl, our setup runs on over 400 Servers.

To localize the problem try the following:
log on to server(to exclude local network case) and see if the problem reproduces when
  • connecting directly from server to apache/etc (localhost/127.0.0.1/0.0.0.1)

127.0.0.1 is localhost and not set to our Redmine Virtual Host ;-) I don't think this issue belongs to SSL.

#16 Updated by Fritz brause over 7 years ago

Another related bug? #5387

#17 Updated by Fritz brause over 7 years ago

By the Way:

If I "update" the issue, I can add a time and everything is well, but just logging a time log is not possible in any way for me.

#18 Updated by Lluís Vilanova over 7 years ago

Issue #5387 contains an explanation of why this might have already been resolved.

#19 Updated by Fritz brause over 7 years ago

Hello Lluís Vilanova, a Debian update fixed this for me.

#20 Updated by Fritz brause over 7 years ago

Thanks a lot!

#21 Updated by Felix Schäfer over 7 years ago

  • Status changed from New to Closed
  • Resolution set to Duplicate

I'll flag this as fixed, the resolution seems to be in #3968.
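
Comments #12, #13 and #15 report one session cookie per path together with an authenticity_token that differs between requests. The following is an added example, not part of any comment and not Redmine code, showing how a path-scoped session cookie makes a session-bound token fail while a single `Path=/` cookie does not. `ToyApp`, `PER_PATH`, `SITE_WIDE` and the POST path `/timelog/edit` are hypothetical; only the path-match rule comes from RFC 6265.

```ruby
# Added illustration, not Redmine code; session store, tokens and paths are constructed.
require "securerandom"
Cookie = Struct.new(:value, :path)

# RFC 6265 section 5.1.4: is request_path covered by cookie_path?
def path_match?(request_path, cookie_path)
  return true if request_path == cookie_path
  return false unless request_path.start_with?(cookie_path)
  cookie_path.end_with?("/") || request_path[cookie_path.length] == "/"
end

# Session cookie the browser sends for request_path (most specific path wins).
def cookie_for(jar, request_path)
  jar.select { |c| path_match?(request_path, c.path) }.max_by { |c| c.path.length }
end

# Toy server: every session id owns exactly one authenticity token.
class ToyApp
  def initialize(cookie_path_for)
    @cookie_path_for = cookie_path_for # lambda: request path -> cookie Path
    @tokens = {}                       # session id -> authenticity token
  end

  # GET renders a form: reuse the session that was sent, else start a new one.
  def get(jar, path)
    cookie = cookie_for(jar, path)
    unless cookie
      jar << (cookie = Cookie.new(SecureRandom.hex(8), @cookie_path_for.call(path)))
      @tokens[cookie.value] = SecureRandom.hex(20)
    end
    @tokens[cookie.value]
  end

  # POST passes only if the token belongs to the session cookie that was sent;
  # with no matching cookie the lookup key is nil and the comparison fails.
  def post(jar, path, token)
    @tokens[cookie_for(jar, path)&.value] == token
  end
end

PER_PATH  = ->(path) { path }  # assumed fault: cookie Path = request path
SITE_WIDE = ->(_path) { "/" }  # one session cookie for the whole application
# Constructed walk-through: login page, time-entry form, then the form POST.
def submit_time_entry(cookie_path_for)
  app, jar = ToyApp.new(cookie_path_for), []
  app.get(jar, "/login")
  token = app.get(jar, "/issues/7/time_entries/new")
  [app.post(jar, "/timelog/edit", token), jar.map(&:path)]
end
[PER_PATH, SITE_WIDE].each { |policy| p submit_time_entry(policy) }
```

Each result pairs whether the POST was accepted with the cookie paths left in the jar, which is the same thing to check in the browser's cookie list when this error shows up.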

#22 Updated by Ewan Makepeace about 7 years ago

  • Status changed from Closed to Reopened

In version Redmine 1.0.1.devel.4167 (MySQL) I am still seeing this problem every day. See #5230 ?

#23 Updated by Felix Schäfer about 7 years ago

Ewan Makepeace wrote:

In version Redmine 1.0.1.devel.4167 (MySQL) I am still seeing this problem every day. See #5230 ?

What now, a cookie or an invalid authenticity token problem?

#24 Updated by Jan Niggemann (redmine.org team member) almost 5 years ago

  • Status changed from Reopened to Closed
  • Resolution changed from Duplicate to No feedback

We are currently clearing the tracker, I'm closing this one because it lacks feedback and is about a very old release.

#25 Updated by Toshi MARUYAMA over 2 years ago

  • Related to Defect #5230: Invalid form authenticity token. added
