CSRF check failed on logout

Nextcloud version (eg, 29.0.5): 29.0.4
Operating system and version (eg, Ubuntu 24.04): Ubuntu 22.04.4 LTS
Apache or nginx version (eg, Apache 2.4.25): nginx/1.25.2 (Ubuntu)
PHP version (eg, 8.3): PHP 8.1.2-1ubuntu2.18

The issue you are facing: When trying to log out of the web interface, Nextcloud shows “Access forbidden – CSRF check failed”. The session is not invalidated and it is impossible to log out.

Is this the first time you’ve seen this error? (Y/N): No, I have seen it for months, googled multiple times, tried to apply several fixes and until today failed miserably.

Steps to replicate it:

  1. Log in on any device (Linux desktop, Android smartphone with various browsers).
  2. Log out using the button in the web interface.

The output of your Nextcloud log in Admin > Logging:

Nothing that seems related to this issue.

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'passwordsalt' => 'REDACTED',
  'secret' => 'REDACTED',
  'trusted_domains' => 
  array (
    0 => 'nc.my.domain',
  ),
  'trusted_proxies' => 
  array (
    0 => 'ip.addr.of.proxy',
  ),
  'datadirectory' => '/var/nc_data',
  'dbtype' => 'mysql',
  'version' => '29.0.4.1',
  'overwrite.cli.url' => 'https://nc.my.domain',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'REDACTED',
  'installed' => true,
  'instanceid' => 'REDACTED',
  'activity_expire_days' => 14,
  'auth.bruteforce.protection.enabled' => true,
  'blacklisted_files' => 
  array (
    0 => '.htaccess',
    1 => 'Thumbs.db',
    2 => 'thumbs.db',
  ),
  'default_phone_region' => 'DE',
  'cron_log' => true,
  'enable_previews' => true,
  'enabledPreviewProviders' => 
  array (
    0 => 'OC\\Preview\\PNG',
    1 => 'OC\\Preview\\JPEG',
    2 => 'OC\\Preview\\GIF',
    3 => 'OC\\Preview\\BMP',
    4 => 'OC\\Preview\\XBitmap',
    5 => 'OC\\Preview\\Movie',
    6 => 'OC\\Preview\\PDF',
    7 => 'OC\\Preview\\MP3',
    8 => 'OC\\Preview\\TXT',
    9 => 'OC\\Preview\\MarkDown',
  ),
  'filesystem_check_changes' => 0,
  'filelocking.enabled' => 'true',
  'htaccess.RewriteBase' => '/',
  'integrity.check.disabled' => false,
  'knowledgebaseenabled' => false,
  'logfile' => '/var/nc_data/nextcloud.log',
  'loglevel' => 0,
  'logtimezone' => 'Europe/Berlin',
  'log_rotate_size' => 104857600,
  'maintenance' => false,
  'maintenance_window_start' => 2,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  # should fix the logout issue: https://github.com/nextcloud/server/issues/1075#issuecomment-274376615
  'forcessl' => true,
  'overwriteprotocol' => 'https',
  'overwritehost' => 'nc.my.domain',
  'preview_max_x' => 1024,
  'preview_max_y' => 768,
  'preview_max_scale_factor' => 1,
  'redis' => 
  array (
    'host' => '/var/run/redis/redis-server.sock',
    'port' => 0,
    'timeout' => 0.0,
  ),
  'quota_include_external_storage' => false,
  'share_folder' => '/Shares',
  'skeletondirectory' => '',
  'theme' => '',
  'trashbin_retention_obligation' => 'auto, 7',
  'updater.release.channel' => 'stable',
  'app_install_overwrite' => 
  array (
    0 => 'cookbook',
  ),
  'mail_smtpmode' => 'sendmail',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'nextcloud',
  'mail_domain' => 'my.mail.domain',
);

The output of your Apache/nginx/system log in /var/log/____:

my.public.ip.addr - - [04/Aug/2024:14:28:17 +0200] "GET /logout?requesttoken=asdf%2Fasdfsadf%2Basdfsadf%2Fasdf%3D%3Aasdfsdf%3D HTTP/1.0" 412 23744 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

Isn't that the same as Admin->Logging shown above? Nothing related to logout here.

During my own research of this problem I found CSRF check failed Upon Logout (Upgrade NC9 to NC10) · Issue #1075 · nextcloud/server · GitHub and Access forbidden: CSRF check failed on logout · Issue #17065 · nextcloud/server · GitHub.
It seems that the issue might be caused by me using a reverse proxy (I have multiple services running in LXD containers; one container provides an nginx reverse proxy that forwards requests to all other containers, which also run nginx).
From my understanding, there was an issue with the lighttpd reverse proxy that was caused by wrong URL encoding, but the issues I found are quite old and in “closed” state, so they should be resolved. They also affected lighttpd while I am using nginx, and in the linked issues people explicitly wrote that nginx was working fine for them.

Is there any way that I could change my configuration to make it work?
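The following is an added example, not code from the thread or from Nextcloud. It models the URL-encoding failure mode the linked issue #1075 describes (a proxy hop percent-decoding the URI before forwarding, so the `+` in the base64 token later parses as a space) and adds a small triage helper that reads an nginx access-log line in the format shown above and reports whether the `requesttoken` was still encoded when it reached that hop. The token layout is inferred from the logged request; every value is constructed.

```python
"""Model how a URI-decoding proxy hop corrupts Nextcloud's CSRF requesttoken,
and triage an nginx access-log line to see whether the token was still intact
at that hop. All tokens and log lines here are constructed placeholders."""
import re
from typing import Optional
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Constructed token with the same shape as the placeholder in the thread's log:
# base64 (contains '/', '+', '='), then ':', then a second base64-like part.
SESSION_TOKEN = "asdf/asdfsadf+asdfsadf/asdf=:asdfsdf="


def logout_target(token: str) -> str:
    """Request target as the browser sends it: every reserved char encoded."""
    return "/logout?requesttoken=" + quote(token, safe="")


def proxy_decodes_uri(target: str) -> str:
    """A misbehaving hop that percent-decodes the URI before forwarding."""
    return unquote(target)


def backend_token(target: str) -> Optional[str]:
    """What the application sees after normal query parsing ('+' -> space)."""
    vals = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return vals.get("requesttoken", [None])[0]


def csrf_ok(target: str, session_token: str = SESSION_TOKEN) -> bool:
    """The CSRF check passes only if the received token equals the session's."""
    return backend_token(target) == session_token


LOG_RE = re.compile(
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" (?P<status>\d{3})'
)


def triage_log_line(line: str) -> dict:
    """Report protocol, status and token state for one nginx access-log line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an nginx access-log request line")
    query = urlsplit(m["target"]).query
    pair = next((p for p in query.split("&") if p.startswith("requesttoken=")), "")
    token = pair.partition("=")[2]
    return {
        "proto": m["proto"],
        "status": int(m["status"]),
        # a literal '+', '/', ':' or space means some hop already decoded it
        "token_still_encoded": bool(token) and not re.search(r"[+/: ]", token),
    }
```

A token that arrives still percent-encoded at the backend hop (as in the log line above) points the search away from URI decoding and toward the rest of the proxy configuration.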

It sounds similar to this topic: CSRF check Fehler - #5 by wwe, and the related "csrf check failed" after Nextcloud session ends · Issue #743 · nextcloud/user_oidc · GitHub. That one was related to user_oidc; I don’t see whether you have this or another SSO app in place.

Thank you for your references. I reviewed both of them.
In the forum post, the user describes that it worked in Firefox but not Google Chrome. For me, both browsers show the same behavior. To be extra sure, I deleted all browser data in Chrome, logged back into Nextcloud, immediately tried to log out and was shown the same error message.
I don’t use user_oidc. Below is a list of my installed apps (fairly standard; the only thing I installed that goes broadly in this direction is the Two-Factor TOTP Provider).

sudo -u www-data php /var/www/nextcloud/occ app:list
Enabled:
  - activity: 2.21.1
  - admin_audit: 1.19.0
  - bookmarks: 14.2.3
  - calendar: 4.7.14
  - cfg_share_links: 5.1.1
  - circles: 29.0.0-dev
  - cloud_federation_api: 1.12.0
  - comments: 1.19.0
  - contacts: 6.0.0
  - contactsinteraction: 1.10.0
  - cookbook: 0.11.1
  - cospend: 1.6.1
  - dashboard: 7.9.0
  - dav: 1.30.1
  - end_to_end_encryption: 1.15.2
  - external: 5.4.0
  - federatedfilesharing: 1.19.0
  - federation: 1.19.0
  - files: 2.1.0
  - files_downloadlimit: 2.0.0
  - files_pdfviewer: 2.10.0
  - files_reminders: 1.2.0
  - files_sharing: 1.21.0
  - files_trashbin: 1.19.0
  - files_versions: 1.22.0
  - impersonate: 1.16.0
  - logreader: 2.14.0
  - lookup_server_connector: 1.17.0
  - maps: 1.4.0
  - nextcloud_announcements: 1.18.0
  - notifications: 2.17.0
  - oauth2: 1.17.0
  - password_policy: 1.19.0
  - photos: 2.5.0
  - polls: 7.1.4
  - previewgenerator: 5.6.0
  - privacy: 1.13.0
  - provisioning_api: 1.19.0
  - recommendations: 2.1.0
  - related_resources: 1.4.0
  - serverinfo: 1.19.0
  - settings: 1.12.0
  - sharebymail: 1.19.0
  - support: 1.12.0
  - systemtags: 1.19.0
  - tasks: 0.16.0
  - text: 3.10.1
  - theming: 2.4.0
  - twofactor_backupcodes: 1.18.0
  - twofactor_totp: 11.0.0-dev
  - updatenotification: 1.19.1
  - user_migration: 6.0.0
  - user_status: 1.9.0
  - viewer: 2.3.0
  - weather_status: 1.9.0
  - workflowengine: 2.11.0
Disabled:
  - bruteforcesettings: 2.9.0
  - encryption: 2.17.0
  - files_external: 1.21.0
  - files_rightclick: 0.15.1 (installed 1.6.0)
  - firstrunwizard: 2.18.0 (installed 2.9.0)
  - survey_client: 1.17.0 (installed 1.8.0)
  - suspicious_login: 7.0.0
  - user_ldap: 1.20.0

@jtr found the solution in another thread about a different issue that I had: LogController fails to poll after some update

Turns out both were related to the same slight misconfiguration in my nginx config.
