Share Links CSRF Check Failed

Hi there

Nextcloud version (eg, 20.0.5): 27.0.2
Operating system and version (eg, Ubuntu 20.04): DSM 7.1.1-42962 Update 6
Apache or nginx version (eg, Apache 2.4.25): nginx/1.24.0
PHP version (eg, 7.4): PHP 8.2.8

The issue you are facing:
I’m facing the issue that whenever I create a new share link, whether it be for downloading or uploading, secured with a password of course, the user in some browsers will get a “CSRF Check Failed” error.

I myself can reproduce it with my Firefox Android browser; if I use an incognito tab, the check passes after entering the password and I can open the folder. All in all very unreliable and not made for sharing in my family, as I chose Nextcloud so it’s easy to use for everyone, not so that I get x amount of calls telling me the link and password do not work.

This worked before, but I think it is broken after upgrading to 27.0.0.

Is this the first time you’ve seen this error? (Y/N): Yes

Steps to replicate it:

Open Link
Enter Password

The output of your Nextcloud log in Admin > Logging:

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

I’ve entered my domain and local IP address.

The output of your Apache/nginx/system log in /var/log/____:

/var/log/nginx/error.log is empty.

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

root@Nextcloud:/config/www/nextcloud/data# tail -f nextcloud.log
{"reqId":"gvUfYTSGeF4hPHVAL09B","level":0,"time":"2023-08-16T00:05:52+00:00","remoteAddr":"","user":"--","app":"","method":"","url":"--","message":"[debug] running maintenance (1)","userAgent":"--","version":"27.0.2.1","data":{"app":""}}
{"reqId":"gvUfYTSGeF4hPHVAL09B","level":0,"time":"2023-08-16T00:05:53+00:00","remoteAddr":"","user":"--","app":"cron","method":"","url":"--","message":"Finished OCA\\Circles\\Cron\\Maintenance job with ID 257806 in 2 seconds","userAgent":"--","version":"27.0.2.1","data":{"app":"cron"}}
{"reqId":"gvUfYTSGeF4hPHVAL09B","level":0,"time":"2023-08-16T00:05:54+00:00","remoteAddr":"","user":"--","app":"cron","method":"","url":"--","message":"CLI cron call has selected job with ID 260195","userAgent":"--","version":"27.0.2.1","data":{"app":"cron"}}
{"reqId":"gvUfYTSGeF4hPHVAL09B","level":0,"time":"2023-08-16T00:05:55+00:00","remoteAddr":"","user":"--","app":"cron","method":"","url":"--","message":"CLI cron call has selected job with ID 260196","userAgent":"--","version":"27.0.2.1","data":{"app":"cron"}}
{"reqId":"gvUfYTSGeF4hPHVAL09B","level":0,"time":"2023-08-16T00:05:55+00:00","remoteAddr":"","user":"--","app":"cron","method":"","url":"--","message":"Run OCA\\Notifications\\BackgroundJob\\SendNotificationMails job with ID 260196","userAgent":"--","version":"27.0.2.1","data":{"app":"cron"}}
{"reqId":"gvUfYTSGeF4hPHVAL09B","level":0,"time":"2023-08-16T00:05:56+00:00","remoteAddr":"","user":"--","app":"cron","method":"","url":"--","message":"Finished OCA\\Notifications\\BackgroundJob\\SendNotificationMails job with ID 260196 in 1 seconds","userAgent":"--","version":"27.0.2.1","data":{"app":"cron"}}
{"reqId":"gvUfYTSGeF4hPHVAL09B","level":0,"time":"2023-08-16T00:05:59+00:00","remoteAddr":"","user":"--","app":"cron","method":"","url":"--","message":"CLI cron call has selected job with ID 263363","userAgent":"--","version":"27.0.2.1","data":{"app":"cron"}}
{"reqId":"gvUfYTSGeF4hPHVAL09B","level":0,"time":"2023-08-16T00:06:01+00:00","remoteAddr":"","user":"--","app":"cron","method":"","url":"--","message":"CLI cron call has selected job with ID 1","userAgent":"--","version":"27.0.2.1","data":{"app":"cron"}}
{"reqId":"gvUfYTSGeF4hPHVAL09B","level":0,"time":"2023-08-16T00:06:01+00:00","remoteAddr":"","user":"--","app":"cron","method":"","url":"--","message":"Run OCA\\Activity\\BackgroundJob\\EmailNotification job with ID 1","userAgent":"--","version":"27.0.2.1","data":{"app":"cron"}}
{"reqId":"gvUfYTSGeF4hPHVAL09B","level":0,"time":"2023-08-16T00:06:01+00:00","remoteAddr":"","user":"--","app":"cron","method":"","url":"--","message":"Finished OCA\\Activity\\BackgroundJob\\EmailNotification job with ID 1 in 0 seconds","userAgent":"--","version":"27.0.2.1","data":{"app":"cron"}}
{"reqId":"LrwBnbX6J0oreGIZRME3","level":1,"time":"2023-08-16T00:08:04+00:00","remoteAddr":"X.X.X.X","user":"--","app":"core","method":"GET","url":"/apps/theming/image/logo?v=16","message":"Tried to log in next_adm but could not verify token","userAgent":"Mozilla/5.0 (Android 13; Mobile; rv:109.0) Gecko/116.0 Firefox/116.0","version":"27.0.2.1","data":{"app":"core"}}
{"reqId":"YzvojtaJMOIRiAauKlGI","level":1,"time":"2023-08-16T00:08:04+00:00","remoteAddr":"X.X.X.X","user":"--","app":"core","method":"GET","url":"/apps/theming/image/background?v=16","message":"Tried to log in next_adm but could not verify token","userAgent":"Mozilla/5.0 (Android 13; Mobile; rv:109.0) Gecko/116.0 Firefox/116.0","version":"27.0.2.1","data":{"app":"core"}}
{"reqId":"6hAchsTZmIoCdtNdR7fJ","level":1,"time":"2023-08-16T00:08:04+00:00","remoteAddr":"X.X.X.X","user":"--","app":"core","method":"GET","url":"/s/DfWH7EsJHb59i7d/authenticate/showShare","message":"Tried to log in next_adm but could not verify token","userAgent":"Mozilla/5.0 (Android 13; Mobile; rv:109.0) Gecko/116.0 Firefox/116.0","version":"27.0.2.1","data":{"app":"core"}}
{"reqId":"fQib88IUUqDQHf9oWMoq","level":1,"time":"2023-08-16T00:08:05+00:00","remoteAddr":"X.X.X.X","user":"--","app":"core","method":"GET","url":"/apps/theming/image/logo?v=16","message":"Tried to log in next_adm but could not verify token","userAgent":"Mozilla/5.0 (Android 13; Mobile; rv:109.0) Gecko/116.0 Firefox/116.0","version":"27.0.2.1","data":{"app":"core"}}
{"reqId":"oMXbdOHvx2fyxDAQgpCH","level":1,"time":"2023-08-16T00:08:05+00:00","remoteAddr":"X.X.X.X","user":"--","app":"core","method":"GET","url":"/apps/theming/image/background?v=16","message":"Tried to log in next_adm but could not verify token","userAgent":"Mozilla/5.0 (Android 13; Mobile; rv:109.0) Gecko/116.0 Firefox/116.0","version":"27.0.2.1","data":{"app":"core"}}
{"reqId":"m3uzgsQMZOqepsJZZwBL","level":1,"time":"2023-08-16T00:08:06+00:00","remoteAddr":"X.X.X.X","user":"--","app":"core","method":"GET","url":"/apps/theming/image/background?v=16","message":"Tried to log in next_adm but could not verify token","userAgent":"Mozilla/5.0 (Android 13; Mobile; rv:109.0) Gecko/116.0 Firefox/116.0","version":"27.0.2.1","data":{"app":"core"}}
{"reqId":"VgYJseiBvMpv2CV39G8V","level":1,"time":"2023-08-16T00:08:06+00:00","remoteAddr":"X.X.X.X","user":"--","app":"core","method":"GET","url":"/apps/theming/image/logo?v=16","message":"Tried to log in next_adm but could not verify token","userAgent":"Mozilla/5.0 (Android 13; Mobile; rv:109.0) Gecko/116.0 Firefox/116.0","version":"27.0.2.1","data":{"app":"core"}}
{"reqId":"MVBw88YfpSiDeD5kvFVJ","level":1,"time":"2023-08-16T00:08:06+00:00","remoteAddr":"X.X.X.X","user":"--","app":"core","method":"GET","url":"/apps/theming/image/logo?v=16","message":"Tried to log in next_adm but could not verify token","userAgent":"Mozilla/5.0 (Android 13; Mobile; rv:109.0) Gecko/116.0 Firefox/116.0","version":"27.0.2.1","data":{"app":"core"}}
{"reqId":"FqUW8GbwV7VcTU9CIJyz","level":1,"time":"2023-08-16T00:08:06+00:00","remoteAddr":"X.X.X.X","user":"--","app":"core","method":"GET","url":"/apps/theming/image/background?v=16","message":"Tried to log in next_adm but could not verify token","userAgent":"Mozilla/5.0 (Android 13; Mobile; rv:109.0) Gecko/116.0 Firefox/116.0","version":"27.0.2.1","data":{"app":"core"}}
{"reqId":"fiJjMocRqyTvN1v1iWbz","level":1,"time":"2023-08-16T00:08:14+00:00","remoteAddr":"X.X.X.X","user":"--","app":"core","method":"POST","url":"/s/DfWH7EsJHb59i7d/authenticate/showShare","message":"Tried to log in next_adm but could not verify token","userAgent":"Mozilla/5.0 (Android 13; Mobile; rv:109.0) Gecko/116.0 Firefox/116.0","version":"27.0.2.1","data":{"app":"core"}}
{"reqId":"fiJjMocRqyTvN1v1iWbz","level":0,"time":"2023-08-16T00:08:14+00:00","remoteAddr":"X.X.X.X","user":"--","app":"no app in context","method":"POST","url":"/s/DfWH7EsJHb59i7d/authenticate/showShare","message":"CSRF check failed","userAgent":"Mozilla/5.0 (Android 13; Mobile; rv:109.0) Gecko/116.0 Firefox/116.0","version":"27.0.2.1","exception":{"Exception":"OC\\AppFramework\\Middleware\\Security\\Exceptions\\CrossSiteRequestForgeryException","Message":"CSRF check failed","Code":412,"Trace":[{"file":"/app/www/public/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php","line":96,"function":"beforeController","class":"OC\\AppFramework\\Middleware\\Security\\SecurityMiddleware","type":"->"},{"file":"/app/www/public/lib/private/AppFramework/Http/Dispatcher.php","line":129,"function":"beforeController","class":"OC\\AppFramework\\Middleware\\MiddlewareDispatcher","type":"->"},{"file":"/app/www/public/lib/private/AppFramework/App.php","line":183,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/app/www/public/lib/private/Route/Router.php","line":315,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/app/www/public/lib/base.php","line":1071,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/app/www/public/index.php","line":36,"function":"handleRequest","class":"OC","type":"::"}],"File":"/app/www/public/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php","Line":224,"message":"CSRF check failed","exception":{},"CustomMessage":"CSRF check failed"}}
{"reqId":"Mlyy8qlilsAX73iNlkNQ","level":1,"time":"2023-08-16T00:08:14+00:00","remoteAddr":"X.X.X.X","user":"--","app":"core","method":"GET","url":"/apps/theming/image/background?v=16","message":"Tried to log in next_adm but could not verify token","userAgent":"Mozilla/5.0 (Android 13; Mobile; rv:109.0) Gecko/116.0 Firefox/116.0","version":"27.0.2.1","data":{"app":"core"}}
{"reqId":"TYR1n6e7MtTr5yc7qMds","level":1,"time":"2023-08-16T00:08:14+00:00","remoteAddr":"X.X.X.X","user":"--","app":"core","method":"GET","url":"/apps/theming/image/logo?v=16","message":"Tried to log in next_adm but could not verify token","userAgent":"Mozilla/5.0 (Android 13; Mobile; rv:109.0) Gecko/116.0 Firefox/116.0","version":"27.0.2.1","data":{"app":"core"}}
{"reqId":"eScmTSohX4cMJ94qbUFh","level":1,"time":"2023-08-16T00:08:15+00:00","remoteAddr":"X.X.X.X","user":"--","app":"core","method":"GET","url":"/apps/theming/image/background?v=16","message":"Tried to log in next_adm but could not verify token","userAgent":"Mozilla/5.0 (Android 13; Mobile; rv:109.0) Gecko/116.0 Firefox/116.0","version":"27.0.2.1","data":{"app":"core"}}
{"reqId":"6tB2G6Up8B7w3wzoE4iK","level":1,"time":"2023-08-16T00:08:15+00:00","remoteAddr":"X.X.X.X","user":"--","app":"core","method":"GET","url":"/apps/theming/image/logo?v=16","message":"Tried to log in next_adm but could not verify token","userAgent":"Mozilla/5.0 (Android 13; Mobile; rv:109.0) Gecko/116.0 Firefox/116.0","version":"27.0.2.1","data":{"app":"core"}}

I can confirm this behavior with NC 27.1.2.
It should also work without an incognito browser window.

The problem has to do with the user being logged in and trying to open that link.
If the user logs out and opens that link, then the link will work after entering the password.
It would be great if a logged-in user would not have to log out or use an incognito window in order to use that link.
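As an added triage example (not code from the original post or from Nextcloud), the following Python parses nextcloud.log lines like the ones quoted above, groups them by reqId, and separates the "logged-in user opens a share link" case described in the reply (a share-password POST that also logs "could not verify token") from CSRF failures that carry no such session warning and deserve a closer look. The sample log lines, share ids and addresses are constructed.

```python
import json
from collections import defaultdict

# Constructed sample modelled on the thread's nextcloud.log excerpt; share ids and
# addresses are placeholders. Raw string keeps the JSON-escaped backslashes intact.
SAMPLE_LOG = r"""
root@host:/data# tail -f nextcloud.log
{"reqId":"A1","level":1,"time":"2023-08-16T00:08:04+00:00","remoteAddr":"X.X.X.X","user":"--","app":"core","method":"GET","url":"/apps/theming/image/logo?v=16","message":"Tried to log in next_adm but could not verify token"}
{"reqId":"B2","level":1,"time":"2023-08-16T00:08:14+00:00","remoteAddr":"X.X.X.X","user":"--","app":"core","method":"POST","url":"/s/SHAREID/authenticate/showShare","message":"Tried to log in next_adm but could not verify token"}
{"reqId":"B2","level":0,"time":"2023-08-16T00:08:14+00:00","remoteAddr":"X.X.X.X","user":"--","app":"no app in context","method":"POST","url":"/s/SHAREID/authenticate/showShare","message":"CSRF check failed","exception":{"Exception":"OC\\AppFramework\\Middleware\\Security\\Exceptions\\CrossSiteRequestForgeryException","Code":412}}
{"reqId":"C3","level":0,"time":"2023-08-16T00:09:00+00:00","remoteAddr":"Y.Y.Y.Y","user":"--","app":"no app in context","method":"POST","url":"/s/OTHERID/authenticate/showShare","message":"CSRF check failed","exception":{"Code":412}}
"""

def parse_log(text):
    """Parse JSON lines; skip anything else, such as the shell prompt line."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except ValueError:
            continue
    return events

def triage_csrf_failures(events):
    """Group events by reqId and classify each 'CSRF check failed' request:
    a share-password POST paired with a 'could not verify token' warning is the
    stale logged-in session from the thread; one without it deserves review."""
    by_req = defaultdict(list)
    for ev in events:
        by_req[ev.get("reqId")].append(ev)
    findings = []
    for req_id, evs in by_req.items():
        csrf = next((e for e in evs if e.get("message") == "CSRF check failed"), None)
        if csrf is None:
            continue
        url = csrf.get("url") or ""
        share_post = csrf.get("method") == "POST" and "/authenticate/" in url
        stale = any("could not verify token" in e.get("message", "") for e in evs)
        verdict = "stale-session" if share_post and stale else ("review" if share_post else "other")
        findings.append({"reqId": req_id, "time": csrf.get("time"),
                         "remoteAddr": csrf.get("remoteAddr"), "url": url,
                         "code": (csrf.get("exception") or {}).get("Code"),
                         "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in triage_csrf_failures(parse_log(SAMPLE_LOG)):
        print(f"{f['time']} {f['remoteAddr']} {f['url']} -> {f['verdict']} (HTTP {f['code']})")
```

Run it against a real nextcloud.log with `parse_log(open("nextcloud.log").read())`; the HTTP 412 code comes from the exception record Nextcloud attaches to the failure.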