Solved CSRF Token Invalid
-
Hey, guys!
This is the first time I ever have an issue with Vivaldi since I started using it long time ago.
After the last update, in a portal I use at my job, I keep having the CSRF token invalid error, so I can't fill in any form and, well, that's an important part of my job! Msg as follows:
Forbidden (403)
CSRF verification failed. Request aborted.
You are seeing this message because this site requires a CSRF cookie when submitting forms. This cookie is required for security reasons, to ensure that your browser is not being hijacked by third parties.
If you have configured your browser to disable cookies, please re-enable them, at least for this site, or for 'same-origin' requests.
More information is available with DEBUG=True.
I have already cleared the cache and reset the password for this website with no results. I do see that the CSRF token gets downloaded every time that I clear the cookies, but it keeps telling the same error message.
Any idea why this could be happening?
Addendum: I have a Portable version on Chrome, where I do not have the problem at all.
-
@guipamo Go Settings > Privacy > Do not track, and disable "Ask websites not to track me".
It seems pretty consistent: if the browser sends a DNT header, it will get the CSRF error page, even though the DNT header has nothing to do with security.
Then I recommend you contact the site support and ask them why their login fails if a DNT header is sent. It's very bad behaviour.
-
@guipamo Hello, are you blocking 3rd-party cookies? That would be the most likely explanation. Look in the Settings > Privacy. Also check the Site Info (padlock) icon > Cookies > Blocked if anything is being blocked.
I do see that the CSRF token gets downloaded every time
How do you "see" this? Tokens are usually set as cookies or as form/request parameters.
-
Thank you so much for your answer!
So no, 3rd-party cookies are already allowed for this. Also, I see the token by looking at the list of cookies downloaded. Attaching pictures on this:
-
@guipamo said in CSRF Token Invalid:
Also, I see the token by looking at the list of cookies downloaded.
What would be more interesting is what is in the Blocked area of the Cookies dialog.
Also try disabling your adblocker for the site, disable all extensions and test in another profile, as well as the other steps in the troubleshooting guide.
https://help.vivaldi.com/desktop/troubleshoot/troubleshooting-issues/
-
Interestingly, I just tried logging in with some bogus data:
https://kfmelevate.kfm247.com/accounts/login/
I get the same 403 Forbidden error.
BUT when trying in a clean Vivaldi profile, I get "The username and/or password you specified are not correct." - as expected.
Tried in Chrome, same error.
In Chrome, Opera, Chromium, Firefox - seems to work.
Edit: Chrome error was due to DNT header as well...
I do notice that I get a cookie:
Set-cookie: csrftoken=TgLSkq4O3vpWsA2XfCRJkcfV3KYA9wowJ75Q7gIR7bjylGsGrEIFso65CjVshem0;
And when I do the login request I send the same cookie:
Cookie: csrftoken=TgLSkq4O3vpWsA2XfCRJkcfV3KYA9wowJ75Q7gIR7bjylGsGrEIFso65CjVshem0
However, the Form Data sent in the login also contains a token which does not match:
csrfmiddlewaretoken: yTvIzbjNtP0xAohup9MiygxOG4GADXaZoKPGm1XQxvU9tuHdBbDeGsoYfDDsLF8t
(Hope they don't report me for "brute force hacks" lol)
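The cookie/form-field pair captured above is the double-submit pattern used by Django's CSRF middleware (the "csrftoken" cookie and "csrfmiddlewaretoken" field are Django's names): both values derive from one per-session secret, but each is combined with a fresh random mask, so two valid tokens never look alike. The example below is added to this thread and is not Django's, the site's or Vivaldi's code. It reimplements that masking scheme (assumed: a 32-character secret, a 32-character mask, an alphanumeric alphabet, 64-character masked tokens) together with a server-side check that reports why a request was rejected, so you can see that a cookie and a form token that differ textually can still verify, and what a genuine mismatch or a missing cookie looks like.

```python
import hmac
import secrets
import string

# Alphabet and lengths follow the masked-token scheme Django describes for its
# CSRF tokens (assumption: 32-char secret, 32-char random mask, 64-char token).
ALLOWED_CHARS = string.ascii_letters + string.digits
SECRET_LENGTH = 32
TOKEN_LENGTH = 2 * SECRET_LENGTH


def _random_string(length: int) -> str:
    return "".join(secrets.choice(ALLOWED_CHARS) for _ in range(length))


def new_secret() -> str:
    """Per-session secret; the server keeps this stable across requests."""
    return _random_string(SECRET_LENGTH)


def mask_secret(secret: str) -> str:
    """Return mask + (secret shifted by mask); a new value on every call."""
    mask = _random_string(SECRET_LENGTH)
    n = len(ALLOWED_CHARS)
    cipher = "".join(
        ALLOWED_CHARS[(ALLOWED_CHARS.index(s) + ALLOWED_CHARS.index(m)) % n]
        for s, m in zip(secret, mask)
    )
    return mask + cipher


def unmask_token(token: str) -> str:
    """Inverse of mask_secret: strip the mask prefix and undo the shift."""
    mask, cipher = token[:SECRET_LENGTH], token[SECRET_LENGTH:]
    n = len(ALLOWED_CHARS)
    return "".join(
        ALLOWED_CHARS[(ALLOWED_CHARS.index(c) - ALLOWED_CHARS.index(m)) % n]
        for c, m in zip(cipher, mask)
    )


def _is_sane(value: str, length: int) -> bool:
    return len(value) == length and all(ch in ALLOWED_CHARS for ch in value)


def verify_request(cookie_value: str, form_token: str) -> tuple:
    """Server-side check: cookie and form field must unmask to one secret.

    The cookie may carry a masked 64-char token or the bare 32-char secret
    (both layouts have been used); the form field is always masked.
    Returns (ok, reason) so a defender can log why a request was rejected.
    """
    if _is_sane(cookie_value, TOKEN_LENGTH):
        cookie_secret = unmask_token(cookie_value)
    elif _is_sane(cookie_value, SECRET_LENGTH):
        cookie_secret = cookie_value
    else:
        return False, "CSRF cookie missing or malformed"
    if not _is_sane(form_token, TOKEN_LENGTH):
        return False, "CSRF token missing or malformed"
    # Compare the unmasked secrets in constant time, never the raw strings.
    if not hmac.compare_digest(cookie_secret, unmask_token(form_token)):
        return False, "CSRF token does not match cookie secret"
    return True, "ok"


def demo() -> dict:
    """Constructed exchange: one session secret, cookie and form token."""
    secret = new_secret()
    cookie = mask_secret(secret)       # what Set-Cookie: csrftoken=... carries
    form_token = mask_secret(secret)   # what csrfmiddlewaretoken carries
    stale_cookie = mask_secret(new_secret())  # cookie from another session
    return {
        "tokens_differ_textually": cookie != form_token,
        "valid": verify_request(cookie, form_token),
        "stale_cookie": verify_request(stale_cookie, form_token),
        "missing_cookie": verify_request("", form_token),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Nothing in this check consults request headers such as DNT: a site that rejects submissions when that header is present is doing so in code of its own, which is exactly why it is worth reporting to the site's developers rather than fixing in the browser.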
-
Wow, Sir. Actually worked. I really appreciate your help on this.
I am redirecting the information you have shared with me right now to the development team.
I really thank you for your insight on this. It's working now.
UPDATE: Actually, with your explanation I think I also understand why I didn't get the error in Chrome. I was running the tests on a portable clean version.
Once again, thank you.
-
The HTTP header "Do not Track" (DNT) is only a wish not to track a user and no web server has to respect it, some servers do.
But that a DNT header causes a broken webpage, that I would call ugly programming of the webapp and bad work by the webmasters.
-
@pathduck I am having a similar login issue with Brooklyn Public Library. When attempting to log in I get an error that the username or password is incorrect. However, they are not. If I go to another browser I can log in with no issues. Any thoughts on how to resolve this issue?
"Ask websites not to track me" is not ticked in my settings.
-
@cajun Hello and Welcome to the Vivaldi Community
Sorry but it's probably not the same issue.
Do you get the same error message as the first post?
Forbidden (403)
CSRF verification failed. Request aborted.
If not, it's not the same issue. Please open a new topic about your login issue. And go through the troubleshooting steps:
https://help.vivaldi.com/desktop/troubleshoot/troubleshooting-issues/