CSRF Verification Failed


#1

Hi,

I’m using the Sentry Docker image and the PHP-SDK.

Sentry itself is running fine but sending an error causes a 403 error. Logfile from the docker logs:

web_1 | <****local_ip****> - - [19/Dec/2017:15:28:07 +0000] "POST //api/2/store/ HTTP/1.1" 403 8076 "-" "sentry-php/1.8.1"

I tried to debug the /vendor/sentry/sentry/lib/Raven/Client.php file by using var_dump() for the $buffer variable in the send_http_synchronous function:

$buffer = curl_exec($this->_curl_instance);

and it returns:

CSRF Verification Failed
A required security token was not found or was invalid.

DSN setup:

$client = new Raven_Client('http://xxx:xxxx@localhost:9000//2');

FQDN doesn’t work either:

$client = new Raven_Client('http://xxx:xxxx@foo.bar.local:9000//2');

Any hints what I’m doing wrong?

@matt maybe?

TIA!


#2

The obvious thing I can see at a glance is the double / in your DSN which is causing it to hit the wrong URL.


#3

Thank you so much @matt. That solved it.
I entered the Root URL in the sentry settings with a trailing slash:

http://foo.bar.local:9000/

so Sentry proposed:

$client = new Raven_Client('http://xxx:xxxx@foo.bar.local:9000//2');


#4

Hi Matt,

I’ve encountered a CSRF problem when I tried to log in from the web. I know the user was created already since docker logs with createuser command gave this: django.db.utils.IntegrityError: IntegrityError(‘duplicate key value violates unique constraint “auth_user_username_key”\nDETAIL: Key (username)=(web-deploy@xxxxxx.com) already exists.\n’,)
SQL: INSERT INTO “auth_user” (“password”, “last_login”, “username”, “first_name”, “email”, “is_staff”, “is_active”, “is_superuser”, “is_managed”, “is_password_expired”, “last_password_change”, “session_nonce”, “date_joined”, “last_active”) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s) RETURNING “auth_user”.“id”

but when I log in using the email, it gave this: "CSRF Verification Failed
A required security token was not found or was invalid.

If you’re continually seeing this issue, try the following:

Clear cookies (at least for Sentry’s domain).
Reload the page you’re trying to submit (don’t re-submit data).
Re-enter the information, and submit the form again.
Read more about CSRF on Wikipedia."

I’ve tried the password recovery page, it’s the same error.

Also tried with non-existing username, same error.

Docker log for web container shows no error.

Tried with both Safari and Chrome.


#5

Never mind. I’ve found the problem. “SENTRY_USE_SSL” set to ‘1’ was the problem.


#6

I hit the same problem as @jaltek – it seems like the root URL field should trim trailing slashes or the template should do urljoin(root, endpoint) to normalize the paths.
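
The normalization suggested in #6, as an added Python example that is not part of the thread and not Sentry or SDK code. The function names are hypothetical, and the way `store_endpoint` derives the URL is an assumption modelled on the `POST //api/2/store/` log line in #1.

```python
# Added illustration; function names are hypothetical, not Sentry or SDK code.
from urllib.parse import urlsplit, urlunsplit


def build_dsn(root_url, public_key, secret_key, project_id):
    """Compose a DSN from the configured root URL, dropping empty path segments.

    Segments are joined by hand instead of with urljoin(), because
    urljoin("http://host/sentry", "2") replaces the last segment ("/2").
    """
    parts = urlsplit(root_url)
    segments = [s for s in parts.path.split("/") if s]  # "/" or "//" -> []
    segments.append(str(project_id))
    netloc = f"{public_key}:{secret_key}@{parts.netloc}"
    return urlunsplit((parts.scheme, netloc, "/" + "/".join(segments), "", ""))


def store_endpoint(dsn):
    """Derive the store URL as a client would: <prefix>/api/<project>/store/.

    Assumption: the prefix is copied verbatim from the DSN path, which is
    consistent with the "POST //api/2/store/" request in the thread's log.
    """
    parts = urlsplit(dsn)
    prefix, _, project = parts.path.rpartition("/")
    host = parts.netloc.rpartition("@")[2]  # drop the key:secret credentials
    return f"{parts.scheme}://{host}{prefix}/api/{project}/store/"


def dsn_problems(dsn):
    """Return path defects that would send events to the wrong URL."""
    path = urlsplit(dsn).path
    problems = []
    if "//" in path:
        problems.append("empty path segment (double slash)")
    if not path.rpartition("/")[2]:
        problems.append("missing project id after the last slash")
    return problems


if __name__ == "__main__":
    # Constructed inputs, using the placeholder credentials from the thread.
    bad = "http://xxx:xxxx@foo.bar.local:9000//2"
    good = build_dsn("http://foo.bar.local:9000/", "xxx", "xxxx", 2)
    for dsn in (bad, good):
        print(dsn, "->", store_endpoint(dsn), dsn_problems(dsn))
```

Running `dsn_problems` over configured DSNs at deploy time catches the trailing-slash root URL before the first event is rejected with a 403.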