Issue #200: CRSF Check Failing (403) on Form Submit
|Reported by:||Rhys Llewellyn|
|Created on:||2016-03-23 19:52|
|Updated on:||2016-03-24 05:40|
I have changed to using Container Auth in order to provide SSO for my personal instance of Kallithea. However whilst the user logs in successfully, any form submit will result in a 403 Forbidden error. A check of the paster output shows a successful container authentication but a CRSF check failure.
The container authentication is set up as specified on the Kallithea Docs.
I will update the issue with logs later this afternoon when I regain access to ssh.
Comment by Mads Kiilerich, on 2016-03-23 19:58
I don't think anything has changed in this area recently and I don't recall any reports of issues like that so I assume it works elsewhere. Weird.
Looking forward to see more details!
Comment by Rhys Llewellyn, on 2016-03-24 04:26
It seems the issue was with Kallithea not detecting the url scheme from the proxy, and issuing redirects to http resources whilst in a https reverse proxy which was invalidating cookies. I have forced SSL and it seems to have resolved the issue.
Comment by Mads Kiilerich, on 2016-03-24 05:40
Ok, so some combination of secure cookies (43ad9c3b7d5d) and http://docs.kallithea-scm.org/en/latest/overview.html#web-server and http://docs.kallithea-scm.org/en/latest/setup.html#https-support not being sufficiently clear?
Contributions to improve the documentation (or code) would be appreciated a lot!