
Support: CSRF Token Mismatch When Accessing /users/login

Open Diogo-Rego opened this issue 1 year ago • 0 comments

Support Questions

When attempting to access the MISP login page, the following error occurs due to a CSRF token issue:

2024-09-26 10:38:00 Error: Blackhole exception when accessing /users/login (isRest: 0, action: login, unlockedActions: []): CSRF token mismatch
2024-09-26 10:38:00 Error: [BadRequestException] The request has been black-holed
Request URL: /users/login?_=1727347065825
Stack Trace:
#0 /var/www/MISP/app/Lib/cakephp/lib/Cake/Controller/Component/SecurityComponent.php(831): AppController->blackhole()
#1 /var/www/MISP/app/Lib/cakephp/lib/Cake/Controller/Component/SecurityComponent.php(351): SecurityComponent->_callback()
#2 /var/www/MISP/app/Controller/Component/BetterSecurityComponent.php(22): SecurityComponent->blackHole()
#3 /var/www/MISP/app/Lib/cakephp/lib/Cake/Controller/Component/SecurityComponent.php(255): BetterSecurityComponent->blackHole()
#4 /var/www/MISP/app/Lib/cakephp/lib/Cake/Utility/ObjectCollection.php(129): SecurityComponent->startup()
#5 /var/www/MISP/app/Lib/Tools/BetterCakeEventManager.php(23): ObjectCollection->trigger()
#6 /var/www/MISP/app/Lib/cakephp/lib/Cake/Controller/Controller.php(683): BetterCakeEventManager->dispatch()
#7 /var/www/MISP/app/Lib/cakephp/lib/Cake/Routing/Dispatcher.php(189): Controller->startupProcess()
#8 /var/www/MISP/app/Lib/cakephp/lib/Cake/Routing/Dispatcher.php(167): Dispatcher->_invoke()
#9 /var/www/MISP/app/webroot/index.php(101): Dispatcher->dispatch()
#10 {main}

Steps to Reproduce:

  1. Navigate to the URL /users/login.
  2. Observe the CSRF token mismatch error.

Additional Information: This problem occurs specifically when adding MISP as a widget in Element. Accessing MISP directly works without any issues.

Expected Behavior: The login page should be accessible without any CSRF errors.

Possible Causes and Solutions:

  • Check if Nginx is configured to correctly pass CSRF headers.
  • Adjust the CSRF token expiration time in the MISP configuration.
  • Ensure that the CSRF token is included correctly in all POST requests.
  • Reload the login page before attempting to submit the form again.

Additional Logs:


MISP version

2.4.197

Operating System

Ubuntu

Operating System version

20.04

PHP version

7.4

Browser

Chrome

Browser version

129.0.6668.58

Relevant log output

No response

Extra attachments

No response

Code of Conduct

  • [x] I agree to follow this project's Code of Conduct

Diogo-Rego, Sep 26 '24 11:09
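A triage helper for the error lines quoted in the issue above, added here as an example; it is not part of the original issue or of MISP's own code. It groups blackhole events by path and reason so that CSRF mismatches on `/users/login` can be counted and tied to their request URLs. The function names and the second log event are constructed for illustration.

```python
import re
from collections import Counter

# Line format copied from the error log quoted in the issue.
BLACKHOLE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Error: Blackhole exception "
    r"when accessing (?P<path>\S+) \(isRest: (?P<is_rest>\d), "
    r"action: (?P<action>[^,]+), unlockedActions: \[(?P<unlocked>[^\]]*)\]\): "
    r"(?P<reason>.+)$"
)
REQUEST_URL = re.compile(r"^Request URL: (?P<url>\S+)")

def parse_blackholes(lines):
    """Return one dict per blackhole event, with its Request URL line if present."""
    events = []
    for line in lines:
        line = line.rstrip("\n")
        m = BLACKHOLE.match(line)
        if m:
            ev = m.groupdict()
            ev["is_rest"] = ev["is_rest"] == "1"
            ev["request_url"] = None
            events.append(ev)
            continue
        u = REQUEST_URL.match(line)
        # Attach a URL only to the latest event, and only if its path matches.
        if (u and events and events[-1]["request_url"] is None
                and u.group("url").split("?", 1)[0] == events[-1]["path"]):
            events[-1]["request_url"] = u.group("url")
    return events

def summarize(events):
    """Count events per (path, reason) pair."""
    return Counter((e["path"], e["reason"]) for e in events)

# Constructed sample: first event is from the issue, second is made up.
SAMPLE_LOG = """\
2024-09-26 10:38:00 Error: Blackhole exception when accessing /users/login (isRest: 0, action: login, unlockedActions: []): CSRF token mismatch
2024-09-26 10:38:00 Error: [BadRequestException] The request has been black-holed
Request URL: /users/login?_=1727347065825
Stack Trace:
#0 /var/www/MISP/app/Lib/cakephp/lib/Cake/Controller/Component/SecurityComponent.php(831): AppController->blackhole()
2024-09-26 10:41:12 Error: Blackhole exception when accessing /users/login (isRest: 0, action: login, unlockedActions: []): CSRF token mismatch
2024-09-26 10:41:12 Error: [BadRequestException] The request has been black-holed
Request URL: /users/login?_=1727347272001
""".splitlines()

if __name__ == "__main__":
    for key, count in summarize(parse_blackholes(SAMPLE_LOG)).items():
        print(count, *key)
```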