
[bug]: Getting `CSRF cookie not set` when using 1Password to login

Open tomerh2001 opened this issue 1 year ago • 9 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Current behavior

Getting this when attempting to login using 1Password: image

Steps to reproduce

  1. Click on the username input field on the login page
  2. Click on my saved 1Password user
  3. 1Password automatically inputs my credentials AND submits the form.
  4. I'm redirected to the page saying CSRF Verification Failed

Note: I suspect it has something to do with part 3 - specifically the way 1Password automatically submits the form.

Environment

Production

Browser

Other

Variant

Self-hosted

Version

v0.22.0 community

tomerh2001 avatar Aug 25 '24 18:08 tomerh2001

Note: Typing my credentials manually works. It only happens when using 1Password

tomerh2001 avatar Aug 25 '24 18:08 tomerh2001

I had the same issue but it disappeared without any changes from my side... 1Password 7 on macOS.

florian-obradovic avatar Aug 28 '24 07:08 florian-obradovic

Was just about to report this issue. Same thing happens to me when using 1Password's autofill feature. Maybe some kind of race condition issue where 1Password is autofilling and submitting too fast?

ajschofield avatar Sep 08 '24 18:09 ajschofield

Same problem here, self-hosted on Debian 12.7 with Docker. Same in Firefox and Google Chrome, but all forms are filled out manually, no 1Password or other software like this.

thomasx81x avatar Sep 11 '24 14:09 thomasx81x

Same here with self hosted instance & 1P

wottpal avatar Oct 06 '24 10:10 wottpal

Does anyone know a way to then bypass or solve this?

neoighodaro avatar Feb 27 '25 12:02 neoighodaro

Same here, selfhosted with Coolify. It worked when I installed it, haven't used it for a month or so, and now getting this when I try to login. (edit: I'm not using 1Password though)

rujorgensen avatar Mar 15 '25 11:03 rujorgensen

Check for CORS_ALLOWED_ORIGINS environment variable. It should be http://... not https://.... When I changed it from https to http it worked.

tosh99 avatar Mar 18 '25 12:03 tosh99

> Check for CORS_ALLOWED_ORIGINS environment variable. It should be http://... not https://.... When I changed it from https to http it worked.

Hi @tosh99 👋. I don't see that variable at all, maybe I need to add it. What exactly should the value be? Do you mean 'http://my-plane-domain.domain'?

edit: I got mine to work by adding my domain to CORS_ALLOWED_ORIGINS. I initially didn't have the CORS_ALLOWED_ORIGINS env variable, but I deleted Plane completely, and re-deployed (obviously this option is not for everyone as you will lose data, but it indicates whereabouts the issue could be, as @tosh99 pointed out). After re-deploying the newest image, I now had the CORS_ALLOWED_ORIGINS env variable, but it was set to "http://localhost", and I still got "CSRF ...". I changed it to "http://localhost,https://[YOUR-DOMAIN]" and now it works ✅.

rujorgensen avatar Mar 25 '25 10:03 rujorgensen