CSRF verification failed message in Reviewboard login


Rashmi Sherawat

Feb 15, 2023, 9:41:59 AM
to Review Board Development
Hi,

I have installed Reviewboard v5.0.2 and Python v3.9. I configured it with Apache, but when I open the URL in a browser and try to log in, it gives the message below:

Forbidden (403)

CSRF verification failed. Request aborted.

More information is available with DEBUG=True.


Content in my reviewboard.wsgi is as below:
-----------------------------------------------------------------------------------------------
import __main__
__main__.__requires__ = ['ReviewBoard']
import pkg_resources

import os

os.environ['REVIEWBOARD_SITEDIR'] = '/var/www/reviewboard'

from reviewboard.wsgi import application
----------------------------------------------------------------------------------------------------

Christian Hammond

Feb 15, 2023, 6:08:33 PM
to reviewb...@googlegroups.com
Hi Rashmi,

Any number of things can trigger a CSRF verification failure. Can you verify that:

1. The hostname being accessed matches the configured hostname used when installing the site
2. Cookies are enabled

Also, can you tell me more about your setup? Is there anything like a load balancer in between you and the server, or an HTTP(S) proxy server?

Is the site configured for HTTP or HTTPS?

Christian


--
Christian Hammond
President/CEO of Beanbag
Makers of Review Board

Rashmi Sherawat

Feb 17, 2023, 8:48:01 AM
to reviewb...@googlegroups.com
Hi Christian,

Hostname is similar to what was used during installation. Also, cookies are enabled.
As of now, I am running on port 80; later on we will move it to HTTPS.
I tried giving ALLOWED_HOSTS and CSRF_TRUSTED_ORIGINS in settings_local.py, but that is also not solving this issue.
Sometimes we get this error on our production system also, but we are able to resolve it by logging in through the command line as below, and then it works for us:

/grid/common/pkgs/python/v2.7.2/bin/rbt status --username <userid> --debug

Not sure if I am missing something in the configuration somewhere.



--
Thanks and Regards
Rashmi

Christian Hammond

Feb 17, 2023, 6:39:51 PM
to reviewb...@googlegroups.com
Hi Rashmi,

rbt status can't influence the CSRF support, so if CSRF is failing intermittently, then there's a problem elsewhere.

I'd make sure that:

1. All users are accessing Review Board through one official fully-qualified hostname. So, reviewboard.example.com, not just 'reviewboard', or 'reviewboard-staging.example.com' or an IP address (all examples).
2. The hostname shown in Admin UI -> General Settings matches what people are accessing.
3. If HTTPS is at all an option, it needs to be the only option. HTTP should redirect.
4. If you're behind a load balancer with multiple Review Board servers, make sure that each Review Board server is accessing the same memcached server, same database server, and is configured with the same ALLOWED_HOSTS setting.
5. Again, if behind a load balancer, make sure that it's forwarding the IP addresses correctly (it should fill out an X-Forwarded-For header, and/or X-Real-IP header).

Christian
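
Added example, not part of the original thread and not Review Board's own code: a small audit of request records against the hostname, scheme and cookie checks listed above. The request records, SITE_URL, ALLOWED_HOSTS values and the finding names are constructed for illustration, and the cookie name assumes Django's default `csrftoken`.

```python
from urllib.parse import urlsplit

# Constructed sample values; the hostnames follow the examples in the checklist.
SITE_URL = "http://reviewboard.example.com/"   # as in Admin UI -> General Settings
ALLOWED_HOSTS = ["reviewboard.example.com"]
SAMPLE_REQUESTS = [
    {"method": "POST", "scheme": "http", "host": "reviewboard.example.com",
     "cookies": {"csrftoken": "constructed"}},
    {"method": "POST", "scheme": "http", "host": "reviewboard",
     "cookies": {"csrftoken": "constructed"}},
    {"method": "POST", "scheme": "https", "host": "reviewboard.example.com:443",
     "cookies": {}},
    {"method": "GET", "scheme": "http", "host": "192.0.2.10", "cookies": {}},
]

def host_allowed(host, allowed_hosts):
    """Match like Django's ALLOWED_HOSTS: '*', exact name, or '.suffix'."""
    for pattern in (p.lower() for p in allowed_hosts):
        if pattern in ("*", host):
            return True
        if pattern.startswith(".") and (host.endswith(pattern) or host == pattern[1:]):
            return True
    return False

def audit(site_url, allowed_hosts, requests, csrf_cookie="csrftoken"):
    """Return (request index, finding) pairs; csrf_cookie is Django's default name."""
    site = urlsplit(site_url)
    findings = []
    for i, req in enumerate(requests):
        host = urlsplit("//" + req["host"]).hostname   # lowercases, drops :port
        if host != site.hostname:
            findings.append((i, "hostname-mismatch"))
        if not host_allowed(host, allowed_hosts):
            findings.append((i, "not-in-allowed-hosts"))
        if req["scheme"] != site.scheme:
            findings.append((i, "scheme-mismatch"))
        if req["method"] == "POST" and csrf_cookie not in req["cookies"]:
            findings.append((i, "missing-csrf-cookie"))
    return findings

if __name__ == "__main__":
    for index, finding in audit(SITE_URL, ALLOWED_HOSTS, SAMPLE_REQUESTS):
        print(f"request {index} ({SAMPLE_REQUESTS[index]['host']}): {finding}")
```

Feeding it the Host header, scheme and cookie names seen by the application (rather than by a proxy in front of it) shows which of the checklist conditions a failing login request violates.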
