Invalid CSRF token

SuiteCRM Forum - English Language Installation & Upgrade Help
#1

Hello,

My SuiteCRM stack is:

  • Operating System: Windows Server 2019 Std 1809 (latest updates)
  • Web Server: Apache 2.4.54 (Win64)
  • PHP: 8.0.23
  • Database: MariaDB 10.4.25
  • HTTPS (self-signed)
  • SuiteCRM: 8.2.0

While working with SuiteCRM, I get errors of type: Invalid CSRF token. It is a POST 403 graphql problem according to the browser’s tools. Network scanning reveals that Requested Cookie is NOT the one that Response sends back! Log file more or less say the same:
[prod.log]:
request.ERROR: Uncaught PHP Exception Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException: “Invalid CSRF token” at C:\xampp\htdocs

Upon browser refreshing a couple of times, everything is ok until next time.

image
image974×100 40.6 KB

image

image
image588×754 100 KB

Any ideas?

Thank you in advance,

George

#2

I also get this error with SuiteCRM 8.2.0. SuiteCRM have to be reloaded to work again. I can find the following error message in logs/prod/prod.log:

[2022-11-02 10:35:36] request.INFO: Matched route "api_graphql_entrypoint". {"route":"api_graphql_entrypoint","route_parameters":{"_route":"api_graphql_entrypoint","_controller":"api_platform.graphql.action.entrypoint","_graphql":true},"request_uri":"https://subdomain.example.com/api/graphql","method":"POST"} []
[2022-11-02 10:35:36] request.ERROR: Uncaught PHP Exception Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException: "Invalid CSRF token" at /usr/www/users/xxxxxxxx/subdomain.example.com/core/backend/Security/CSRFValidationListener.php line 96 {"exception":"[object] (Symfony\\Component\\HttpKernel\\Exception\\AccessDeniedHttpException(code: 0): Invalid CSRF token at /usr/www/users/xxxxxxxx/subdomain.example.com/core/backend/Security/CSRFValidationListener.php:96)"} []
#3

We have the same behaviour. Did you solve it in the meantime?
Bitnami Docker:

  • PHP 8.0.25
  • Apache/2.4.54 (Unix)
  • SuiteCRM 8.2
#4

Hello,

For the moment, I did what is wrong and NOT suggested for production environments.

I edited file \core\backend\Security\CSRFValidationListener.php and abandoned line 96 that throws the error:

$value = $event->getRequest()->headers->get($this->headerName);
if (!$value || !$this->csrfTokenManager->isTokenValid($value)) {
return;
}

But, I still consider the ticket open and I am investigating for a solution.

Regards,

George

1 Like
/api/graphql: 403 Forbidden
#5

Update to 8.2.1 did nit resolve the issue… :smiling_face_with_tear:

I feel irritated that there are not more admins facing this issue, which is massive from my perspective. Core hack should be not a solution…

#6

Hello! did you open an issue at github? If not, I suggest to open a ticket to the issue tracker of the repository.

#7

I just created one: Invalid CSRF token · Issue #180 · salesagility/SuiteCRM-Core · GitHub

#8

Hello. After migrating from 7.12.8 to 8. I’m in the same behavior. Modifying onKernelRequest allows access but no menus. In short, it is not usable from the app. Any suggestions?

#9

Core hack above works for us. We created a patch for that.

#10

We were facing similar issue, in our case issue was cached files.
After clearing cache files as shown below

rm -rf cache
rm -rf public/legacy/cache

It started working :slight_smile:

#11

Hi all!

Invalid CSRF token · Issue #180 · salesagility/SuiteCRM-Core · GitHub was closed recently with the launch of 8.2.3 version. So everyone is welcome to test it.

Cheers!

2 Likes