Suite8 Graphle Error 403 Forbidden - XSRF-TOKEN = Lax

Hi All…

Desperately looking for some help. Have spent countless hours trying to find a solution and have not been able to. I have read probably every similar report, plus multiple other sources to try and find a solution.
This includes reviewing the Symfony documentation as well, and which is where I believe the issue possibly lies. Framework Configuration Reference (FrameworkBundle) (Symfony 5.x Docs)

I am upgrading from Suite7 to Suite 8.
In Suite 7, this was working.
I am embedding SuiteCRM URL as an iframe in a remote web page so that users have access to crm data from a single page.
When I do this in Suite7 it is working, but with Suite8, the browser complains about XSRF-TOKEN being blocked due to the cookie set as Lax, but I have set pretty much every reference I can find to "none.
According to the Symfony documentation when using PHP samesite cookie settings, the value should be set to Null, which I modified in the respective /config/packages/framework + nelmio yaml files.
This does not seem to affect anything.
I have also tried setting them to none with no changed.
I also followed the Session Directory guide and created a custom directory in extensions, following the example on the site for directory path and set the framework.yaml to alos be none or null based on the respective test.

No luck.

I then created and added an info.php file and placed it in my directory, and was able to successfully connect to while embedded in the iframe, so I feel confident that apache is not impacting this.

I suspect that the issue is likely buried somewhere in a symfony setting, or the version of Symfony (which is outdated) has a bug and it is not properly respecting the SameSite= None setting.
I took a snapshot of the server and then tried to do a symfony update including the available packages but on the plus side the page started being displayed in the iframe… unfortunately though it was pretty much there to tell me that the page was broken with missing config files etc.
When I looked at the composer.json, it also referenced that PHP7.4 was required (I believe for Symfony) but Suite8 required 8+.

As a side note, when I connect directly to SuiteCRM8, using the browser developer tools, there are multiple references to same site attribute settings being set to Lax for “ck_login” but because it is a same as origin it’s being allowed.
Apache has a header setting for samesite = none and I have verified that it is being correctly set. PHPSSEID is also setting the samesite=none…
But there are still references to samesite=lax both direct and via iframe.

My environment is Ubuntu 22.04, Apache2, PHP (both 7.4 and 8.2 are installed but Apache is configure to use 8.2). SuiteCRM is 8.5.1 (latest).

If there are any suggestions, please I am all ears. I have been working on this since early last week and I need to get it resolved. Hopefully the image works… Thanks

As an Update:

I managed to get this working both from iframe as well as direct connection. I believe there is an issue with the CSRFCookieListener.php file which is where I worked around the problem.

I am not a developer nor do I understand PHP code, however while troubleshooting, I was reading an article that referenced the need to define a $event->getResponse that would contain the trusted URL’s in order to define the appropriate cookie. I didn’t see that in the php file but honestly I don’t know what i am looking for. Is this not something that would get picked up from the config. I have the trusted sites defined in the config.php

However for now, by way of a workaround, I discovered that line 130 has a setting Cookie::SAMESITE_LAX.
Change this to SAMESITE_NONE.
This will set the cookie in both 3rd party cross-site iframe and 1st party cookie to None.
I will add that I also made changes to the vendor/symfony/http-foundation/Cookie.php and changed the following values as seen below

 $data = [
           'secure' => true,
            'samesite' => 'none',
            'partitioned' => true,

The problem will become that an upgrade will break this again unless it gets addressed.

Does anyone have any experience or thoughts on the issue or perhaps what I may be configuring incorrectly ?


You could post issues on the GitHub. But first check if we have similar issue on it or not.


I am using suitecrm 8.6 , I dont see anything related to the code near line 130, Which lines in Cookie.php was this found?

I am using Suite 8.5 but Line 130 was in CSRFCookieListener.php…
I mentioned I had also made a change to the Cookie.php file in the section mentioned in the post. I don’t know how relevant it was. Once I had things working I left it alone, but if you search inside /vendor/symfony/http-foundation/Cookie.php for ‘samesite’ you should find it in the $data section starting around line 47. It is probably set to Lax, and you change it to ‘none’ (must be in quotes)

Thanks for the answer, how did you add your site as a trusted site in the config.php file?
In suitecrm 8.6, ive made the changes you made… line 130 to csrfcookie + cookie.php file but i keep getting a blank screen, i tried clearing the cach with php console clear:cache , but i still get a blank screen…

In your sites directory (/public/legacy), you have the option of modifying the config.php or you can cerate a config_override.php. You will have an entry similar to the below which you should be able to search for and locate.
‘http_referer’ =>
array (
‘actions’ =>
array (
0 => ‘index’,
1 => ‘ListView’,
2 => ‘DetailView’,
3 => ‘EditView’,
4 => ‘oauth’,
5 => ‘authorize’,
6 => ‘Authenticate’,
7 => ‘Login’,
8 => ‘SupportPortal’,
9 => ‘UnifiedSearch’,
‘list’ =>
array (
0 => ‘*’,

But that isn’t necessarily all you need to do. You still have to allow access by specifying CORS rules within your Web Server settings as well which is outside of suitecrm configuration. That wouldn’t be included here, because that is more web server specific depending on you backend web server that you may be using i.e. Apache2 or NGINX.

Here is an example from my site which is running Apache2. The commands are similar to NGINX but generally formatted differently. I have it in the Conf file for the SuiteCRM virtual host, in the following section. Leave the Strict Transport section commented out until you know you have things working.
There are quite a few examples on options / formats that you can use doing a google search. But what I have below works for me…

           DocumentRoot /mnt/HDD2/www/suitecrm8/public
            <Directory /mnt/HDD2/www/suitecrm8/public>
    AllowOverride All
    Require all granted
    Order Allow,Deny
 Header always set X-Frame-Options "ALLOW-FROM"
Header set Content-Security-Policy: "frame-ancestors 'self' *"

Header set Strict-Transport-Security: ‘max-age=31536000 ; includeSubDomains’

Header set Access-Control-Allow-Origin
Header set Access-Control-Allow-Credentials: true
Header set X-Permitted-Cross-Domain-Policies: all
Header set Cross-Origin-Resource-Policy: cross-origin
Header set X-XSS-Protection: 0

Hope that Helps you… its a bit of trial and error getting the Headers right.

1 Like