CSRF errors on logging into OMERO with Chrome and Firefox

Occasionally Firefox and Chrome users cannot login to our OMERO server and receive an error message that looks like this:

CSRF Error. You need to include valid CSRF tokens for any POST, PUT, PATCH or DELETE operations. You have to include CSRF token in the POST data or add the token to the HTTP header.

Has anyone else seen this? I have been offering users suggestions for clearing their browser cache and deleting any omero cookies or csrf tokens. This helps sometimes. Usually people switch to Safari when trying to fix the browser fails to resolve the problem.

What I would really like is to find the root cause of this and fix it permanently, if possible. I would appreciate any suggestions for how to troubleshoot and fix this.

Thank you!

Jay

Hi Jay,

The login form (and any other form that modifies data) includes an input like this:

<input type="hidden" name="csrfmiddlewaretoken" value="NhDkNNCgDiJG3S8lZFnI1WCWXp0DVIES">

where the value is linked to the current OMERO.web (Django) session, to protect against CSRF attacks (see https://docs.djangoproject.com/en/2.2/ref/csrf/).

For some reason, your users must have stale CSRF tokens in their login forms but I don’t have any clear ideas of how this might be happening. I’m not aware of reports from other users seeing this issue. I wouldn’t think that this would be cached in the browser since the token is within the html form and would be loaded afresh when you visit or refresh the login page.

If any other users have seen this problem it would be great to hear about since it might shed some light on possible causes.

Apologies I can’t be more helpful,
Regards,

Will.

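To make the mechanism Will describes concrete, here is an added example (not OMERO.web's or Django's own code) that re-implements the Django 2.2 token masking behind the csrfmiddlewaretoken field and uses it to check whether a form token actually belongs to a given csrftoken cookie, which is the check that produces the error Jay's users see. The secret and salt lengths mirror Django 2.2 as an assumption; the login-page HTML and cookie values are constructed for the demo, and an admin could feed it a saved copy of the login page plus the cookie value a user reports.

```python
import hmac
import secrets
import string
from html.parser import HTMLParser

# django.middleware.csrf (2.2): a 32-char secret masked with a random 32-char salt;
# the resulting 64-char token is what the csrftoken cookie and the form field carry.
CHARS = string.ascii_letters + string.digits
SECRET_LEN = 32
def rand_chars():
    return "".join(secrets.choice(CHARS) for _ in range(SECRET_LEN))
def mask(secret):
    """salt + (secret shifted by salt): each masking of one secret looks different."""
    salt = rand_chars()
    return salt + "".join(CHARS[(CHARS.index(x) + CHARS.index(y)) % len(CHARS)]
                          for x, y in zip(secret, salt))
def unmask(token):
    salt, cipher = token[:SECRET_LEN], token[SECRET_LEN:]
    return "".join(CHARS[(CHARS.index(x) - CHARS.index(y)) % len(CHARS)]
                   for x, y in zip(cipher, salt))

class _TokenExtractor(HTMLParser):
    """Pulls the csrfmiddlewaretoken hidden input out of a rendered login page."""
    def __init__(self):
        super().__init__()
        self.token = None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == "csrfmiddlewaretoken":
            self.token = a.get("value")
def form_token_from_html(html):
    p = _TokenExtractor()
    p.feed(html)
    return p.token
def diagnose(cookie_token, login_page_html):
    """Verdict on one failed login: does the form's token belong to the csrftoken cookie?"""
    form_token = form_token_from_html(login_page_html)
    if form_token is None:
        return "no csrfmiddlewaretoken in form"
    if len(cookie_token or "") != 2 * SECRET_LEN or len(form_token) != 2 * SECRET_LEN:
        return "malformed token"
    if hmac.compare_digest(unmask(cookie_token), unmask(form_token)):
        return "ok"
    return "stale: form token and cookie unmask to different secrets"
def demo():
    """Constructed scenario: page rendered under secret A, cookie later rotated to B."""
    secret_a, secret_b = rand_chars(), rand_chars()
    page = '<form><input type="hidden" name="csrfmiddlewaretoken" value="%s"></form>' % mask(secret_a)
    return {"fresh": diagnose(mask(secret_a), page), "rotated": diagnose(mask(secret_b), page)}
```

The "rotated" case is the situation Will suspects: a login form rendered earlier (or served from a cache) carries a token tied to a secret the current cookie no longer holds, so the two unmask differently and Django rejects the POST.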