"No CSRF value available in the session cookie": Chrome on Samsung, ideas? Nothing changed

ghenry · July 15, 2020, 3:13pm

Hi all,

Reading this:

and I’ve changed nothing on my side or test devices which all use AppAuth. All of a sudden my own phone is returning this.

I’m running Hydra behind Apache Reverse Proxy with HTTPS / LE and have been for months all fine.

Haven’t changed any settings on the Chrome browser on my mobile. So strange!!!

Thanks.

ghenry · July 15, 2020, 3:13pm

Rebooted phone and cleared cache etc. in Chrome.

hackerman · August 14, 2020, 1:22pm

Without details on logs, browser debug information, and other details I won’t be able to help. We haven’t changed things in CSRF though for quite some time. The last change was SameSite cookies

ghenry · July 17, 2020, 11:22am

Yeah, I just change browser. Will investigate again if users report it.

ghenry · July 29, 2020, 12:54pm

Just hit this again on a fresh Android 11 simulator with an up to date Chrome browser. What info do you need?

Thanks.

ghenry · July 29, 2020, 12:54pm

On latest hydra.

ghenry · July 29, 2020, 12:57pm

Hydra logs:

hydra_1          | time="2020-07-29T12:54:32Z" level=info msg="completed handling request" measure#hydra/public: https://authz.testing.co.uk/.latency=5095151 method=GET remote="172.18.0.1:35382" request="/oauth2/auth?redirect_uri=com.testing.talk%3A%2Foauth2redirect&client_id=asd1745-efc-4as3c9323-f1c6885eba5e&response_type=code&login_hint=ghenry%40testing.co.uk&state=QfAb1Frf_kDT-tgMMGaVyA&scope=openid%20offline&code_challenge=Z_H6UNn9JdE9VcaDvJL7H4GBvDsVoRKvyIcz341X1ww&code_challenge_method=S256" status=302 text_status=Found took=5.095151ms
hydra_1          | time="2020-07-29T12:54:32Z" level=info msg="started handling request" method=GET remote="172.18.0.1:37466" request="/oauth2/auth/requests/login?login_challenge=92112c5f0bed40348c7604d8d4a063ab"
hydra_1          | time="2020-07-29T12:54:32Z" level=info msg="completed handling request" measure#hydra/admin: https://authz.testing.co.uk/.latency=1459139 method=GET remote="172.18.0.1:37466" request="/oauth2/auth/requests/login?login_challenge=92112c5f0bed40348c7604d8d4a063ab" status=200 text_status=OK took=1.459139ms
hydra_1          | time="2020-07-29T12:54:37Z" level=info msg="started handling request" method=PUT remote="172.18.0.1:37508" request="/oauth2/auth/requests/login/accept?login_challenge=92112c5f0bed40348c7604d8d4a063ab"
hydra_1          | time="2020-07-29T12:54:37Z" level=info msg="completed handling request" measure#hydra/admin: https://authz.testing.co.uk/.latency=6018886 method=PUT remote="172.18.0.1:37508" request="/oauth2/auth/requests/login/accept?login_challenge=92112c5f0bed40348c7604d8d4a063ab" status=200 text_status=OK took=6.018886ms
hydra_1          | time="2020-07-29T12:54:37Z" level=info msg="started handling request" method=GET remote="172.18.0.1:35382" request="/oauth2/auth?client_id=asd1745-efc-4as3c9323-f1c6885eba5e&code_challenge=Z_H6UNn9JdE9VcaDvJL7H4GBvDsVoRKvyIcz341X1ww&code_challenge_method=S256&login_hint=ghenry%40testing.co.uk&login_verifier=5c84ef04d51348a395f01ceb218bbc41&redirect_uri=com.testing.talk%3A%2Foauth2redirect&response_type=code&scope=openid+offline&state=QfAb1Frf_kDT-tgMMGaVyA"
hydra_1          | time="2020-07-29T12:54:37Z" level=error msg="An error occurred" debug="No CSRF value available in the session cookie" description="The request is not allowed" error=request_forbidden hint="You are not allowed to perform this action."
hydra_1          | time="2020-07-29T12:54:37Z" level=debug msg="Stack trace: \ngithub.com/ory/hydra/consent.validateCsrfSession\n\t/home/ory/consent/helper.go:85\ngithub.com/ory/hydra/consent.(*DefaultStrategy).verifyAuthentication\n\t/home/ory/consent/strategy_default.go:352\ngithub.com/ory/hydra/consent.(*DefaultStrategy).HandleOAuth2AuthorizationRequest\n\t/home/ory/consent/strategy_default.go:970\ngithub.com/ory/hydra/oauth2.(*Handler).AuthHandler\n\t/home/ory/oauth2/handler.go:624\ngithub.com/julienschmidt/httprouter.(*Router).ServeHTTP\n\t/go/pkg/mod/github.com/julienschmidt/[email protected]/router.go:334\ngithub.com/urfave/negroni.Wrap.func1\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:46\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2012\ngithub.com/ory/hydra/x.RejectInsecureRequests.func1\n\t/home/ory/x/tls_termination.go:55\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38\ngithub.com/ory/x/metricsx.(*Service).ServeHTTP\n\t/go/pkg/mod/github.com/ory/[email protected]/metricsx/middleware.go:261\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38\ngithub.com/ory/hydra/metrics/prometheus.(*MetricsManager).ServeHTTP\n\t/home/ory/metrics/prometheus/middleware.go:26\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38\ngithub.com/ory/x/reqlog.(*Middleware).ServeHTTP\n\t/go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:140\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38\ngithub.com/urfave/negroni.(*Negroni).ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:96\nnet/http.serverHandler.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2807\nnet/http.(*conn).serve\n\t/usr/local/go/src/net/http/server.go:1895\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1373"
hydra_1          | time="2020-07-29T12:54:37Z" level=info msg="completed handling request" measure#hydra/public: https://authz.testing.co.uk/.latency=6143421 method=GET remote="172.18.0.1:35382" request="/oauth2/auth?client_id=asd1745-efc-4as3c9323-f1c6885eba5e&code_challenge=Z_H6UNn9JdE9VcaDvJL7H4GBvDsVoRKvyIcz341X1ww&code_challenge_method=S256&login_hint=ghenry%40testing.co.uk&login_verifier=5c84ef04d51348a395f01ceb218bbc41&redirect_uri=com.testing.talk%3A%2Foauth2redirect&response_type=code&scope=openid+offline&state=QfAb1Frf_kDT-tgMMGaVyA" status=302 text_status=Found took=6.143421ms
hydra_1          | time="2020-07-29T12:54:37Z" level=info msg="started handling request" method=GET remote="172.18.0.1:35382" request="/oauth2/fallbacks/error?error=request_forbidden&error_debug=No+CSRF+value+available+in+the+session+cookie&error_description=The+request+is+not+allowed&error_hint=You+are+not+allowed+to+perform+this+action."
hydra_1          | time="2020-07-29T12:54:37Z" level=warning msg="A client requested the default error URL, environment variable OAUTH2_ERROR_URL is probably not set."
hydra_1          | time="2020-07-29T12:54:37Z" level=info msg="completed handling request" measure#hydra/public: https://authz.testing.co.uk/.latency=380714 method=GET remote="172.18.0.1:35382" request="/oauth2/fallbacks/error?error=request_forbidden&error_debug=No+CSRF+value+available+in+the+session+cookie&error_description=The+request+is+not+allowed&error_hint=You+are+not+allowed+to+perform+this+action." status=500 text_status="Internal Server Error" took="380.714µs"

ghenry · July 29, 2020, 2:07pm

You could try this out by downloading Android Studio:

https://developer.android.com/studio

Then go to Tools -> AVD Manager then Create Virtual Device to create an Android phone. Log in to Play Store with an account, update Chrome and then visit a Hydra backed website/app etc.

Thanks.

ghenry · July 29, 2020, 2:43pm

Working Android 10 with Firefox:

[29/Jul/2020:15:36:54 +0100] "GET /oauth2/auth?redirect_uri=com.testing.talk%3A%2Foauth2redirect&client_id=9323-f1c6885eba5e&response_type=code&login_hint=ghenry%40testing.co.uk&state=g6Epg6capgPQd3PvwVH7wA&scope=openid%20offline&code_challenge=HzONZ6WZVFTLQgRmpzFXuUeKDnm2OuuykBYIgez_uSU&code_challenge_method=S256 HTTP/1.1" 302 107 "-" "Mozilla/5.0 (Android 10; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0"
[29/Jul/2020:15:36:59 +0100] "GET /oauth2/auth?client_id=9323-f1c6885eba5e&code_challenge=HzONZ6WZVFTLQgRmpzFXuUeKDnm2OuuykBYIgez_uSU&code_challenge_method=S256&login_hint=ghenry%40testing.co.uk&login_verifier=32d29a635cf74e3eabe6124ff9943ae7&redirect_uri=com.testing.talk%3A%2Foauth2redirect&response_type=code&scope=openid+offline&state=g6Epg6capgPQd3PvwVH7wA HTTP/1.1" 302 111 "https://portal.testing.co.uk/login?login_challenge=5f3bc29480944df69ff57136d1f13ac6" "Mozilla/5.0 (Android 10; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0"
[29/Jul/2020:15:36:59 +0100] "GET /oauth2/auth?client_id=9323-f1c6885eba5e&code_challenge=HzONZ6WZVFTLQgRmpzFXuUeKDnm2OuuykBYIgez_uSU&code_challenge_method=S256&consent_verifier=e94b16a44e8e49808487769d72123317&login_hint=ghenry%40testing.co.uk&redirect_uri=com.testing.talk%3A%2Foauth2redirect&response_type=code&scope=openid+offline&state=g6Epg6capgPQd3PvwVH7wA HTTP/1.1" 302 - "https://portal.testing.co.uk/login?login_challenge=5f3bc29480944df69ff57136d1f13ac6" "Mozilla/5.0 (Android 10; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0"
[29/Jul/2020:15:37:00 +0100] "POST /oauth2/token HTTP/1.1" 200 1649 "-" "Dalvik/2.1.0 (Linux; U; Android 10; SM-G970F Build/QP1A.190711.020)"

Android 11, Chrome up to date.

[29/Jul/2020:15:38:02 +0100] "GET /oauth2/auth?redirect_uri=com.testing.talk%3A%2Foauth2redirect&client_id=9323-f1c6885eba5e&response_type=code&login_hint=ghenry%40testing.co.uk&state=IgvZOAhsh8YaCcFw_vnaSw&scope=openid%20offline&code_challenge=ewLWCgvE6rOPKp88r-Oz6y1yMYOq_K_G1Gnr9PR9eXw&code_challenge_method=S256 HTTP/1.1" 302 107 "-" "Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Mobile Safari/537.36"
[29/Jul/2020:15:38:09 +0100] "GET /oauth2/auth?client_id=9323-f1c6885eba5e&code_challenge=ewLWCgvE6rOPKp88r-Oz6y1yMYOq_K_G1Gnr9PR9eXw&code_challenge_method=S256&login_hint=ghenry%40testing.co.uk&login_verifier=61dc1fc565a542eca8ccc8e516ca684d&redirect_uri=com.testing.talk%3A%2Foauth2redirect&response_type=code&scope=openid+offline&state=IgvZOAhsh8YaCcFw_vnaSw HTTP/1.1" 302 268 "https://portal.testing.co.uk/login?login_challenge=06c9086cc29449a3bf055f05d764a668" "Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Mobile Safari/537.36"
[29/Jul/2020:15:38:09 +0100] "GET /oauth2/fallbacks/error?error=request_forbidden&error_debug=No+CSRF+value+available+in+the+session+cookie&error_description=The+request+is+not+allowed&error_hint=You+are+not+allowed+to+perform+this+action. HTTP/1.1" 500 647 "https://portal.testing.co.uk/login?login_challenge=06c9086cc29449a3bf055f05d764a668" "Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Mobile Safari/537.36"

ghenry · July 29, 2020, 3:23pm

If I switch my default browser to a freshly installed Firefox on the Android 11 device, all is good and works.

hackerman · August 14, 2020, 1:22pm

Are you using the --dangerous-force-http flag? Chrome rejects cookies with SameSite=none that do not have the secure flag, which is the case when using that option.

ghenry · August 14, 2020, 1:23pm

Yeah, I see in v1.7.0 this is mentioned. I’ll remove that and re-test as Firefox is next.

Thanks and apologies for not coming back sooner.

hackerman · August 14, 2020, 1:51pm

No problem, glad we were able to get to the root of the problem!

ghenry · August 14, 2020, 1:53pm

Chome is working fine now. Great. Still have http on though, but not in production yet.