"No CSRF value available in the session cookie": Chrome on Samsung, ideas? Nothing changed

Hi all,

Reading this:

and I’ve changed nothing on my side or test devices which all use AppAuth. All of a sudden my own phone is returning this.

I’m running Hydra behind Apache Reverse Proxy with HTTPS / LE and have been for months all fine.

Haven’t changed any settings on the Chrome browser on my mobile. So strange!!!

Thanks.

Rebooted phone and cleared cache etc. in Chrome.

Without details on logs, browser debug information, and other details I won’t be able to help. We haven’t changed things in CSRF though for quite some time. The last change was SameSite cookies.


Yeah, I just change browser. Will investigate again if users report it.

Just hit this again on a fresh Android 11 simulator with an up to date Chrome browser. What info do you need?

Thanks.

On latest hydra.

Hydra logs:

hydra_1          | time="2020-07-29T12:54:32Z" level=info msg="completed handling request" measure#hydra/public: https://authz.testing.co.uk/.latency=5095151 method=GET remote="172.18.0.1:35382" request="/oauth2/auth?redirect_uri=com.testing.talk%3A%2Foauth2redirect&client_id=asd1745-efc-4as3c9323-f1c6885eba5e&response_type=code&login_hint=ghenry%40testing.co.uk&state=QfAb1Frf_kDT-tgMMGaVyA&scope=openid%20offline&code_challenge=Z_H6UNn9JdE9VcaDvJL7H4GBvDsVoRKvyIcz341X1ww&code_challenge_method=S256" status=302 text_status=Found took=5.095151ms
hydra_1          | time="2020-07-29T12:54:32Z" level=info msg="started handling request" method=GET remote="172.18.0.1:37466" request="/oauth2/auth/requests/login?login_challenge=92112c5f0bed40348c7604d8d4a063ab"
hydra_1          | time="2020-07-29T12:54:32Z" level=info msg="completed handling request" measure#hydra/admin: https://authz.testing.co.uk/.latency=1459139 method=GET remote="172.18.0.1:37466" request="/oauth2/auth/requests/login?login_challenge=92112c5f0bed40348c7604d8d4a063ab" status=200 text_status=OK took=1.459139ms
hydra_1          | time="2020-07-29T12:54:37Z" level=info msg="started handling request" method=PUT remote="172.18.0.1:37508" request="/oauth2/auth/requests/login/accept?login_challenge=92112c5f0bed40348c7604d8d4a063ab"
hydra_1          | time="2020-07-29T12:54:37Z" level=info msg="completed handling request" measure#hydra/admin: https://authz.testing.co.uk/.latency=6018886 method=PUT remote="172.18.0.1:37508" request="/oauth2/auth/requests/login/accept?login_challenge=92112c5f0bed40348c7604d8d4a063ab" status=200 text_status=OK took=6.018886ms
hydra_1          | time="2020-07-29T12:54:37Z" level=info msg="started handling request" method=GET remote="172.18.0.1:35382" request="/oauth2/auth?client_id=asd1745-efc-4as3c9323-f1c6885eba5e&code_challenge=Z_H6UNn9JdE9VcaDvJL7H4GBvDsVoRKvyIcz341X1ww&code_challenge_method=S256&login_hint=ghenry%40testing.co.uk&login_verifier=5c84ef04d51348a395f01ceb218bbc41&redirect_uri=com.testing.talk%3A%2Foauth2redirect&response_type=code&scope=openid+offline&state=QfAb1Frf_kDT-tgMMGaVyA"
hydra_1          | time="2020-07-29T12:54:37Z" level=error msg="An error occurred" debug="No CSRF value available in the session cookie" description="The request is not allowed" error=request_forbidden hint="You are not allowed to perform this action."
hydra_1          | time="2020-07-29T12:54:37Z" level=debug msg="Stack trace: \ngithub.com/ory/hydra/consent.validateCsrfSession\n\t/home/ory/consent/helper.go:85\ngithub.com/ory/hydra/consent.(*DefaultStrategy).verifyAuthentication\n\t/home/ory/consent/strategy_default.go:352\ngithub.com/ory/hydra/consent.(*DefaultStrategy).HandleOAuth2AuthorizationRequest\n\t/home/ory/consent/strategy_default.go:970\ngithub.com/ory/hydra/oauth2.(*Handler).AuthHandler\n\t/home/ory/oauth2/handler.go:624\ngithub.com/julienschmidt/httprouter.(*Router).ServeHTTP\n\t/go/pkg/mod/github.com/julienschmidt/[email protected]/router.go:334\ngithub.com/urfave/negroni.Wrap.func1\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:46\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2012\ngithub.com/ory/hydra/x.RejectInsecureRequests.func1\n\t/home/ory/x/tls_termination.go:55\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38\ngithub.com/ory/x/metricsx.(*Service).ServeHTTP\n\t/go/pkg/mod/github.com/ory/[email protected]/metricsx/middleware.go:261\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38\ngithub.com/ory/hydra/metrics/prometheus.(*MetricsManager).ServeHTTP\n\t/home/ory/metrics/prometheus/middleware.go:26\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38\ngithub.com/ory/x/reqlog.(*Middleware).ServeHTTP\n\t/go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:140\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38\ngithub.com/urfave/negroni.(*Negroni).ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:96\nnet/http.serverHandler.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2807\nnet/http.(*conn).serve\n\t/usr/local/go/src/net/http/server.go:1895\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1373"
hydra_1          | time="2020-07-29T12:54:37Z" level=info msg="completed handling request" measure#hydra/public: https://authz.testing.co.uk/.latency=6143421 method=GET remote="172.18.0.1:35382" request="/oauth2/auth?client_id=asd1745-efc-4as3c9323-f1c6885eba5e&code_challenge=Z_H6UNn9JdE9VcaDvJL7H4GBvDsVoRKvyIcz341X1ww&code_challenge_method=S256&login_hint=ghenry%40testing.co.uk&login_verifier=5c84ef04d51348a395f01ceb218bbc41&redirect_uri=com.testing.talk%3A%2Foauth2redirect&response_type=code&scope=openid+offline&state=QfAb1Frf_kDT-tgMMGaVyA" status=302 text_status=Found took=6.143421ms
hydra_1          | time="2020-07-29T12:54:37Z" level=info msg="started handling request" method=GET remote="172.18.0.1:35382" request="/oauth2/fallbacks/error?error=request_forbidden&error_debug=No+CSRF+value+available+in+the+session+cookie&error_description=The+request+is+not+allowed&error_hint=You+are+not+allowed+to+perform+this+action."
hydra_1          | time="2020-07-29T12:54:37Z" level=warning msg="A client requested the default error URL, environment variable OAUTH2_ERROR_URL is probably not set."
hydra_1          | time="2020-07-29T12:54:37Z" level=info msg="completed handling request" measure#hydra/public: https://authz.testing.co.uk/.latency=380714 method=GET remote="172.18.0.1:35382" request="/oauth2/fallbacks/error?error=request_forbidden&error_debug=No+CSRF+value+available+in+the+session+cookie&error_description=The+request+is+not+allowed&error_hint=You+are+not+allowed+to+perform+this+action." status=500 text_status="Internal Server Error" took="380.714µs"

You could try this out by downloading Android Studio:

https://developer.android.com/studio

Then go to Tools -> AVD Manager then Create Virtual Device to create an Android phone. Log in to Play Store with an account, update Chrome and then visit a Hydra backed website/app etc.

Thanks.

Working Android 10 with Firefox:

[29/Jul/2020:15:36:54 +0100] "GET /oauth2/auth?redirect_uri=com.testing.talk%3A%2Foauth2redirect&client_id=9323-f1c6885eba5e&response_type=code&login_hint=ghenry%40testing.co.uk&state=g6Epg6capgPQd3PvwVH7wA&scope=openid%20offline&code_challenge=HzONZ6WZVFTLQgRmpzFXuUeKDnm2OuuykBYIgez_uSU&code_challenge_method=S256 HTTP/1.1" 302 107 "-" "Mozilla/5.0 (Android 10; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0"
[29/Jul/2020:15:36:59 +0100] "GET /oauth2/auth?client_id=9323-f1c6885eba5e&code_challenge=HzONZ6WZVFTLQgRmpzFXuUeKDnm2OuuykBYIgez_uSU&code_challenge_method=S256&login_hint=ghenry%40testing.co.uk&login_verifier=32d29a635cf74e3eabe6124ff9943ae7&redirect_uri=com.testing.talk%3A%2Foauth2redirect&response_type=code&scope=openid+offline&state=g6Epg6capgPQd3PvwVH7wA HTTP/1.1" 302 111 "https://portal.testing.co.uk/login?login_challenge=5f3bc29480944df69ff57136d1f13ac6" "Mozilla/5.0 (Android 10; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0"
[29/Jul/2020:15:36:59 +0100] "GET /oauth2/auth?client_id=9323-f1c6885eba5e&code_challenge=HzONZ6WZVFTLQgRmpzFXuUeKDnm2OuuykBYIgez_uSU&code_challenge_method=S256&consent_verifier=e94b16a44e8e49808487769d72123317&login_hint=ghenry%40testing.co.uk&redirect_uri=com.testing.talk%3A%2Foauth2redirect&response_type=code&scope=openid+offline&state=g6Epg6capgPQd3PvwVH7wA HTTP/1.1" 302 - "https://portal.testing.co.uk/login?login_challenge=5f3bc29480944df69ff57136d1f13ac6" "Mozilla/5.0 (Android 10; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0"
[29/Jul/2020:15:37:00 +0100] "POST /oauth2/token HTTP/1.1" 200 1649 "-" "Dalvik/2.1.0 (Linux; U; Android 10; SM-G970F Build/QP1A.190711.020)"

Android 11, Chrome up to date.

[29/Jul/2020:15:38:02 +0100] "GET /oauth2/auth?redirect_uri=com.testing.talk%3A%2Foauth2redirect&client_id=9323-f1c6885eba5e&response_type=code&login_hint=ghenry%40testing.co.uk&state=IgvZOAhsh8YaCcFw_vnaSw&scope=openid%20offline&code_challenge=ewLWCgvE6rOPKp88r-Oz6y1yMYOq_K_G1Gnr9PR9eXw&code_challenge_method=S256 HTTP/1.1" 302 107 "-" "Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Mobile Safari/537.36"
[29/Jul/2020:15:38:09 +0100] "GET /oauth2/auth?client_id=9323-f1c6885eba5e&code_challenge=ewLWCgvE6rOPKp88r-Oz6y1yMYOq_K_G1Gnr9PR9eXw&code_challenge_method=S256&login_hint=ghenry%40testing.co.uk&login_verifier=61dc1fc565a542eca8ccc8e516ca684d&redirect_uri=com.testing.talk%3A%2Foauth2redirect&response_type=code&scope=openid+offline&state=IgvZOAhsh8YaCcFw_vnaSw HTTP/1.1" 302 268 "https://portal.testing.co.uk/login?login_challenge=06c9086cc29449a3bf055f05d764a668" "Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Mobile Safari/537.36"
[29/Jul/2020:15:38:09 +0100] "GET /oauth2/fallbacks/error?error=request_forbidden&error_debug=No+CSRF+value+available+in+the+session+cookie&error_description=The+request+is+not+allowed&error_hint=You+are+not+allowed+to+perform+this+action. HTTP/1.1" 500 647 "https://portal.testing.co.uk/login?login_challenge=06c9086cc29449a3bf055f05d764a668" "Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Mobile Safari/537.36"

If I switch my default browser to a freshly installed Firefox on the Android 11 device, all is good and works.

Are you using the --dangerous-force-http flag? Chrome rejects cookies with SameSite=none that do not have the secure flag, which is the case when using that option.
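The last reply points at the usual cause of this error: a CSRF cookie set with SameSite=None but without the Secure attribute, which Chrome silently drops, so the follow-up `/oauth2/auth?...login_verifier=...` request arrives with no cookie at all. The following Go program is an added example, not code from the thread or from Ory Hydra; it issues a CSRF cookie the way a server would when it believes it is (or is not) behind TLS, and lints the resulting Set-Cookie header for that one Chrome rule. The cookie name `csrf_example` and the `lintSetCookie` helper are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// lintSetCookie inspects one Set-Cookie header value and reports whether a
// current Chrome would keep it. Only the rule discussed in the thread is
// encoded: SameSite=None is honoured solely when Secure is also present.
func lintSetCookie(header string) (ok bool, reason string) {
	sameSite := ""
	secure := false
	attrs := strings.Split(header, ";")
	for _, a := range attrs[1:] { // attrs[0] is name=value
		a = strings.TrimSpace(a)
		switch {
		case strings.EqualFold(a, "Secure"):
			secure = true
		case len(a) > 9 && strings.EqualFold(a[:9], "SameSite="):
			sameSite = strings.ToLower(strings.TrimSpace(a[9:]))
		}
	}
	if sameSite == "none" && !secure {
		return false, "SameSite=None without Secure: Chrome discards this cookie"
	}
	return true, "accepted"
}

// issueCSRFCookie mimics an authorization server setting its CSRF cookie.
// The cookie must be SameSite=None because the browser returns to the
// server from a different site (the login app); the Secure flag is only
// set when the server knows the request was served over TLS. Serving over
// plain HTTP (as with --dangerous-force-http) is the tlsTerminated=false case.
func issueCSRFCookie(tlsTerminated bool) string {
	rec := httptest.NewRecorder()
	http.SetCookie(rec, &http.Cookie{
		Name:     "csrf_example", // constructed name, not Hydra's
		Value:    "constructed-csrf-token",
		Path:     "/",
		HttpOnly: true,
		Secure:   tlsTerminated,
		SameSite: http.SameSiteNoneMode,
	})
	return rec.Header().Get("Set-Cookie")
}

func main() {
	for _, tls := range []bool{false, true} {
		h := issueCSRFCookie(tls)
		ok, why := lintSetCookie(h)
		fmt.Printf("tlsTerminated=%v\n  %s\n  ok=%v (%s)\n", tls, h, ok, why)
	}
}
```

Run the program to see the two headers side by side: the plain-HTTP variant carries `SameSite=None` without `Secure` and is flagged, the TLS variant passes. The practical check on a live deployment is the same: capture the Set-Cookie header from the first `/oauth2/auth` redirect in the browser's devtools and confirm both attributes are present; if `Secure` is missing, the server is not being told it is behind TLS.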