No CSRF value available in the session cookie

Hi,

I got an error when trying to set up Hydra with my login page. I even tried it with the hydra-login-consent-node demo, and the same issue occurred.

time="2018-10-02T02:27:01Z" level=info msg="started handling request" method=GET remote="172.18.0.1:44734" request="/oauth2/auth?client_id=d0a5928b-47e3-4f72-9c02-b2d95887da6f&login_verifier=9861d23bbabe4ee1968975cdfbb5f6c5&redirect_uri=http%3A%2F%2Flocalhost%3A9020%2Fcallback&response_type=code&scope=&state=1234567890"
time="2018-10-02T02:27:01Z" level=error msg="An error occurred" debug="No CSRF value available in the session cookie" description="The request is not allowed" error=request_forbidden hint="You are not allowed to perform this action."

I only added a callback page to the demo code, as below:

var callback = require('./routes/callback'); // route handler for the client's redirect_uri (/callback)
app.use('/callback', callback);

I tried with Hydra 1.0.0-beta.9:

hydra version
Version:    v1.0.0-beta.9
Git Hash:   f359d0809badec1219d4678afe54ae628b0bdf70
Build Time: 2018-09-19T03:41:54Z

and started Hydra with the command below:

SYSTEM_SECRET=$(export LC_CTYPE=C; cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1) \
DATABASE_URL=memory \
OAUTH2_ISSUER_URL=http://localhost:4444/ \
OAUTH2_CONSENT_URL=http://localhost:3000/consent \
OAUTH2_LOGIN_URL=http://localhost:3000/login \
hydra serve --dangerous-force-http all

Please help.
Thank you in advance.

oh got it…

It's my own fault. I generated the login_challenge URL using Postman but triggered it and ran the login page in Chrome, so the oauth2_authentication_csrf cookie was not generated in Chrome.

my bad.

kayrules: I have the same issue.

debug="No CSRF value available in the session cookie" description="The request is not allowed" error=request_forbidden hint="You are not allowed to perform this action."

And then how can you generate the oauth2_authentication_csrf cookie in Chrome?

In quickstart.yaml the redirect URIs are all 127.0.0.1:3000, so you need to start the flow by calling http://127.0.0.1:4444/oauth2/auth?response_type=code&and=so-on. If you use http://localhost:4444/oauth2/token, then the cookie is stored for the wrong domain to use in the latter step. This was the cause of this issue for me.
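Both explanations in this thread (the Postman-vs-Chrome mix-up above and the 127.0.0.1-vs-localhost one) come down to the same thing: the oauth2_authentication_csrf cookie is stored per browser and per host name, and the login_verifier request must come from the same cookie store and the same host name that received the first /oauth2/auth response. The script below is an added illustration, not code from Hydra or hydra-login-consent-node; it stands Python's http.cookiejar.CookieJar in for the browser's cookie store, and the host names, cookie value and Set-Cookie attributes it uses are constructed for the example.

```python
"""Cookie-scope illustration for the 127.0.0.1 vs localhost mix-up.

Added example for this thread (not Hydra's or hydra-login-consent-node's code).
A CookieJar plays the browser's cookie store: the first /oauth2/auth response
sets oauth2_authentication_csrf for whatever host name the browser used; if the
login_verifier request goes to a different host name (or comes from a different
client, i.e. a different jar), nothing is sent and Hydra reports
"No CSRF value available in the session cookie".
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

CSRF_COOKIE = "oauth2_authentication_csrf"  # cookie name quoted in the thread


class FakeResponse:
    """Minimal stand-in for the response object CookieJar.extract_cookies expects."""

    def __init__(self, set_cookie_header: str) -> None:
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self) -> Message:
        return self._headers


def start_flow(jar: CookieJar, issuer_host: str) -> None:
    """Simulate the browser opening /oauth2/auth on issuer_host and Hydra setting
    the CSRF cookie. No Domain attribute is given, so the cookie is host-only,
    exactly the situation that makes 127.0.0.1 and localhost differ."""
    request = Request(f"http://{issuer_host}:4444/oauth2/auth?response_type=code&client_id=x")
    response = FakeResponse(f"{CSRF_COOKIE}=constructed-value; Path=/; HttpOnly")  # constructed
    jar.extract_cookies(response, request)


def csrf_cookie_sent(jar: CookieJar, url: str) -> bool:
    """Would this cookie store attach the CSRF cookie to a request for url?"""
    request = Request(url)
    jar.add_cookie_header(request)
    return CSRF_COOKIE in request.get_header("Cookie", "")


def verifier_step_ok(start_host: str, verifier_host: str) -> bool:
    """True if the login_verifier request reaches Hydra with the CSRF cookie,
    i.e. the flow was started and completed on the same host name in one browser."""
    jar = CookieJar()
    start_flow(jar, start_host)
    return csrf_cookie_sent(
        jar, f"http://{verifier_host}:4444/oauth2/auth?login_verifier=placeholder"
    )


def verifier_from_other_client_ok(start_host: str) -> bool:
    """The Postman-then-Chrome case: the flow is started in one client (one jar)
    and the verifier request is made from a fresh client (an empty jar)."""
    postman_jar = CookieJar()
    start_flow(postman_jar, start_host)
    chrome_jar = CookieJar()  # never saw Hydra's Set-Cookie
    return csrf_cookie_sent(
        chrome_jar, f"http://{start_host}:4444/oauth2/auth?login_verifier=placeholder"
    )


if __name__ == "__main__":
    for start, back in [("127.0.0.1", "127.0.0.1"), ("127.0.0.1", "localhost"),
                        ("localhost", "localhost"), ("localhost", "127.0.0.1")]:
        print(f"start on {start:9} -> verifier on {back:9}: cookie sent = {verifier_step_ok(start, back)}")
    print(f"start in one client, verify from another: cookie sent = {verifier_from_other_client_ok('127.0.0.1')}")
```

The practical check this suggests: compare the host in the browser's address bar when the flow starts with the host in the redirect Hydra sends back, and make sure the whole flow (start, login page, verifier redirect) happens in the same browser session.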

Have you seen https://www.ory.sh/hydra/docs/debugging#i-am-running-into-csrf-issues ?