Defect #16895
Closed
Can't verify CSRF token authenticity on IE9 with Alias
Description
Dear Redmine team,
I have a strange behavior/issue during the user connection with IE9 (not tested on other IE versions) when I use the alias, but it's OK with the hostname.
I have an LDAP connection to an AD directory.
No issue with other web browsers like Firefox or Chrome (alias and hostname OK).
Only one plugin, and no change if I remove it.
- Environment:
Redmine version 2.5.1.stable
Ruby version 1.9.3-p484 (2013-11-22) [x86_64-linux]
Rails version 3.2.17
Environment production
Database adapter Mysql2
SCM:
Subversion 1.6.11
Filesystem
Redmine plugins:
redmine_issue_templates 0.0.8
- Web access: Alias & HTTPS
- Apache conf:
Two virtual hosts for Redmine, and the same behavior for each one
<VirtualHost *:443>
    ServerName UCC_redmine.XXX.corp:443
    DocumentRoot /home/apache/html/redmine-2.5.1/public/
    <Directory "/home/apache/html/redmine-2.5.1/public/">
        Options Indexes ExecCGI FollowSymLinks
        Order allow,deny
        Allow from all
        AllowOverride all
    </Directory>
    ErrorLog /var/log/httpd/redmine_ssl_error.log
    TransferLog /var/log/httpd/redmine_ssl_access.log
    CustomLog /var/log/httpd/redmine_ssl_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    LogLevel info
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /home/apache/html/redmine-2.5.1/config/cert/UCC_redmine.XXX.corp.crt
    SSLCertificateKeyFile /home/apache/html/redmine-2.5.1/config/cert/UCC_redmine.XXX.corp.key
</VirtualHost>
- Logs:
IE - hostname - OK
Started POST "/login" for @IPUSER at 2014-05-15 17:54:32 +0200
Processing by AccountController#login as HTML
Parameters: {"utf8"=>"â", "authenticity_token"=>"6EoJDRXhaE9kXwqD1W+POIhu49K6o+jjW+8aS45C0CU=", "back_url"=>"https://m01a8-fript02/", "username"=>"USERID", "password"=>"[FILTERED]", "login"=>"Connexion »"}
Current user: anonymous
Successful authentication for 'USERID' from @IPUSER at 2014-05-15 15:54:33 UTC
Redirected to https://m01a8-fript02/
Completed 302 Found in 211.2ms (ActiveRecord: 4.2ms)
IE - Alias - KO
Started POST "/login" for @IPUSER at 2014-05-15 17:57:27 +0200
Processing by AccountController#login as HTML
Parameters: {"utf8"=>"â", "authenticity_token"=>"6FEa0BYyKvsz0JLRcpwA5qfE01BOxKrX6Ymdlz3tf0U=", "back_url"=>"https://ucc_redmine.XXX.corp/", "username"=>"USERID", "password"=>"[FILTERED]", "login"=>"Connexion »"}
WARNING: Can't verify CSRF token authenticity
Rendered common/error.html.erb within layouts/base (0.6ms)
Filter chain halted as :verify_authenticity_token rendered or redirected
Completed 422 Unprocessable Entity in 8.4ms (Views: 7.7ms | ActiveRecord: 0.0ms)
FF - OK
Started POST "/login" for @IPUSER at 2014-05-15 17:46:41 +0200
Processing by AccountController#login as HTML
Parameters: {"utf8"=>"â", "authenticity_token"=>"U8IhNNVpo+KHuF5T5DwXkEtNnSk0dDgc6KQUaDyPHIU=", "back_url"=>"https://ucc_redmine.XXX.corp/", "username"=>"USERID", "password"=>"[FILTERED]", "login"=>"Connexion »"}
Current user: anonymous
Successful authentication for 'USERID' from @IPUSER at 2014-05-15 15:46:41 UTC
Could not redirect to invalid URL https://ucc_redmine.XXX.corp/
Redirected to https://ucc_redmine.XXX.corp/my/page
Completed 302 Found in 385.2ms (ActiveRecord: 5.4ms)
Thanks in advance for your feedback!!!
Related issues
Updated by Jiri Chadima over 9 years ago
Hi, I've come across a similar problem in IE that was caused by a security policy that was blocking cookies from some domains. As the authenticity_token is passed to the server, it seems like the problem is on the cookie/session side. Try digging in that direction; the browser's identification is probably not matched on the webserver.
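What the comment above describes, as an added Ruby sketch (not Redmine's or Rails' own code): a simplified model of Rails 3.2 CSRF checking, where the expected token is kept in the session, so a browser that submits the form's authenticity_token but does not send back the session cookie gets the 422 seen in the log. TinyApp, login_status and the in-memory session hash are hypothetical names made up for this illustration.

```ruby
require 'securerandom'

# Simplified model of Rails 3.2 CSRF protection (illustration only).
# The expected token lives in the session; the browser selects its session
# by returning the session cookie. Sessions are modelled here as an
# in-memory hash (an assumption made for brevity).
class TinyApp
  def initialize
    @sessions = {} # session id => session data
  end

  # GET /login: returns [session cookie, token embedded in the form]
  def login_form(cookie)
    sid, session = load_session(cookie)
    [sid, csrf_token(session)]
  end

  # POST /login: returns [HTTP status, session cookie]
  def login_post(cookie, authenticity_token)
    sid, session = load_session(cookie)
    ok = secure_compare(csrf_token(session), authenticity_token.to_s)
    [ok ? 302 : 422, sid]
  end

  private

  # A missing or unknown cookie yields a brand-new, empty session.
  def load_session(cookie)
    sid = @sessions.key?(cookie) ? cookie : SecureRandom.hex(16)
    [sid, @sessions[sid] ||= {}]
  end

  # Same shape as the tokens in the log: 32 random bytes, base64-encoded.
  def csrf_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Constant-time comparison of expected and submitted token.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed client: fetches the form, then posts the token it received,
# with or without returning the session cookie. Returns the HTTP status.
def login_status(keeps_cookie)
  app = TinyApp.new
  cookie, token = app.login_form(nil)
  app.login_post(keeps_cookie ? cookie : nil, token).first
end
```

To check a real deployment against this model, confirm in the browser's developer tools or the web server's request headers that the POST to /login carries the session cookie set by the preceding GET.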
Updated by Go MAEDA almost 3 years ago
- Status changed from New to Closed
- Resolution set to Wont fix
Redmine no longer supports Internet Explorer (see #34978).
Updated by Go MAEDA almost 3 years ago
- Related to Feature #34978: Add the list of supported browsers to docs and drop support for IE 11 added