Kratos CSRF issue on self hosted setup #3318
Hello @Imtinan1996 It seems like you're encountering a Cross-Site Request Forgery (CSRF) violation error when trying to log back in after logging out. Ory Kratos provides CSRF protection for all flows. When submitting a flow, you must send a CSRF token in the body and the CSRF cookie back. The cookie should be sent by default by your browser, but you must add the CSRF token manually to the request body. This can be a JSON object or a native form POST. Here are some relevant links from the documentation for reference:
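The token handling the reply describes, as an added example that is not part of this thread or of Kratos's own code: a small Node.js helper for an SSR setup such as Remix that reads the `csrf_token` from a login flow's `ui.nodes`, places it in the JSON body, and forwards the browser's `Cookie` header so the CSRF cookie travels with the submission that the server makes on the browser's behalf. The flow object, the token value, the cookie string and the `http://127.0.0.1:4433` URL are constructed for the example; the field names (`ui.action`, `ui.method`, `ui.nodes[].attributes.name/value`, and the `method`/`identifier`/`password`/`csrf_token` body of the password method) follow the Kratos flow shape.

```javascript
// Added example, not Kratos project code. A Kratos browser login flow is
// fetched from the public API; its `ui` block describes the form to submit.
// The flow below is constructed to mirror that shape.
const sampleFlow = {
  id: "00000000-0000-0000-0000-000000000000", // placeholder flow id
  type: "browser",
  ui: {
    action:
      "http://127.0.0.1:4433/self-service/login?flow=00000000-0000-0000-0000-000000000000",
    method: "POST",
    nodes: [
      {
        type: "input",
        group: "default",
        attributes: { name: "csrf_token", type: "hidden", value: "constructed-csrf-token-value" },
      },
      { type: "input", group: "password", attributes: { name: "identifier", type: "text" } },
      { type: "input", group: "password", attributes: { name: "password", type: "password" } },
      { type: "input", group: "password", attributes: { name: "method", type: "submit", value: "password" } },
    ],
  },
};

// Pull the hidden csrf_token node out of the flow. Each fetched flow carries
// its own token, so always read it from the flow you are about to submit
// rather than caching one across logins.
function getCsrfToken(flow) {
  const nodes = (flow && flow.ui && Array.isArray(flow.ui.nodes)) ? flow.ui.nodes : [];
  const node = nodes.find((n) => n.attributes && n.attributes.name === "csrf_token");
  if (!node || typeof node.attributes.value !== "string" || node.attributes.value === "") {
    throw new Error("flow has no csrf_token node; fetch a fresh flow before submitting");
  }
  return node.attributes.value;
}

// Build the request the SSR server sends to Kratos. The token goes in the
// body; the browser's cookies (which include the CSRF cookie) are forwarded
// explicitly because the server, not the browser, is making this call.
function buildLoginSubmission(flow, credentials, incomingCookieHeader) {
  const csrfToken = getCsrfToken(flow);
  const headers = {
    "Content-Type": "application/json",
    Accept: "application/json",
  };
  if (incomingCookieHeader) {
    headers.Cookie = incomingCookieHeader;
  }
  return {
    url: flow.ui.action,
    method: flow.ui.method || "POST",
    headers,
    body: JSON.stringify({
      method: "password",
      identifier: credentials.identifier,
      password: credentials.password,
      csrf_token: csrfToken,
    }),
  };
}

// Usage from a Remix action (illustrative; `request` is the incoming Request):
//   const req = buildLoginSubmission(flow, { identifier, password },
//                                    request.headers.get("cookie"));
//   const res = await fetch(req.url, { method: req.method, headers: req.headers,
//                                      body: req.body, redirect: "manual" });
//   // then copy any Set-Cookie headers from `res` onto the response returned to
//   // the browser, so the session and refreshed CSRF cookies reach the client.
```

Reading the token from the freshly fetched flow and forwarding the cookie header together are what make the body token and the cookie agree; a token kept from an earlier flow, or a submission made without the browser's cookies, is the kind of mismatch that surfaces as `security_csrf_violation`.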
Preflight checklist
Describe the bug
Hi, I am using the Kratos CLI to run a self-hosted instance.
The issue is with logging in to sessions and logging out. When I first create the Browser Login Flow, a CSRF token cookie is set.
This is okay, and it logs me in and I can successfully log out as well with the Browser Logout Flow.
Now when I try to log back in, it gives me the "security_csrf_violation" error. This is due to the fact that the older CSRF token still resides in the cookies and both the new and old cookies are sent over, but the older one is utilized, which leads to an error.
Am I doing something wrong? I am using an SSR framework (Remix) and I have even tried to clear the cookie from the server, but nothing seems to work. This is limiting the functionality, and I have to continuously clear cookies when trying to develop, which has become a hindrance. Moreover, I can't go to production with this current limitation, so any help will be greatly appreciated.
self-hosted
Reproducing the bug
Relevant log output
Relevant configuration
Version
v0.13.0
On which operating system are you observing this issue?
Windows
In which environment are you deploying?
Binary
Additional Context
No response