Can't Login to Admin Dashboard - CSRF Error


#1

After successfully installing Omeka S I can’t login to the Admin dashboard. The error I get is: CSRF: The form submitted did not originate from the expected site.

Has anyone seen this before? This site is running under SSL but I have the same issue if I configure it for plain http.

Any help/insight would be appreciated!


#2

You’re getting this error on the login page itself?

That CSRF error happens basically when you submit a form and it doesn’t contain a token that’s part of the form… I don’t think we’ve had any reports of CSRF problems like this in quite a while, none at all that I’m aware of for the current version. Is it Omeka S 1.1.1 that you’re using?

If so, my first guess would be that there might be some problem with session saving on your server/PHP setup (the CSRF token is stored in the PHP session, so if that’s not working properly you could get this kind of error).


#3

Yes, I see this error after clicking the Log In button. I’m using Omeka S 1.1.1 with PHP 7.1.16. I don’t see any errors in the Apache logs, so I’m somewhat at a loss. I’m not the only admin on this server but I’m fairly certain that PHP session configuration is just the default out-of-the-box setup.


#4

If you know your way around the web inspector in some browser, can you check to see if the session cookie is maintaining the same value if you reload the login page?

Omeka S only sets one cookie, and it should be keeping the same name and value between requests if things are working properly.


#5

You were right, the problem is with sessions. When I look at phpinfo(), the session.save_handler is set to memcached; it should just be files. I can’t seem to find where it’s being overridden; the setting is correct in php.ini. I’ll keep looking, thanks!
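
One way to track down the override and confirm the session round trip discussed in this thread, as an added example that is not from any poster and is not Omeka S code. The file name `session-check.php` is hypothetical; the script only reports what the web server's PHP actually loaded and whether a session survives a reload.

```php
<?php
// Added diagnostic, not Omeka S code. Save under a temporary name
// (session-check.php is hypothetical) in the same vhost as Omeka S,
// load it twice in one browser, then delete it.
ob_start();                      // buffer output so the session cookie can still be sent
header('Content-Type: text/plain; charset=utf-8');

// 1. Ini files this SAPI actually read (CLI and Apache can differ).
$main    = php_ini_loaded_file();
$scanned = array_filter(array_map('trim', explode(',', (string) php_ini_scanned_files())));
echo "Loaded php.ini: ", $main ?: '(none)', "\n";
echo "Scanned files : ", $scanned ? implode(', ', $scanned) : '(none)', "\n\n";

// 2. Master value (from ini files) vs. value in effect for this request.
$session = ini_get_all('session', true);
foreach (['session.save_handler', 'session.save_path'] as $key) {
    $global = (string) $session[$key]['global_value'];
    $local  = (string) $session[$key]['local_value'];
    echo "$key\n  master: $global\n  local : $local\n";
    if ($global !== $local) {
        echo "  -> set outside the ini files: check .htaccess, .user.ini,\n",
             "     Apache php_value/php_admin_value, or ini_set() in code\n";
    }
}

// 3. Every ini line that sets the handler, with file name and line number.
echo "\nDefinitions found in ini files:\n";
foreach (array_merge($main ? [$main] : [], $scanned) as $file) {
    foreach (@file($file) ?: [] as $n => $line) {
        if (preg_match('/^\s*session\.save_handler\s*=/i', $line)) {
            echo "  $file:", $n + 1, ": ", trim($line), "\n";
        }
    }
}

// 4. Round trip: with working sessions the id prefix stays the same and the
//    counter increases on reload; a counter stuck at 1 matches the CSRF symptom.
$started = session_start();
$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;
echo "\nsession_start(): ", $started ? 'ok' : 'FAILED', "\n";
echo "Session id prefix: ", substr(session_id(), 0, 8), "\n";
echo "Hits this session: ", $_SESSION['hits'], "\n";
```

If the master value already reads memcached, the line reported in step 3 (often a file in the scanned directory rather than php.ini itself) is where the setting comes from.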