403 Forbidden on either admin or forums if 2 separate tabs

[patsanch]

Hi,

I noticed something weird. I'll try to explain as clearly as I can.

step 1

tab 1:
i tried saving a group (success)

tab 2:
i tried creating a post (403 forbidden)

step 2

tab 2:
refreshed page
i tried creating a post (success)

tab 1:
i tried saving a group (403 forbidden)

I do not notice the issue if I use just one tab and go through the steps from admin to forums multiple times.

I disabled the plugin and don't see the issue.

I enabled the plugin and was able to replicate the issue again.

I tried the different session handling options and get the same behavior for all.

Any idea what's happening? I'm wondering if it's a misconfiguration on our end.

Thanks!

[patsanch]

Trying to find what other actions will return 403 and found these:

• reordering categories
• disabling categories
• creating a group

There are actions that return success. So far everything I've tried under Settings saves successfully.

[julianlam]

Hi @patsanch — have you tried on different browsers?

Did you try the trust session handling option? That one should have fewer issues as it's not going through any sort of login flow again.

Could be related to #132...

Also are you seeing any server-side errors? Something about CSRF maybe?

[patsanch]

Hi @julianlam ,

I was using FF. I tried Safari now and notice the same issue.

I tried all 3 options and notice the same issue.

In ./nodebb log, I see
2023-02-10T23:09:11.889Z [4568/8008] - error: PUT /api/v3/groups/sds
invalid csrf token