
Comments (16)

KevinGuest commented on August 15, 2024

419 is normally a CSRF Token issue.

Hopefully this answer helps from Stack.
https://stackoverflow.com/questions/52583886/post-request-in-laravel-error-419-sorry-your-session-419-your-page-has-exp?rq=4

from shotshare.

ai-ri-kr commented on August 15, 2024

Thanks, but adding -e SESSION_DRIVER=file -e SESSION_DOMAIN=img.airikr.me -e SESSION_SECURE_COOKIE=true to the docker run command didn't fix the issue. Same with SESSION_SECURE_COOKIE=false, and also when I removed -e SESSION_DRIVER=file -e SESSION_SECURE_COOKIE=true and left only SESSION_DOMAIN in place.

The rest of the answers are about JavaScript or other things that must be added inside the actual source code. I didn't bother doing anything with that part :)


EmberHeartshine commented on August 15, 2024

Is it a Caddy 419 or an Apache 419?


ai-ri-kr commented on August 15, 2024

Apache 419. I use "Run in HTTP mode" with -e FORCE_HTTPS=true.


EmberHeartshine commented on August 15, 2024

I'm not super familiar with Apache in general, but what is mod_headers being used to do here?

And I don't think that really makes sense... Apache doesn't generate a 419 Page-Expired, Apache's 419 error is Insufficient-Space-On-Resource. 419 Page-Expired is a Laravel/Caddy error.

(as an aside, it might make more sense to use Apache to redirect to HTTPS on port 80 rather than have the proxied application do it. Saves on some troubleshooting steps and keeps all connections HTTPS. My nginx config doesn't have port 80 pointing to anything other than a 508 redirect to https://$host$request_uri which is best practices for nginx but idk what the best practices for Apache are.)


ai-ri-kr commented on August 15, 2024

Thank you for the information. I will get back to you after I've had some sleep. I'm very sleepy xD


ai-ri-kr commented on August 15, 2024

Alright! I use mod_headers to harden my web server and strengthen its security. I use the following guides:

So the 419 error is Laravel/Caddy and not Apache after all? Then I have no clue how to fix this issue :( I don't have any knowledge at all of Caddy or Laravel (other than that Laravel is PHP-based).

I will ask someone to help me with all this, or if I have the mental strength to search the net for a solution.

Thank you for your help :)


EmberHeartshine commented on August 15, 2024

While looking up information about this for nginx, I stumbled over this SO answer which kind of explains the issue entirely! So in your apache config you'll need to include SameSite=none in the cookie line.


ai-ri-kr commented on August 15, 2024

Oho! But what cookie line? I don't have any in my configuration file for my domain.


EmberHeartshine commented on August 15, 2024

Number 10 on this page describes setting a cookie to handle the header setting. You'd need to set a cookie anyway for this kind of security to work either way.


ai-ri-kr commented on August 15, 2024

Aha, ok :) I'm sorry, I can't think straight right now.

I added Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure below ProxyPassReverse for both *:80 and *:443 in the config file for my domain and reloaded Apache. Same issue.

I saw now that I already have added that line to my apache.conf file.


EmberHeartshine commented on August 15, 2024

After Secure set ;SameSite=none


ai-ri-kr commented on August 15, 2024

Here's the line in apache.conf now: Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=none

I restarted (not reloaded as I did the previous times) Apache and tried to login again. Same issue.


EmberHeartshine commented on August 15, 2024

Sadly I've already overextended my knowledge here. I will say that nginx's proxy_cookie_flags ~ secure; worked for me but I'd imagine you don't want to learn a whole new server just for this.


ai-ri-kr commented on August 15, 2024

I am sort of interested in switching to nginx, but that's when I am ready for it.

Many thanks for your help anyway :) You have guided me to the right path (I hope) so I will dig deeper into this when my brain is more cooperative.


ai-ri-kr commented on August 15, 2024

This issue has now been solved. I tried commenting out Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=none and restarted Apache, and everything just worked!

Update
Replacing the commented line with Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;SameSite=none;Secure did work flawlessly.

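An added example, not code from shotshare or from anyone in this thread: a small Python script that emulates what Apache's `Header edit Set-Cookie <regex> <replacement>` does to one Set-Cookie value, then checks whether a browser would actually keep the rewritten cookie and what that means for the login POST. The sample cookie `BACKEND_SET_COOKIE`, the token value, and the `RULE_IDEMPOTENT_SECURE` variant are constructed for illustration; the rule in `RULE_FROM_THREAD` is the line from the comments above. The practitioner's points it makes: the `^(.*)$` rule blindly appends attributes, so a backend that already sends `secure; httponly` (Laravel does) ends up with duplicated attributes; `SameSite=None` is only honoured together with `Secure`; a `Secure` cookie set on a plain-http page load is never stored, so the following POST arrives without a session and the CSRF check answers 419. The `csrf_status` function is a model of that check, not Laravel's middleware.

```python
"""Added example: inspect how 'Header edit Set-Cookie' rewrites look to a browser.

Emulates Apache mod_headers' regex edit in Python so the effect can be checked offline.
Not part of shotshare; the sample cookie and rule variants are constructed.
"""
import hmac
import re
from typing import List, Optional, Tuple

# Constructed sample (assumption): a Laravel session cookie as the backend emits it.
# Laravel already sets secure, httponly and samesite=lax on its own.
BACKEND_SET_COOKIE = (
    "laravel_session=eyJpdiI6Im; expires=Thu, 15 Aug 2024 12:00:00 GMT; Max-Age=7200; "
    "path=/; domain=img.airikr.me; secure; httponly; samesite=lax"
)

# The rule from the thread, as (regex, replacement) the way mod_headers takes them.
RULE_FROM_THREAD = (r"^(.*)$", "$1;HttpOnly;SameSite=none;Secure")
# Hypothetical idempotent variant (assumption, not from the page): append Secure only
# when no 'secure' attribute is present yet. PCRE and Python re accept this syntax.
RULE_IDEMPOTENT_SECURE = (r"(?i)^((?:(?!;\s*secure\b).)*)$", "$1; Secure")


def apache_header_edit(value: str, rule: Tuple[str, str]) -> str:
    """Emulate 'Header edit <name> <regex> <replacement>' on a single header value.
    mod_headers writes back-references as $1; Python's re wants \\1."""
    pattern, replacement = rule
    return re.sub(pattern, replacement.replace("$", "\\"), value, count=1)


def parse_set_cookie(header: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a Set-Cookie value into name=value and (attribute, value) pairs.
    Attribute names are lower-cased; duplicates are kept so they can be reported."""
    parts = [p.strip() for p in header.split(";")]
    attrs = []
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs.append((key.strip().lower(), val.strip()))
    return parts[0], attrs


def duplicated_attributes(header: str) -> List[str]:
    """Attributes that appear more than once (what the blind ^(.*)$ rule produces)."""
    _, attrs = parse_set_cookie(header)
    seen, dupes = set(), []
    for key, _ in attrs:
        if key in seen and key not in dupes:
            dupes.append(key)
        seen.add(key)
    return dupes


def rejection_reasons(header: str, request_scheme: str, request_host: str) -> List[str]:
    """Why a modern browser would refuse to store this cookie (empty list = stored).
    For repeated attributes the last occurrence wins, as in RFC 6265 parsing."""
    _, attrs = parse_set_cookie(header)
    keys = [k for k, _ in attrs]
    reasons = []
    if "secure" in keys and request_scheme != "https":
        reasons.append("Secure cookie received over plain http is not stored")
    samesite = "lax"
    for key, val in attrs:
        if key == "samesite":
            samesite = val.lower()
    if samesite == "none" and "secure" not in keys:
        reasons.append("SameSite=None is only accepted together with Secure")
    domain = None
    for key, val in attrs:
        if key == "domain":
            domain = val.lower().lstrip(".")
    if domain and request_host != domain and not request_host.endswith("." + domain):
        reasons.append(f"Domain={domain} does not cover request host {request_host}")
    return reasons


def csrf_status(session_token: Optional[str], posted_token: str) -> int:
    """Model of a Laravel-style CSRF check: the _token posted with the form must equal
    the token held in the session. No session cookie means no session token, so the
    comparison fails and the answer is 419; a match lets the login redirect (302)."""
    if session_token is None or not hmac.compare_digest(session_token, posted_token):
        return 419
    return 302


def simulate_login(set_cookie: str, request_scheme: str, request_host: str) -> int:
    """The form page sets the (possibly rewritten) cookie; the login POST then either
    carries the session back or not, which decides between 302 and 419."""
    stored = not rejection_reasons(set_cookie, request_scheme, request_host)
    token = "tok-7f3a"  # constructed token value
    return csrf_status(token if stored else None, token)


if __name__ == "__main__":
    edited = apache_header_edit(BACKEND_SET_COOKIE, RULE_FROM_THREAD)
    print("rewritten:", edited)
    print("duplicated attributes:", duplicated_attributes(edited))
    print("https login:", simulate_login(edited, "https", "img.airikr.me"))
    print("http login :", simulate_login(edited, "http", "img.airikr.me"))
```

Run it as-is and then paste in the real header from `curl -sI https://img.airikr.me/login` to check what your Apache is actually emitting; the duplicated attributes are tolerated by browsers, but the idempotent variant keeps the header clean. Whether the plain `Header edit` or `Header always edit` form is needed depends on which header table mod_headers sees the backend's Set-Cookie in; the thread's own outcome is that only the `always` form worked here, which is consistent with the mod_headers documentation noting that `always` reaches headers the default condition does not.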
