Comments (16)
419 is normally a CSRF Token issue.
Hopefully this answer helps from Stack.
https://stackoverflow.com/questions/52583886/post-request-in-laravel-error-419-sorry-your-session-419-your-page-has-exp?rq=4
from shotshare.
Thanks, but adding -e SESSION_DRIVER=file -e SESSION_DOMAIN=img.airikr.me -e SESSION_SECURE_COOKIE=true to the docker run command didn't fix the issue. Same for SESSION_SECURE_COOKIE=false, and when I removed -e SESSION_DRIVER=file -e SESSION_SECURE_COOKIE=true and only left SESSION_DOMAIN untouched.
The rest of the answers are for JavaScript or other stuff that must be added inside the actual source code. Didn't bother to do anything with that part :)
Is it a Caddy 419 or an Apache 419?
Apache 419. I use "Run in HTTP mode" with -e FORCE_HTTPS=true.
I'm not super familiar with Apache in general, but what is mod_headers being used to do here?
And I don't think that really makes sense... Apache doesn't generate a 419 Page-Expired, Apache's 419 error is Insufficient-Space-On-Resource. 419 Page-Expired is a Laravel/Caddy error.
(as an aside, it might make more sense to use Apache to redirect to HTTPS on port 80 rather than have the proxied application do it. Saves on some troubleshooting steps and keeps all connections HTTPS. My nginx config doesn't have port 80 pointing to anything other than a 508 redirect to https://$host$request_uri which is best practices for nginx but idk what the best practices for Apache are.)
Thank you for the information. I will get back to you after I got some sleep. Am very sleepy xD
Alright! I use mod_headers to harden my web server and strengthen its security. I use the following guides:
- https://geekflare.com/apache-web-server-hardening-security/
- https://www.tecmint.com/apache-security-tips/
- https://www.acunetix.com/blog/articles/10-tips-secure-apache-installation/
So the 419 error is Laravel/Caddy and not Apache after all? Then I have no clue how to fix this issue :( I don't have any knowledge at all of Caddy nor Laravel (other than that Laravel is PHP based).
I will ask someone to help me with all this, or if I have the mental strength to search the net for a solution.
Thank you for your help :)
While looking up information about this for nginx, I stumbled over this SO answer which kind of explains the issue entirely! So in your apache config you'll need to include SameSite=none in the cookie line.
Oho! But what cookie line? I don't have any in my configuration file for my domain.
Number 10 on this page describes setting a cookie to handle the header setting. You'd need to set a cookie anyway for this kind of security to work either way.
Aha, ok :) I'm sorry, can't think straight now.
I added Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure below ProxyPassReverse for both *:80 and *:443 in the config file for my domain and reloaded Apache. Same issue.
I saw now that I already have added that line to my apache.conf file.
After Secure set ;SameSite=none
Here's the line in apache.conf now: Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=none
I restarted (not reloaded as I did the previous times) Apache and tried to login again. Same issue.
Sadly I've already overextended my knowledge here. I will say that nginx's proxy_cookie_flags ~ secure; worked for me but I'd imagine you don't want to learn a whole new server just for this.
I am sort of interested in switching to nginx, but that's when I am ready for it.
Many thanks for your help anyway :) You have guided me to the right path (I hope) so I will dig deeper into this when my brain is more cooperative.
This issue has now been solved. I tried to comment out Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=none and restarted Apache and everything just worked!
Update: Replacing the commented line with Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;SameSite=none;Secure did work flawlessly.
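The Header edit rule discussed in this thread appends HttpOnly, Secure and SameSite=none to every Set-Cookie value, regardless of what the proxied Laravel app already put there. The following Python check is an added example, not code from the thread or from shotshare: it applies that same regex rewrite to constructed sample headers shaped like Laravel's defaults (session cookies with samesite=lax) and then audits the result for duplicated or conflicting attributes and for SameSite=None without Secure, which browsers refuse to store. It does not diagnose the 419 itself; it shows what a blanket cookie rewrite in the proxy can do to the application's cookies.

```python
import re

# Apache 'Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=none' from the
# thread, expressed as a Python regex substitution (Apache's $1 is Python's \1).
APACHE_EDIT = (r"^(.*)$", r"\1;HttpOnly;Secure;SameSite=none")

# Constructed sample headers shaped like Laravel's defaults (session.same_site = lax).
SAMPLE_HEADERS = [
    "XSRF-TOKEN=tok123; Max-Age=7200; path=/; samesite=lax",
    "laravel_session=sess456; Max-Age=7200; path=/; httponly; samesite=lax",
]

def apply_header_edit(set_cookie, edit=APACHE_EDIT):
    """Apply one 'Header edit Set-Cookie <pattern> <replacement>' rule to a header value."""
    pattern, replacement = edit
    return re.sub(pattern, replacement, set_cookie, count=1)

def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, cookie_value, [(attr, attr_value), ...])."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = []
    for part in parts[1:]:
        if part:  # skip empty segments produced by ';;'
            key, _, val = part.partition("=")
            attrs.append((key.strip().lower(), val.strip()))
    return name, cookie_value, attrs

def audit_set_cookie(value):
    """Return the problems a browser would trip over in one rewritten Set-Cookie value."""
    name, _, attrs = parse_set_cookie(value)
    problems, seen = [], {}
    for key, val in attrs:
        if key in seen and seen[key].lower() != val.lower():
            problems.append(f"{name}: conflicting {key} values {seen[key]!r} and {val!r}")
        elif key in seen:
            problems.append(f"{name}: duplicate attribute {key}")
        seen.setdefault(key, val)
    # Browsers reject SameSite=None unless the cookie is also marked Secure.
    if seen.get("samesite", "").lower() == "none" and "secure" not in seen:
        problems.append(f"{name}: SameSite=None requires Secure")
    return problems

def audit_after_edit(headers, edit=APACHE_EDIT):
    """Run the rewrite over every header and collect the resulting problems."""
    return [p for h in headers for p in audit_set_cookie(apply_header_edit(h, edit))]

if __name__ == "__main__":
    for problem in audit_after_edit(SAMPLE_HEADERS):
        print(problem)
```

Swap APACHE_EDIT for your own pattern/replacement pair and feed it the Set-Cookie values your backend really emits (curl -I against the origin, bypassing the proxy) to see what the rule will do before you enable it.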