
"Invalid CSRF token" on any actions by registered users
Closed, Resolved | Public | BUG REPORT

Description

I'm user MBH. I tried to revert the last edit on [1] and got:
Session Error. There appears to be a problem with your current session; this action has been cancelled to prevent "session hijacking". Please resubmit the form.
I reloaded the page and got the same error. I tried to edit a page manually and got the same error. I tried to log out: I pressed the blue button on https://ru.wikipedia.org/wiki/Special:Userlogout and it took me back to the same page (without logging out).

I also can't log out (https://commons.wikimedia.org/wiki/Special:UserLogout) or edit on Commons (tried to edit https://commons.wikimedia.org/wiki/Category:UMMC_Museum_Complex).

[1]: https://ru.wikipedia.org/w/index.php?title=Talk:%D0%92%D1%82%D0%BE%D1%80%D0%B6%D0%B5%D0%BD%D0%B8%D0%B5_%D0%B2_%D1%8D%D1%84%D0%B8%D1%80&action=history

[impossible to log out due to "Invalid CSRF token"]

Event Timeline

I also can't log out from another account (user:Железный капут) in another browser (Firefox; my main browser is Chrome) due to "Invalid CSRF token".

Benwing2 triaged this task as Unbreak Now! priority. Mar 31 2025, 3:12 AM
Benwing2 subscribed.

I have raised this to the highest priority as it presumably means all MediaWiki sites are broken.

I get a similar message when trying to log in:

[Screenshot 2025-03-30 231505.png]

The log-in trouble described above is when using Firefox. In Chrome I am logged in, but cannot edit due to the error:
Sorry! We could not process your edit due to a loss of session data.

You might have been logged out. Please verify that you're still logged in and try again. If it still does not work, try logging out and logging back in, and check that your browser allows cookies from this site.

[Screenshot 2025-03-30 231823.png]

And when trying to log out I get: "Invalid CSRF token"

EnWiki user here. Using Edge on Win11 I get the same errors as Jarekt. Same with Chrome on my mobile.
Also, "email this user" doesn't work; the page just blinks but stays the same when I click "Send".

Looking at "Recent changes" it looks like IPs can edit. So there's going to be a lot of mess to clear up!

I'm running into the same issue. Couldn't edit (with a message about needing to log out), then couldn't log out ("invalid CSRF token"), cleared my browser's saved data to force log out, and now it's impossible to log in.

MBH renamed this task from 'I can't edit "to prevent session hijacking" and log out' to '"Invalid CSRF token" on any actions by registered users'. Mar 31 2025, 3:34 AM
MBH claimed this task.

Fixed.

Investigation into the root cause and avoiding repeats of this event is in progress at T390514.