CSRF error on 6.1.1 when trying to delete user

I seem to get a CSRF error when trying to delete a user or reset his password.
I am on Seafile Community 6.1.1 (on Debian Jessie).
Can someone confirm that they have the problem as well?


File and DB permissions are OK?

I suppose because I’ve never changed the permissions since I installed version 3.0.0.
In addition the error message is

[WARNING] django.request:98 _reject Forbidden (CSRF token missing or incorrect.)

This clearly looks like a bug. Last thing you can try is to open an incognito tab and see if it works there. If not, it’s a bug.


I tried with Firefox incognito mode and I unfortunately still have the CSRF error.

Yes, I have the same problem when I click on “Generate” for a download link.

EDIT: it only happens with Firefox 54, Chromium 59 works.

Indeed it works with Chromium. I still haven’t found a workaround for Firefox.

I have the same problem for actions like accessing encrypted libraries, deleting share links etc. Problem occurs with Firefox and Chromium (and every other browser I tried so far). I noticed that the X-CSRFToken is not set on such requests (it’s null). If I fire such a request via curl with the X-CSRFToken set, then it’s working.
Everything is working if I use the client.
This problem only occurs if I use wsgi; with fastcgi everything is working fine.
Both 6.2.0 and 6.2.2 are affected over here (switched to wsgi with 6.2.0).
I’m running 6.2.2 atm behind an apache2 proxy on a Debian stretch system.

If anybody is experiencing the same issue, for me it was the apache2 configuration interfering.
I had “Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure” set which caused my problems.
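
Added example (not part of the thread and not Seafile's code): a small JavaScript model of why the directive quoted in the last post is consistent with the null X-CSRFToken reported earlier. Cookies marked HttpOnly are hidden from page scripts, so a front end that copies the CSRF cookie into the request header finds nothing to copy. The cookie names, the sample values and the `scopedEdit` variant are assumptions made for illustration.

```javascript
// Constructed sample: Set-Cookie headers as a Django backend might emit them.
// Cookie names are assumptions; use the names your deployment actually sets.
// The model assumes the site is served over HTTPS, so Secure changes nothing.
const CSRF_COOKIE = "csrftoken";
const backendCookies = [
  "csrftoken=abc123; Path=/; SameSite=Lax",
  "sessionid=s3ss10n; Path=/; HttpOnly",
];

// Same rewrite as the Apache directive quoted in the post:
//   Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
const blanketEdit = (h) => h.replace(/^(.*)$/, "$1;HttpOnly;Secure");

// Hypothetical scoped variant: every cookie gets Secure, but the CSRF cookie
// stays readable by scripts so the front end can copy it into X-CSRFToken.
const scopedEdit = (h) =>
  h.startsWith(CSRF_COOKIE + "=") ? h + ";Secure" : h + ";HttpOnly;Secure";

// Model of what document.cookie exposes: name=value pairs of the cookies
// that do NOT carry the HttpOnly attribute.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map((h) => h.split(";").map((p) => p.trim()))
    .filter((parts) => !parts.slice(1).some((a) => a.toLowerCase() === "httponly"))
    .map((parts) => parts[0])
    .join("; ");
}

// Cookie lookup of the kind a front end performs before an AJAX POST.
function getCookie(name, cookieString) {
  for (const pair of cookieString.split(";")) {
    const [k, ...v] = pair.trim().split("=");
    if (k === name) return decodeURIComponent(v.join("="));
  }
  return null;
}

// Value the front end would place in the X-CSRFToken request header.
function csrfHeaderFor(rewrite) {
  const visible = scriptVisibleCookies(backendCookies.map(rewrite));
  return getCookie(CSRF_COOKIE, visible);
}

console.log("no rewrite:", csrfHeaderFor((h) => h));
console.log("blanket   :", csrfHeaderFor(blanketEdit));
console.log("scoped    :", csrfHeaderFor(scopedEdit));
```

The session cookie keeps HttpOnly in every case; only the CSRF cookie, which is meant to be read by the page and echoed back in a header, is left script-readable.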