Some users getting CSRF warnings when creating tickets?

Hi all,
We’re starting to have more people test RT now. Oddly, the two who just
started trying it out get CSRF warnings when they try to make or update
tickets, while no one else does. They are using Chrome, but so is a guy who
is not getting the warnings. We’re all in the same building, thus on the
same network. Any idea why this might be happening? My Nginx log for RT
doesn’t include anything about this, and my RT log is empty. Thanks.

Alex Hall
Automatic Distributors, IT department
ahall@autodist.com

That makes me wonder: would having two subdomains do it? I have
tickets.domain.com and rt.domain.com both going to the same thing, but
rt.autodist.com is the actual domain in the configuration files. I wonder
if starting from tickets.domain.com would cause this warning, as the
browser sees one domain trying to do an action on what it thinks is a
different one? I’ll have people stick to rt.domain.com and see if that
makes a difference.

On Tue, Sep 27, 2016 at 8:23 AM, Sean Cwiek cwieks@mcls.org wrote:

Hey Alex,

We’ve seen this when users are jumping between the http and https versions
of our RT instance. Advising everyone to login at the https address seemed
to resolve it for us.

Thanks.

-Sean

From: rt-users [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Alex Hall
Sent: Monday, September 26, 2016 4:07 PM
To: rt-users rt-users@lists.bestpractical.com
Subject: [rt-users] Some users getting CSRF warnings when creating tickets?

Alex Hall
Automatic Distributors, IT department
ahall@autodist.com

Hey Alex,

We’ve seen this when users are jumping between the http and https versions of our RT instance. Advising everyone to login at the https address seemed to resolve it for us.

Thanks.

-Sean

That makes me wonder: would having two subdomains do it? I have
tickets.domain.com and rt.domain.com both going to the same thing,
but rt.autodist.com is the actual domain in the configuration files.

Yes this would do it. There is a config option to allow you to bypass
the CSRF warning for the additional domains:

https://docs.bestpractical.com/rt/4.4.1/RT_Config.html#ReferrerWhitelist
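
The two causes raised in this thread (a second host name, and switching between http and https) can be seen in a simplified model of a Referer-based CSRF check. This is an added example, not RT's own code: the function names, the URL path, and the assumption that the configured site is rt.domain.com on port 443 are constructed for illustration; the `host:port` whitelist entry follows the format of the ReferrerWhitelist option linked above.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (host, port) for a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (parts.hostname.lower(), parts.port or DEFAULT_PORTS[parts.scheme])


def referer_allowed(referer, web_domain, web_port, whitelist=()):
    """Simplified model: accept a request only if its Referer matches the
    configured host:port or an explicit "host:port" whitelist entry."""
    src = origin(referer) if referer else None
    if src is None:
        return False          # missing or unparsable Referer is not trusted
    if src == (web_domain.lower(), web_port):
        return True
    return f"{src[0]}:{src[1]}" in {w.lower() for w in whitelist}


def demo():
    """Run the thread's scenarios against a constructed configuration."""
    domain, port = "rt.domain.com", 443          # assumed configured site
    path = "/Ticket/Create.html"                 # constructed sample path
    return {
        # Configured name over https: accepted.
        "canonical": referer_allowed(f"https://rt.domain.com{path}", domain, port),
        # Alias host name: different host, so the warning appears.
        "alias": referer_allowed(f"https://tickets.domain.com{path}", domain, port),
        # Same host over http: port 80 != 443, so the warning appears.
        "http": referer_allowed(f"http://rt.domain.com{path}", domain, port),
        # Alias after whitelisting it as host:port: accepted.
        "alias_whitelisted": referer_allowed(
            f"https://tickets.domain.com{path}", domain, port,
            whitelist=["tickets.domain.com:443"]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18} {'accepted' if ok else 'CSRF warning'}")
```

Whitelisting the alias only covers the host and port listed; redirecting the alias and the http listener to the one canonical https URL removes the mismatch without widening what the check trusts.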