Support » Plugin: Nextend Social Login and Register » Error: Unable to validate CSRF state

  • Resolved sasongkohendrat

    (@sasongkohendrat)


    Hello,

    I cannot login or register,
    Error: Unable to validate CSRF state.
    I’ve contacted my hosting provider (rocket.net) and told them about this: https://nextendweb.com/nextend-social-login-docs/common-error-messages.
    They said that they had it done in their side.
    But the error still appears.
    Can you please help me?

    note:
    Verify Setting results: Works Fine – Enabled
If I login with website credentials (username and password) and then try to link to the social account, it links successfully. But still, I cannot login or register via NSL.

    thank you.

    • This topic was modified 2 months, 1 week ago by sasongkohendrat. Reason: add more info


Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Support Gabor

    (@nextendweb_gabor)

    Hi @sasongkohendrat!

    The problem on your website is, that we cannot set the “SESSnsl” cookie, possibly due to your server host’s configuration.

    Often, defining a new name solves this issue, so please try to insert this code:
    define('NSL_SESSION_NAME', 'nextendlogin');

    into the wp-config.php file of your WordPress installation. This will rename our “SESSnsl” cookie to “nextendlogin”. But you can use any name in place of “nextendlogin”, so this is just an example.

    If you would still see the same issue after this, then please upload this test file to your FTP:
    https://www.dropbox.com/s/sj9q3k3564qny2o/test.php?dl=1
    Then use Chrome to debug the problem -> visit the uploaded file: https://hompimpaa.id/test.php -> press F12 -> as you see here:
    https://www.dropbox.com/s/d8k24oga1o83l0b/cookie.PNG?dl=0
    click on “Application” tab -> under “Cookies”, select your domain -> check the right side. You should see a “SESSnsl” cookie there. If that won’t happen, it confirms, that your host blocks this cookie’s creation. The code in that file is this:

    <?php
    setcookie('SESSnsl', 'test');

    For testing you can change the ‘SESSnsl’ cookie name to anything, to see if other cookies would be created. If you cannot create any cookies, you should show this file to your host and ask them why the cookie won’t be created.

    But there are cases, when cookies are only blocked at certain pages; also other plugins could have a connection to this as well, just most commonly this is a server caused issue, that is why we should debug that first. Then if these won’t lead to a solution, let me know, and we will try to give other suggestions!

    Thread Starter sasongkohendrat

    (@sasongkohendrat)

    Hi,

    thank you for your reply.

Defining a new name and uploading the test file (https://hompimpaa.id/test.php) did not solve my problem.

    I have contacted my hosting provider again and will see what they suggest to me.

I will come back with the update.

    Thank you

    Thread Starter sasongkohendrat

    (@sasongkohendrat)

    Hi,

    their answers:

    Hi,

    We have cookie stripping in place to maximize cache hit ratio, please disregard this for now.

If I can have the best ways to reproduce the social login issue I can fix it so the query strings it uses are on the allowed list.

    Ramona

    (@nextend_ramona)

    Hi @sasongkohendrat

    You should ask your host to whitelist the “SESSnsl” cookie, as it’s clear from the test.php file Gabor sent that your host doesn’t allow setting this cookie.

    During the login process we’re trying to set it as soon as a login button is pressed. So you can verify whether they managed to whitelist the cookie by visiting your login page and opening your browser’s console (right click anywhere and choose Inspect element, or press F12).
If you’re using Chrome, go to the Application tab; if you’re using Firefox, go to the Storage tab. Find the Cookies menu item and see your site URL under it. Now click on a social login button on your site. The authorization popup should appear. Now click on your site URL at the console under Cookies. The SESSnsl cookie should be there if the host whitelisted it. If not, you won’t see anything appearing and you can know that the host still has things to do.
    Opening the test page (https://hompimpaa.id/test.php) should immediately set this cookie (you can check it in the same way, except you won’t need to click on the social login button) which doesn’t happen either.

    Alternatively, you could ask your host if there’s any other cookie name they don’t block and use the NSL_SESSION_NAME constant Gabor has mentioned to change the “SESSnsl” cookie to whatever other cookie your host allows. E.g. if your host allows using “awesomecookie” then use:
    define('NSL_SESSION_NAME', 'awesomecookie');
    in your /wp-config.php file.
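An added illustration of why a stripped session cookie produces this error, covering Gabor’s cookie explanation and Ramona’s verification steps (example code, not the plugin’s own implementation; the NSL_SESSION_NAME constant mirrors the wp-config snippet in this thread, and the cookie and query arrays are constructed stand-ins for $_COOKIE and $_GET):

```php
<?php
// Illustrative OAuth "state" (CSRF) check. Not the plugin's own code.
// The constant name and default mirror the wp-config snippet in this thread.
if (!defined('NSL_SESSION_NAME')) {
    define('NSL_SESSION_NAME', 'SESSnsl');
}

// Step 1 (login button pressed): mint a random state value, store it in the
// session cookie, and send the same value to the provider in the auth URL.
// The browser must hand this cookie back on the provider's redirect, so a
// host that strips it breaks the round trip.
function begin_login(string $cookieName): string
{
    $state = bin2hex(random_bytes(16));
    setcookie($cookieName, $state, [
        'expires'  => time() + 600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax', // still sent on the top-level redirect back
    ]);
    return $state;
}

// Step 2 (provider redirects back with ?state=...): the cookie value must
// equal the value the provider echoed. A missing cookie, a missing state
// parameter, or a mismatch all fail, which is the situation behind
// "Unable to validate CSRF state". Constant-time compare avoids leaking
// the stored value through timing.
function verify_state(array $cookies, array $query, string $cookieName): bool
{
    if (!isset($cookies[$cookieName], $query['state'])) {
        return false;
    }
    return hash_equals($cookies[$cookieName], $query['state']);
}

// Constructed request values (not taken from a real login).
$state = '0123456789abcdef0123456789abcdef';
$cases = [
    'cookie present, matches'   => [[NSL_SESSION_NAME => $state], ['state' => $state]],
    'cookie stripped by host'   => [[], ['state' => $state]],
    'cookie present, mismatch'  => [[NSL_SESSION_NAME => $state], ['state' => 'ffff']],
];
foreach ($cases as $label => [$cookies, $query]) {
    printf("%-26s -> %s\n", $label,
        verify_state($cookies, $query, NSL_SESSION_NAME) ? 'OK' : 'CSRF state error');
}
```

Only the first case passes; the second is what a cookie-stripping cache layer produces, and renaming the cookie via NSL_SESSION_NAME only helps if the host actually allows the new name through.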

    Thread Starter sasongkohendrat

    (@sasongkohendrat)

    Hi,

    I can now verify that my hosting accepted ‘SESSnsl’ and ‘nextendlogin’ cookie name.

[Screenshot: host accepts SESSnsl cookie]

Now I’m using this in my wp-config: define('NSL_SESSION_NAME', 'nextendlogin');

[Screenshot: nextendsocial in wp-config]

But login with Google still returns the same message: Error: Unable to validate CSRF state

    page for testing purpose:
    https://hompimpaa.id/nextend-login-test/

    Thread Starter sasongkohendrat

    (@sasongkohendrat)

    Hi,

It all works now.

But if I activate this plugin: WPS-Hide Login (it changes my login URL to /login/),
create a page with the shortcode for the register flow and set it,
and create a blank page for the OAuth redirect URI proxy page,

Google login returns an error after I click my Google account to login:

Error 400: redirect_uri_mismatch

You can’t sign in to this app because it doesn’t comply with Google’s OAuth 2.0 policy.

If you’re the app developer, register the redirect URI in the Google Cloud Console.
Request details: access_type=offline response_type=code redirect_uri=https://hompimpaa.id/social/?loginSocial=google state=faadf8706e2fcb9169d2383197bd32be prompt=select_account client_id=411337995064-op9bgbfih9fk6qjm5kdr177df3pgkbon.apps.googleusercontent.com scope=https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile openid

    Ramona

    (@nextend_ramona)

    Hi @sasongkohendrat

    The redirect_uri_mismatch error means that the OAuth redirect URI is not set for your app.
You mentioned you set a new OAuth redirect URI proxy page. Is it possible that you didn’t add the new redirect URI to your app? Make sure the proper URL is set for your app by following step 17 of the app setup:
    https://nextendweb.com/nextend-social-login-docs/provider-google/#redirect_uri

    I checked your site now and it seems that the OAuth redirect uri proxy page is disabled now so the registration went fine for me.

    Thread Starter sasongkohendrat

    (@sasongkohendrat)

    thank you.

I will mark this as resolved.
