John Moore

Reputation: 109

403 error in Node Express

I have a Node app with a page that posts the user's email address to log in to the app (I'm not doing anything but storing the email address for now). When I push the app to production it works fine for a little while, and then I start getting a 403 error like this:

Express
403 Error: Forbidden
at Object.exports.error (/opt/run/snapshot/package/node_modules/express/node_modules/connect/lib/utils.js:63:13)
at createToken (/opt/run/snapshot/package/node_modules/express/node_modules/connect/lib/middleware/csrf.js:82:55)
at /opt/run/snapshot/package/node_modules/express/node_modules/connect/lib/middleware/csrf.js:54:7
at Object.ondone (/opt/run/snapshot/package/node_modules/express/node_modules/connect/node_modules/uid2/index.js:46:8)

This is what I'm seeing in the log:

err Sun, 09 Mar 2014 11:52:01 GMT Error: Forbidden
at Object.exports.error (/opt/run/snapshot/package/node_modules/express/node_modules/connect/lib/utils.js:63:13)
at createToken (/opt/run/snapshot/package/node_modules/express/node_modules/connect/lib/middleware/csrf.js:82:55)
at /opt/run/snapshot/package/node_modules/express/node_modules/connect/lib/middleware/csrf.js:54:7
at Object.ondone (/opt/run/snapshot/package/node_modules/express/node_modules/connect/node_modules/uid2/index.js:46:8)

If I restart the app without any code changes, login starts working again. I'm guessing something to do with CSRF is going stale. I am definitely passing a CSRF token on the login page; I can see it when I view the source.

I'm on Node 0.10, and I'm wondering if I should go back to 0.8.

Here's my config:

// Module names below are assumed; the question does not show its require() lines.
var express = require('express');
var helmet = require('helmet');
var mongoose = require('mongoose');
var MongoStore = require('connect-mongo')(express);

var app = express();

app.configure(function(){
    app.set('views', __dirname + '/views');
    app.set('view engine','ejs');
    app.use(express.logger('dev'));
    app.use(express.bodyParser());
    // helmet security headers
    app.use(helmet.xframe());
    app.use(helmet.iexss());
    app.use(helmet.contentTypeOptions());
    app.use(helmet.cacheControl());
    app.use(express.cookieParser());
    // session must be mounted before csrf(), which keeps its secret in req.session
    app.use(express.session({
        secret: "**********************",
        cookie: {
            maxAge  : 3600000, //1 hour
            // evaluated once, here at startup, so every session cookie carries this same absolute date
            expires : new Date(Date.now() + 3600000) //1 hour
        },
        store: new MongoStore({
            mongoose_connection: mongoose.connection
        })
    }));

    //app.use(express.cookieSession({secret:"fooseball123!"}));
    app.use(express.csrf());
    //middleware to make csrf token available to the views
    app.use(function (req, res, next) {
        //res.locals.token = req.session._csrf;
        res.locals.token = req.csrfToken();
        next();
    });
    app.use(express.compress());
    app.use(app.router);
    app.use(express.static(__dirname + '/public', {maxAge: 86400000}));
    app.use(express.errorHandler());
});

Upvotes: 2

Views: 3712

Answers (1)

John Moore

Reputation: 109

I did two things and it looks like they fixed the issue.

  1. I rolled my Node version back to 0.8.
  2. I removed the cookie parameter inside the call to express.session.

I'm guessing the issue has something to do with #2.

I don't know what this has to do with the csrf errors I was getting.

Upvotes: 1
