mirror of
https://github.com/BookStackApp/BookStack.git
synced 2026-02-05 00:29:48 +03:00
419 Page Expired #2185
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @MFYDev on GitHub (Apr 10, 2021).
After upgrade to the latest release which version is 21.04
I cannot log in on the win10 Chrome and Edge browser.
Every time when I log in, it displays things like this:
What's the most weird thing is, I can log in on my phone, which is Android 11 MIUI Edge browser.
This issue has never happened before this upgrade. I can assure the
APP_URLin the env file is correct.Please investigate as it is really an emergent problem.
@ssddanbrown commented on GitHub (Apr 10, 2021):
Hi @MFYDev,
APP_URLvalue exactly match the public base URL for Bookstack, that will be accessed in the browser including the starting https/http, with no trailing slash?bootstrap/cachefolder within your BookStack install folder?@MFYDev commented on GitHub (Apr 10, 2021):
Hi @ssddanbrown ,
I upgraded from 0.31.8
Yes, definitely.
It works well in all version before v21.04 (I started to use BookStack about one year ago and this problem has never happened before this upgrade)
I always use https, and I have turned on forcing https.
There are 3 files:
.gitignore,packages.php,services.php@MFYDev commented on GitHub (Apr 10, 2021):
Dear Dan,
After a long time investigation of
.envfile, I finally found out what parameter cause this problem.It is
ALLOWED_IFRAME_HOSTSThis value is the new parameter and firstly I just set it as
ALLOWED_IFRAME_HOSTS="https://mywordpressblog.com"which is my wordpress blog URL.
From my perspective I thought maybe this value can help BookStack page to be iframed within my wordpress blog passage? (I am not sure if I understand it in the right way)
Honestly I do not know why, removing this line makes all things work well again.
If it is possible, would you please demonstrated where did I set wrong in this value?
Because according to the annotation:
I think what I set is correct, right?
@ssddanbrown commented on GitHub (Apr 10, 2021):
That value appears correct, Were you getting the 419 issue just on embedded/iframed versions of Bookstack or did you get this error all the time, even when using the proper domain?
Setting that value does change how cookies are handled. It may be the case that old cookies are interfering with new cookies that BookStack is attempting to set. It'll be worth completely clearing cookies, or trying to login & use BookStack within a fresh incognito/private window to see if the issue remains.
@MFYDev commented on GitHub (Apr 10, 2021):
I get this error all the time even when I use the proper domain.
So I did a quick test according to your advice.
Firstly, I add that parameter again and view bookstack in private window, this issue still happens.
Then, I tried to clean all the cookies and cache of my browser and view it again. Still, this problem exists.
It is really weird.
@shmoulana commented on GitHub (Apr 14, 2021):
Guys we are also getting the same thing ?
Any solution for this ?
@ssddanbrown commented on GitHub (Apr 15, 2021):
@MFYDev I've setup a replicated test of using this option here: https://danb.me/embed.html
Can you attempt login to the demo site via the iframe in that test page and let me know if that works for you?
@MFYDev commented on GitHub (Apr 15, 2021):
@ssddanbrown Sorry for the delay mate.
Using admin@example.com with password as password, I can successfully log in to this test site.
Would you please tell me if you set any other parameter that is not default which may affect this problem?
Thank you so much in advance.
@ssddanbrown commented on GitHub (Apr 15, 2021):
@MFYDev This is the entire contents of the
.envfor the demo site:If you're able to provide an example of a failing embed I can inspect the headers and make sure everything is aligned or see if there are other things causing interference. Don't need access/login to the BookStack instance, just an example of it embedded.
@MFYDev commented on GitHub (Apr 16, 2021):
Dear Dan @ssddanbrown ,
Thanks for the information.
I set a personal test embed site: https://api.mfy.world/test/embed.html
Finally I found out things make this issue happen:
After I deleted these session configuration parameters, all things work again.
I should have thought of deleting these lines earlier after searching
419 page expiredin google, because most of answers saying that error is related to session. 😥It seems although I always wanna use the complete env file to take full control of my site. but some of the unfamiliar parameters will still cause small problems. I should know more about them before using them.
Thank you so much for all the replies and patience. Lessons are learned for me after all these.
@ssddanbrown commented on GitHub (Apr 16, 2021):
@MFYDev No problem, Happy to hear you git it working!
I'd imagine it was just the
SESSION_SECURE_COOKIE=falseline that was causing issues, This would conflict with the requirements for cookies to be used in an embedded context. BookStack will now dynamically set that option anyway based upon yourAPP_URLvalue.@willre commented on GitHub (Apr 19, 2021):
I have encountered the same problem, which can be solved according to @MFYDev method
@shhoppe commented on GitHub (Mar 16, 2022):
When I went to implement the @MFYDev method, I found that those lines did not exist in my .env so I added them, which resolved the issue for me.
When it happens again, then I'll remove them.
@vdawg-git commented on GitHub (Nov 8, 2022):
I am also facing this issue after adding an URL to
ALLOWED_IFRAME_HOSTS.@shhoppe Have you set
SESSION_SECURE_COOKIEto false or true?@shhoppe commented on GitHub (Nov 8, 2022):
For me, I think it has something to do with the way my server handles sessions, so what I do for the moment is toggle. When the issue occurs, then if it's true I set to false and vice versa. Not ideal, but it suits me until I finally find some time to look at things more deeply.
@ash34 commented on GitHub (Dec 11, 2023):
I see this is marked as closed but I experience the 419 page expired issue with a new install (I'm new to Bookstack).
After logging in and using for maybe 2-3 minutes I will receive the 419 page. I experimented with changing SESSION_LIFETIME=120 to SESSION_LIFETIME=12000 as a temporary workaround but was there a fix for this?
@ssddanbrown commented on GitHub (Dec 11, 2023):
@ash34 The default session time should already by two hours, so I wouldn't expect changing that to affect that particular issue, unless something else was off in regard to that setting.
Otherwise, it's hard to determine exactly what may lead to a 419 without knowing the exact reproduction steps and environment. Sometimes URL misconfiguration, or recently changed session/cookie settings, or browser controls/extensions, or embedding techniques, or failed requests to load things via BookStack, can trip up the session.
@krismarc commented on GitHub (Sep 28, 2024):
@ssddanbrown,
same story here. I'm running bookstack as the add-on in Home Assistant. As long as I do not set ALLOWED_IFRAME_HOSTS all works fine. Once it set this value, I start getting 419 page expired. Happens only in Chrome. In firefox all fine, even with this var.
https://community.home-assistant.io/t/bookstack-embedded-into-dashboard/775013/3
doesn't matter if I access the app directly or from the iframe.
@eric-saintetienne commented on GitHub (Dec 21, 2024):
Same here, with
ALLOWED_IFRAME_HOSTSset, I get the page expired issue, irrespectively of any frame (inside or outside an iframe). I'm using Firefox.@Soosbrecht commented on GitHub (Jul 9, 2025):
Did you manage to fix this problem? I have the same issue when trying to embedd the iframe. I get the 419Error when trying to log in through the frame. When accesing bookstack directly i the login screen gets stuck in a loop (correct login data but not loggin in). If i rmeove the allowed_iframe_hosts it works fine.