Hello,

> It's also possible that the reverse proxy is doing something to the Origin
> headers, but I have not touched IIS for a very long time, and never used it
> in a reverse proxy mode, so have no specific insight there - and to me
> doesn't **seem** to explain the CSRF token errors. It also could be something
> not working as intended within GoCD.

I think it is related to the reverse proxy setup. I've seen this happen when setups ignore the "X-Forwarded-For" header setup shown [in the documentation](https://docs.gocd.org/current/installation/configure-reverse-proxy.html).

How it ends up being related to CSRF tokens *seems* to be:

1. Server sends a response with a session ID in the cookie, along with a CSRF token to be sent back with the form response.
2. Due to the misconfiguration (could be secure site URL as you said), the cookie doesn't get set / sent back with the form response.
3. Then, when the server tries to verify that the CSRF token sent back matches the one expected for the session, it doesn't work, since the session won't be the old session from point 1 above.

Something like that. I could be mistaken.

Related issue which reminded me of this (no resolutions mentioned there, unfortunately, apart from "proxy configuration was the issue"): <https://github.com/gocd/gocd/issues/5296>

Regards,
Aravind
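
The three-step sequence in the message above, as an added example that is not part of the original post and is not GoCD's code: a toy server binds each CSRF token to a session, and the form is posted back once with the session cookie and once without it. The class, the function names and the 200/403 status codes are assumptions made for illustration.

```python
import hmac
import secrets


class Server:
    """Toy server that binds each CSRF token to a session ID (constructed model)."""

    def __init__(self):
        self.sessions = {}  # session ID -> CSRF token expected for that session

    def _session(self, cookie):
        # Reuse the session named by the cookie; otherwise start a fresh one.
        if cookie in self.sessions:
            return cookie
        sid = secrets.token_hex(16)
        self.sessions[sid] = secrets.token_hex(16)
        return sid

    def get_form(self, cookie=None):
        # Step 1: response carries the session cookie plus the form's CSRF token.
        sid = self._session(cookie)
        return {"set_cookie": sid, "csrf_token": self.sessions[sid]}

    def post_form(self, cookie, csrf_token):
        # Step 3: compare the submitted token with the one for the request's session.
        sid = self._session(cookie)
        ok = hmac.compare_digest(self.sessions[sid], csrf_token)
        return {"status": 200 if ok else 403, "session": sid}


def submit(server, cookie_survives):
    """Load the form, then post it back; cookie_survives models step 2."""
    page = server.get_form()
    # Step 2: with a misconfigured proxy path the cookie is not stored or sent back.
    cookie = page["set_cookie"] if cookie_survives else None
    result = server.post_form(cookie, page["csrf_token"])
    result["same_session"] = result["session"] == page["set_cookie"]
    return result


if __name__ == "__main__":
    server = Server()
    print("cookie returned:", submit(server, cookie_survives=True))
    print("cookie lost:    ", submit(server, cookie_survives=False))
```

In the second run the token itself is valid, but it is checked against a brand-new session, so the model rejects it.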