[SOLVED] '400 - CSRF error' trying login to factorio.com

[Tonton.Sancho]

Hi Factorio Team,

From yesterday I tried (without any success) to login onto factorio.com, but instead I got a

Code: Select all

400 - CSRF error
The CSRF session token is missing.
Please use the Back button in your browser and try again. If problem persists, please contact support@factorio.com. 

Using Firefox (v92) and the error occurs.
Using Chrome (v94) and no error occurs, I'm able to login.

More information,
I used to run headless factorio from a VPS linux server. From there, I use wget / curl to download headless build (tar.xz url).
But, this does not work for now :
wget (or curl) warns me about SSL Certificate validation expiration problem.
(telling me to use unsecure request option)

Currently, there is a worldwide problem with Letsencrypt Root Certification expiration.

Could this be a related problem ?
Cloudflare / Your server certificate have to be double checked ?

I'm still there if I can bring you more information.

Best regards

[Sanqui]

Hi, thank you for reporting the issue. I am currently investigating the 400 CSRF error and am unable to reproduce it. Could you please provide me with the following information:

Which operating system are you running?

In Firefox, press CTRL+Shift+I (Inspect element), switch to the Storage tab, on the left, under Cookies, choose https://factorio.com, and tell me if there is a "session" cookie present in the list. (Please do not copy the contents)

Thank you

[Tonton.Sancho]

Thank you for your consideration.

Code: Select all

$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.3 LTS
Release:	20.04
Codename:	focal

Code: Select all

$ uname -a
Linux <machine name> 5.4.0-88-generic #99-Ubuntu SMP Thu Sep 23 17:29:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Under Cookies:
I have 3 'phpbb3_4hp<...>' key/value pair.
I have 2 'session' key with different values.
One 'session' key is for domain: www.factorio.com
The other one (and all phpbb3 related) are for domain: .factorio.com

[Tonton.Sancho]

Under Local storage, I have two myshopify related key/value pair.

[Sanqui]

Under Cookies:
I have 3 'phpbb3_4hp<...>' key/value pair.
I have 2 'session' key with different values.
One 'session' key is for domain: www.factorio.com
The other one (and all phpbb3 related) are for domain: .factorio.com

Thank you. Can you please clear the two session cookies (you can do so by right clicking from the same menu and choosing Delete "session..."), refresh the login page, and attempting to log in again. In other words, clearing your cookies ;), of course there is no need to delete the phpBB cookies. Let me know if that helps.

[Nidan]

Currently, there is a worldwide problem with Letsencrypt Root Certification expiration.

With the end of September, an intermediate certificate that allowed for widespread acceptance of Let's Encrypt certificates expired. By now clients should have had enough time to update and be aware of Let's Encrypt's own root certificate and thus shouldn't need the intermediate anymore. Update the server you used to run wget/curl. (I ran into this at work today, on an Ubuntu 16.04.)
The CSRF issue seems unrelated.

[Tonton.Sancho]

Thank you. Can you please clear the two session cookies (you can do so by right clicking from the same menu and choosing Delete "session..."), refresh the login page, and attempting to log in again. In other words, clearing your cookies , of course there is no need to delete the phpBB cookies. Let me know if that helps.

It was the point, login success now.

Hard to known, from my usage, how could I have prevented this ? (the two session key collision)