Server got invalid CSRF token

I am getting this error in cli-log

2022-11-04T13:24:16.456143Z WARN kopia/server got invalid CSRF token for /api/v1/tasks/15/logs: f547c43cf305f56ef1cf35c345abe4faf5f390fa20b9bea89ca0754146552b24, want e083eb2f3e4db61ab46587866e34081a1711e8adc9dd3d5449e41a5913ebd017, session 6cd1e736-d6cf-439b-91fa-881851833667

And kopia has stoped to write logs in the content-logs folder, is this related? how can I fix it?

Does kopia has a sustem to autorotate the logs?

I am using docker

I “fixed” it with this parameter “–disable-csrf-token-checks” it’s oK? or it’s bad?

On the other hand as I said the docker is not writing logs anymore.

docker run
-e TZ=“Europe/Paris”
-e HOST_OS=“Unraid”
-e ‘KOPIA_PASSWORD’=‘test’
-e ‘TCP_PORT_51515’=‘51515’
-e ‘TZ’=‘Europe/Madrid’
-l net.unraid.docker.managed=dockerman
-l net.unraid.docker.webui=‘http://[IP]:[PORT:51515]’
-l net.unraid.docker.icon=‘
-v ‘/mnt/user/Docker/Kopia/config’:‘/app/config’:‘rw’
-v ‘/mnt/user/Docker/Kopia/cache’:‘/app/cache’:‘rw’
-v ‘/mnt/user/Docker/Kopia/logs/cli-logs/’:‘/app/logs/cli-logs’:‘rw’
-v ‘/mnt/user/’:‘/app/data’:‘rw’
-v ‘/mnt/user/Docker/Kopia/logs/content-logs/’:‘/app/logs/content-logs’:‘rw’
–dns= ‘kopia/kopia’ server
–htpasswd-file /app/config/.htpasswd


The command finished successfully!

I delete the folders and now were created with logs, or at least I did a log cleanup command and new logs were written. But if I run a snapshot, nothing is updated in the content logs folder, is this normal? where I can find a log with the result of a snapshot?

Please anyone can tell me where how I can get the output of a backp written in a log, in order to understand if it’s successfull or no?
I am using the docker version

Disabling CSRF token checks reduces security and should be avoided as it opens up your server to CSRF attack, which is a very common class of attacks on the Internet and can be used for data exfiltration and manipulation by using session cookie of a logged-in user.

See Cross-site request forgery - Wikipedia

Basically an attacker who can guess that:

a) you have a Kopia server running on some host:port
b) you have previously logged into that server in a browser and a cookie is still valid

Without CSRF token protection, if an attacker who knows a) and b) and can trick you into visiting their malicious web page (say that page can issue HTTP POST requests to Kopia server and do damage. I don’t want to give a complete playbook for this kind of attack, but that’s quite a real possibility given that Kopia exposes API that can be triggered this way. So DO NOT disable CSRF tokens except for a very narrow set of cases where you develop Kopia UI itself.

A CRSF token is generated every time server starts. To fix the issue simply refresh the web page (F5 on Windows, Command-R on a Mac) which will cause the client to pick up newly generated session secret.

Alternatively to ensure the client survives server restart an alternative is to pass some fixed random string via --auth-cookie-signing-key flag or KOPIA_AUTH_COOKIE_SIGNING_KEY environment variable.

1 Like