Description
CKAN CSRF Token Issue - Form Submission Fails with "The CSRF token is missing" Error
Issue Description
When attempting to create new datasets or organizations in CKAN, form submissions fail with a 400 Bad Request error and the message "The CSRF token is missing." This occurs despite the CSRF token being properly generated and included in the form HTML.
Environment Details
CKAN Version: 2.11.3 (Docker deployment)
Deployment: Docker Compose with custom theme (ckantemplatev2)
Web Server: Nginx reverse proxy
Database: PostgreSQL
Session Storage: File-based sessions
Steps to Reproduce
Navigate to /dataset/new or /organization/new
Fill out the required form fields
Submit the form
Receive 400 Bad Request error: "The CSRF token is missing"
Current Configuration
CSRF Settings in ckan.ini
wtf.csrf.enabled = false # Temporarily disabled for testing
wtf.csrf.time_limit = 3600
wtf.csrf.ssl_strict = false
CSRF Filter Extension Settings
ckanext.csrf_filter.token_expiry_minutes = 30
ckanext.csrf_filter.token_rotation_minutes = 10
ckanext.csrf_filter.same_site = None
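For comparison, the ckan.ini fragment below is an added example, not part of the original report or of CKAN's own files. CKAN's configuration reference documents its Flask-WTF settings under the uppercase Flask-WTF option names shown here; confirm them against the reference for your CKAN version before relying on them. The values are the strict ones a production instance should run with, set beside comments on what each one controls.

```ini
# ckan.ini: Flask-WTF CSRF options as CKAN's configuration reference names them.

# Leave protection on. A disabled check is the weak setting, and only this
# option name (not a dotted lower-case variant) is read by CKAN.
WTF_CSRF_ENABLED = true

# Name of the hidden form field Flask-WTF looks for in the POST body.
# The name rendered by the template and this option must agree, otherwise
# the request is rejected with "The CSRF token is missing."
WTF_CSRF_FIELD_NAME = _csrf_token

# Token lifetime in seconds (Flask-WTF default is 3600).
WTF_CSRF_TIME_LIMIT = 3600

# Over HTTPS, also require a Referer that matches this site. Relax this only
# while diagnosing a reverse proxy that strips or rewrites the Referer.
WTF_CSRF_SSL_STRICT = true

# Tokens are signed with the application's SECRET_KEY. Changing the key
# invalidates every outstanding token, so rotate it deliberately, not as a
# debugging step, and keep it long and random.

# CKAN 2.10+: by default, blueprints registered by extensions are exempt
# from the CSRF check. Set this to false to enforce it on them as well.
ckan.csrf_protection.ignore_extensions = false
```

If the reverse proxy terminates TLS, make sure it forwards the scheme (for example through X-Forwarded-Proto) so the SSL-strict Referer check and the Secure flag on the session cookie see HTTPS rather than plain HTTP.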
Form Template (package_form.html)
{% snippet 'snippets/csrf_input.html' %}
CSRF Input Template (csrf_input.html)
{# CSRF token input field #}
{% if csrf_token %}
{% endif %}
Technical Details
Request Headers
Content-Type: application/x-www-form-urlencoded
Response Headers
Status Code: 400 BAD REQUEST
Content-Type: text/html; charset=utf-8
Form Data Analysis
CSRF token is present in the HTML form:
Form is submitted with correct Content-Type
All required fields are filled
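Replaying the form POST from the command line separates the three inputs the check depends on: whether the session cookie is sent, whether the rendered page actually contains the hidden token field, and which field name the token goes back under. The script below is an added example, not part of the original report or of CKAN; it assumes the site URL, that the hidden field is named _csrf_token (CKAN's default WTF_CSRF_FIELD_NAME), and that the rendered form uses double-quoted attributes as CKAN's templates do.

```shell
#!/bin/sh
# Added example (not part of the original report): replay a CKAN form POST
# with curl so each input to the CSRF check can be inspected on its own.
# Assumed: CKAN_URL, the field name _csrf_token, double-quoted attributes.

CKAN_URL="${CKAN_URL:-http://localhost:5000}"
JAR="${JAR:-/tmp/ckan-cookies.txt}"
FIELD="${CSRF_FIELD:-_csrf_token}"   # must equal WTF_CSRF_FIELD_NAME

# Read HTML on stdin and print the value of the first <input> named $1.
# Attribute order inside the tag does not matter. Empty output means the
# template did not render that field at all.
extract_csrf_token() {
    tr -d '\n' | grep -o '<input[^>]*>' | grep "name=\"$1\"" \
        | sed 's/.*value="\([^"]*\)".*/\1/' | head -n 1
}

# GET the form with the cookie jar, extract the token, then POST it back
# under $FIELD (plus an optional pre-encoded body in $2) with the same jar.
# Prints the HTTP status of the POST.
reproduce_post() {
    path="$1"
    body="${2:-}"
    token=$(curl -s -b "$JAR" -c "$JAR" "$CKAN_URL$path" | extract_csrf_token "$FIELD")
    if [ -z "$token" ]; then
        echo "no hidden input named $FIELD in the form at $path" >&2
        return 1
    fi
    curl -s -o /dev/null -w '%{http_code}\n' -b "$JAR" -c "$JAR" \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        --data-urlencode "$FIELD=$token" ${body:+--data "$body"} \
        "$CKAN_URL$path"
}

# Typical session (run by hand; nothing is contacted when the file is sourced).
# The login field names below are assumed, check them in the rendered form:
#   reproduce_post /user/login 'login=admin&password=secret'
#   reproduce_post /dataset/new 'name=csrf-probe&title=CSRF probe'
if [ -n "${CKAN_PROBE_PATH:-}" ]; then
    reproduce_post "$CKAN_PROBE_PATH" "${CKAN_PROBE_BODY:-}"
fi
```

Reading the result: an empty token means the page did not render the field, so the template or helper is the problem; a 400 with a non-empty token means the server is not finding the field under the name it expects (or the jar is not carrying the session cookie); a 200 or 302 from curl while the browser still gets 400 means something between browser and application (proxy, JavaScript, cached page) is altering the submission.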
Error Logs
DEBUG [ckan.config.middleware.flask_app] 400 Bad Request: The CSRF token is missing.
Traceback (most recent call last):
File "/usr/lib/ckan/venv/lib/python3.10/site-packages/flask_wtf/csrf.py", line 261, in protect
validate_csrf(self._get_csrf_token())
File "/usr/lib/ckan/venv/lib/python3.10/site-packages/flask_wtf/csrf.py", line 100, in validate_csrf
raise ValidationError("The CSRF token is missing.")
wtforms.validators.ValidationError: The CSRF token is missing.
Attempted Solutions
Updated SECRET_KEY: Changed from a very long complex key to a simpler one
Modified CSRF Input Template: Added conditional check for csrf_token existence
Container Restart: Restarted CKAN container after configuration changes
Temporarily Disabled CSRF: Set wtf.csrf.enabled = false for testing
Root Cause Analysis
The issue appears to be related to:
Session Management: CSRF token generation/validation may be failing due to session issues
Template Rendering: The csrf_token() function may not be returning a valid token
Form Processing: Flask-WTF may not be properly extracting the token from the form data
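Flask-WTF rejects a request with a different message for each of these failure modes, and it runs the checks in a fixed order: first it looks for the token in the form data and headers, then for the token stored in the session, then it verifies the signature and age, and last it compares the two. The model below is an added example, not CKAN's or Flask-WTF's code; it uses only the standard library, mirrors the lookup in CSRFProtect._get_csrf_token and the check order in validate_csrf of Flask-WTF 1.x, and stands in an HMAC-SHA256 signature for itsdangerous' URLSafeTimedSerializer. The field name _csrf_token and the secret are assumed.

```python
"""Model of Flask-WTF's CSRF check order (added example, stdlib only).

Not CKAN or Flask-WTF code: the lookup mirrors CSRFProtect._get_csrf_token,
the check order mirrors validate_csrf, and the HMAC signing stands in for
itsdangerous' URLSafeTimedSerializer. Field name _csrf_token is assumed.
"""
import base64
import hashlib
import hmac
import secrets
import time


class ValidationError(Exception):
    pass


def generate_csrf(session, secret_key, field_name="_csrf_token", now=None):
    """Store a raw token in the session (once) and return a signed, dated copy."""
    if field_name not in session:
        session[field_name] = secrets.token_hex(16)
    issued = int(now if now is not None else time.time())
    payload = f"{session[field_name]}.{issued}".encode()
    mac = hmac.new(secret_key.encode(), payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(mac).decode())


def get_csrf_token(form, headers, field_name="_csrf_token",
                   header_names=("X-CSRFToken", "X-CSRF-Token")):
    """Where the token is looked for: the exact field name, then any form key
    that ends in it (prefixed forms), then the CSRF headers. None if absent."""
    if form.get(field_name):
        return form[field_name]
    for key, value in form.items():
        if key.endswith(field_name) and value:
            return value
    for name in header_names:
        if headers.get(name):
            return headers[name]
    return None


def validate_csrf(data, session, secret_key, field_name="_csrf_token",
                  time_limit=3600, now=None):
    """Raise ValidationError carrying the message Flask-WTF would log."""
    if not data:                                   # nothing found in the request
        raise ValidationError("The CSRF token is missing.")
    if field_name not in session:                  # session cookie absent/new
        raise ValidationError("The CSRF session token is missing.")
    try:
        payload_b64, mac_b64 = data.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
        raw, issued = payload.decode().rsplit(".", 1)
        issued = int(issued)
    except (ValueError, UnicodeDecodeError):       # malformed token
        raise ValidationError("The CSRF token is invalid.")
    expected = hmac.new(secret_key.encode(), payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):     # signed under another key
        raise ValidationError("The CSRF token is invalid.")
    current = now if now is not None else time.time()
    if time_limit is not None and current - issued > time_limit:
        raise ValidationError("The CSRF token has expired.")
    if not hmac.compare_digest(session[field_name], raw):
        raise ValidationError("The CSRF tokens do not match.")
    return True


def diagnose(form, headers, session, secret_key, field_name="_csrf_token", **kw):
    """Return the rejection message a request would get, or 'ok'."""
    try:
        validate_csrf(get_csrf_token(form, headers, field_name), session,
                      secret_key, field_name, **kw)
        return "ok"
    except ValidationError as e:
        return str(e)


if __name__ == "__main__":
    SECRET = "not-a-real-key"                      # constructed
    session = {}
    token = generate_csrf(session, SECRET)
    cases = {
        "field sent under the configured name": ({"_csrf_token": token}, {}, session),
        "field rendered as csrf_token, server expects _csrf_token":
            ({"csrf_token": token}, {}, session),
        "token sent, session cookie not sent": ({"_csrf_token": token}, {}, {}),
        "token signed under a different SECRET_KEY":
            ({"_csrf_token": generate_csrf(dict(session), "other-key")}, {}, session),
    }
    for label, (form, headers, sess) in cases.items():
        print(f"{label}: {diagnose(form, headers, sess, SECRET)}")
```

Because "missing" is raised before the session is consulted, that message points at the request body, not at session storage or the secret key: a lost session cookie produces "The CSRF session token is missing", a changed SECRET_KEY produces "The CSRF token is invalid", and an old token produces "The CSRF token has expired". Note the asymmetry in the lookup: a form field named form-_csrf_token is accepted through the suffix match, but a field named csrf_token is not when the server expects _csrf_token.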
Questions for the Community
Has anyone experienced similar CSRF token issues with CKAN 2.10.x?
Are there known issues with CSRF token handling in Docker deployments?
What are the recommended CSRF settings for production CKAN deployments?
Are there alternative approaches to CSRF protection in CKAN?
Additional Context
The issue affects both dataset and organization creation forms
The problem persists across different browsers
Session cookies are properly set and transmitted
No JavaScript errors are present in the browser console
Expected Behavior
Form submissions should complete successfully with proper CSRF token validation, allowing users to create datasets and organizations without authentication errors.
Note: This issue is currently blocking production use of the CKAN instance for data creation workflows.