Kratos CSRF issue on self hosted setup

[Imtinan1996]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• This issue affects my Ory Network project.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Describe the bug

Hi I am using the Kratos CLI to run a self hosted instance.

The issue is with logging in to sessions and logging out. When i first create the Browser Login Flow, a CSRF token Cookie is set

This is okay, and it logs me in and I can successfully log out as well with the Browser Logout Flow

Now when I try to log back in, it gives me the "security_csrf_violation" error. This is due to the fact that the older CSRF token still resides in the cookies and both the new and old cookies are sent over, but the older one is utilized which leads to an error

Am i doing something wrong? I am using a SSR framework (Remix) and i have even tried to clear the cookie from the server, but nothing seems to work. This is limiting the functionality, and i have to continuously clear cookies when trying to develop and has become a hindrance, moreover i cant go to production with this current limitation so any help will be greatly appreciated
self-hosted

Reproducing the bug

1. Create a Browser Login Flow
2. Login
3. Create Browser Logout Flow
4. Logout
5. Create Browser Login Flow
6. Login - Error

Relevant log output

{
   "audience":"application",
   "error":{
      "debug":"",
      "details":{
         "docs":"https://www.ory.sh/kratos/docs/debug/csrf",
         "hint":"The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token).",
         "reject_reason":"The HTTP Cookie Header was set and a CSRF token was sent but they do not match. We recommend deleting all cookies for 
this domain and retrying the flow."
      },
      "message":"the request was rejected to protect you from Cross-Site-Request-Forgery",
      "reason":"Please retry the flow and optionally clear your cookies. The request was rejected to protect you from Cross-Site-Request-Forgery (CSRF) which could cause account takeover, leaking personal information, and other serious security issues.",
      "stack_trace":"\ngithub.com/ory/kratos/selfservice/flow.EnsureCSRF\n\t/project/selfservice/flow/request.go:70\ngithub.com/ory/kratos/selfservice/strategy/password.(*Strategy).Login\n\t/project/selfservice/strategy/password/login.go:66\ngithub.com/ory/kratos/selfservice/flow/login.(*Handler).updateLoginFlow\n\t/project/selfservice/flow/login/handler.go:720\ngithub.com/ory/kratos/x.NoCacheHandle.func1\n\t/project/x/nocache.go:21\ngithub.com/ory/kratos/x.NoCacheHandle.func1\n\t/project/x/nocache.go:21\ngithub.com/julienschmidt/httprouter.(*Router).ServeHTTP\n\t/go/pkg/mod/github.com/julienschmidt/[email protected]/router.go:387\ngithub.com/ory/nosurf.(*CSRFHandler).handleSuccess\n\t/go/pkg/mod/github.com/ory/[email protected]/handler.go:234\ngithub.com/ory/nosurf.(*CSRFHandler).ServeHTTP\n\t/go/pkg/mod/github.com/ory/[email protected]/handler.go:185\ngithub.com/urfave/negroni.Wrap.func1\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:46\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38\ngithub.com/ory/kratos/x.glob..func1\n\t/project/x/clean_url.go:15\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2109\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerResponseSize.func1\n\t/go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:284\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2109\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerCounter.func1\n\t/go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:142\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2109\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func1\n\t/go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:92\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2109\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func2\n\t/go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:104\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2109\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerRequestSize.func1\n\t/go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:234\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2109\ngithub.com/ory/x/prometheusx.Metrics.instrumentHandlerStatusBucket.func1\n\t/go/pkg/mod/github.com/ory/[email protected]/prometheusx/metrics.go:115\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2109\ngithub.com/ory/x/prometheusx.(*MetricsManager).ServeHTTP\n\t/go/pkg/mod/github.com/ory/[email protected]/prometheusx/middleware.go:41\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38\ngithub.com/ory/x/metricsx.(*Service).ServeHTTP\n\t/go/pkg/mod/github.com/ory/[email protected]/metricsx/middleware.go:259\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38\ngithub.com/ory/kratos/x.HTTPLoaderContextMiddleware.func1\n\t/project/x/httploadermiddleware.go:23",
      "status":"Forbidden",
      "status_code":403
   },
   "http_request":{
      "headers":{
         "accept":"application/json, text/plain, */*",
         "accept-encoding":"gzip, deflate, br",
         "accept-language":"en,en-GB;q=0.9,en-US;q=0.8",
         "connection":"keep-alive",
         "content-length":"179",
         "content-type":"application/json",
         "cookie":[
            "csrf_token_e04715253caff9a793925fcba527cfabdd2d2de981eacada031790de22126f26=hUI8kGMtEEjJ+k9toUxI+VGvdfDYW/1NoUMg+M2IO8A=; csrf_token_e04715253caff9a793925fcba527cfabdd2d2de981eacada031790de22126f26=TzHksZJR5qZ2/9OVeTyIWoH3rVfb2nczcl06UcpNdYw=; my_session_token=asessiontoken"
         ],
         "origin":"http://localhost:3000",
         "referer":"http://localhost:3000/",
         "sec-ch-ua":"\"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"114\", \"Google Chrome\";v=\"114\"",
         "sec-ch-ua-mobile":"?0",
         "sec-ch-ua-platform":"\"Windows\"",
         "sec-fetch-dest":"empty",
         "sec-fetch-mode":"cors",
         "sec-fetch-site":"same-site",
         "user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
      },
      "host":"localhost:4433",
      "method":"POST",
      "path":"/self-service/login",
      "query":"flow=684086e6-1fa1-4464-a44e-166a790ac7b0",
      "remote":"[::1]:55948",
      "scheme":"http"
   },
   "http_response":{
      "status_code":403
   },
   "level":"info",
   "msg":"An error 
occurred while handling a request",
   "service_name":"Ory Kratos",
   "service_version":"v0.13.0",
   "time":"2023-06-14T13:12:57.0073414+04:00"
}

Relevant configuration

## Ory Kratos Configuration

identity:
  schemas:
    - id: users
      url: file://./user.schema.json

  default_schema_id: "users"

## Data Source Name ##
dsn: postgres://postgres:1234@localhost:5432/postgres

selfservice:
  default_browser_return_url: http://localhost:3000/auth/login/

  flows:
    logout:
      after:
        default_browser_return_url: http://localhost:3000/auth/login/

    login:
      lifespan: 5m
      after:
        password:
          default_browser_return_url: http://localhost:3000/auth/logged-in/
        default_browser_return_url: http://localhost:3000/auth/login/
      ui_url: http://localhost:3000/auth/login/

    ## Account Recovery Configuration ##
    #
    recovery:
      ui_url: http://localhost:3000/auth/recovery/
      lifespan: 1h
      use: code
      notify_unknown_recipients: true
      enabled: true

    settings:
      lifespan: 10m
      privileged_session_max_age: 1h
      required_aal: aal1
      ui_url: http://localhost:3000/auth/settings/password

    error:
      ui_url: http://localhost:3000/auth/error

  methods:
    link:
      config:
        lifespan: 1h
        base_url: http://localhost:3000/auth/password/reset/confirm
      enabled: true

    password:
      config:
        haveibeenpwned_enabled: false
        max_breaches: 0
        ignore_network_errors: false
        min_password_length: 6
        identifier_similarity_check_enabled: false
        haveibeenpwned_host: ""
      enabled: true

    lookup_secret:
      enabled: false

    profile:
      enabled: false


session:
  lifespan: 168h
  cookie:
    persistent: false
    path: ""
    same_site: Strict
    domain: ""
  earliest_possible_extend: 168h
  whoami:
    required_aal: aal1

## The kratos version this config is written for. ##
version: v0.5.0-alpha.1
dev: true
help: true
sqa-opt-out: false
watch-courier: false
expose-metrics-port: 4434
config:
  - ""

serve:
  public:
    base_url: https://localhost:4433/
    port: 4433
    cors:
      allowed_origins:
        - https://localhost:3000/
        - http://localhost:3000
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
        - OPTIONS
      allowed_headers:
        - Authorization
        - Cookie
        - Content-Type
      exposed_headers:
        - Content-Type
        - Set-Cookie
      allow_credentials: true
      options_passthrough: true
      max_age: 0
      debug: true
      enabled: true

  admin:
    base_url: https://localhost:4434/
    host: "localhost"
    port: 4434
    request_log:
      disable_for_health: false

clients:
  http:
    private_ip_exception_urls:
      - http://a.aaa
    disallow_private_ip_ranges: false

## Database related configuration ##
#
# Miscellaneous settings used in database related tasks (cleanup, etc.)
#
database:
  cleanup:
    sleep:
      tables: 0ns
    older_than: 0ns
    batch_size: 1

Version

v0.13.0

On which operating system are you observing this issue?

Windows

In which environment are you deploying?

Binary

Additional Context

No response

[vinckr]

Hello @Imtinan1996

It seems like you're encountering a Cross-Site Request Forgery (CSRF) violation error when trying to log back in after logging out.
This could be due to the presence of an old CSRF token in the cookies.

Ory Kratos provides CSRF protection for all flows. When submitting a flow, you must send a CSRF token in the body and CSRF cookie back. The cookie should be sent by default by your browser, but you must add the CSRF token manually to the request body. This can be a JSON object or a native form POST.
When mapping UI nodes, take note of input fields with the name csrf_token with the hidden attribute.
Without more specific information or code examples, it's hard to provide a definitive solution.

Here are some relevant links from the documentation for reference:

• CSRF troubleshooting
• Ory Kratos User Login
• Ory Kratos User Settings & Profile Management Documentation

[kevinlaw91]

Hi @vinckr
Can you help me with few questions?
I initialized the registration browser flow and got the CSRF token from 'data'. I updated the url to include flow=xxxxxxx and rendered the form.
Let's assume user then pressed refresh, currently at myapp.com/register?flow=xxxxxxxxx
I call ory.getRegistrationFlow() I get the error "The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token)."
Cookie was passed correctly using withCredentials: true

My question is, is this behavior correct (the request should be rejected)?
2. Any safe approach to persist csrf token across page refresh without using browser storage
3. If user press refresh accidentally and get such error, should i initialize another fresh new browser flow (and new csrf token)? the old flow that lost its csrf token has to be discarded i guess?

thanks

[vinckr]

1. Yes, this behavior is correct. Ory provides CSRF protection for all flows. This means that you must send a CSRF token in the body and CSRF cookie back when submitting a flow. The cookie should be sent by default by your browser, but you must add the CSRF token manually to the request body. This can be a JSON object or a native form POST. If the CSRF token is not included in the HTTP request body or in the HTTP Header, you will get the error "The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token)."
2. Not sure, ideally start a new flow if the page is refreshed.
3. Correct, if the user refreshes the page and the CSRF token is lost, you should initialize a new registration flow. The old flow that lost its CSRF token should be discarded. This is because the CSRF token is tied to a specific registration flow, and if the token is lost, the flow can no longer be completed securely.

[NikitaIT]

@vinckr I guess it's actually wrong csrf_token was set for Domain=kratos.blabla.localhost, but session deleted from Domain=blabla.localhost.

So, kratos.yaml was ignored for csrf:

session:
  cookie:
    domain: blabla.localhost

2025-10-28 02:31:10 time=2025-10-28T01:31:10Z level=info msg=completed handling request func=github.com/ory/x/reqlog.(*Middleware).ServeHTTP file=/go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:147 http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 accept-encoding:gzip, deflate, br, zstd accept-language:ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7,pl;q=0.6 cache-control:no-cache connection:close cookie:[__next_hmr_refresh_hash__=4c8ef844190c7f5ed97629ae6ab59bea3a4a0c51ca650548; ory_kratos_continuity=MTc2MTYxMjI1MnxEWDhFQVFMX2dBQUJFQUVRQUFCZl80QUFBUVp6ZEhKcGJtY01Jd0FoYjNKNVgydHlZWFJ2YzE5dmFXUmpYMkYxZEdoZlkyOWtaVjl6WlhOemFXOXVCbk4wY21sdVp3d21BQ1F6TURSak1ESmlPQzFtTldNeExUUXdPREF0WWpnek5TMWtOVEJpTlRkak9ETmtOelk9fG7hGr6xbietf16jnfb3h4iLi4CEp-Db1BTFX1QXX8mO; csrf_token_b861307b02d58f9db244cc9a6e8423b756e7031fe73a3f4297b595dca3f9728f=Lo/LaErw+Xk8vU3QmJUyHopb0RPwzotdBpksvbS9V84=; ory_kratos_session=MTc2MTYxNTA0OHxWajgzYTROczJvbEtsZWFvcXo0NnlOQ0pMYU5DTl9xb0lvd2ZCT2dGdFNnWENVSmtyQXNyUkpyY3ZfYXpWSmRWNWRhcEp1UkZibURwaVRCLVZ4aUlmUVlKd0ZkLS12alRuaXV0TklJLU9wVnlWUmdSNDFWXzlvMnVVLU5EQU1MWDlpbUJWYUUyRzRvU0dPNDMtLXZBOC05TjR6dVRfY3pCczJCbzcxdHhpa3RldElvMnozOXFOMUZZcUxVMk1lV3JHQ291VDdwUkNjM2lFeHoxdWE1NWFfc2RBLWpTcXExYmlicTE3WWRmc1o1aUstMlBxam9oRlRMVVdNX1l3VEg1Yll4NzlIUG81NHFieDBITV9XUHl8OXCDCMzZ7P8dsea5f1uxzpVA4GY9M20FVK-uOVl1YPU=] pragma:no-cache referer:http://blabla.localhost/ sec-ch-ua:"Google Chrome";v="141", "Not?A_Brand";v="8", "Chromium";v="141" sec-ch-ua-mobile:?0 sec-ch-ua-platform:"macOS" sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:same-site sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36 x-forwarded-for:127.0.0.1 x-real-ip:127.0.0.1] host:kratos.blabla.localhost method:GET path:/self-service/logout query:return_to=http%3A%2F%2Fblabla.localhost%2F&token=ory_lo_VQNMn3zvsSakbwr8NSQ2P3PekZbacGC4 remote:172.25.0.1:58296 scheme:http] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate content-type:text/html; charset=utf-8 
location:http://blabla.localhost/ 
set-cookie:[

ory_kratos_session=MTc2MTYxNTA3MHx6enNtNFNxNTI2a05UUElnV2U2Yld4REFLWS1LX1p0cmNDTXhIRUp0V3Y4X3QyNnhNNVB0X0h1OVlZQVFEV2tBZjB3eUdUODdZM0ExSnV1SFoySGFWREhLM2d5MlBpU1doVjd3WEVBU3BnZFBhMGNUT3YyWGxfRkt0T3pOWS1UZUNrZTdLN2h3VWd4TmlmTTU3dHdob3N3VWw0TmowLUNwa05BOXdERHd6NmpQVGNlUzBGSUpHNlAwSEVBbzQ3UHJKX0ZZQnM4UXdvbmJuZVhHb1ZfSEpVNWlseF9SaElDUkxXUk5IRkVZZGxqRW00ZkRtOWRSM2pHM2k1ZkV0X0xoLUx5TGRJV1V5dVJzYWxVQk5sN1R8lXEf8GX5mrUDsS1i-aYb2io27Q8slIpXXqYW5BEwdas=; 

Path=/; Domain=blabla.localhost; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; HttpOnly; SameSite=Lax 

csrf_token_b861307b02d58f9db244cc9a6e8423b756e7031fe73a3f4297b595dca3f9728f=26CghKiRXaz5PVDX3C3yb8eUsLwy6wGlMVKSQAsbjhQ=; 

Path=/; Max-Age=31536000; HttpOnly; SameSite=Lax] vary:Origin] size:52 status:303 text_status:See Other took:33.430834ms]

[NikitaIT]

Fixed with additional cookies.domain:

cookies:
  domain: blabla.localhost

session:
  cookie:
    domain: blabla.localhost

It's strange, I was sure session.cookie.domain should be enough.