Using 307 redirect causes "Invalid Security Token" error upon login #743

Closed
msjyoo opened this issue Aug 19, 2016 · 10 comments

@msjyoo

msjyoo commented Aug 19, 2016

Hello,

Using 307 redirect (client Mozilla Firefox 45.2) causes the "Invalid Security Token" error notification upon first login after a logout, which goes away with a refresh.

If I refresh using F5 and select "Resend" (using the login form POST) the notification remains. If I "enter" on the URL so that a GET is used instead, then the error notification goes away.

Thanks.

@msjyoo msjyoo changed the title Using 307 redirect causes "Invalid Security Token" error upon first login Using 307 redirect causes "Invalid Security Token" error upon login Aug 19, 2016
@msjyoo
Author

msjyoo commented Aug 19, 2016

And yes, the problem does go away if I select "301" on the configuration panel. Haven't tested 303.

@rhukster
Member

Where is this redirect happening? Redirecting to the login page? Or during login?

@msjyoo
Author

msjyoo commented Aug 19, 2016

Sorry, that description was overly complex.

  1. Enter credentials on login page, and click login.
  2. The user is then redirected onto the admin panel, using either 301 or 307.
  3. If 307 is selected, the "Invalid Security Token" appears, which disappears after a refresh.

@rhukster
Member

Question is how and where you are setting the 307 redirect?

@msjyoo
Author

msjyoo commented Aug 19, 2016

[Image: screenshot from 2016-08-20 02 43 18]

You can see the setting on the bottom right corner.

EDIT: I did go from like the very early release of Grav to the latest version using updates so there could be something missing or grandfathered in, if you don't have that option :/

@rhukster
Member

Yah, seems 307 is not a good option. I'll add 302 and 304 and remove 307. 301-304 work fine.

@msjyoo
Author

msjyoo commented Aug 19, 2016

Sounds good. Thanks!

@riemers

riemers commented Sep 6, 2017

Just for reference, I was using a reverse proxy in front of Grav in a docker. Admin was either giving me an "invalid token" or it redirected me to "http://unknown:8080/admin". After I changed that setting to 304 the problem seems to be fixed for me. 301 does not work.

@rhukster
Member

rhukster commented Sep 6, 2017

The default in the next release is 302 - getgrav/grav#1619

@riemers

riemers commented Sep 6, 2017

Tried 302, didn't seem to work in my particular setup. With 304 it does work, but strangely enough I have to press enter twice on the login menu and I see "invalid token" when I am logged into admin, but all works fine. If it works, it works ;p
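
An added example, not part of the original issue and not Grav's code: a model of how a browser picks the request method when following a redirect, consistent with the report above that the notice persists on a re-sent POST and disappears on a GET. The handler, the `/login` and `/admin` paths and the nonce value are hypothetical stand-ins for a backend that checks a one-time token on every POST.

```javascript
// Method a browser uses for the follow-up request after a redirect
// (RFC 7231 section 6.4, RFC 7538, and the Fetch standard).
function methodAfterRedirect(status, method) {
  switch (status) {
    case 301:
    case 302:
      // Browsers rewrite POST to GET; other methods are kept.
      return method === 'POST' ? 'GET' : method;
    case 303:
      // Everything except HEAD becomes GET.
      return method === 'HEAD' ? 'HEAD' : 'GET';
    case 307:
    case 308:
      return method; // method AND body are preserved
    default:
      return null; // not a redirect the client follows
  }
}

// Constructed login flow: POST /login, then follow the redirect to /admin.
function simulateLogin(redirectStatus) {
  const unusedNonces = new Set(['login-nonce-1']); // constructed one-time token
  const form = { username: 'admin', nonce: 'login-nonce-1' };

  // Hypothetical handler: every POST must carry a nonce that has not been used.
  function handle(path, method, body) {
    const notices = [];
    if (method === 'POST') {
      const ok = body !== null && unusedNonces.delete(body.nonce);
      if (!ok) notices.push('Invalid Security Token');
    }
    if (path === '/login' && method === 'POST' && notices.length === 0) {
      return { status: redirectStatus, location: '/admin', notices };
    }
    return { status: 200, notices };
  }

  const first = handle('/login', 'POST', form);
  const next = methodAfterRedirect(first.status, 'POST');
  if (next === null) return { method: null, notices: first.notices };
  // On 307/308 the browser replays the login form, nonce included.
  const replayed = next === 'POST' ? form : null;
  const second = handle(first.location, next, replayed);
  return { method: next, notices: second.notices };
}
```

With 307 the admin page receives the already-consumed login nonce in a replayed POST; with 301, 302 or 303 it receives a plain GET and no token check runs.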
