CSRF check failed Upon Logout (Upgrade NC9 to NC10) #1075

@Diablosblizz

Steps to reproduce

  1. Log in with any user
  2. Attempt to log out
  3. Error occurs

Expected behaviour

The user should be logged out.

Actual behaviour

The user clicks logout, and is provided with the error:

"Access forbidden
CSRF check failed"

Going back to the NextCloud login page redirects to the same user being logged in.

Server configuration

Operating system: Ubuntu 16.04

Web server: Apache2

Database: MySQL

PHP version: 7.0.3

Nextcloud version: (see Nextcloud admin page) 10

Updated from an older Nextcloud/ownCloud or fresh install: Updated

Where did you install Nextcloud from: Via .zip file

Signing status:

No errors have been found.

List of activated apps:

Enabled:

  • activity: 2.3.2
  • admin_audit: 1.0.0
  • calendar: 1.3.3
  • comments: 1.0.0
  • contacts: 1.3.1.0
  • dav: 1.0.0
  • documents: 0.13.1
  • federatedfilesharing: 1.0.1
  • federation: 1.0.1
  • files: 1.5.2
  • files_pdfviewer: 0.8.1
  • files_sharing: 1.0.0
  • files_texteditor: 2.1
  • files_trashbin: 1.0.0
  • files_versions: 1.3.0
  • files_videoplayer: 0.9.8
  • firstrunwizard: 1.1
  • gallery: 15.0.0
  • notifications: 0.3.0
  • password_policy: 1.0.0
  • provisioning_api: 1.0.0
  • qownnotesapi: 0.4.4
  • serverinfo: 1.1.1
  • survey_client: 0.1.5
  • systemtags: 1.0.2
  • templateeditor: 0.1
  • theming: 1.0.1
  • updatenotification: 1.0.1
  • workflowengine: 1.0.1

Disabled:

  • bookmarks
  • encryption
  • external
  • files_accesscontrol
  • files_automatedtagging
  • files_external
  • files_retention
  • user_external
  • user_ldap
  • user_saml

The content of config/config.php:

{
    "system": {
        "instanceid": "oce8z1iwk6a5",
        "passwordsalt": "_REMOVED SENSITIVE VALUE",
        "secret": "_REMOVED SENSITIVE VALUE",
        "trusted_domains": [
            "mauris.kbnetwork.ca"
        ],
        "datadirectory": "/var/www/html/nextcloud/data",
        "overwrite.cli.url": "http://mauris.kbnetwork.ca/nextcloud",
        "dbtype": "mysql",
        "version": "9.1.0.16",
        "dbname": "nextcloud",
        "dbhost": "192.168.1.143",
        "dbtableprefix": "oc_",
        "dbuser": "_REMOVED SENSITIVE VALUE",
        "dbpassword": "_REMOVED SENSITIVE VALUE",
        "logtimezone": "UTC",
        "installed": true,
        "memcache.local": "\OC\Memcache\APCu",
        "maintenance": false,
        "loglevel": 2
    }
}

Are you using external storage, if yes which one: No

Are you using encryption: no

Are you using an external user-backend, if yes which one: No

Client configuration

Browser: Firefox or Chrome

Operating system: Windows 10

Logs

Web server error log

[Thu Aug 25 19:02:25.230161 2016] [mpm_prefork:notice] [pid 40854] AH00163: Apache/2.4.18 (Ubuntu) configured -- resuming normal operations
[Thu Aug 25 19:02:25.230191 2016] [core:notice] [pid 40854] AH00094: Command line: '/usr/sbin/apache2'
[Thu Aug 25 19:03:12.724372 2016] [authz_core:error] [pid 41301] [client 192.168.1.130:37256] AH01630: client denied by server configuration: /var/www/html/nextcloud/data/htaccesstest.txt
[Thu Aug 25 19:06:37.495216 2016] [authz_core:error] [pid 41276] [client 192.168.1.130:37372] AH01630: client denied by server configuration: /var/www/html/nextcloud/data/htaccesstest.txt
[Thu Aug 25 19:06:44.998652 2016] [authz_core:error] [pid 41282] [client 192.168.1.130:37384] AH01630: client denied by server configuration: /var/www/html/nextcloud/data/htaccesstest.txt

Nextcloud log (data/nextcloud.log)

{"reqId":"WrGgQpGzWvGO4Hx9xg7T","remoteAddr":"192.168.1.130","app":"PHP","message":"touch(): Utime failed: Permission denied at /var/www/html/nextcloud/lib/private/Config.php#229","level":3,"time":"2016-08-25T22:50:44+00:00","method":"GET","url":"/nextcloud/status.php","user":"--"}
{"reqId":"WrGgQpGzWvGO4Hx9xg7T","remoteAddr":"192.168.1.130","app":"PHP","message":"fopen(/var/www/html/nextcloud/config/config.php): failed to open stream: Permission denied at /var/www/html/nextcloud/lib/private/Config.php#230","level":3,"time":"2016-08-25T22:50:44+00:00","method":"GET","url":"/nextcloud/status.php","$
{"reqId":"WrGgQpGzWvGO4Hx9xg7T","remoteAddr":"192.168.1.130","app":"PHP","message":"chmod(): Operation not permitted at /var/www/html/nextcloud/lib/private/Config.php#233","level":3,"time":"2016-08-25T22:50:44+00:00","method":"GET","url":"/nextcloud/status.php","user":"--"}
{"reqId":"WrGgQpGzWvGO4Hx9xg7T","remoteAddr":"192.168.1.130","app":"remote","message":"Can't write into config directory!","level":4,"time":"2016-08-25T22:50:44+00:00","method":"GET","url":"/nextcloud/status.php","user":"--"}
{"reqId":"7eSpV/jLcMiRp9Qp0jiw","remoteAddr":"","app":"core","message":"starting upgrade from 9.0.53.0 to 9.1.0.16","level":0,"time":"2016-08-25T22:51:09+00:00","method":"--","url":"--","user":"--"}
{"reqId":"NfcQ5rofQ5p3wvXmnaYR","remoteAddr":"192.168.1.130","app":"webdav","message":"Exception: {"Message":"HTTP\/1.1 503 System in maintenance mode.","Exception":"Sabre\DAV\Exception\ServiceUnavailable","Code":0,"Trace":"#0 [internal function]: OCA\DAV\Connector\Sabre\MaintenancePlugin->checkMain$

Browser log

Nothing in console.

Network: https://mauris.kbnetwork.ca/nextcloud/index.php/s/iHoa08cQZ0H9P0A

Labels: 0. Needs triage, bug
